-rwxr-xr-xcontrib/pw-am.sh2
-rw-r--r--meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb2
-rw-r--r--meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb (renamed from meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb)5
-rw-r--r--meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb2
-rw-r--r--meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb2
-rw-r--r--meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb2
-rw-r--r--meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb2
-rw-r--r--meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb2
-rw-r--r--meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb2
-rw-r--r--meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb2
-rw-r--r--meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb2
-rw-r--r--meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb2
-rw-r--r--meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb2
-rw-r--r--meta-gnome/recipes-support/ibus/ibus.inc2
-rw-r--r--meta-gnome/recipes-support/keybinder/keybinder_3.0.bb2
-rw-r--r--meta-gnome/recipes-support/libhandy/libhandy_git.bb2
-rw-r--r--meta-gnome/recipes-support/libstemmer/libstemmer_git.bb2
-rw-r--r--meta-gnome/recipes-support/libwacom/libwacom_0.33.bb2
-rw-r--r--meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb2
-rw-r--r--meta-initramfs/recipes-devtools/dracut/dracut_git.bb2
-rw-r--r--meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb2
-rw-r--r--meta-initramfs/recipes-devtools/grubby/grubby_git.bb2
-rw-r--r--meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb2
-rw-r--r--meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb2
-rw-r--r--meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb2
-rw-r--r--meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc2
-rw-r--r--meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb4
-rw-r--r--meta-multimedia/recipes-multimedia/libcamera/libcamera.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb2
-rw-r--r--meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb2
-rw-r--r--meta-multimedia/recipes-support/crossguid/crossguid.bb2
-rw-r--r--meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb2
-rw-r--r--meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb2
-rw-r--r--meta-networking/recipes-connectivity/civetweb/civetweb_git.bb2
-rw-r--r--meta-networking/recipes-connectivity/dibbler/dibbler_git.bb2
-rw-r--r--meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb2
-rw-r--r--meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb2
-rw-r--r--meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb2
-rw-r--r--meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb2
-rw-r--r--meta-networking/recipes-connectivity/netplan/netplan_0.98.bb2
-rw-r--r--meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb (renamed from meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb)3
-rw-r--r--meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb2
-rw-r--r--meta-networking/recipes-connectivity/relayd/relayd_git.bb2
-rw-r--r--meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb2
-rw-r--r--meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb2
-rw-r--r--meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch111
-rw-r--r--meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch48
-rw-r--r--meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb4
-rw-r--r--meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch83
-rw-r--r--meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb3
-rw-r--r--meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb2
-rw-r--r--meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb2
-rw-r--r--meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch46
-rw-r--r--meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb (renamed from meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb)5
-rw-r--r--meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch51
-rw-r--r--meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb1
-rw-r--r--meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb2
-rw-r--r--meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb2
-rw-r--r--meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb2
-rw-r--r--meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb2
-rw-r--r--meta-networking/recipes-irc/znc/znc_1.7.5.bb4
-rw-r--r--meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch29
-rw-r--r--meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch32
-rw-r--r--meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb30
-rw-r--r--meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb23
-rw-r--r--meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb (renamed from meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb)6
-rw-r--r--meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb2
-rw-r--r--meta-networking/recipes-protocols/openflow/openflow.inc2
-rw-r--r--meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb2
-rw-r--r--meta-networking/recipes-support/arptables/arptables_git.bb2
-rw-r--r--meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb2
-rw-r--r--meta-networking/recipes-support/cifs/cifs-utils_6.10.bb2
-rw-r--r--meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb2
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch1040
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch188
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb2
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch30
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch19
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch13
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch76
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch71
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch37
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch49
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch90
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch45
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch163
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch72
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch50
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch169
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch188
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch87
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch133
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch32
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch27
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb16
-rw-r--r--meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb5
-rw-r--r--meta-networking/recipes-support/geoip/geoip-perl_1.51.bb2
-rw-r--r--meta-networking/recipes-support/geoip/geoip_1.6.12.bb2
-rw-r--r--meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb2
-rw-r--r--meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb2
-rw-r--r--meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb2
-rw-r--r--meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb2
-rw-r--r--meta-networking/recipes-support/mtr/mtr_0.93.bb2
-rw-r--r--meta-networking/recipes-support/nbdkit/nbdkit_git.bb2
-rw-r--r--meta-networking/recipes-support/ndisc6/ndisc6_git.bb2
-rw-r--r--meta-networking/recipes-support/netcat/netcat_0.7.1.bb2
-rw-r--r--meta-networking/recipes-support/netcf/netcf_0.2.8.bb2
-rw-r--r--meta-networking/recipes-support/netperf/netperf_git.bb2
-rw-r--r--meta-networking/recipes-support/nis/yp-tools_4.2.3.bb2
-rw-r--r--meta-networking/recipes-support/ntimed/ntimed_git.bb2
-rw-r--r--meta-networking/recipes-support/open-isns/open-isns_0.99.bb2
-rw-r--r--meta-networking/recipes-support/phytool/phytool.bb2
-rw-r--r--meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb2
-rw-r--r--meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb2
-rw-r--r--meta-networking/recipes-support/spice/spice-protocol_git.bb2
-rw-r--r--meta-networking/recipes-support/spice/spice_git.bb4
-rw-r--r--meta-networking/recipes-support/spice/usbredir_0.8.0.bb2
-rw-r--r--meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch62
-rw-r--r--meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch41
-rw-r--r--meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch156
-rw-r--r--meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch210
-rw-r--r--meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb4
-rw-r--r--meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch1
-rw-r--r--meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch111
-rw-r--r--meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb1
-rw-r--r--meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch37
-rw-r--r--meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb3
-rw-r--r--meta-networking/recipes-support/unbound/unbound_1.9.4.bb2
-rw-r--r--meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch22
-rw-r--r--meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb (renamed from meta-networking/recipes-support/wireshark/wireshark_3.2.15.bb)5
-rw-r--r--meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb2
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb2
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb2
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb4
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/fio/fio_3.17.bb2
-rw-r--r--meta-oe/recipes-benchmark/glmark2/glmark2_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb2
-rw-r--r--meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb4
-rw-r--r--meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb2
-rw-r--r--meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb2
-rw-r--r--meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb2
-rw-r--r--meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb2
-rw-r--r--meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb2
-rw-r--r--meta-oe/recipes-bsp/ledmon/ledmon_git.bb2
-rw-r--r--meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb4
-rw-r--r--meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb2
-rw-r--r--meta-oe/recipes-connectivity/gattlib/gattlib_git.bb6
-rw-r--r--meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb2
-rw-r--r--meta-oe/recipes-connectivity/iwd/iwd_1.9.bb2
-rw-r--r--meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/libndp/libndp_1.7.bb2
-rw-r--r--meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb2
-rw-r--r--meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb (renamed from meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb)5
-rw-r--r--meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb2
-rw-r--r--meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb2
-rw-r--r--meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb2
-rw-r--r--meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb2
-rw-r--r--meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch2
-rw-r--r--meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb2
-rw-r--r--meta-oe/recipes-core/emlog/emlog.inc2
-rw-r--r--meta-oe/recipes-core/glfw/glfw_3.3.bb2
-rw-r--r--meta-oe/recipes-core/libnfc/libnfc_git.bb2
-rw-r--r--meta-oe/recipes-core/mdbus2/mdbus2_git.bb2
-rw-r--r--meta-oe/recipes-core/ndctl/ndctl_v67.bb2
-rw-r--r--meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb2
-rw-r--r--meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb2
-rw-r--r--meta-oe/recipes-core/safec/safec_3.5.1.bb2
-rw-r--r--meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch96
-rw-r--r--meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb2
-rw-r--r--meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb9
-rw-r--r--meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb (renamed from meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb)6
-rw-r--r--meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb2
-rw-r--r--meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb2
-rw-r--r--meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb2
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb-native_10.4.25.bb (renamed from meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb)0
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb.inc6
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch73
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch32
-rw-r--r--meta-oe/recipes-dbs/mysql/mariadb_10.4.25.bb (renamed from meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb)0
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch6
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch947
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch904
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch38
-rw-r--r--meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb (renamed from meta-oe/recipes-dbs/postgresql/postgresql_12.7.bb)5
-rw-r--r--meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb2
-rw-r--r--meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb2
-rw-r--r--meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb1
-rw-r--r--meta-oe/recipes-devtools/bootchart/bootchart_git.bb2
-rw-r--r--meta-oe/recipes-devtools/breakpad/breakpad_git.bb10
-rw-r--r--meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb4
-rw-r--r--meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch49
-rw-r--r--meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb2
-rw-r--r--meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb2
-rw-r--r--meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb4
-rw-r--r--meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb9
-rw-r--r--meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb5
-rw-r--r--meta-oe/recipes-devtools/guider/guider_3.9.7.bb2
-rw-r--r--meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb2
-rw-r--r--meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb2
-rw-r--r--meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb2
-rw-r--r--meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb2
-rw-r--r--meta-oe/recipes-devtools/libubox/libubox_git.bb2
-rw-r--r--meta-oe/recipes-devtools/ltrace/ltrace_git.bb2
-rw-r--r--meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch73
-rw-r--r--meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch28
-rw-r--r--meta-oe/recipes-devtools/lua/lua_5.3.6.bb3
-rw-r--r--meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb2
-rw-r--r--meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb2
-rw-r--r--meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb2
-rw-r--r--meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb2
-rw-r--r--meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb2
-rw-r--r--meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb (renamed from meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb)4
-rw-r--r--meta-oe/recipes-devtools/openocd/openocd_git.bb8
-rw-r--r--meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb2
-rw-r--r--meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb2
-rw-r--r--meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb2
-rw-r--r--meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb2
-rw-r--r--meta-oe/recipes-devtools/php/php_7.4.33.bb (renamed from meta-oe/recipes-devtools/php/php_7.4.21.bb)2
-rw-r--r--meta-oe/recipes-devtools/ply/ply_git.bb2
-rw-r--r--meta-oe/recipes-devtools/pmtools/pmtools_git.bb2
-rw-r--r--meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb2
-rw-r--r--meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch73
-rw-r--r--meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb3
-rw-r--r--meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb2
-rw-r--r--meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb2
-rw-r--r--meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb2
-rw-r--r--meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb2
-rw-r--r--meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb2
-rw-r--r--meta-oe/recipes-devtools/valijson/valijson_git.bb2
-rw-r--r--meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb2
-rw-r--r--meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb2
-rw-r--r--meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb2
-rw-r--r--meta-oe/recipes-devtools/yasm/yasm_git.bb2
-rw-r--r--meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch44
-rw-r--r--meta-oe/recipes-extended/brotli/brotli_1.0.7.bb4
-rw-r--r--meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb2
-rw-r--r--meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb2
-rw-r--r--meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb2
-rw-r--r--meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb2
-rw-r--r--meta-oe/recipes-extended/figlet/figlet_git.bb2
-rw-r--r--meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb2
-rw-r--r--meta-oe/recipes-extended/haveged/haveged_1.9.13.bb2
-rw-r--r--meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb2
-rw-r--r--meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb2
-rw-r--r--meta-oe/recipes-extended/iotop/iotop_0.6.bb2
-rw-r--r--meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb2
-rw-r--r--meta-oe/recipes-extended/jansson/jansson_2.13.1.bb3
-rw-r--r--meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb2
-rw-r--r--meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb2
-rw-r--r--meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb2
-rw-r--r--meta-oe/recipes-extended/libcec/libcec_git.bb2
-rw-r--r--meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb2
-rw-r--r--meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb2
-rw-r--r--meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb2
-rw-r--r--meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb2
-rw-r--r--meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb2
-rw-r--r--meta-oe/recipes-extended/libqb/libqb_1.0.5.bb2
-rw-r--r--meta-oe/recipes-extended/libreport/libreport_2.10.0.bb2
-rw-r--r--meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb2
-rw-r--r--meta-oe/recipes-extended/libuio/libuio_0.2.1.bb2
-rw-r--r--meta-oe/recipes-extended/md5deep/md5deep_git.bb2
-rw-r--r--meta-oe/recipes-extended/mraa/mraa_git.bb2
-rw-r--r--meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb2
-rw-r--r--meta-oe/recipes-extended/ostree/ostree_2020.3.bb4
-rw-r--r--meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch27
-rw-r--r--meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch226
-rw-r--r--meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch27
-rw-r--r--meta-oe/recipes-extended/p7zip/p7zip_16.02.bb23
-rw-r--r--meta-oe/recipes-extended/p8platform/p8platform_git.bb2
-rw-r--r--meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb2
-rw-r--r--meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb2
-rw-r--r--meta-oe/recipes-extended/pmdk/pmdk_1.7.bb2
-rw-r--r--meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch74
-rw-r--r--meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch87
-rw-r--r--meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch33
-rw-r--r--meta-oe/recipes-extended/polkit/polkit_0.116.bb3
-rw-r--r--meta-oe/recipes-extended/redis/redis_5.0.14.bb (renamed from meta-oe/recipes-extended/redis/redis_5.0.9.bb)3
-rw-r--r--meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb2
-rw-r--r--meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb2
-rw-r--r--meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb2
-rw-r--r--meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb2
-rw-r--r--meta-oe/recipes-extended/sedutil/sedutil_git.bb2
-rw-r--r--meta-oe/recipes-extended/socketcan/can-isotp_git.bb2
-rw-r--r--meta-oe/recipes-extended/socketcan/can-utils_git.bb2
-rw-r--r--meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb2
-rw-r--r--meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb2
-rw-r--r--meta-oe/recipes-extended/sysdig/sysdig_git.bb2
-rw-r--r--meta-oe/recipes-extended/tipcutils/tipcutils_git.bb2
-rw-r--r--meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb2
-rw-r--r--meta-oe/recipes-extended/upm/upm_git.bb2
-rw-r--r--meta-oe/recipes-extended/wipe/wipe_0.24.bb2
-rw-r--r--meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb2
-rw-r--r--meta-oe/recipes-extended/zlog/zlog_1.2.14.bb2
-rw-r--r--meta-oe/recipes-extended/zstd/zstd_1.4.5.bb2
-rw-r--r--meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb2
-rw-r--r--meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb2
-rw-r--r--meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb2
-rw-r--r--meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb2
-rw-r--r--meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb2
-rw-r--r--meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb2
-rw-r--r--meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb2
-rw-r--r--meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb13
-rw-r--r--meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb2
-rw-r--r--meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb2
-rw-r--r--meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb2
-rw-r--r--meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb2
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch72
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch86
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch43
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch29
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch27
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch30
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch27
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch29
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch24
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch238
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch31
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch31
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch74
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb29
-rw-r--r--meta-oe/recipes-graphics/qrencode/qrencode_git.bb2
-rw-r--r--meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb2
-rw-r--r--meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb2
-rw-r--r--meta-oe/recipes-graphics/spir/spirv-tools_git.bb11
-rw-r--r--meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb2
-rw-r--r--meta-oe/recipes-graphics/tesseract/tesseract_git.bb2
-rw-r--r--meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb2
-rw-r--r--meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb2
-rw-r--r--meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb2
-rw-r--r--meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb2
-rw-r--r--meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb2
-rw-r--r--meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb2
-rw-r--r--meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb2
-rw-r--r--meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch84
-rw-r--r--meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch785
-rw-r--r--meta-oe/recipes-graphics/xorg-app/xterm_353.bb3
-rw-r--r--meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb2
-rw-r--r--meta-oe/recipes-graphics/yad/yad_6.0.bb2
-rw-r--r--meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb2
-rw-r--r--meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb2
-rw-r--r--meta-oe/recipes-kernel/crash/crash_7.2.8.bb2
-rw-r--r--meta-oe/recipes-kernel/kpatch/kpatch.inc2
-rw-r--r--meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb2
-rw-r--r--meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb2
-rw-r--r--meta-oe/recipes-multimedia/jack/a2jmidid_9.bb2
-rw-r--r--meta-oe/recipes-multimedia/jack/jack_1.19.14.bb2
-rw-r--r--meta-oe/recipes-multimedia/libass/libass_0.14.0.bb2
-rw-r--r--meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb2
-rw-r--r--meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb2
-rw-r--r--meta-oe/recipes-multimedia/pipewire/pipewire_git.bb2
-rw-r--r--meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb2
-rw-r--r--meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb2
-rw-r--r--meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb15
-rw-r--r--meta-oe/recipes-security/softhsm/softhsm_git.bb2
-rw-r--r--meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb2
-rw-r--r--meta-oe/recipes-support/anthy/anthy_9100h.bb4
-rw-r--r--meta-oe/recipes-support/avro/avro-c_1.9.2.bb2
-rw-r--r--meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb2
-rw-r--r--meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch27
-rw-r--r--meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch84
-rw-r--r--meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb (renamed from meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb)10
-rw-r--r--meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb2
-rw-r--r--meta-oe/recipes-support/cli11/cli11_1.8.0.bb2
-rw-r--r--meta-oe/recipes-support/cmark/cmark_git.bb2
-rw-r--r--meta-oe/recipes-support/daemonize/daemonize_git.bb2
-rw-r--r--meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb2
-rw-r--r--meta-oe/recipes-support/dstat/dstat_0.7.4.bb4
-rw-r--r--meta-oe/recipes-support/epeg/epeg_git.bb2
-rw-r--r--meta-oe/recipes-support/fmt/fmt_6.2.0.bb2
-rw-r--r--meta-oe/recipes-support/freerdp/freerdp_git.bb2
-rw-r--r--meta-oe/recipes-support/function2/function2_4.0.0.bb2
-rw-r--r--meta-oe/recipes-support/gd/gd_2.3.0.bb2
-rw-r--r--meta-oe/recipes-support/gflags/gflags_2.2.2.bb2
-rw-r--r--meta-oe/recipes-support/glog/glog_0.3.5.bb2
-rw-r--r--meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb2
-rw-r--r--meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb2
-rw-r--r--meta-oe/recipes-support/gpm/gpm_git.bb2
-rw-r--r--meta-oe/recipes-support/hidapi/hidapi_git.bb2
-rw-r--r--meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb2
-rw-r--r--meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb2
-rw-r--r--meta-oe/recipes-support/hwdata/hwdata_git.bb2
-rw-r--r--meta-oe/recipes-support/iksemel/iksemel_1.5.bb2
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb2
-rw-r--r--meta-oe/recipes-support/inih/libinih_git.bb2
-rw-r--r--meta-oe/recipes-support/iniparser/iniparser_4.1.bb2
-rw-r--r--meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb2
-rw-r--r--meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb2
-rw-r--r--meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb2
-rw-r--r--meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb2
-rw-r--r--meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb2
-rw-r--r--meta-oe/recipes-support/libfann/libfann_git.bb2
-rw-r--r--meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb2
-rw-r--r--meta-oe/recipes-support/libgusb/libgusb_git.bb2
-rw-r--r--meta-oe/recipes-support/libharu/libharu_2.3.0.bb2
-rw-r--r--meta-oe/recipes-support/libiio/libiio_git.bb2
-rw-r--r--meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch158
-rw-r--r--meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb3
-rw-r--r--meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb2
-rw-r--r--meta-oe/recipes-support/libmxml/libmxml_3.1.bb2
-rw-r--r--meta-oe/recipes-support/libp11/libp11_0.4.10.bb2
-rw-r--r--meta-oe/recipes-support/librsync/librsync_2.3.1.bb2
-rw-r--r--meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb2
-rw-r--r--meta-oe/recipes-support/libteam/libteam_1.30.bb2
-rw-r--r--meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb2
-rw-r--r--meta-oe/recipes-support/libusbg/libusbg_git.bb2
-rw-r--r--meta-oe/recipes-support/libusbgx/libusbgx_git.bb2
-rw-r--r--meta-oe/recipes-support/libutempter/libutempter.bb2
-rw-r--r--meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb2
-rw-r--r--meta-oe/recipes-support/lvm2/lvm2.inc2
-rw-r--r--meta-oe/recipes-support/mcelog/mce-inject_git.bb2
-rw-r--r--meta-oe/recipes-support/mcelog/mce-test_git.bb2
-rw-r--r--meta-oe/recipes-support/mcelog/mcelog_168.bb2
-rw-r--r--meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb2
-rw-r--r--meta-oe/recipes-support/ne10/ne10_1.2.1.bb2
-rw-r--r--meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch65
-rw-r--r--meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch80
-rw-r--r--meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch283
-rw-r--r--meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch63
-rw-r--r--meta-oe/recipes-support/nss/nss_3.51.1.bb4
-rw-r--r--meta-oe/recipes-support/numactl/numactl_git.bb2
-rw-r--r--meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb2
-rw-r--r--meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb2
-rw-r--r--meta-oe/recipes-support/opencv/ade_0.1.1f.bb2
-rw-r--r--meta-oe/recipes-support/opencv/opencv_4.1.0.bb12
-rw-r--r--meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch277
-rw-r--r--meta-oe/recipes-support/openldap/openldap_2.4.57.bb2
-rw-r--r--meta-oe/recipes-support/opensc/opensc_0.20.0.bb2
-rw-r--r--meta-oe/recipes-support/picocom/picocom_git.bb2
-rw-r--r--meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb2
-rw-r--r--meta-oe/recipes-support/pidgin/icyque_git.bb2
-rw-r--r--meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb2
-rw-r--r--meta-oe/recipes-support/poco/poco_1.9.4.bb2
-rw-r--r--meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb2
-rw-r--r--meta-oe/recipes-support/remmina/remmina_1.3.6.bb2
-rw-r--r--meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb2
-rw-r--r--meta-oe/recipes-support/sass/libsass_3.6.3.bb2
-rw-r--r--meta-oe/recipes-support/sass/sassc_git.bb2
-rw-r--r--meta-oe/recipes-support/satyr/satyr_0.28.bb2
-rw-r--r--meta-oe/recipes-support/serial-utils/pty-forward-native.bb2
-rw-r--r--meta-oe/recipes-support/serial-utils/serial-forward_git.bb2
-rw-r--r--meta-oe/recipes-support/span-lite/span-lite_git.bb2
-rw-r--r--meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb2
-rw-r--r--meta-oe/recipes-support/spitools/spitools_git.bb2
-rw-r--r--meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb2
-rw-r--r--meta-oe/recipes-support/toscoterm/toscoterm_git.bb2
-rw-r--r--meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch63
-rw-r--r--meta-oe/recipes-support/udisks/udisks2_git.bb3
-rw-r--r--meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb2
-rw-r--r--meta-oe/recipes-support/uthash/uthash_2.1.0.bb2
-rw-r--r--meta-oe/recipes-support/utouch/utouch-evemu_git.bb2
-rw-r--r--meta-oe/recipes-support/utouch/utouch-frame_git.bb2
-rw-r--r--meta-oe/recipes-support/utouch/utouch-mtview_git.bb2
-rw-r--r--meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb2
-rw-r--r--meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb2
-rw-r--r--meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb2
-rw-r--r--meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb2
-rw-r--r--meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb2
-rw-r--r--meta-oe/recipes-support/zbar/zbar_git.bb2
-rw-r--r--meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb2
-rw-r--r--meta-oe/recipes-test/bats/bats_1.1.0.bb2
-rw-r--r--meta-oe/recipes-test/catch2/catch2_2.9.2.bb2
-rw-r--r--meta-oe/recipes-test/evtest/evtest_1.34.bb2
-rw-r--r--meta-oe/recipes-test/fbtest/fb-test_git.bb2
-rw-r--r--meta-oe/recipes-test/googletest/googletest_git.bb2
-rw-r--r--meta-oe/recipes-test/pm-qa/pm-qa_git.bb3
-rw-r--r--meta-perl/recipes-perl/po4a/po4a_0.49.bb2
-rw-r--r--meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb2
-rw-r--r--meta-python/recipes-devtools/gyp/gyp.inc2
-rw-r--r--meta-python/recipes-devtools/python/python-feedformatter.inc2
-rw-r--r--meta-python/recipes-devtools/python/python-lxml.inc2
-rw-r--r--meta-python/recipes-devtools/python/python3-absl_0.7.0.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-astor_0.8.1.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch99
-rw-r--r--meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch43
-rw-r--r--meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch37
-rw-r--r--meta-python/recipes-devtools/python/python3-cryptography_2.8.bb3
-rw-r--r--meta-python/recipes-devtools/python/python3-dbussy_1.2.1.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-dt-schema_git.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-fasteners_0.16.3.bb (renamed from meta-python/recipes-devtools/python/python3-fasteners_0.15.bb)9
-rw-r--r--meta-python/recipes-devtools/python/python3-gast_0.2.2.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-h5py_2.9.0.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-imageio_2.6.0.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-keras-preprocessing_1.1.0.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-langtable_0.0.38.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch94
-rw-r--r--meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb1
-rw-r--r--meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-pkgconfig_1.4.0.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-prctl_1.7.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch72
-rw-r--r--meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch67
-rw-r--r--meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb6
-rw-r--r--meta-python/recipes-devtools/python/python3-wheel_0.33.6.bb2
-rw-r--r--meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb2
-rw-r--r--meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb2
-rw-r--r--meta-python/recipes-extended/python-cson/python3-cson_git.bb2
-rw-r--r--meta-python/recipes-extended/python-pyparted/python-pyparted.inc2
-rw-r--r--meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb2
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch37
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch13
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch11
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch17
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch4
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch4
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch8
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0008-Fix-perl-install-directory-to-usr-bin.patch (renamed from meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch)10
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0009-support-apxs.in-force-destdir-to-be-empty-string.patch (renamed from meta-webserver/recipes-httpd/apache2/apache2/0001-support-apxs.in-force-destdir-to-be-empty-string.patch)10
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0010-apache2-do-not-use-relative-path-for-gen_test_char.patch (renamed from meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch)7
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2_2.4.54.bb (renamed from meta-webserver/recipes-httpd/apache2/apache2_2.4.48.bb)11
-rw-r--r--meta-webserver/recipes-httpd/cherokee/cherokee_git.bb2
-rw-r--r--meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch39
-rw-r--r--meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch319
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb4
-rw-r--r--meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb2
-rw-r--r--meta-webserver/recipes-support/fcgi/fcgi_git.bb2
-rw-r--r--meta-webserver/recipes-webadmin/netdata/netdata_git.bb2
-rw-r--r--meta-xfce/recipes-apps/xarchiver/xarchiver_git.bb2
-rw-r--r--meta-xfce/recipes-apps/xfce-polkit/xfce-polkit_0.3.bb2
-rw-r--r--meta-xfce/recipes-apps/xfce4-datetime-setter/xfce4-datetime-setter_3.32.2.bb2
-rw-r--r--meta-xfce/recipes-panel-plugins/closebutton/xfce4-closebutton-plugin_git.bb2
547 files changed, 10353 insertions, 894 deletions
diff --git a/contrib/pw-am.sh b/contrib/pw-am.sh
index 8987eee8e..d9d1187b0 100755
--- a/contrib/pw-am.sh
+++ b/contrib/pw-am.sh
@@ -9,7 +9,7 @@
for patchnumber in $@;
do
- wget -nv http://patches.openembedded.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch
+ wget -nv http://patchwork.yoctoproject.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch
git am -s pw-am-$patchnumber.patch
rm pw-am-$patchnumber.patch
done
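Review bot: The replacement `wget` line still downloads the mbox over plain `http://`, and the following line hands that file directly to `git am -s`, so the patch that gets applied and signed off is not protected in transit. Assuming the patchwork host serves TLS, the line should read `wget -nv https://patchwork.yoctoproject.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch`. The loop also runs `git am` even when the download failed, and leaves `$@` and `$patchnumber` unquoted; `for patchnumber in "$@";` together with `wget ... && git am -s "pw-am-$patchnumber.patch"` would cover both. The script starts above this hunk, so anything set up there is not visible here.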
diff --git a/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb b/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb
index d9864ac3e..e4a0f9569 100644
--- a/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb
+++ b/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb
@@ -11,7 +11,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://fsck.c;md5=3859dc73da97909ff1d0125e88a27e02"
DEPENDS = "zlib"
-SRC_URI = "git://github.com/prasad-joshi/logfsprogs.git \
+SRC_URI = "git://github.com/prasad-joshi/logfsprogs.git;branch=master;protocol=https \
file://0001-Add-LDFLAGS-to-linker-cmdline.patch \
file://0001-btree-Avoid-conflicts-with-libc-namespace-about-setk.patch \
file://0001-include-sys-sysmacros.h-for-major-minor-definition.patch \
diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb
index 6f5cb6cee..efb331d7b 100644
--- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb
+++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb
@@ -10,8 +10,7 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \
file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \
"
S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}"
-SRC_URI[md5sum] = "d97474ae1954f772c6d2fa386a6f462c"
-SRC_URI[sha256sum] = "3e5a021d7b761261836dcb305370af299793eedbded731df3d6943802e1262d5"
+SRC_URI[sha256sum] = "f20e36ee68074b845e3629e6bced4706ad053804cbaf062fbae60738f854170c"
UPSTREAM_CHECK_URI = "https://www.tuxera.com/community/open-source-ntfs-3g/"
UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P<pver>\d+(\.\d+)+)\.tgz"
@@ -50,3 +49,5 @@ do_install_append() {
# Satisfy the -dev runtime dependency
ALLOW_EMPTY_${PN} = "1"
+
+CVE_PRODUCT = "tuxera:ntfs-3g"
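Review bot: The added `CVE_PRODUCT = "tuxera:ntfs-3g"` carries no comment explaining why it is needed, and the same is true of `CVE_PRODUCT = "fuse_project:fuse"` in the fuse3_3.9.2.bb and fuse_2.9.9.bb hunks. This value decides which NVD entries cve-check matches against the recipe, so a wrong or stale vendor:product pair would hide applicable CVEs without any build error. I would put a line such as `# NVD tracks this package as vendor "tuxera", product "ntfs-3g"; the recipe name alone does not match` above the assignment, with the equivalent wording in the two fuse recipes. The recipe body above `ALLOW_EMPTY_${PN}` lies outside this hunk.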
diff --git a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb
index 414084449..9e546e8a3 100644
--- a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb
+++ b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=628b867016631792781a8735a04760e5 \
DEPENDS = "fuse virtual/libusb0"
# v3.2p3
SRCREV = "3744375dfaa350e31c9b360eb1e1a517bbeb5c47"
-SRC_URI = "git://github.com/owfs/owfs \
+SRC_URI = "git://github.com/owfs/owfs;branch=master;protocol=https \
file://0001-Add-build-rule-for-README.patch \
file://owhttpd \
file://owserver \
diff --git a/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb b/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb
index bf9c34dc9..9b776e9dc 100644
--- a/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb
+++ b/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb
@@ -6,7 +6,7 @@ LICENSE = "GPLv2"
DEPENDS = "glib-2.0 fuse3"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/libfuse/sshfs"
+SRC_URI = "git://github.com/libfuse/sshfs;branch=master;protocol=https"
SRCREV = "a7e1038203c856cc7e052d439d1da49fe131339f"
S = "${WORKDIR}/git"
diff --git a/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb b/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb
index 3dd5c82ee..13273f7bc 100644
--- a/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb
+++ b/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://src/unionfs.c;beginline=3;endline=8;md5=30fa8de70fd8a
file://LICENSE;md5=7e5a37fce17307066eec6b23546da3b3 \
"
-SRC_URI = "git://github.com/rpodgorny/${BPN}.git;branch=master \
+SRC_URI = "git://github.com/rpodgorny/${BPN}.git;branch=master;protocol=https \
file://0001-support-cross-compiling.patch \
"
SRCREV = "8d732962423c3ca5be1f14b7ec139ff464e10a51"
diff --git a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb
index 24b17fc93..dc9132a82 100644
--- a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb
+++ b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb
@@ -22,6 +22,8 @@ UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>3(\.\d+)+).tar.xz"
inherit meson pkgconfig
+CVE_PRODUCT = "fuse_project:fuse"
+
DEPENDS = "udev"
PACKAGES =+ "fuse3-utils"
diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb
index 49682b3cd..4ec121351 100644
--- a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb
+++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb
@@ -27,6 +27,8 @@ CVE_CHECK_WHITELIST += "CVE-2019-14860"
UPSTREAM_CHECK_URI = "https://github.com/libfuse/libfuse/releases"
UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>2(\.\d+)+).tar.gz"
+CVE_PRODUCT = "fuse_project:fuse"
+
inherit autotools pkgconfig update-rc.d systemd
INITSCRIPT_NAME = "fuse"
diff --git a/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb b/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb
index 98bd478f3..2c5a9e16b 100644
--- a/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb
+++ b/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb
@@ -9,7 +9,7 @@ DEPENDS = "util-linux"
# v1.13.0
SRCREV = "284f77f0075a16a2ad1f3b0fb89b7f64a1bc755d"
-SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git \
+SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git;branch=master \
file://0001-f2fs-tools-Use-srcdir-prefix-to-denote-include-path.patch \
"
S = "${WORKDIR}/git"
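Review bot: The fetch in this recipe stays on the unauthenticated git:// transport, because the new SRC_URI gains `branch=master` but no `protocol=` parameter, while the github.com recipes in the same commit are moved to `protocol=https`. The same gap remains in the ubi-utils-klibc (git.infradead.org) and kexec-tools-klibc (git.kernel.org) hunks, in libcamera.bb, which keeps an explicit `protocol=git`, and in dracut_git.bb, which keeps `protocol=http`. The pinned SRCREV limits what a tampered fetch can deliver, but that protection rests on the commit id alone. Assuming these hosts serve the repositories over HTTPS, I would write `SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git;branch=master;protocol=https \` here and make the matching change in the other four recipes.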
diff --git a/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb b/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb
index c72671739..c90a7ecc2 100644
--- a/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb
+++ b/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb
@@ -7,7 +7,7 @@ HOMEPAGE = "https://github.com/Gregwar/fatcat"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=57fbbfebd0dd1d6ff21b8cecb552a03f"
-SRC_URI = "git://github.com/Gregwar/fatcat.git \
+SRC_URI = "git://github.com/Gregwar/fatcat.git;branch=master;protocol=https \
file://0001-Use-unistd.h-not-argp.h-for-all-POSIX-systems.patch \
"
diff --git a/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb b/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb
index 88d495b68..c258a128e 100644
--- a/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb
+++ b/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb
@@ -3,7 +3,7 @@ SECTION = "console/tools"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-SRC_URI = "git://salsa.debian.org/parted-team/fatresize.git;protocol=https"
+SRC_URI = "git://salsa.debian.org/parted-team/fatresize.git;protocol=https;branch=master"
SRCREV = "3f80afc76ad82d4a1b852a6c8dea24cd9f5e7a24"
PV = "1.0.2-11"
diff --git a/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb b/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb
index 23583650b..ed003ee7b 100644
--- a/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb
+++ b/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb
@@ -8,7 +8,7 @@ BRANCH ?= "dev"
SRCREV = "a3cf93b66f4606a46354cf884d24aa966661f848"
-SRC_URI = "git://github.com/westerndigitalcorporation/ufs-utils.git;protocol=git;branch=${BRANCH} \
+SRC_URI = "git://github.com/westerndigitalcorporation/ufs-utils.git;protocol=https;branch=${BRANCH} \
file://0001-Replace-u_intXX_t-with-kernel-typedefs.patch \
"
diff --git a/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb b/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb
index 90e553301..756427566 100644
--- a/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb
+++ b/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb
@@ -6,7 +6,7 @@ DEPENDS = "glib-2.0 gtk+3 gdk-pixbuf clutter-1.0 clutter-gtk-1.0 libsoup-2.4"
inherit meson gobject-introspection
SRCREV = "145e417f32e507b63c21ad4e915b808a6174099e"
-SRC_URI = "git://github.com/gnome/libchamplain.git"
+SRC_URI = "git://github.com/gnome/libchamplain.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-gnome/recipes-support/ibus/ibus.inc b/meta-gnome/recipes-support/ibus/ibus.inc
index 1bbeb2c48..c0c0b3b31 100644
--- a/meta-gnome/recipes-support/ibus/ibus.inc
+++ b/meta-gnome/recipes-support/ibus/ibus.inc
@@ -10,7 +10,7 @@ PV = "1.5.22"
DEPENDS = "unicode-ucd"
SRC_URI = " \
- git://github.com/ibus/ibus.git \
+ git://github.com/ibus/ibus.git;branch=master;protocol=https \
file://0001-Do-not-try-to-start-dbus-we-do-not-have-dbus-lauch.patch \
"
SRCREV = "e3262f08b9e3efc57808700823b0622ec03a1b5f"
diff --git a/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb b/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb
index d567d00d3..fb4c81672 100644
--- a/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb
+++ b/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb
@@ -13,7 +13,7 @@ B = "${S}"
SRCREV = "736ccef40d39603b8111c8a3a0bca0319bbafdc0"
PV = "3.0+git${SRCPV}"
-SRC_URI = "git://github.com/engla/keybinder.git;branch=keybinder-3.0 \
+SRC_URI = "git://github.com/engla/keybinder.git;branch=keybinder-3.0;protocol=https \
"
RDEPENDS_${PN} = "gtk+"
diff --git a/meta-gnome/recipes-support/libhandy/libhandy_git.bb b/meta-gnome/recipes-support/libhandy/libhandy_git.bb
index 8c6159f99..6d63ddb86 100644
--- a/meta-gnome/recipes-support/libhandy/libhandy_git.bb
+++ b/meta-gnome/recipes-support/libhandy/libhandy_git.bb
@@ -2,7 +2,7 @@ SUMMARY = "A library full of GTK+ widgets for mobile phones"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://source.puri.sm/Librem5/${BPN}.git;protocol=https"
+SRC_URI = "git://source.puri.sm/Librem5/${BPN}.git;protocol=https;branch=master"
SRCREV = "ef7c4bf75ae239495141ada83d2fbaf034315563"
S = "${WORKDIR}/git"
PV = "0.0.12"
diff --git a/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb b/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb
index 96dd880b6..837807ccf 100644
--- a/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb
+++ b/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2750797da77c1d784e7626b3f7d7ff3e"
DEPENDS_class-target = "${BPN}-native"
SRC_URI = "\
- git://github.com/snowballstem/snowball.git \
+ git://github.com/snowballstem/snowball.git;branch=master;protocol=https \
file://0001-Build-so-lib.patch \
file://0002-snowball-stemwords-do-link-with-LDFLAGS-set-by-build.patch \
"
diff --git a/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb b/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb
index 6fb3b82ef..5db78b7cf 100644
--- a/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb
+++ b/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb
@@ -9,6 +9,6 @@ DEPENDS = " \
inherit autotools pkgconfig
-SRC_URI = "git://github.com/linuxwacom/libwacom.git"
+SRC_URI = "git://github.com/linuxwacom/libwacom.git;branch=master;protocol=https"
SRCREV = "87cc710e21a6220e267dd08936bbec2932aa3658"
S = "${WORKDIR}/git"
diff --git a/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb b/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb
index ed3dece3f..ee0504532 100644
--- a/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb
+++ b/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb
@@ -5,7 +5,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
PV = "0.6+git${SRCPV}"
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/kexecboot/kexecboot.git"
+SRC_URI = "git://github.com/kexecboot/kexecboot.git;branch=master;protocol=https"
SRC_URI_append_libc-klibc = " file://0001-kexecboot-Use-new-reboot-API-with-klibc.patch "
SRCREV = "5a5e04be206140059f42ac786d424da1afaa04b6"
diff --git a/meta-initramfs/recipes-devtools/dracut/dracut_git.bb b/meta-initramfs/recipes-devtools/dracut/dracut_git.bb
index 13cf5f6de..dd22b196f 100644
--- a/meta-initramfs/recipes-devtools/dracut/dracut_git.bb
+++ b/meta-initramfs/recipes-devtools/dracut/dracut_git.bb
@@ -10,7 +10,7 @@ PV = "049"
# v048 tag
SRCREV = "225e4b94cbdb702cf512490dcd2ad9ca5f5b22c1"
-SRC_URI = "git://git.kernel.org/pub/scm/boot/dracut/dracut.git;protocol=http \
+SRC_URI = "git://git.kernel.org/pub/scm/boot/dracut/dracut.git;protocol=http;branch=master \
file://0001-util.h-include-sys-reg.h-when-libc-glibc.patch \
file://0001-dracut.sh-improve-udevdir.patch \
file://0001-set-viriable-_drv-not-local.patch \
diff --git a/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb b/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb
index 7403cf64f..c890165b6 100644
--- a/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb
+++ b/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb
@@ -14,7 +14,7 @@ DEPENDS_append_libc-musl = " libexecinfo"
S = "${WORKDIR}/git"
SRCREV = "79c5cfa02c567efdc5bb18cdd584789e2e35aa23"
-SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https; \
+SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=master \
file://grubby-rename-grub2-editenv-to-grub-editenv.patch \
file://run-ptest \
file://0001-Add-another-variable-LIBS-to-provides-libraries-from.patch \
diff --git a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb
index 7248147a5..c0797ac5c 100644
--- a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb
+++ b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb
@@ -14,7 +14,7 @@ DEPENDS_append_libc-musl = " libexecinfo"
S = "${WORKDIR}/git"
SRCREV = "a1d2ae93408c3408e672d7eba4550fdf27fb0201"
-SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https; \
+SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=master \
file://grubby-rename-grub2-editenv-to-grub-editenv.patch \
file://run-ptest \
file://0001-Add-another-variable-LIBS-to-provides-libraries-from.patch \
diff --git a/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb b/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb
index d32238162..fe5898a90 100644
--- a/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb
+++ b/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
inherit autotools pkgconfig klibc
SRCREV = "64f61a9dc71b158c7084006cbce4ea23886f0b47"
-SRC_URI = "git://git.infradead.org/mtd-utils.git \
+SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master \
file://0001-libmissing.h-fix-klibc-build-when-using-glibc-toolch.patch \
file://0002-Instead-of-doing-preprocessor-magic-just-output-off_.patch \
file://0003-Makefile.am-only-build-ubi-utils.patch \
diff --git a/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb b/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb
index 7ad55d8b8..143ac6f43 100644
--- a/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb
+++ b/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb
@@ -12,7 +12,7 @@ DEPENDS = "zlib xz"
inherit klibc autotools
-SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git"
+SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git;branch=master"
SRCREV = "5750980cdbbc33ef75bfba6660295b932376ce15"
BUILD_PATCHES = "file://0001-force-static-build.patch \
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
index 828e351be..ef473c489 100644
--- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
+++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=394a0f17b97f33426275571e15920434"
PV = "1.8.4+git${SRCPV}"
# release-1.8.4
SRCREV = "d5a01fc9895daae98a0c5a8c7d3afce46add529d"
-SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https \
+SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https;branch=master \
file://CVE-2020-13848.patch"
S="${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb b/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb
index 20faef047..32e74f08c 100644
--- a/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb
+++ b/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb
@@ -8,7 +8,7 @@ DEPENDS = "avahi cmake-native dvb-apps libdvbcsa libpcre2 openssl uriparser zlib
LICENSE = "GPLv3+"
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=9cae5acac2e9ee2fc3aec01ac88ce5db"
-SRC_URI = "git://github.com/tvheadend/tvheadend.git \
+SRC_URI = "git://github.com/tvheadend/tvheadend.git;branch=master;protocol=https \
file://0001-adjust-for-64bit-time_t.patch \
file://0001-allocate-space-for-buf-on-heap.patch \
"
diff --git a/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb b/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb
index 1a51abc36..343b9d791 100644
--- a/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb
+++ b/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb
@@ -4,7 +4,7 @@ LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c"
SRCREV = "b93deed1a231dd6dd7e39b9fe7d2abe05aa00158"
-SRC_URI = "git://github.com/foo86/dcadec.git;protocol=https \
+SRC_URI = "git://github.com/foo86/dcadec.git;protocol=https;branch=master \
file://0001-define-BASELIB-make-variable.patch \
"
diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb
index f23bc6ca8..c89156dcf 100644
--- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb
+++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \
DEPENDS = "glib-2.0 dbus dleyna-core"
-SRC_URI = "git://github.com/01org/${BPN}.git"
+SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https"
SRCREV = "de913c35e5c936e2d40ddbd276ee902cd802bd3a"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb
index 8939cd36e..647532d9f 100644
--- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb
+++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb
@@ -13,7 +13,7 @@ DEPENDS = "glib-2.0 gupnp"
PV .= "+git${SRCPV}"
-SRC_URI = "git://github.com/01org/${BPN}.git"
+SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https"
SRCREV = "1c6853f5bc697dc0a8774fd70dbc915c4dbe7c5b"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb
index 642f21bd5..4b5376344 100644
--- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb
+++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \
DEPENDS = "glib-2.0 gssdp gupnp gupnp-av gupnp-dlna libsoup-2.4 dleyna-core"
RDEPENDS_${PN} = "dleyna-connector-dbus"
-SRC_URI = "git://github.com/01org/${BPN}.git \
+SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https \
file://0001-add-gupnp-1.2-API-support.patch \
"
SRCREV = "50fd1ec9d51328e7dea98874129dc8d6fe3ea1dd"
diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb
index e31b7aea2..5fa3e2373 100644
--- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb
+++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb
@@ -12,7 +12,7 @@ DEPENDS = "glib-2.0 gssdp gupnp gupnp-av gupnp-dlna libsoup-2.4 libxml2 dleyna-c
RDEPENDS_${PN} = "dleyna-connector-dbus"
PV .= "+git${SRCPV}"
-SRC_URI = "git://github.com/01org/${BPN}.git"
+SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https"
SRCREV = "eb895ae82715e9889a948ffa810c0f828b4f4c76"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb b/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb
index d7911681c..c499119c6 100644
--- a/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb
+++ b/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb
@@ -11,7 +11,7 @@ LICENSE = "Fraunhofer_FDK_AAC_Codec_Library_for_Android"
LICENSE_FLAGS = "commercial"
LIC_FILES_CHKSUM = "file://NOTICE;md5=5985e1e12f4afa710d64ed7bfd291875"
-SRC_URI = "git://github.com/mstorsjo/fdk-aac.git;protocol=git;branch=master"
+SRC_URI = "git://github.com/mstorsjo/fdk-aac.git;protocol=https;branch=master"
SRCREV = "d387d3b6ed79ff9a82c60440bdd86e6e5e324bec"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
index fcc9df8c3..ee3e38cd9 100644
--- a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
+++ b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
@@ -4,7 +4,7 @@ SECTION = "libs/multimedia"
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;md5=fc178bcd425090939a8b634d1d6a9594"
-SRC_URI = "git://github.com/FluidSynth/fluidsynth.git"
+SRC_URI = "git://github.com/FluidSynth/fluidsynth.git;branch=master;protocol=https"
SRCREV = "19a20eb8526465fdf940b740b13462d71e190a1a"
S = "${WORKDIR}/git"
PV = "2.1.3"
diff --git a/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb b/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb
index c96e4c52e..2f9ceffab 100644
--- a/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb
+++ b/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb
@@ -3,7 +3,7 @@ Description = "Gerbera - An UPnP media server"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=25cdec9afe3f1f26212ead6bd2f7fac8"
-SRC_URI = "git://github.com/v00d00/gerbera.git;protocol=https \
+SRC_URI = "git://github.com/v00d00/gerbera.git;protocol=https;branch=master \
"
PV = "1.3.2"
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb b/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb
index d047caef5..19d43a4b7 100644
--- a/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb
+++ b/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb
@@ -14,10 +14,10 @@ PV = "0.6.1"
SRCREV_base = "c41a05cc9e2310c2f73eda4b4f0b4477bf4479c5"
SRCREV_common = "88e512ca7197a45c4114f7fa993108f23245bf50"
-
+SRCREV_FORMAT = "base_common"
SRC_URI = " \
git://github.com/RidgeRun/gst-shark.git;protocol=https;branch=${SRCBRANCH};name=base \
- git://gitlab.freedesktop.org/gstreamer/common.git;protocol=https;destsuffix=git/common;name=common; \
+ git://gitlab.freedesktop.org/gstreamer/common.git;protocol=https;destsuffix=git/common;name=common;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
index 3f8fe2f36..e16fd2596 100644
--- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
+++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "\
"
SRC_URI = " \
- git://linuxtv.org/libcamera.git;protocol=git \
+ git://linuxtv.org/libcamera.git;protocol=git;branch=master \
"
SRCREV = "a8be6e94e79f602d543a15afd44ef60e378b138f"
diff --git a/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb b/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb
index 7f042c382..4cf8e2eff 100644
--- a/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb
+++ b/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
SRCREV = "bc6c0b164a87ce05e9925785cc6fb3f54c02b026"
-SRC_URI = "git://code.videolan.org/videolan/libdvbcsa.git;protocol=https \
+SRC_URI = "git://code.videolan.org/videolan/libdvbcsa.git;protocol=https;branch=master \
file://libdvbcsa.pc \
"
diff --git a/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb b/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb
index f060f1e80..cb42d943f 100644
--- a/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb
+++ b/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://alpha.cpp;beginline=3;endline=22;md5=6665e479f71feb92
PV = "1.10+git${SRCPV}"
SRCREV = "52e7d93c5947f72380521116c05d97c528863ba8"
-SRC_URI = "git://github.com/OpenELEC/libsquish.git;protocol=https"
+SRC_URI = "git://github.com/OpenELEC/libsquish.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb b/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb
index b313b110c..4631b037b 100644
--- a/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb
+++ b/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb
@@ -20,7 +20,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=416ef1ca5167707fe381d7be33664a33"
DEPENDS = "curl-native icu"
SRCREV = "67e43bf0fa56008276b878ec3790aa5f32eb2a16"
-SRC_URI = "git://github.com/MycroftAI/mimic.git"
+SRC_URI = "git://github.com/MycroftAI/mimic.git;branch=master;protocol=https"
inherit autotools
diff --git a/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb b/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb
index ca9d94a19..253f995d8 100644
--- a/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb
+++ b/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb
@@ -8,7 +8,7 @@ DEPENDS = "expat libxml2 libxml2-native neon neon-native"
PV = "5.1.0+git${SRCPV}"
SRCREV = "44c05779dd996035758f5ec426766aeedce29cc3"
-SRC_URI = "git://github.com/metabrainz/libmusicbrainz.git \
+SRC_URI = "git://github.com/metabrainz/libmusicbrainz.git;branch=master;protocol=https \
file://allow-libdir-override.patch "
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb b/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb
index 235e63e48..84b7baab2 100644
--- a/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb
+++ b/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb
@@ -6,7 +6,7 @@ HOMEPAGE = "https://www.musicpd.org/libs/libmpdclient/"
inherit meson
SRC_URI = " \
- git://github.com/MusicPlayerDaemon/libmpdclient \
+ git://github.com/MusicPlayerDaemon/libmpdclient;branch=master;protocol=https \
"
SRCREV = "4e8d990eb5239566ee948f1cd79b7248e008620a"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb b/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb
index 41abe7108..b4fce35df 100644
--- a/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb
+++ b/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb
@@ -10,7 +10,7 @@ DEPENDS += " \
"
SRC_URI = " \
- git://github.com/MusicPlayerDaemon/mpc \
+ git://github.com/MusicPlayerDaemon/mpc;branch=master;protocol=https \
"
SRCREV = "59875acdf34e5f0eac0c11453c49daef54f78413"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb
index 133ee6e79..3f2051599 100644
--- a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb
+++ b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb
@@ -17,7 +17,7 @@ DEPENDS += " \
"
SRC_URI = " \
- git://github.com/MusicPlayerDaemon/MPD;branch=v0.20.x \
+ git://github.com/MusicPlayerDaemon/MPD;branch=v0.20.x;protocol=https \
file://mpd.conf.in \
file://0001-StringBuffer-Include-cstddef-for-size_t.patch \
file://0002-Include-stdexcept-for-runtime_error.patch \
diff --git a/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb b/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb
index 0c99c7c69..c92a4421a 100644
--- a/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb
+++ b/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb
@@ -31,7 +31,7 @@ PACKAGECONFIG[outputs_screen] = "-Doutputs_screen=true,-Doutputs_screen=false"
PACKAGECONFIG[chat_screen] = "-Dchat_screen=true,-Dchat_screen=false"
SRC_URI = " \
- git://github.com/MusicPlayerDaemon/ncmpc \
+ git://github.com/MusicPlayerDaemon/ncmpc;branch=master;protocol=https \
"
SRCREV = "79cf9905355f25bc5cc6d5a05d2846d75342f554"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb b/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb
index 62d1ad7f7..e71cb8701 100644
--- a/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb
+++ b/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb
@@ -7,7 +7,7 @@ LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=79aa497b11564d1d419ee889e7b498f6"
SRCREV = "913f29d3d550637934f9abf43a097eb2c30d76fc"
-SRC_URI = "git://github.com/MycroftAI/mycroft-core.git;branch=master \
+SRC_URI = "git://github.com/MycroftAI/mycroft-core.git;branch=master;protocol=https \
file://0001-Remove-python-venv.patch \
file://0002-dev_setup.sh-Remove-the-git-dependency.patch \
file://0003-dev_setup.sh-Remove-the-TERM-dependency.patch \
diff --git a/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb b/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb
index a9cdfac8a..5787f2203 100644
--- a/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb
+++ b/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb
@@ -7,7 +7,7 @@ inherit cmake pkgconfig
# openal-soft-1.19.1
SRCREV = "6761218e51699f46bf25c377e65b3e9ea5e434b9"
-SRC_URI = "git://github.com/kcat/openal-soft \
+SRC_URI = "git://github.com/kcat/openal-soft;branch=master;protocol=https \
file://0001-Use-BUILD_CC-to-compile-native-tools.patch \
file://0002-makehrtf-Disable-Wstringop-truncation.patch \
"
diff --git a/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb b/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb
index 5f78be4f5..53ee2a82f 100644
--- a/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb
+++ b/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb
@@ -9,7 +9,7 @@ DEPENDS = "gnutls zlib"
SRCREV = "fa8646daeb19dfd12c181f7d19de708d623704c0"
SRC_URI = " \
- git://git.ffmpeg.org/rtmpdump \
+ git://git.ffmpeg.org/rtmpdump;branch=master \
file://fix-racing-build-issue.patch"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
index c651d8113..47f7af46b 100644
--- a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
+++ b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
@@ -3,7 +3,7 @@ LICENSE = "CC-BY-3.0"
# http://www.bigbuckbunny.org/index.php/about/
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7"
-SRC_URI = "https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi"
+SRC_URI = "http://www.peach.themazzone.com/big_buck_bunny_1080p_surround.avi"
SRC_URI[md5sum] = "223991c8b33564eb77988a4c13c1c76a"
SRC_URI[sha256sum] = "69fe2cfe7154a6e752688e3a0d7d6b07b1605bbaf75b56f6470dc7b4c20c06ea"
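Review bot: The replacement SRC_URI on the added line downloads over plain `http://` from a different host than the removed `https://` one, so nothing in the transport authenticates the file. Integrity rests on the `SRC_URI[sha256sum]` entry in the context lines, which must stay in place; the md5sum entry alone would not be adequate. A short comment above the URI would record this, for example `# plain-http mirror, content is verified by SRC_URI[sha256sum] only`.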
diff --git a/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb b/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb
index 062096892..68cf8795a 100644
--- a/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb
+++ b/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb
@@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://NOTICE;md5=dbdefe400d894b510a9de14813181d0b"
SRCREV = "8449529c7e50f432091539ba7b438e79b04059b5"
-SRC_URI = "git://github.com/tinyalsa/tinyalsa \
+SRC_URI = "git://github.com/tinyalsa/tinyalsa;branch=master;protocol=https \
file://0001-Use-CMAKE_INSTALL_-path-instead-of-hardcoding-bin-li.patch \
"
PV = "1.1.1+git${SRCPV}"
diff --git a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb
index 6abf6080b..f8ab1bf68 100644
--- a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb
+++ b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=db1b7a668b2a6f47b2af88fb008ad555 \
file://os.h;beginline=3;endline=14;md5=5c0af5e1bedef3ce8178c89f48cd6f1f"
DEPENDS = "libogg"
-SRC_URI = "git://gitlab.xiph.org/xiph/tremor.git;protocol=https \
+SRC_URI = "git://gitlab.xiph.org/xiph/tremor.git;protocol=https;branch=master \
file://obsolete_automake_macros.patch;striplevel=0 \
file://tremor-arm-thumb2.patch \
"
diff --git a/meta-multimedia/recipes-support/crossguid/crossguid.bb b/meta-multimedia/recipes-support/crossguid/crossguid.bb
index 228b8b654..f2d6e7a24 100644
--- a/meta-multimedia/recipes-support/crossguid/crossguid.bb
+++ b/meta-multimedia/recipes-support/crossguid/crossguid.bb
@@ -10,7 +10,7 @@ DEPENDS += "util-linux"
PV = "0.0+git${SRCPV}"
SRCREV = "b56957ac453575e91ca1b63a80c0077c2b0d011a"
-SRC_URI = "git://github.com/graeme-hill/crossguid;protocol=https"
+SRC_URI = "git://github.com/graeme-hill/crossguid;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb b/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb
index feffa9fe1..50c69a9a0 100644
--- a/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb
+++ b/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb
@@ -9,7 +9,7 @@ DEPENDS = "gstreamer1.0"
S = "${WORKDIR}/git"
SRCREV = "3b862e52e5c53ad1023dc6808effa4cb75572c4b"
-SRC_URI = "git://github.com/kirushyk/gst-instruments.git;protocol=https;"
+SRC_URI = "git://github.com/kirushyk/gst-instruments.git;protocol=https;branch=master"
FILES_${PN}-staticdev += "${libdir}/gstreamer-1.0/*a"
FILES_${PN} += "${libdir}/*"
diff --git a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb
index d4a62bd92..4cb85f815 100644
--- a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb
+++ b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb
@@ -2,7 +2,7 @@ SUMMARY = "a SocketCAN over Ethernet tunnel"
HOMEPAGE = "https://github.com/mguentner/cannelloni"
LICENSE = "GPLv2"
-SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https \
+SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https;branch=master \
file://0001-Use-GNUInstallDirs-instead-of-hard-coding-paths.patch \
file://0002-include-missing-stdexcept-for-runtime_error.patch \
"
diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb
index 2820f9fa6..e9c205618 100644
--- a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb
+++ b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=50bd1d7f135b50d7e218996ba28d0d88"
SRCREV = "4b440a339979852d5a51fb11a822952712231c23"
PV = "1.12+git${SRCPV}"
-SRC_URI = "git://github.com/civetweb/civetweb.git \
+SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \
file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \
"
diff --git a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb
index 90051a319..f85665590 100644
--- a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb
+++ b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=7236695bb6d4461c105d685a8b61c4e3"
SRCREV = "c4b0ed52e751da7823dd9a36e91f93a6310e5525"
-SRC_URI = "git://github.com/tomaszmrugalski/dibbler \
+SRC_URI = "git://github.com/tomaszmrugalski/dibbler;branch=master;protocol=https \
file://dibbler_fix_getSize_crash.patch \
file://0001-linux-port-Rename-pthread_mutex_t-variable-lock.patch \
"
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
index 2c39c4c44..1ea0cb16d 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
@@ -13,7 +13,7 @@ LICENSE = "GPLv2 & LGPLv2+"
LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a"
DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc"
-SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0; \
+SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;protocol=https \
file://freeradius \
file://volatiles.58_radiusd \
file://freeradius-enble-user-in-conf.patch \
diff --git a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb
index 5b27cfe15..c1a814611 100644
--- a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb
+++ b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=0036c1b155f4e999f3e0a373490b5db9"
-SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1"
+SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1;protocol=https"
SRCREV = "12fca29a6d4e99d1b923d6820887fe7b24226904"
UPSTREAM_CHECK_GITTAGREGEX = "libdnet-(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb
index 8444f0b73..66a7aaa6b 100644
--- a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb
+++ b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=587b3fd7fd291e418ff4d2b8f3904755"
SECTION = "libs/networking"
-SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https"
+SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https;branch=master"
SRCREV = "1749fd7b039165a91b8d556b4df18e3e632ad830"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb
index 77be27ffa..6d035f403 100644
--- a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb
+++ b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb
@@ -8,7 +8,7 @@ SECTION = "libs/networking"
SRCREV = "53ae1a5ab37fdfc9ad5c236df3eaf4dd63f0fee9"
-SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x"
+SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb
index 9f123c70f..d91fc752e 100644
--- a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb
+++ b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb
@@ -15,7 +15,7 @@ SRCREV = "5d22e9d22c4a3724d27b80b0cd9b898ae8f59d2b"
PV = "0.98+git${SRCPV}"
SRC_URI = " \
- git://github.com/CanonicalLtd/netplan.git \
+ git://github.com/CanonicalLtd/netplan.git;branch=master;protocol=https \
"
DEPENDS = "glib-2.0 libyaml ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb
index 33a2b7c0c..a28372dd1 100644
--- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb
+++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb
@@ -33,11 +33,12 @@ SRC_URI_append_libc-musl = " \
file://musl/0003-Fix-build-with-musl-for-n-dhcp4.patch \
file://musl/0004-Fix-build-with-musl-systemd-specific.patch \
"
-SRC_URI[sha256sum] = "2b29ccc1531ba7ebba95a97f40c22b963838e8b6833745efe8e6fb71fd8fca77"
+SRC_URI[sha256sum] = "377aa053752eaa304b72c9906f9efcd9fbd5f7f6cb4cd4ad72425a68982cffc6"
S = "${WORKDIR}/NetworkManager-${PV}"
EXTRA_OECONF = " \
+ --disable-firewalld-zone \
--disable-ifcfg-rh \
--disable-more-warnings \
--with-iptables=${sbindir}/iptables \
diff --git a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb
index 597c1920c..144afb484 100644
--- a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb
+++ b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb
@@ -3,7 +3,7 @@ LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=243b725d71bb5df4a1e5920b344b86ad"
SRC_URI = " \
- git://git.infradead.org/users/dwmw2/openconnect.git \
+ git://git.infradead.org/users/dwmw2/openconnect.git;branch=master \
file://0001-trojans-tncc-wrapper.py-convert-to-python3.patch \
"
SRCREV = "ea73851969ae7a6ea54fdd2d2b8c94776af24b2a"
diff --git a/meta-networking/recipes-connectivity/relayd/relayd_git.bb b/meta-networking/recipes-connectivity/relayd/relayd_git.bb
index e3134e41f..a75b43e06 100644
--- a/meta-networking/recipes-connectivity/relayd/relayd_git.bb
+++ b/meta-networking/recipes-connectivity/relayd/relayd_git.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=17;md5=86aad799085683e0a2e1c2684a20bab
DEPENDS = "libubox"
-SRC_URI = "git://git.openwrt.org/project/relayd.git \
+SRC_URI = "git://git.openwrt.org/project/relayd.git;branch=master \
file://0001-rtnl_flush-Error-on-failed-write.patch \
"
diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
index 54e855a09..5d968f147 100644
--- a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
+++ b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
@@ -9,7 +9,7 @@ DEPENDS += "libgcrypt"
PV .= "r550-2jnpr1"
SRCREV = "b1243d29e0c00312ead038b04a2cf5e2fa31d740"
-SRC_URI = "git://github.com/ndpgroup/vpnc \
+SRC_URI = "git://github.com/ndpgroup/vpnc;branch=master;protocol=https \
file://long-help \
file://default.conf \
file://0001-search-for-log-help-in-build-dir.patch \
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb
index db7b0d486..b9c545e15 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
PROVIDES += "cyassl"
RPROVIDES_${PN} = "cyassl"
-SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https"
+SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master"
SRCREV = "e116c89a58af750421d82ece13f80516d2bde02e"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch
new file mode 100644
index 000000000..88794aa7a
--- /dev/null
+++ b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch
@@ -0,0 +1,111 @@
+From d255bf90834fb45be52decf9bc0b4fb46c90f205 Mon Sep 17 00:00:00 2001
+From: Martin Dummer <md11@users.sourceforge.net>
+Date: Sun, 12 Sep 2021 22:52:26 +0200
+Subject: [PATCH] fix buffer overflow in atftpd
+
+Andreas B. Mundt <andi@debian.org> reports:
+
+I've found a problem in atftpd that might be relevant for security.
+The daemon can be crashed by any client sending a crafted combination
+of TFTP options to the server. As TFTP is usually only used in the LAN,
+it's probably not too dramatic.
+
+Observations and how to reproduce the issue
+===========================================
+
+Install bullseye packages and prepare tftp-root:
+ sudo apt install atftp atftpd
+ mkdir tmp
+ touch tmp/file.txt
+
+Run server:
+ /usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace \
+ --logfile=/dev/stdout --verbose=7 --port 2000 tmp
+
+Fetch file from client:
+ /usr/bin/atftp -g --trace --option "blksize 8" \
+ --remote-file file.txt -l /dev/null 127.0.0.1 2000
+
+Crash server by adding another option to the tiny blksize:
+ /usr/bin/atftp -g --trace --option "blksize 8" --option "timeout 3" \
+ --remote-file file.txt -l /dev/null 127.0.0.1 2000
+
+Analysis
+========
+
+The reason for the crash is a buffer overflow. The size of the buffer keeping the data
+to be sent with every segment is calculated by adding 4 bytes to the blksize (for opcode
+and block number). However, the same buffer is used for the OACK, which for a blksize=8
+overflows as soon as another option is set.
+
+Signed-off-by: Martin Dummer <md11@users.sourceforge.net>
+
+CVE: CVE-2021-41054
+Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/d255bf90834fb45be52decf9bc0b4fb46c90f205.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ tftpd_file.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/tftpd_file.c b/tftpd_file.c
+index ff40e8d..37a0906 100644
+--- a/tftpd_file.c
++++ b/tftpd_file.c
+@@ -168,11 +168,24 @@ int tftpd_receive_file(struct thread_data *data)
+ logger(LOG_DEBUG, "timeout option -> %d", timeout);
+ }
+
+- /* blksize options */
++ /*
++ * blksize option, must be the last option evaluated,
++ * because data->data_buffer_size may be modified here,
++ * and may be smaller than the buffer containing options
++ */
+ if ((result = opt_get_blksize(data->tftp_options)) > -1)
+ {
+- if ((result < 8) || (result > 65464))
++ /*
++ * If we receive more options, we have to make sure our buffer for
++ * the OACK is not too small. Use the string representation of
++ * the options here for simplicity, which puts us on the save side.
++ * FIXME: Use independent buffers for OACK and data.
++ */
++ opt_options_to_string(data->tftp_options, string, MAXLEN);
++ if ((result < strlen(string)-2) || (result > 65464))
+ {
++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.",
++ string, strlen(string)-2);
+ tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size);
+ if (data->trace)
+ logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG,
+@@ -531,11 +544,24 @@ int tftpd_send_file(struct thread_data *data)
+ logger(LOG_INFO, "timeout option -> %d", timeout);
+ }
+
+- /* blksize options */
++ /*
++ * blksize option, must be the last option evaluated,
++ * because data->data_buffer_size may be modified here,
++ * and may be smaller than the buffer containing options
++ */
+ if ((result = opt_get_blksize(data->tftp_options)) > -1)
+ {
+- if ((result < 8) || (result > 65464))
++ /*
++ * If we receive more options, we have to make sure our buffer for
++ * the OACK is not too small. Use the string representation of
++ * the options here for simplicity, which puts us on the save side.
++ * FIXME: Use independent buffers for OACK and data.
++ */
++ opt_options_to_string(data->tftp_options, string, MAXLEN);
++ if ((result < strlen(string)-2) || (result > 65464))
+ {
++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.",
++ string, strlen(string)-2);
+ tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size);
+ if (data->trace)
+ logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG,
+--
+2.17.1
+
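Review bot: The new bound `result < strlen(string)-2`, added in both tftpd_receive_file and tftpd_send_file, compares the int `result` with a size_t, and the added logger call passes the same size_t expression to a `%d` conversion. The format argument then has the wrong width on LP64 targets, and an option string shorter than two characters would wrap the subtraction and reject every blksize. Computing it once as `int need = (int)strlen(string) - 2;`, testing `(result < need) || (result > 65464)` and logging `need` keeps the types consistent. The explicit floor of 8 from the removed line is also gone, so the minimum accepted blksize now depends on the option string's length. Both function bodies extend outside the hunks, and because this is a verbatim upstream backport the adjustment belongs in a follow-up patch or upstream.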
diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch
new file mode 100644
index 000000000..310728aac
--- /dev/null
+++ b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch
@@ -0,0 +1,48 @@
+From 9cf799c40738722001552618518279e9f0ef62e5 Mon Sep 17 00:00:00 2001
+From: Simon Rettberg <simon.rettberg@rz.uni-freiburg.de>
+Date: Wed, 10 Jan 2018 17:01:20 +0100
+Subject: [PATCH] options.c: Proper fix for the read-past-end-of-array
+
+This properly fixes what commit:b3e36dd tried to do.
+
+CVE: CVE-2021-46671
+Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/9cf799c40738722001552618518279e9f0ef62e5.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ options.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/options.c b/options.c
+index ee419c6..c716994 100644
+--- a/options.c
++++ b/options.c
+@@ -43,6 +43,12 @@ int opt_parse_request(char *data, int data_size, struct tftp_opt *options)
+ struct tftphdr *tftp_data = (struct tftphdr *)data;
+ size_t size = data_size - sizeof(tftp_data->th_opcode);
+
++ /* sanity check - requests always end in a null byte,
++ * check to prevent argz_next from reading past the end of
++ * data, as it doesn't do bounds checks */
++ if (data_size == 0 || data[data_size-1] != '\0')
++ return ERR;
++
+ /* read filename */
+ entry = argz_next(tftp_data->th_stuff, size, entry);
+ if (!entry)
+@@ -79,6 +85,12 @@ int opt_parse_options(char *data, int data_size, struct tftp_opt *options)
+ struct tftphdr *tftp_data = (struct tftphdr *)data;
+ size_t size = data_size - sizeof(tftp_data->th_opcode);
+
++ /* sanity check - options always end in a null byte,
++ * check to prevent argz_next from reading past the end of
++ * data, as it doesn't do bounds checks */
++ if (data_size == 0 || data[data_size-1] != '\0')
++ return ERR;
++
+ while ((entry = argz_next(tftp_data->th_stuff, size, entry)))
+ {
+ tmp = entry;
+--
+2.17.1
+
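Review bot: The added sanity check in opt_parse_request and opt_parse_options only rejects `data_size == 0`, while `size` is computed just above as `data_size - sizeof(tftp_data->th_opcode)` and stored in a size_t. A `data_size` that is positive but smaller than the opcode field, or negative, would wrap `size` to a very large value or index before the start of `data`. Whether callers can pass such a length is not visible from these hunks. Guarding with `if (data_size <= (int)sizeof(tftp_data->th_opcode) || data[data_size-1] != '\0') return ERR;` would cover both cases, and both function bodies continue outside the hunks.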
diff --git a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb
index ff9084dbf..32b776e57 100644
--- a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb
+++ b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb
@@ -6,9 +6,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=94d55d512a9ba36caa9b7df079bae19f"
SRCREV = "52b71f0831dcbde508bd3a961d84abb80a62480f"
-SRC_URI = "git://git.code.sf.net/p/atftp/code \
+SRC_URI = "git://git.code.sf.net/p/atftp/code;branch=master \
file://atftpd.init \
file://atftpd.service \
+ file://0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch \
+ file://0001-fix-buffer-overflow-in-atftpd.patch \
"
SRC_URI_append_libc-musl = " file://0001-argz.h-fix-musl-compile-add-missing-defines.patch \
file://0002-tftp.h-tftpd.h-fix-musl-compile-missing-include.patch \
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
new file mode 100644
index 000000000..0ddea03c6
--- /dev/null
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
@@ -0,0 +1,83 @@
+From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 15 Jun 2022 10:44:50 +0530
+Subject: [PATCH] CVE-2022-24407
+
+Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
+CVE: CVE-2022-24407
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ plugins/sql.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 95f5f707..5d20759b 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context,
+ char *statement = NULL;
+ char *escap_userid = NULL;
+ char *escap_realm = NULL;
++ char *escap_passwd = NULL;
+ const char *cmd;
+
+ sql_settings_t *settings;
+@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context,
+ "Unable to begin transaction\n");
+ }
+ for (cur = to_store; ret == SASL_OK && cur->name; cur++) {
++ /* Free the buffer, current content is from previous loop. */
++ if (escap_passwd) {
++ sparams->utils->free(escap_passwd);
++ escap_passwd = NULL;
++ }
+
+ if (cur->name[0] == '*') {
+ continue;
+@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context,
+ }
+ sparams->utils->free(statement);
+
++ if (cur->values[0]) {
++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1);
++ if (!escap_passwd) {
++ ret = SASL_NOMEM;
++ break;
++ }
++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]);
++ }
++
+ /* create a statement that we will use */
+ statement = sql_create_statement(cmd, cur->name, escap_userid,
+ escap_realm,
+- cur->values && cur->values[0] ?
+- cur->values[0] : SQL_NULL_VALUE,
++ escap_passwd ?
++ escap_passwd : SQL_NULL_VALUE,
+ sparams->utils);
++ if (!statement) {
++ ret = SASL_NOMEM;
++ break;
++ }
+
+ {
+ char *log_statement =
+ sql_create_statement(cmd, cur->name,
+ escap_userid,
+ escap_realm,
+- cur->values && cur->values[0] ?
++ escap_passwd ?
+ "<omitted>" : SQL_NULL_VALUE,
+ sparams->utils);
+ sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
+@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context,
+ done:
+ if (escap_userid) sparams->utils->free(escap_userid);
+ if (escap_realm) sparams->utils->free(escap_realm);
++ if (escap_passwd) sparams->utils->free(escap_passwd);
+ if (conn) settings->sql_engine->sql_close(conn);
+ if (userid) sparams->utils->free(userid);
+ if (realm) sparams->utils->free(realm);
+--
+2.25.1
+
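Review bot: The added `if (cur->values[0])` in sql_auxprop_store dereferences `cur->values` without the NULL test that the removed lines performed with `cur->values && cur->values[0]`. Unless code earlier in the loop, outside this hunk, guarantees `cur->values` is non-NULL, a property with no value array would now fault here instead of storing SQL_NULL_VALUE. Keeping the original guard, `if (cur->values && cur->values[0]) {`, preserves the old behaviour while still escaping the value. The embedded patch also has no description beyond the CVE id, so a sentence stating that the stored value is now escaped before it is put into the statement would help whoever audits this backport later.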
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
index d3983eb1a..3e7056d67 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3f55e0974e3d6db00ca6f57f2d206396"
SRCREV = "e41cfb986c1b1935770de554872247453fdbb079"
-SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \
+SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \
file://avoid-to-call-AC_TRY_RUN.patch \
file://Fix-hardcoded-libdir.patch \
file://debian_patches_0014_avoid_pic_overwrite.diff \
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \
file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \
file://0001-makeinit.sh-fix-parallel-build-issue.patch \
file://CVE-2019-19906.patch \
+ file://CVE-2022-24407.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb
index 4a9cf9db4..7cf8cfa94 100644
--- a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb
@@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRCREV ?= "34e3ffb194f6fa3028c0eb2ff57e7db2d1026771"
-SRC_URI = "git://github.com/open-iscsi/open-iscsi \
+SRC_URI = "git://github.com/open-iscsi/open-iscsi;branch=master;protocol=https \
file://0001-Makefile-Do-not-set-Werror.patch \
file://initd.debian \
file://99_iscsi-initiator-utils \
diff --git a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb
index 61d656b7c..d5296f6a9 100644
--- a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb
+++ b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb
@@ -13,7 +13,7 @@ RDEPENDS_${PN} = "python3-pygobject python3-dbus"
REQUIRED_DISTRO_FEATURES = "systemd"
SRCREV = "333ef1ed1d7c7c17264fcf7629e5c2f78ab4112c"
-SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https"
+SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch
new file mode 100644
index 000000000..b6ec8c70d
--- /dev/null
+++ b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch
@@ -0,0 +1,46 @@
+From 1f25dae3f38548bad32c5a3ebee4c07938d8c1b8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 30 Dec 2021 10:35:57 +0800
+Subject: [PATCH] fix build with glibc 2.34
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The closefrom() function which is introduced in glibc 2.34 conflicts
+with the one provided by postfix.
+
+Fixes:
+| In file included from attr_clnt.c:88:
+| /usr/include/unistd.h:363:13: error: conflicting types for ‘closefrom’; have ‘void(int)’
+| 363 | extern void closefrom (int __lowfd) __THROW;
+| | ^~~~~~~~~
+| In file included from attr_clnt.c:87:
+| ./sys_defs.h:1506:12: note: previous declaration of ‘closefrom’ with type ‘int(int)’
+| 1506 | extern int closefrom(int);
+| | ^~~~~~~~~
+
+Upstream-Status: Backport
+[https://github.com/vdukhovni/postfix/commit/3d966d3bd5f95b2c918aefb864549fa9f0442e24]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/util/sys_defs.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h
+index 39daa16..5de5855 100644
+--- a/src/util/sys_defs.h
++++ b/src/util/sys_defs.h
+@@ -827,6 +827,9 @@ extern int initgroups(const char *, int);
+ #define HAVE_POSIX_GETPW_R
+ #endif
+ #endif
++#if HAVE_GLIBC_API_VERSION_SUPPORT(2, 34)
++#define HAS_CLOSEFROM
++#endif
+
+ #endif
+
+--
+2.17.1
+
diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb
index db5b41bfb..2612e12be 100644
--- a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb
+++ b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb
@@ -13,6 +13,7 @@ SRC_URI += "ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P
file://postfix-install.patch \
file://icu-config.patch \
file://0001-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \
+ file://0001-fix-build-with-glibc-2.34.patch \
"
-SRC_URI[sha256sum] = "18555183ae8b52a9e76067799279c86f9f2770cdef3836deb8462ee0a0855dec"
-UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.3(\.\d+)+).tar.gz"
+SRC_URI[sha256sum] = "5f71658546d9b65863249dec3a189d084ea0596e23dc4613c579ad3ae75b10d2"
+UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.4(\.\d+)+).tar.gz"
diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch
new file mode 100644
index 000000000..712d5db07
--- /dev/null
+++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch
@@ -0,0 +1,51 @@
+From ed31fe2cbd5b8b1148b467f84f7acea66fa43bb8 Mon Sep 17 00:00:00 2001
+From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
+Date: Tue, 3 Aug 2021 21:53:28 +0200
+Subject: [PATCH] CVE-2021-46854
+
+mod_radius: copy _only_ the password
+
+Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43]
+CVE: CVE-2021-46854
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ contrib/mod_radius.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c
+index b56cdfe..f234dd5 100644
+--- a/contrib/mod_radius.c
++++ b/contrib/mod_radius.c
+@@ -2319,21 +2319,26 @@ static void radius_add_passwd(radius_packet_t *packet, unsigned char type,
+
+ pwlen = strlen((const char *) passwd);
+
++ /* Clear the buffers. */
++ memset(pwhash, '\0', sizeof(pwhash));
++
+ if (pwlen == 0) {
+ pwlen = RADIUS_PASSWD_LEN;
+
+ } if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {
++ /* pwlen is not a multiple of RADIUS_PASSWD_LEN, need to prepare a proper buffer */
++ memcpy(pwhash, passwd, pwlen);
+
+ /* Round up the length. */
+ pwlen += (RADIUS_PASSWD_LEN - 1);
+
+ /* Truncate the length, as necessary. */
+ pwlen &= ~(RADIUS_PASSWD_LEN - 1);
++ } else {
++ /* pwlen is a multiple of RADIUS_PASSWD_LEN, we can just use it. */
++ memcpy(pwhash, passwd, pwlen);
+ }
+
+- /* Clear the buffers. */
+- memset(pwhash, '\0', sizeof(pwhash));
+- memcpy(pwhash, passwd, pwlen);
+
+ /* Find the password attribute. */
+ attrib = radius_get_attrib(packet, RADIUS_PASSWORD);
+--
+2.25.1
+
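Review bot: In the backported `radius_add_passwd` change, the context line `} if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {` has no `else`, so the empty-password case still reads past the end of `passwd`. After `pwlen = RADIUS_PASSWD_LEN` the second test is false, and the new `else` branch runs `memcpy(pwhash, passwd, pwlen)` with a full block length on a zero-length string. Writing `} else if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {` would leave `pwhash` as the zeroed buffer in that case. Neither `memcpy` is visibly bounded by `sizeof(pwhash)`; the declaration of `pwhash` and the start of the function are outside the hunk, so the length may be limited elsewhere. Because the patch is marked as an upstream backport, this is better confirmed and fixed upstream than carried as a local deviation.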
diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb
index 1e4697a63..9ec97b923 100644
--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb
+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb
@@ -12,6 +12,7 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \
file://contrib.patch \
file://build_fixup.patch \
file://proftpd.service \
+ file://CVE-2021-46854.patch \
"
SRC_URI[md5sum] = "13270911c42aac842435f18205546a1b"
SRC_URI[sha256sum] = "91ef74b143495d5ff97c4d4770c6804072a8c8eb1ad1ecc8cc541b40e152ecaf"
diff --git a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb
index 115353fec..071002c5e 100644
--- a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb
+++ b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb
@@ -5,7 +5,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://gpl_license.txt;md5=11c7b65c4a4acb9d5175f7e9bf99c403"
SRCREV = "39276d14b659684c4c0612725ab83ea841c6ef99"
-SRC_URI = "git://github.com/arno-iptables-firewall/aif"
+SRC_URI = "git://github.com/arno-iptables-firewall/aif;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
index 2f627d458..994825cb7 100644
--- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
+++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
@@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl"
SRCREV = "ba196a97e810746e5660fe3f57c87c0ed0f2b324"
PV .= "+git${SRCPV}"
-SRC_URI = "git://git.netfilter.org/libnetfilter_log"
+SRC_URI = "git://git.netfilter.org/libnetfilter_log;branch=master"
S = "${WORKDIR}/git"
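Review bot: The new `SRC_URI` here gains `branch=master` but no `protocol=` parameter, so the fetch stays on the plain `git://` transport, which has no server authentication or encryption. The same holds for the libnetfilter-queue, libnftnl, arptables, bridge-utils, cifs-utils and wireguard-tools hunks, and openflow.inc keeps an explicit `protocol=git`. The pinned `SRCREV` limits what a tampered transfer could substitute, but most other recipes in this commit move to `protocol=https`, and the wireguard-module recipe already uses it for the same git.zx2c4.com host. If these hosts serve HTTPS (not visible from this page), I would write `SRC_URI = "git://git.netfilter.org/libnetfilter_log;protocol=https;branch=master"` here and do likewise in the others.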
diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb
index 896cfdfaa..1bbab6f3c 100644
--- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb
+++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb
@@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl"
SRCREV = "601abd1c71ccdf90753cf294c120ad43fb25dc54"
-SRC_URI = "git://git.netfilter.org/libnetfilter_queue \
+SRC_URI = "git://git.netfilter.org/libnetfilter_queue;branch=master \
file://0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch \
"
diff --git a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb
index 4ff00bf87..fee9967eb 100644
--- a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb
+++ b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb
@@ -5,7 +5,7 @@ SECTION = "libs"
DEPENDS = "libmnl"
SRCREV = "eedafeb6db330b8adff1b7cdd3dac325f9144195"
-SRC_URI = "git://git.netfilter.org/libnftnl \
+SRC_URI = "git://git.netfilter.org/libnftnl;branch=master \
file://0001-avoid-naming-local-function-as-one-of-printf-family.patch \
"
diff --git a/meta-networking/recipes-irc/znc/znc_1.7.5.bb b/meta-networking/recipes-irc/znc/znc_1.7.5.bb
index a3d4b7cc5..d7467ff4a 100644
--- a/meta-networking/recipes-irc/znc/znc_1.7.5.bb
+++ b/meta-networking/recipes-irc/znc/znc_1.7.5.bb
@@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
DEPENDS = "openssl zlib icu"
-SRC_URI = "git://github.com/znc/znc.git;name=znc \
- git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket \
+SRC_URI = "git://github.com/znc/znc.git;name=znc;branch=master;protocol=https \
+ git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket;branch=master;protocol=https \
"
SRCREV_znc = "c7f72f8bc800115ac985e7e13eace78031cb1b50"
SRCREV_Csocket = "e8d9e0bb248c521c2c7fa01e1c6a116d929c41b4"
diff --git a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch b/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
deleted file mode 100644
index a9dc9dc2b..000000000
--- a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From ce8faa3ee266ea69431805e6ed4bd7102d982508 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Thu, 12 Nov 2020 09:43:38 +0100
-Subject: [PATCH] compat: SYM_FUNC_{START,END} were backported to 5.4
-
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-
-Upstream-Status: Backport
-Fixes build failure in Dunfell.
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- compat/compat-asm.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: src/compat/compat-asm.h
-===================================================================
---- src.orig/compat/compat-asm.h
-+++ src/compat/compat-asm.h
-@@ -40,7 +40,7 @@
- #undef pull
- #endif
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0)
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76)
- #define SYM_FUNC_START ENTRY
- #define SYM_FUNC_END ENDPROC
- #endif
diff --git a/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch b/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch
deleted file mode 100644
index f01cfe4e1..000000000
--- a/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 122f06bfd8fc7b06a0899fa9adc4ce8e06900d98 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Sun, 7 Mar 2021 08:14:33 -0700
-Subject: [PATCH] compat: icmp_ndo_send functions were backported extensively
-
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-
-Upstream-Status: Backport
-
-Fixes build with 5.4.103 update.
-/include/linux/icmpv6.h:56:6: note: previous declaration of 'icmpv6_ndo_send' was here
-| 56 | void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info);
-
-Signed-of-by: Armin Kuster <akuster808@gmail.com>
-
----
- src/compat/compat.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: src/compat/compat.h
-===================================================================
---- src.orig/compat/compat.h
-+++ src/compat/compat.h
-@@ -946,7 +946,7 @@ static inline int skb_ensure_writable(st
- }
- #endif
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
-+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 5, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 102) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 178) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 223) && LINUX_VERSION_CODE > KERNEL_VERSION(4, 10, 0)) || LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 259) || defined(ISRHEL8) || defined(ISUBUNTU1804)
- #if IS_ENABLED(CONFIG_NF_NAT)
- #include <linux/ip.h>
- #include <linux/icmpv6.h>
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
deleted file mode 100644
index 6ed988baf..000000000
--- a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-require wireguard.inc
-
-SRCREV = "43f57dac7b8305024f83addc533c9eede6509129"
-
-SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat \
- file://0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch \
- file://0001-compat-icmp_ndo_send-functions-were-backported-exten.patch "
-
-inherit module kernel-module-split
-
-DEPENDS = "virtual/kernel libmnl"
-
-# This module requires Linux 3.10 higher and several networking related
-# configuration options. For exact kernel requirements visit:
-# https://www.wireguard.io/install/#kernel-requirements
-
-EXTRA_OEMAKE_append = " \
- KERNELDIR=${STAGING_KERNEL_DIR} \
- "
-
-MAKE_TARGETS = "module"
-
-RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit"
-MODULE_NAME = "wireguard"
-
-module_do_install() {
- install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}
- install -m 0644 ${MODULE_NAME}.ko \
- ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko
-}
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb
new file mode 100644
index 000000000..df2db1534
--- /dev/null
+++ b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb
@@ -0,0 +1,23 @@
+require wireguard.inc
+
+SRCREV = "18fbcd68a35a892527345dc5679d0b2d860ee004"
+
+SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat;protocol=https;branch=master"
+
+inherit module kernel-module-split
+
+DEPENDS = "virtual/kernel libmnl"
+
+# This module requires Linux 3.10 higher and several networking related
+# configuration options. For exact kernel requirements visit:
+# https://www.wireguard.io/install/#kernel-requirements
+
+EXTRA_OEMAKE_append = " \
+ KERNELDIR=${STAGING_KERNEL_DIR} \
+ "
+
+MAKE_TARGETS = "module"
+MODULES_INSTALL_TARGET = "module-install"
+
+RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit"
+MODULE_NAME = "wireguard"
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb
index f698b9a9a..b63ef8818 100644
--- a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb
+++ b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb
@@ -1,7 +1,7 @@
require wireguard.inc
-SRCREV = "a8063adc8ae9b4fc9848500e93f94bee8ad2e585"
-SRC_URI = "git://git.zx2c4.com/wireguard-tools"
+SRCREV = "3ba6527130c502144e7388b900138bca6260f4e8"
+SRC_URI = "git://git.zx2c4.com/wireguard-tools;branch=master"
inherit bash-completion systemd pkgconfig
@@ -9,7 +9,7 @@ DEPENDS += "wireguard-module libmnl"
do_install () {
oe_runmake DESTDIR="${D}" PREFIX="${prefix}" SYSCONFDIR="${sysconfdir}" \
- SYSTEMDUNITDIR="${systemd_unitdir}" \
+ SYSTEMDUNITDIR="${systemd_system_unitdir}" \
WITH_SYSTEMDUNITS=${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'yes', '', d)} \
WITH_BASHCOMPLETION=yes \
WITH_WGQUICK=yes \
diff --git a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb
index 6dd15ad9f..fdcd90651 100644
--- a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb
+++ b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb
@@ -12,7 +12,7 @@ SECTION = "net"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENCE;md5=411a48ac3c2e9e0911b8dd9aed26f754"
-SRC_URI = "git://github.com/jech/babeld.git;protocol=git"
+SRC_URI = "git://github.com/jech/babeld.git;protocol=https;branch=master"
SRCREV = "0835d5d894ea016ab7b81562466cade2c51a12d4"
UPSTREAM_CHECK_GITTAGREGEX = "babeld-(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc
index cccbfa19a..ab538c620 100644
--- a/meta-networking/recipes-protocols/openflow/openflow.inc
+++ b/meta-networking/recipes-protocols/openflow/openflow.inc
@@ -11,7 +11,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2"
-SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git"
+SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master"
DEPENDS = "virtual/libc"
diff --git a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb
index b02e183db..181698d77 100644
--- a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb
+++ b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb
@@ -8,7 +8,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/xelerance/xl2tpd.git"
+SRC_URI = "git://github.com/xelerance/xl2tpd.git;branch=master;protocol=https"
SRCREV = "ba619c79c4790c78c033df0abde4a9a5de744a08"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/arptables/arptables_git.bb b/meta-networking/recipes-support/arptables/arptables_git.bb
index c02a19944..b59dc4ca1 100644
--- a/meta-networking/recipes-support/arptables/arptables_git.bb
+++ b/meta-networking/recipes-support/arptables/arptables_git.bb
@@ -6,7 +6,7 @@ SRCREV = "efae8949e31f8b2eb6290f377a28384cecaf105a"
PV = "0.0.5+git${SRCPV}"
SRC_URI = " \
- git://git.netfilter.org/arptables \
+ git://git.netfilter.org/arptables;branch=master \
file://0001-Use-ARPCFLAGS-for-package-specific-compiler-flags.patch \
file://arptables-arpt-get-target-fix.patch \
file://arptables.service \
diff --git a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb
index 1c87c48bf..4b195eded 100644
--- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb
+++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f9d20a453221a1b7e32ae84694da2c37"
SRCREV = "42c1aefc303fdf891fbb099ea51f00dca83ab606"
SRC_URI = "\
- git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git \
+ git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git;branch=main \
file://kernel-headers.patch \
file://0005-build-don-t-ignore-CFLAGS-from-environment.patch \
file://0006-libbridge-Modifying-the-AR-to-cross-toolchain.patch \
diff --git a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb
index 8d82ee454..e76481cc1 100644
--- a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb
+++ b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
PV = "6.10"
SRCREV = "5ff5fc2ecc10353fd39ad508db5c2828fd2d8d9a"
-SRC_URI = "git://git.samba.org/cifs-utils.git"
+SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
S = "${WORKDIR}/git"
DEPENDS += "libtalloc"
diff --git a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
index 799cf8611..3da651c47 100644
--- a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
+++ b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=fd0c9adf285a69aa3b4faf34384e1029"
DEPENDS = "curl"
DEPENDS_class-native = "curl-native"
-SRC_URI = "git://github.com/jpbarrette/curlpp.git"
+SRC_URI = "git://github.com/jpbarrette/curlpp.git;branch=master;protocol=https"
SRCREV = "592552a165cc569dac7674cb7fc9de3dc829906f"
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch
new file mode 100644
index 000000000..360931a83
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch
@@ -0,0 +1,1040 @@
+From 74d4fcd756a85bc1823232ea74334f7ccfb9d5d2 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 15 Mar 2021 21:59:51 +0000
+Subject: [PATCH] Use random source ports where possible if source
+ addresses/interfaces in use.
+
+CVE-2021-3448 applies.
+
+It's possible to specify the source address or interface to be
+used when contacting upstream nameservers: server=8.8.8.8@1.2.3.4
+or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
+these have, until now, used a single socket, bound to a fixed
+port. This was originally done to allow an error (non-existent
+interface, or non-local address) to be detected at start-up. This
+means that any upstream servers specified in such a way don't use
+random source ports, and are more susceptible to cache-poisoning
+attacks.
+
+We now use random ports where possible, even when the
+source is specified, so server=8.8.8.8@1.2.3.4 or
+server=8.8.8.8@eth0 will use random source
+ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
+use the explicitly configured port, and should only be done with
+understanding of the security implications.
+Note that this change changes non-existing interface, or non-local
+source address errors from fatal to run-time. The error will be
+logged and communiction with the server not possible.
+
+Upstream-Status: Backport
+CVE: CVE-2021-3448
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGELOG | 22 +++
+ man/dnsmasq.8 | 4 +-
+ src/dnsmasq.c | 31 ++--
+ src/dnsmasq.h | 26 ++--
+ src/forward.c | 392 ++++++++++++++++++++++++++++++--------------------
+ src/loop.c | 20 +--
+ src/network.c | 110 +++++---------
+ src/option.c | 3 +-
+ src/tftp.c | 6 +-
+ src/util.c | 2 +-
+ 10 files changed, 344 insertions(+), 272 deletions(-)
+
+Index: dnsmasq-2.81/man/dnsmasq.8
+===================================================================
+--- dnsmasq-2.81.orig/man/dnsmasq.8
++++ dnsmasq-2.81/man/dnsmasq.8
+@@ -489,7 +489,7 @@ source address specified but the port ma
+ part of the source address. Forcing queries to an interface is not
+ implemented on all platforms supported by dnsmasq.
+ .TP
+-.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]]
++.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<interface>][@<source-ip>[#<port>]]
+ This is functionally the same as
+ .B --server,
+ but provides some syntactic sugar to make specifying address-to-name queries easier. For example
+Index: dnsmasq-2.81/src/dnsmasq.c
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.c
++++ dnsmasq-2.81/src/dnsmasq.c
+@@ -1668,6 +1668,7 @@ static int set_dns_listeners(time_t now)
+ {
+ struct serverfd *serverfdp;
+ struct listener *listener;
++ struct randfd_list *rfl;
+ int wait = 0, i;
+
+ #ifdef HAVE_TFTP
+@@ -1688,11 +1689,14 @@ static int set_dns_listeners(time_t now)
+ for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
+ poll_listen(serverfdp->fd, POLLIN);
+
+- if (daemon->port != 0 && !daemon->osport)
+- for (i = 0; i < RANDOM_SOCKS; i++)
+- if (daemon->randomsocks[i].refcount != 0)
+- poll_listen(daemon->randomsocks[i].fd, POLLIN);
+-
++ for (i = 0; i < RANDOM_SOCKS; i++)
++ if (daemon->randomsocks[i].refcount != 0)
++ poll_listen(daemon->randomsocks[i].fd, POLLIN);
++
++ /* Check overflow random sockets too. */
++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next)
++ poll_listen(rfl->rfd->fd, POLLIN);
++
+ for (listener = daemon->listeners; listener; listener = listener->next)
+ {
+ /* only listen for queries if we have resources */
+@@ -1729,18 +1733,23 @@ static void check_dns_listeners(time_t n
+ {
+ struct serverfd *serverfdp;
+ struct listener *listener;
++ struct randfd_list *rfl;
+ int i;
+ int pipefd[2];
+
+ for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
+ if (poll_check(serverfdp->fd, POLLIN))
+- reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now);
++ reply_query(serverfdp->fd, now);
+
+- if (daemon->port != 0 && !daemon->osport)
+- for (i = 0; i < RANDOM_SOCKS; i++)
+- if (daemon->randomsocks[i].refcount != 0 &&
+- poll_check(daemon->randomsocks[i].fd, POLLIN))
+- reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now);
++ for (i = 0; i < RANDOM_SOCKS; i++)
++ if (daemon->randomsocks[i].refcount != 0 &&
++ poll_check(daemon->randomsocks[i].fd, POLLIN))
++ reply_query(daemon->randomsocks[i].fd, now);
++
++ /* Check overflow random sockets too. */
++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next)
++ if (poll_check(rfl->rfd->fd, POLLIN))
++ reply_query(rfl->rfd->fd, now);
+
+ /* Races. The child process can die before we read all of the data from the
+ pipe, or vice versa. Therefore send tcp_pids to zero when we wait() the
+Index: dnsmasq-2.81/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.h
++++ dnsmasq-2.81/src/dnsmasq.h
+@@ -542,13 +542,20 @@ struct serverfd {
+ };
+
+ struct randfd {
++ struct server *serv;
+ int fd;
+- unsigned short refcount, family;
++ unsigned short refcount; /* refcount == 0xffff means overflow record. */
+ };
+-
++
++struct randfd_list {
++ struct randfd *rfd;
++ struct randfd_list *next;
++};
++
+ struct server {
+ union mysockaddr addr, source_addr;
+ char interface[IF_NAMESIZE+1];
++ unsigned int ifindex; /* corresponding to interface, above */
+ struct serverfd *sfd;
+ char *domain; /* set if this server only handles a domain. */
+ int flags, tcpfd, edns_pktsz;
+@@ -669,8 +676,7 @@ struct frec {
+ struct frec_src *next;
+ } frec_src;
+ struct server *sentto; /* NULL means free */
+- struct randfd *rfd4;
+- struct randfd *rfd6;
++ struct randfd_list *rfds;
+ unsigned short new_id;
+ int fd, forwardall, flags;
+ time_t time;
+@@ -1100,11 +1106,12 @@ extern struct daemon {
+ int forwardcount;
+ struct server *srv_save; /* Used for resend on DoD */
+ size_t packet_len; /* " " */
+- struct randfd *rfd_save; /* " " */
++ int fd_save; /* " " */
+ pid_t tcp_pids[MAX_PROCS];
+ int tcp_pipes[MAX_PROCS];
+ int pipe_to_parent;
+ struct randfd randomsocks[RANDOM_SOCKS];
++ struct randfd_list *rfl_spare, *rfl_poll;
+ int v6pktinfo;
+ struct addrlist *interface_addrs; /* list of all addresses/prefix lengths associated with all local interfaces */
+ int log_id, log_display_id; /* ids of transactions for logging */
+@@ -1275,7 +1282,7 @@ void safe_strncpy(char *dest, const char
+ void safe_pipe(int *fd, int read_noblock);
+ void *whine_malloc(size_t size);
+ int sa_len(union mysockaddr *addr);
+-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2);
++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2);
+ int hostname_isequal(const char *a, const char *b);
+ int hostname_issubdomain(char *a, char *b);
+ time_t dnsmasq_time(void);
+@@ -1326,7 +1333,7 @@ char *parse_server(char *arg, union myso
+ int option_read_dynfile(char *file, int flags);
+
+ /* forward.c */
+-void reply_query(int fd, int family, time_t now);
++void reply_query(int fd, time_t now);
+ void receive_query(struct listener *listen, time_t now);
+ unsigned char *tcp_request(int confd, time_t now,
+ union mysockaddr *local_addr, struct in_addr netmask, int auth_dns);
+@@ -1336,13 +1343,12 @@ int send_from(int fd, int nowild, char *
+ union mysockaddr *to, union all_addr *source,
+ unsigned int iface);
+ void resend_query(void);
+-struct randfd *allocate_rfd(int family);
+-void free_rfd(struct randfd *rfd);
++int allocate_rfd(struct randfd_list **fdlp, struct server *serv);
++void free_rfds(struct randfd_list **fdlp);
+
+ /* network.c */
+ int indextoname(int fd, int index, char *name);
+ int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp);
+-int random_sock(int family);
+ void pre_allocate_sfds(void);
+ int reload_servers(char *fname);
+ void mark_servers(int flag);
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -16,7 +16,7 @@
+
+ #include "dnsmasq.h"
+
+-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash);
++static struct frec *lookup_frec(unsigned short id, int fd, void *hash);
+ static struct frec *lookup_frec_by_sender(unsigned short id,
+ union mysockaddr *addr,
+ void *hash);
+@@ -307,26 +307,18 @@ static int forward_query(int udpfd, unio
+ if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign)
+ PUTSHORT(SAFE_PKTSZ, pheader);
+
+- if (forward->sentto->addr.sa.sa_family == AF_INET)
+- log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
+- else
+- log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
+-
+-
+- if (forward->sentto->sfd)
+- fd = forward->sentto->sfd->fd;
+- else
++ if ((fd = allocate_rfd(&forward->rfds, forward->sentto)) != -1)
+ {
+- if (forward->sentto->addr.sa.sa_family == AF_INET6)
+- fd = forward->rfd6->fd;
++ if (forward->sentto->addr.sa.sa_family == AF_INET)
++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
+ else
+- fd = forward->rfd4->fd;
++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
++
++ while (retry_send(sendto(fd, (char *)header, plen, 0,
++ &forward->sentto->addr.sa,
++ sa_len(&forward->sentto->addr))));
+ }
+
+- while (retry_send(sendto(fd, (char *)header, plen, 0,
+- &forward->sentto->addr.sa,
+- sa_len(&forward->sentto->addr))));
+-
+ return 1;
+ }
+ #endif
+@@ -501,49 +493,28 @@ static int forward_query(int udpfd, unio
+
+ while (1)
+ {
++ int fd;
++
+ /* only send to servers dealing with our domain.
+ domain may be NULL, in which case server->domain
+ must be NULL also. */
+
+ if (type == (start->flags & SERV_TYPE) &&
+ (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
+- !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
++ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) &&
++ ((fd = allocate_rfd(&forward->rfds, start)) != -1))
+ {
+- int fd;
+-
+- /* find server socket to use, may need to get random one. */
+- if (start->sfd)
+- fd = start->sfd->fd;
+- else
+- {
+- if (start->addr.sa.sa_family == AF_INET6)
+- {
+- if (!forward->rfd6 &&
+- !(forward->rfd6 = allocate_rfd(AF_INET6)))
+- break;
+- daemon->rfd_save = forward->rfd6;
+- fd = forward->rfd6->fd;
+- }
+- else
+- {
+- if (!forward->rfd4 &&
+- !(forward->rfd4 = allocate_rfd(AF_INET)))
+- break;
+- daemon->rfd_save = forward->rfd4;
+- fd = forward->rfd4->fd;
+- }
+
+ #ifdef HAVE_CONNTRACK
+- /* Copy connection mark of incoming query to outgoing connection. */
+- if (option_bool(OPT_CONNTRACK))
+- {
+- unsigned int mark;
+- if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
+- setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+- }
+-#endif
++ /* Copy connection mark of incoming query to outgoing connection. */
++ if (option_bool(OPT_CONNTRACK))
++ {
++ unsigned int mark;
++ if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark))
++ setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+ }
+-
++#endif
++
+ #ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER))
+ {
+@@ -574,6 +545,7 @@ static int forward_query(int udpfd, unio
+ /* Keep info in case we want to re-send this packet */
+ daemon->srv_save = start;
+ daemon->packet_len = plen;
++ daemon->fd_save = fd;
+
+ if (!gotname)
+ strcpy(daemon->namebuff, "query");
+@@ -590,7 +562,7 @@ static int forward_query(int udpfd, unio
+ break;
+ forward->forwardall++;
+ }
+- }
++ }
+
+ if (!(start = start->next))
+ start = daemon->servers;
+@@ -805,7 +777,7 @@ static size_t process_reply(struct dns_h
+ }
+
+ /* sets new last_server */
+-void reply_query(int fd, int family, time_t now)
++void reply_query(int fd, time_t now)
+ {
+ /* packet from peer server, extract data for cache, and send to
+ original requester */
+@@ -820,9 +792,9 @@ void reply_query(int fd, int family, tim
+
+ /* packet buffer overwritten */
+ daemon->srv_save = NULL;
+-
++
+ /* Determine the address of the server replying so that we can mark that as good */
+- if ((serveraddr.sa.sa_family = family) == AF_INET6)
++ if (serveraddr.sa.sa_family == AF_INET6)
+ serveraddr.in6.sin6_flowinfo = 0;
+
+ header = (struct dns_header *)daemon->packet;
+@@ -845,7 +817,7 @@ void reply_query(int fd, int family, tim
+
+ hash = hash_questions(header, n, daemon->namebuff);
+
+- if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash)))
++ if (!(forward = lookup_frec(ntohs(header->id), fd, hash)))
+ return;
+
+ #ifdef HAVE_DUMPFILE
+@@ -900,25 +872,8 @@ void reply_query(int fd, int family, tim
+ }
+
+
+- if (start->sfd)
+- fd = start->sfd->fd;
+- else
+- {
+- if (start->addr.sa.sa_family == AF_INET6)
+- {
+- /* may have changed family */
+- if (!forward->rfd6)
+- forward->rfd6 = allocate_rfd(AF_INET6);
+- fd = forward->rfd6->fd;
+- }
+- else
+- {
+- /* may have changed family */
+- if (!forward->rfd4)
+- forward->rfd4 = allocate_rfd(AF_INET);
+- fd = forward->rfd4->fd;
+- }
+- }
++ if ((fd = allocate_rfd(&forward->rfds, start)) == -1)
++ return;
+
+ #ifdef HAVE_DUMPFILE
+ dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)plen, NULL, &start->addr);
+@@ -1126,8 +1081,7 @@ void reply_query(int fd, int family, tim
+ }
+
+ new->sentto = server;
+- new->rfd4 = NULL;
+- new->rfd6 = NULL;
++ new->rfds = NULL;
+ new->frec_src.next = NULL;
+ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA);
+ new->forwardall = 0;
+@@ -1166,24 +1120,7 @@ void reply_query(int fd, int family, tim
+ /* Don't resend this. */
+ daemon->srv_save = NULL;
+
+- if (server->sfd)
+- fd = server->sfd->fd;
+- else
+- {
+- fd = -1;
+- if (server->addr.sa.sa_family == AF_INET6)
+- {
+- if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
+- fd = new->rfd6->fd;
+- }
+- else
+- {
+- if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
+- fd = new->rfd4->fd;
+- }
+- }
+-
+- if (fd != -1)
++ if ((fd = allocate_rfd(&new->rfds, server)) != -1)
+ {
+ #ifdef HAVE_CONNTRACK
+ /* Copy connection mark of incoming query to outgoing connection. */
+@@ -1344,7 +1281,7 @@ void receive_query(struct listener *list
+
+ /* packet buffer overwritten */
+ daemon->srv_save = NULL;
+-
++
+ dst_addr_4.s_addr = dst_addr.addr4.s_addr = 0;
+ netmask.s_addr = 0;
+
+@@ -2207,9 +2144,8 @@ static struct frec *allocate_frec(time_t
+ f->next = daemon->frec_list;
+ f->time = now;
+ f->sentto = NULL;
+- f->rfd4 = NULL;
++ f->rfds = NULL;
+ f->flags = 0;
+- f->rfd6 = NULL;
+ #ifdef HAVE_DNSSEC
+ f->dependent = NULL;
+ f->blocking_query = NULL;
+@@ -2221,46 +2157,192 @@ static struct frec *allocate_frec(time_t
+ return f;
+ }
+
+-struct randfd *allocate_rfd(int family)
++/* return a UDP socket bound to a random port, have to cope with straying into
++ occupied port nos and reserved ones. */
++static int random_sock(struct server *s)
++{
++ int fd;
++
++ if ((fd = socket(s->source_addr.sa.sa_family, SOCK_DGRAM, 0)) != -1)
++ {
++ if (local_bind(fd, &s->source_addr, s->interface, s->ifindex, 0))
++ return fd;
++
++ if (s->interface[0] == 0)
++ (void)prettyprint_addr(&s->source_addr, daemon->namebuff);
++ else
++ strcpy(daemon->namebuff, s->interface);
++
++ my_syslog(LOG_ERR, _("failed to bind server socket to %s: %s"),
++ daemon->namebuff, strerror(errno));
++ close(fd);
++ }
++
++ return -1;
++}
++
++/* compare source addresses and interface, serv2 can be null. */
++static int server_isequal(const struct server *serv1,
++ const struct server *serv2)
++{
++ return (serv2 &&
++ serv2->ifindex == serv1->ifindex &&
++ sockaddr_isequal(&serv2->source_addr, &serv1->source_addr) &&
++ strncmp(serv2->interface, serv1->interface, IF_NAMESIZE) == 0);
++}
++
++/* fdlp points to chain of randomfds already in use by transaction.
++ If there's already a suitable one, return it, else allocate a
++ new one and add it to the list.
++
++ Not leaking any resources in the face of allocation failures
++ is rather convoluted here.
++
++ Note that rfd->serv may be NULL, when a server goes away.
++*/
++int allocate_rfd(struct randfd_list **fdlp, struct server *serv)
+ {
+ static int finger = 0;
+- int i;
++ int i, j = 0;
++ struct randfd_list *rfl;
++ struct randfd *rfd = NULL;
++ int fd = 0;
++
++ /* If server has a pre-allocated fd, use that. */
++ if (serv->sfd)
++ return serv->sfd->fd;
++
++ /* existing suitable random port socket linked to this transaction? */
++ for (rfl = *fdlp; rfl; rfl = rfl->next)
++ if (server_isequal(serv, rfl->rfd->serv))
++ return rfl->rfd->fd;
++
++ /* No. need new link. */
++ if ((rfl = daemon->rfl_spare))
++ daemon->rfl_spare = rfl->next;
++ else if (!(rfl = whine_malloc(sizeof(struct randfd_list))))
++ return -1;
+
+ /* limit the number of sockets we have open to avoid starvation of
+ (eg) TFTP. Once we have a reasonable number, randomness should be OK */
+-
+ for (i = 0; i < RANDOM_SOCKS; i++)
+ if (daemon->randomsocks[i].refcount == 0)
+ {
+- if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
+- break;
+-
+- daemon->randomsocks[i].refcount = 1;
+- daemon->randomsocks[i].family = family;
+- return &daemon->randomsocks[i];
++ if ((fd = random_sock(serv)) != -1)
++ {
++ rfd = &daemon->randomsocks[i];
++ rfd->serv = serv;
++ rfd->fd = fd;
++ rfd->refcount = 1;
++ }
++ break;
+ }
+
+ /* No free ones or cannot get new socket, grab an existing one */
+- for (i = 0; i < RANDOM_SOCKS; i++)
++ if (!rfd)
++ for (j = 0; j < RANDOM_SOCKS; j++)
++ {
++ i = (j + finger) % RANDOM_SOCKS;
++ if (daemon->randomsocks[i].refcount != 0 &&
++ server_isequal(serv, daemon->randomsocks[i].serv) &&
++ daemon->randomsocks[i].refcount != 0xfffe)
++ {
++ finger = i + 1;
++ rfd = &daemon->randomsocks[i];
++ rfd->refcount++;
++ break;
++ }
++ }
++
++ if (j == RANDOM_SOCKS)
+ {
+- int j = (i+finger) % RANDOM_SOCKS;
+- if (daemon->randomsocks[j].refcount != 0 &&
+- daemon->randomsocks[j].family == family &&
+- daemon->randomsocks[j].refcount != 0xffff)
++ struct randfd_list *rfl_poll;
++
++ /* there are no free slots, and non with the same parameters we can piggy-back on.
++ We're going to have to allocate a new temporary record, distinguished by
++ refcount == 0xffff. This will exist in the frec randfd list, never be shared,
++ and be freed when no longer in use. It will also be held on
++ the daemon->rfl_poll list so the poll system can find it. */
++
++ if ((rfl_poll = daemon->rfl_spare))
++ daemon->rfl_spare = rfl_poll->next;
++ else
++ rfl_poll = whine_malloc(sizeof(struct randfd_list));
++
++ if (!rfl_poll ||
++ !(rfd = whine_malloc(sizeof(struct randfd))) ||
++ (fd = random_sock(serv)) == -1)
+ {
+- finger = j;
+- daemon->randomsocks[j].refcount++;
+- return &daemon->randomsocks[j];
++
++ /* Don't leak anything we may already have */
++ rfl->next = daemon->rfl_spare;
++ daemon->rfl_spare = rfl;
++
++ if (rfl_poll)
++ {
++ rfl_poll->next = daemon->rfl_spare;
++ daemon->rfl_spare = rfl_poll;
++ }
++
++ if (rfd)
++ free(rfd);
++
++ return -1; /* doom */
+ }
++
++ /* Note rfd->serv not set here, since it's not reused */
++ rfd->fd = fd;
++ rfd->refcount = 0xffff; /* marker for temp record */
++
++ rfl_poll->rfd = rfd;
++ rfl_poll->next = daemon->rfl_poll;
++ daemon->rfl_poll = rfl_poll;
+ }
+
+- return NULL; /* doom */
++ rfl->rfd = rfd;
++ rfl->next = *fdlp;
++ *fdlp = rfl;
++
++ return rfl->rfd->fd;
+ }
+
+-void free_rfd(struct randfd *rfd)
++void free_rfds(struct randfd_list **fdlp)
+ {
+- if (rfd && --(rfd->refcount) == 0)
+- close(rfd->fd);
++ struct randfd_list *tmp, *rfl, *poll, *next, **up;
++
++ for (rfl = *fdlp; rfl; rfl = tmp)
++ {
++ if (rfl->rfd->refcount == 0xffff || --(rfl->rfd->refcount) == 0)
++ close(rfl->rfd->fd);
++
++ /* temporary overflow record */
++ if (rfl->rfd->refcount == 0xffff)
++ {
++ free(rfl->rfd);
++
++ /* go through the link of all these by steam to delete.
++ This list is expected to be almost always empty. */
++ for (poll = daemon->rfl_poll, up = &daemon->rfl_poll; poll; poll = next)
++ {
++ next = poll->next;
++
++ if (poll->rfd == rfl->rfd)
++ {
++ *up = poll->next;
++ poll->next = daemon->rfl_spare;
++ daemon->rfl_spare = poll;
++ }
++ else
++ up = &poll->next;
++ }
++ }
++
++ tmp = rfl->next;
++ rfl->next = daemon->rfl_spare;
++ daemon->rfl_spare = rfl;
++ }
++
++ *fdlp = NULL;
+ }
+
+ static void free_frec(struct frec *f)
+@@ -2276,12 +2358,9 @@ static void free_frec(struct frec *f)
+ }
+
+ f->frec_src.next = NULL;
+- free_rfd(f->rfd4);
+- f->rfd4 = NULL;
++ free_rfds(&f->rfds);
+ f->sentto = NULL;
+ f->flags = 0;
+- free_rfd(f->rfd6);
+- f->rfd6 = NULL;
+
+ #ifdef HAVE_DNSSEC
+ if (f->stash)
+@@ -2389,26 +2468,39 @@ struct frec *get_new_frec(time_t now, in
+ }
+
+ /* crc is all-ones if not known. */
+-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash)
++static struct frec *lookup_frec(unsigned short id, int fd, void *hash)
+ {
+ struct frec *f;
++ struct server *s;
++ int type;
++ struct randfd_list *fdl;
+
+ for(f = daemon->frec_list; f; f = f->next)
+ if (f->sentto && f->new_id == id &&
+ (memcmp(hash, f->hash, HASH_SIZE) == 0))
+ {
+ /* sent from random port */
+- if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd)
++ for (fdl = f->rfds; fdl; fdl = fdl->next)
++ if (fdl->rfd->fd == fd)
+ return f;
++ }
+
+- if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd)
+- return f;
++ /* Sent to upstream from socket associated with a server.
++ Note we have to iterate over all the possible servers, since they may
++ have different bound sockets. */
++ type = f->sentto->flags & SERV_TYPE;
++ s = f->sentto;
++ do {
++ if ((type == (s->flags & SERV_TYPE)) &&
++ (type != SERV_HAS_DOMAIN ||
++ (s->domain && hostname_isequal(f->sentto->domain, s->domain))) &&
++ !(s->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) &&
++ s->sfd && s->sfd->fd == fd)
++ return f;
++
++ s = s->next ? s->next : daemon->servers;
++ } while (s != f->sentto);
+
+- /* sent to upstream from bound socket. */
+- if (f->sentto->sfd && f->sentto->sfd->fd == fd)
+- return f;
+- }
+-
+ return NULL;
+ }
+
+@@ -2454,30 +2546,26 @@ static struct frec *lookup_frec_by_query
+ void resend_query()
+ {
+ if (daemon->srv_save)
+- {
+- int fd;
+-
+- if (daemon->srv_save->sfd)
+- fd = daemon->srv_save->sfd->fd;
+- else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
+- fd = daemon->rfd_save->fd;
+- else
+- return;
+-
+- while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
+- &daemon->srv_save->addr.sa,
+- sa_len(&daemon->srv_save->addr))));
+- }
++ while(retry_send(sendto(daemon->fd_save, daemon->packet, daemon->packet_len, 0,
++ &daemon->srv_save->addr.sa,
++ sa_len(&daemon->srv_save->addr))));
+ }
+
+ /* A server record is going away, remove references to it */
+ void server_gone(struct server *server)
+ {
+ struct frec *f;
++ int i;
+
+ for (f = daemon->frec_list; f; f = f->next)
+ if (f->sentto && f->sentto == server)
+ free_frec(f);
++
++ /* If any random socket refers to this server, NULL the reference.
++ No more references to the socket will be created in the future. */
++ for (i = 0; i < RANDOM_SOCKS; i++)
++ if (daemon->randomsocks[i].refcount != 0 && daemon->randomsocks[i].serv == server)
++ daemon->randomsocks[i].serv = NULL;
+
+ if (daemon->last_server == server)
+ daemon->last_server = NULL;
+Index: dnsmasq-2.81/src/loop.c
+===================================================================
+--- dnsmasq-2.81.orig/src/loop.c
++++ dnsmasq-2.81/src/loop.c
+@@ -22,6 +22,7 @@ static ssize_t loop_make_probe(u32 uid);
+ void loop_send_probes()
+ {
+ struct server *serv;
++ struct randfd_list *rfds = NULL;
+
+ if (!option_bool(OPT_LOOP_DETECT))
+ return;
+@@ -34,22 +35,15 @@ void loop_send_probes()
+ {
+ ssize_t len = loop_make_probe(serv->uid);
+ int fd;
+- struct randfd *rfd = NULL;
+
+- if (serv->sfd)
+- fd = serv->sfd->fd;
+- else
+- {
+- if (!(rfd = allocate_rfd(serv->addr.sa.sa_family)))
+- continue;
+- fd = rfd->fd;
+- }
++ if ((fd = allocate_rfd(&rfds, serv)) == -1)
++ continue;
+
+ while (retry_send(sendto(fd, daemon->packet, len, 0,
+ &serv->addr.sa, sa_len(&serv->addr))));
+-
+- free_rfd(rfd);
+ }
++
++ free_rfds(&rfds);
+ }
+
+ static ssize_t loop_make_probe(u32 uid)
+Index: dnsmasq-2.81/src/network.c
+===================================================================
+--- dnsmasq-2.81.orig/src/network.c
++++ dnsmasq-2.81/src/network.c
+@@ -545,6 +545,7 @@ int enumerate_interfaces(int reset)
+ #ifdef HAVE_AUTH
+ struct auth_zone *zone;
+ #endif
++ struct server *serv;
+
+ /* Do this max once per select cycle - also inhibits netlink socket use
+ in TCP child processes. */
+@@ -562,7 +563,21 @@ int enumerate_interfaces(int reset)
+
+ if ((param.fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
+ return 0;
+-
++
++ /* iface indexes can change when interfaces are created/destroyed.
++ We use them in the main forwarding control path, when the path
++ to a server is specified by an interface, so cache them.
++ Update the cache here. */
++ for (serv = daemon->servers; serv; serv = serv->next)
++ if (strlen(serv->interface) != 0)
++ {
++ struct ifreq ifr;
++
++ safe_strncpy(ifr.ifr_name, serv->interface, IF_NAMESIZE);
++ if (ioctl(param.fd, SIOCGIFINDEX, &ifr) != -1)
++ serv->ifindex = ifr.ifr_ifindex;
++ }
++
+ /* Mark interfaces for garbage collection */
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+ iface->found = 0;
+@@ -658,7 +673,7 @@ int enumerate_interfaces(int reset)
+
+ errno = errsave;
+ spare = param.spare;
+-
++
+ return ret;
+ }
+
+@@ -798,10 +813,10 @@ int tcp_interface(int fd, int af)
+ /* use mshdr so that the CMSDG_* macros are available */
+ msg.msg_control = daemon->packet;
+ msg.msg_controllen = len = daemon->packet_buff_sz;
+-
++
+ /* we overwrote the buffer... */
+ daemon->srv_save = NULL;
+-
++
+ if (af == AF_INET)
+ {
+ if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 &&
+@@ -1102,59 +1117,6 @@ void join_multicast(int dienow)
+ }
+ #endif
+
+-/* return a UDP socket bound to a random port, have to cope with straying into
+- occupied port nos and reserved ones. */
+-int random_sock(int family)
+-{
+- int fd;
+-
+- if ((fd = socket(family, SOCK_DGRAM, 0)) != -1)
+- {
+- union mysockaddr addr;
+- unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1;
+- int tries = ports_avail < 30 ? 3 * ports_avail : 100;
+-
+- memset(&addr, 0, sizeof(addr));
+- addr.sa.sa_family = family;
+-
+- /* don't loop forever if all ports in use. */
+-
+- if (fix_fd(fd))
+- while(tries--)
+- {
+- unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail)));
+-
+- if (family == AF_INET)
+- {
+- addr.in.sin_addr.s_addr = INADDR_ANY;
+- addr.in.sin_port = port;
+-#ifdef HAVE_SOCKADDR_SA_LEN
+- addr.in.sin_len = sizeof(struct sockaddr_in);
+-#endif
+- }
+- else
+- {
+- addr.in6.sin6_addr = in6addr_any;
+- addr.in6.sin6_port = port;
+-#ifdef HAVE_SOCKADDR_SA_LEN
+- addr.in6.sin6_len = sizeof(struct sockaddr_in6);
+-#endif
+- }
+-
+- if (bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == 0)
+- return fd;
+-
+- if (errno != EADDRINUSE && errno != EACCES)
+- break;
+- }
+-
+- close(fd);
+- }
+-
+- return -1;
+-}
+-
+-
+ int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp)
+ {
+ union mysockaddr addr_copy = *addr;
+@@ -1199,38 +1161,33 @@ int local_bind(int fd, union mysockaddr
+ return 1;
+ }
+
+-static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
++static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname, unsigned int ifindex)
+ {
+ struct serverfd *sfd;
+- unsigned int ifindex = 0;
+ int errsave;
+ int opt = 1;
+
+ /* when using random ports, servers which would otherwise use
+- the INADDR_ANY/port0 socket have sfd set to NULL */
+- if (!daemon->osport && intname[0] == 0)
++ the INADDR_ANY/port0 socket have sfd set to NULL, this is
++ anything without an explictly set source port. */
++ if (!daemon->osport)
+ {
+ errno = 0;
+
+ if (addr->sa.sa_family == AF_INET &&
+- addr->in.sin_addr.s_addr == INADDR_ANY &&
+ addr->in.sin_port == htons(0))
+ return NULL;
+
+ if (addr->sa.sa_family == AF_INET6 &&
+- memcmp(&addr->in6.sin6_addr, &in6addr_any, sizeof(in6addr_any)) == 0 &&
+ addr->in6.sin6_port == htons(0))
+ return NULL;
+ }
+
+- if (intname && strlen(intname) != 0)
+- ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */
+-
+ /* may have a suitable one already */
+ for (sfd = daemon->sfds; sfd; sfd = sfd->next )
+- if (sockaddr_isequal(&sfd->source_addr, addr) &&
+- strcmp(intname, sfd->interface) == 0 &&
+- ifindex == sfd->ifindex)
++ if (ifindex == sfd->ifindex &&
++ sockaddr_isequal(&sfd->source_addr, addr) &&
++ strcmp(intname, sfd->interface) == 0)
+ return sfd;
+
+ /* need to make a new one. */
+@@ -1281,7 +1238,7 @@ void pre_allocate_sfds(void)
+ #ifdef HAVE_SOCKADDR_SA_LEN
+ addr.in.sin_len = sizeof(struct sockaddr_in);
+ #endif
+- if ((sfd = allocate_sfd(&addr, "")))
++ if ((sfd = allocate_sfd(&addr, "", 0)))
+ sfd->preallocated = 1;
+
+ memset(&addr, 0, sizeof(addr));
+@@ -1291,13 +1248,13 @@ void pre_allocate_sfds(void)
+ #ifdef HAVE_SOCKADDR_SA_LEN
+ addr.in6.sin6_len = sizeof(struct sockaddr_in6);
+ #endif
+- if ((sfd = allocate_sfd(&addr, "")))
++ if ((sfd = allocate_sfd(&addr, "", 0)))
+ sfd->preallocated = 1;
+ }
+
+ for (srv = daemon->servers; srv; srv = srv->next)
+ if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)) &&
+- !allocate_sfd(&srv->source_addr, srv->interface) &&
++ !allocate_sfd(&srv->source_addr, srv->interface, srv->ifindex) &&
+ errno != 0 &&
+ option_bool(OPT_NOWILD))
+ {
+@@ -1506,7 +1463,7 @@ void check_servers(void)
+
+ /* Do we need a socket set? */
+ if (!serv->sfd &&
+- !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface)) &&
++ !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface, serv->ifindex)) &&
+ errno != 0)
+ {
+ my_syslog(LOG_WARNING,
+Index: dnsmasq-2.81/src/option.c
+===================================================================
+--- dnsmasq-2.81.orig/src/option.c
++++ dnsmasq-2.81/src/option.c
+@@ -810,7 +810,8 @@ char *parse_server(char *arg, union myso
+ if (interface_opt)
+ {
+ #if defined(SO_BINDTODEVICE)
+- safe_strncpy(interface, interface_opt, IF_NAMESIZE);
++ safe_strncpy(interface, source, IF_NAMESIZE);
++ source = interface_opt;
+ #else
+ return _("interface binding not supported");
+ #endif
+Index: dnsmasq-2.81/src/tftp.c
+===================================================================
+--- dnsmasq-2.81.orig/src/tftp.c
++++ dnsmasq-2.81/src/tftp.c
+@@ -601,7 +601,7 @@ void check_tftp_listeners(time_t now)
+
+ /* we overwrote the buffer... */
+ daemon->srv_save = NULL;
+-
++
+ if ((len = get_block(daemon->packet, transfer)) == -1)
+ {
+ len = tftp_err_oops(daemon->packet, transfer->file->filename);
+Index: dnsmasq-2.81/src/util.c
+===================================================================
+--- dnsmasq-2.81.orig/src/util.c
++++ dnsmasq-2.81/src/util.c
+@@ -316,7 +316,7 @@ void *whine_malloc(size_t size)
+ return ret;
+ }
+
+-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2)
++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2)
+ {
+ if (s1->sa.sa_family == s2->sa.sa_family)
+ {
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch
new file mode 100644
index 000000000..b2ef22c06
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch
@@ -0,0 +1,188 @@
+From 70df9f9104c8f0661966298b58caf794b99e26e1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 22 Sep 2022 17:39:21 +0530
+Subject: [PATCH] CVE-2022-0934
+
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39]
+CVE: CVE-2022-0934
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ CHANGELOG | 2 ++
+ src/rfc3315.c | 48 +++++++++++++++++++++++++++---------------------
+ 2 files changed, 29 insertions(+), 21 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 60b08d0..d1d7e41 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -88,6 +88,8 @@ version 2.81
+
+ Add --script-on-renewal option.
+
++ Fix write-after-free error in DHCPv6 server code.
++ CVE-2022-0934 refers.
+
+ version 2.80
+ Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index b3f0a0a..eef1360 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -33,9 +33,9 @@ struct state {
+ unsigned int mac_len, mac_type;
+ };
+
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+ struct in6_addr *client_addr, int is_unicast, time_t now);
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
+ static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
+ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
+ static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
+@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
+ }
+
+ /* This cost me blood to write, it will probably cost you blood to understand - srk. */
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+ struct in6_addr *client_addr, int is_unicast, time_t now)
+ {
+ void *end = inbuff + sz;
+ void *opts = inbuff + 34;
+- int msg_type = *((unsigned char *)inbuff);
++ int msg_type = *inbuff;
+ unsigned char *outmsgtypep;
+ void *opt;
+ struct dhcp_vendor *vendor;
+@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+ return 1;
+ }
+
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
+ {
+ void *opt;
+- int i, o, o1, start_opts;
++ int i, o, o1, start_opts, start_msg;
+ struct dhcp_opt *opt_cfg;
+ struct dhcp_netid *tagif;
+ struct dhcp_config *config = NULL;
+ struct dhcp_netid known_id, iface_id, v6_id;
+- unsigned char *outmsgtypep;
++ unsigned char outmsgtype;
+ struct dhcp_vendor *vendor;
+ struct dhcp_context *context_tmp;
+ struct dhcp_mac *mac_opt;
+@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ v6_id.next = state->tags;
+ state->tags = &v6_id;
+
+- /* copy over transaction-id, and save pointer to message type */
+- if (!(outmsgtypep = put_opt6(inbuff, 4)))
++ start_msg = save_counter(-1);
++ /* copy over transaction-id */
++ if (!put_opt6(inbuff, 4))
+ return 0;
+ start_opts = save_counter(-1);
+- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
+-
++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
++
+ /* We're going to be linking tags from all context we use.
+ mark them as unused so we don't link one twice and break the list */
+ for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
+@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
+
+ {
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6USEMULTI);
+ put_opt6_string("Use multicast");
+@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ struct dhcp_netid *solicit_tags;
+ struct dhcp_context *c;
+
+- *outmsgtypep = DHCP6ADVERTISE;
++ outmsgtype = DHCP6ADVERTISE;
+
+ if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
+ {
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ state->lease_allocate = 1;
+ o = new_opt6(OPTION6_RAPID_COMMIT);
+ end_opt6(o);
+@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ int start = save_counter(-1);
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ state->lease_allocate = 1;
+
+ log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
+@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ case DHCP6RENEW:
+ {
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPRENEW", NULL, NULL);
+
+@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ int good_addr = 0;
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
+
+@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
+ if (ignore)
+ return 0;
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ tagif = add_options(state, 1);
+ break;
+ }
+@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ case DHCP6RELEASE:
+ {
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPRELEASE", NULL, NULL);
+
+@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ case DHCP6DECLINE:
+ {
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPDECLINE", NULL, NULL);
+
+@@ -1251,7 +1252,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ }
+
+ }
+-
++
++ /* Fill in the message type. Note that we store the offset,
++ not a direct pointer, since the packet memory may have been
++ reallocated. */
++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
++
+ log_tags(tagif, state->xid);
+ log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
+
+--
+2.25.1
+
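Review bot: The "Use multicast" branch of dhcp6_no_relay now only assigns the local `outmsgtype`, and the one store into the packet is the line added near the end of the function, `((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;`. The rest of that branch lies outside the hunk, so confirm that it does not return before reaching the store; if it does, the reply leaves without its message type written. In that case the branch needs a jump to a label placed just before the store (`goto done;` with `done:` ahead of the assignment) rather than a plain return. `outmsgtype` is also declared without an initial value, so any path through the switch that reaches the store without assigning it would copy an indeterminate byte into the outgoing packet. The switch body is not fully visible here, so that needs checking against the full file.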
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
index a1dc0f3a0..8db57edb7 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -10,4 +10,6 @@ SRC_URI += "\
file://CVE-2020-25685-2.patch \
file://CVE-2020-25686-1.patch \
file://CVE-2020-25686-2.patch \
+ file://CVE-2021-3448.patch \
+ file://CVE-2022-0934.patch \
"
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
new file mode 100644
index 000000000..5580cd409
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
@@ -0,0 +1,30 @@
+From bd9d2fe7da833f0e4705a8280efc56930371806b Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Wed, 6 May 2020 13:40:36 +0300
+Subject: [PATCH 1/3] auth: mech-rpa - Fail on zero len buffer
+
+---
+ src/auth/mech-rpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12674
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
+index 08298ebdd6..2de8705b4f 100644
+--- a/src/auth/mech-rpa.c
++++ b/src/auth/mech-rpa.c
+@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
+ return 0;
+
+ len = *p++;
+- if (p + len > end)
++ if (p + len > end || len == 0)
+ return 0;
+
+ *buffer = p_malloc(pool, len);
+--
+2.11.0
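Review bot: The `Signed-off-by:`, `CVE:` and `Upstream-Status:` lines in this patch header sit below the `---` separator and diffstat, which is the region `git am` drops when it applies a patch. They belong in the message body above `---`, as the dnsmasq CVE-2022-0934.patch in this same commit does. The `Upstream-Status: Backport` reference is a distribution source tarball, which does not identify the upstream change. The header already carries commit `bd9d2fe7da833f0e4705a8280efc56930371806b`, so `Upstream-Status: Backport [<upstream commit URL>]` pointing at that commit would make the CVE-2020-12674 fix traceable. The same header layout appears in 0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch further down.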
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch
index f86235076..3f87714dc 100644
--- a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch
@@ -13,11 +13,11 @@ Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
configure.ac | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index 3b32614..94ec002 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -519,13 +519,10 @@ have_ioloop=no
+Index: dovecot-2.2.36.4/configure.ac
+===================================================================
+--- dovecot-2.2.36.4.orig/configure.ac
++++ dovecot-2.2.36.4/configure.ac
+@@ -490,13 +490,10 @@ have_ioloop=no
if test "$ioloop" = "best" || test "$ioloop" = "epoll"; then
AC_CACHE_CHECK([whether we can use epoll],i_cv_epoll_works,[
@@ -34,7 +34,7 @@ index 3b32614..94ec002 100644
], [
i_cv_epoll_works=yes
], [
-@@ -653,7 +650,7 @@ fi
+@@ -596,7 +593,7 @@ fi
dnl * Old glibcs have broken posix_fallocate(). Make sure not to use it.
dnl * It may also be broken in AIX.
AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[
@@ -43,7 +43,7 @@ index 3b32614..94ec002 100644
#define _XOPEN_SOURCE 600
#include <stdio.h>
#include <stdlib.h>
-@@ -662,7 +659,7 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[
+@@ -605,7 +602,7 @@ AC_CACHE_CHECK([whether posix_fallocate(
#if defined(__GLIBC__) && (__GLIBC__ < 2 || __GLIBC_MINOR__ < 7)
possibly broken posix_fallocate
#endif
@@ -52,7 +52,7 @@ index 3b32614..94ec002 100644
int fd = creat("conftest.temp", 0600);
int ret;
if (fd == -1) {
-@@ -671,8 +668,6 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[
+@@ -614,8 +611,6 @@ AC_CACHE_CHECK([whether posix_fallocate(
}
ret = posix_fallocate(fd, 1024, 1024) < 0 ? 1 : 0;
unlink("conftest.temp");
@@ -61,6 +61,3 @@ index 3b32614..94ec002 100644
], [
i_cv_posix_fallocate_works=yes
], [
---
-1.8.4.2
-
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch
index 65ae9bf91..3170ae865 100644
--- a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch
@@ -18,11 +18,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
src/doveadm/Makefile.am | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/src/doveadm/Makefile.am b/src/doveadm/Makefile.am
-index c644646..6ae9144 100644
---- a/src/doveadm/Makefile.am
-+++ b/src/doveadm/Makefile.am
-@@ -180,8 +180,8 @@ test_libs = \
+Index: dovecot-2.2.36.4/src/doveadm/Makefile.am
+===================================================================
+--- dovecot-2.2.36.4.orig/src/doveadm/Makefile.am
++++ dovecot-2.2.36.4/src/doveadm/Makefile.am
+@@ -182,8 +182,8 @@ test_libs = \
../lib/liblib.la
test_deps = $(noinst_LTLIBRARIES) $(test_libs)
@@ -33,6 +33,3 @@ index c644646..6ae9144 100644
test_doveadm_util_DEPENDENCIES = $(test_deps)
check: check-am check-test
---
-2.14.2
-
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
new file mode 100644
index 000000000..583f71ca5
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
@@ -0,0 +1,76 @@
+From 667d353b0f217372e8cc43ea4fe13466689c7ed0 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 11:33:31 +0300
+Subject: [PATCH 01/13] lib-mail: message-parser - Add a message_part_finish()
+ helper function
+
+---
+ src/lib-mail/message-parser.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index b1de1950a..aaa8dd8b7 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -195,6 +195,13 @@ message_part_append(pool_t pool, struct message_part *parent)
+ return part;
+ }
+
++static void message_part_finish(struct message_parser_ctx *ctx)
++{
++ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
++ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size);
++ ctx->part = ctx->part->parent;
++}
++
+ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ {
+ struct message_boundary *b;
+@@ -312,19 +319,16 @@ static int parse_part_finish(struct message_parser_ctx *ctx,
+ struct message_boundary *boundary,
+ struct message_block *block_r, bool first_line)
+ {
+- struct message_part *part;
+ size_t line_size;
+
+ i_assert(ctx->last_boundary == NULL);
+
+ /* get back to parent MIME part, summing the child MIME part sizes
+ into parent's body sizes */
+- for (part = ctx->part; part != boundary->part; part = part->parent) {
+- message_size_add(&part->parent->body_size, &part->body_size);
+- message_size_add(&part->parent->body_size, &part->header_size);
++ while (ctx->part != boundary->part) {
++ message_part_finish(ctx);
++ i_assert(ctx->part != NULL);
+ }
+- i_assert(part != NULL);
+- ctx->part = part;
+
+ if (boundary->epilogue_found) {
+ /* this boundary isn't needed anymore */
+@@ -1132,13 +1136,8 @@ int message_parser_parse_next_block(struct message_parser_ctx *ctx,
+ i_assert(ctx->input->eof || ctx->input->closed ||
+ ctx->input->stream_errno != 0 ||
+ ctx->broken_reason != NULL);
+- while (ctx->part->parent != NULL) {
+- message_size_add(&ctx->part->parent->body_size,
+- &ctx->part->body_size);
+- message_size_add(&ctx->part->parent->body_size,
+- &ctx->part->header_size);
+- ctx->part = ctx->part->parent;
+- }
++ while (ctx->part->parent != NULL)
++ message_part_finish(ctx);
+ }
+
+ if (block_r->size == 0) {
+--
+2.11.0
+
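Review bot: In the rewritten loop of parse_part_finish the `i_assert(ctx->part != NULL)` runs only after message_part_finish() has already handed `&ctx->part->parent->body_size` to message_size_add(). If `boundary->part` is not an ancestor of the current part, the NULL parent is therefore used before the assertion can fire. Checking at the top of the new helper instead, with `i_assert(ctx->part->parent != NULL);`, would stop before the sizes are touched and would cover both callers. parse_part_finish and message_parser_parse_next_block both continue outside the hunks shown.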
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch
new file mode 100644
index 000000000..9f24320eb
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch
@@ -0,0 +1,71 @@
+From de0da7bc8df55521db8fa787f88e293618c96386 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 11:34:22 +0300
+Subject: [PATCH 02/13] lib-mail: message-parser - Change message_part_append()
+ to do all work internally
+
+---
+ src/lib-mail/message-parser.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index aaa8dd8b7..2edf3e7a6 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -167,16 +167,17 @@ static int message_parser_read_more(struct message_parser_ctx *ctx,
+ return 1;
+ }
+
+-static struct message_part *
+-message_part_append(pool_t pool, struct message_part *parent)
++static void
++message_part_append(struct message_parser_ctx *ctx)
+ {
++ struct message_part *parent = ctx->part;
+ struct message_part *p, *part, **list;
+
+ i_assert(parent != NULL);
+ i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+ MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0);
+
+- part = p_new(pool, struct message_part, 1);
++ part = p_new(ctx->part_pool, struct message_part, 1);
+ part->parent = parent;
+ for (p = parent; p != NULL; p = p->parent)
+ p->children_count++;
+@@ -192,7 +193,7 @@ message_part_append(pool_t pool, struct message_part *parent)
+ list = &(*list)->next;
+
+ *list = part;
+- return part;
++ ctx->part = part;
+ }
+
+ static void message_part_finish(struct message_parser_ctx *ctx)
+@@ -220,7 +221,7 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx,
+ struct message_block *block_r)
+ {
+- ctx->part = message_part_append(ctx->part_pool, ctx->part);
++ message_part_append(ctx);
+ return parse_next_header_init(ctx, block_r);
+ }
+
+@@ -270,7 +271,7 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ static int parse_next_mime_header_init(struct message_parser_ctx *ctx,
+ struct message_block *block_r)
+ {
+- ctx->part = message_part_append(ctx->part_pool, ctx->part);
++ message_part_append(ctx);
+ ctx->part->flags |= MESSAGE_PART_FLAG_IS_MIME;
+
+ return parse_next_header_init(ctx, block_r);
+--
+2.11.0
+
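Review bot: The `Signed-off-by`, `CVE:`, `Upstream-Status:` and `Comment:` lines in this patch header sit after the `---` separator and the diffstat, a region that `git am` discards when the patch is applied. If the patch is later applied and regenerated that way, the CVE tag and the provenance are lost. Moving the block above the `---` line, directly under the subject, keeps it with the commit message. The same layout is used in the other lib-mail patches and in the lib-ntlm patch added by this commit.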
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
new file mode 100644
index 000000000..81aead8aa
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
@@ -0,0 +1,37 @@
+Backport of:
+
+From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Mon, 18 May 2020 12:33:39 +0300
+Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses
+
+Add missing check for buffer length.
+
+If this is not checked, it is possible to send message which
+causes read past buffer bug.
+
+Broken in c7480644202e5451fbed448508ea29a25cffc99c
+---
+ src/lib-ntlm/ntlm-message.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12673
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/src/lib-ntlm/ntlm-message.c
++++ b/src/lib-ntlm/ntlm-message.c
+@@ -184,6 +184,11 @@ static int ntlmssp_check_buffer(const st
+ if (length == 0 && space == 0)
+ return 1;
+
++ if (length > data_size) {
++ *error = "buffer length out of bounds";
++ return 0;
++ }
++
+ if (offset >= data_size) {
+ *error = "buffer offset out of bounds";
+ return 0;
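Review bot: The added check in ntlmssp_check_buffer compares `length` with `data_size` on its own, so a buffer whose `length` fits but whose `offset + length` runs past `data_size` still passes the two checks visible here. The function continues outside the hunk, so a later check may already bound the sum. If none does, a guard placed after the offset check would cover it: `if (length > data_size - offset) { *error = "buffer length out of bounds"; return 0; }`. Because the header marks this as an unmodified backport, such a change is better raised upstream than carried only in this layer.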
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch
new file mode 100644
index 000000000..e53090235
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch
@@ -0,0 +1,49 @@
+From a9800b436fcf1f9633c2b136a9c5cb7a486a8a52 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 11:36:48 +0300
+Subject: [PATCH 03/13] lib-mail: message-parser - Optimize updating
+ children_count
+
+---
+ src/lib-mail/message-parser.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 2edf3e7a6..05768a058 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -171,7 +171,7 @@ static void
+ message_part_append(struct message_parser_ctx *ctx)
+ {
+ struct message_part *parent = ctx->part;
+- struct message_part *p, *part, **list;
++ struct message_part *part, **list;
+
+ i_assert(parent != NULL);
+ i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+@@ -179,8 +179,6 @@ message_part_append(struct message_parser_ctx *ctx)
+
+ part = p_new(ctx->part_pool, struct message_part, 1);
+ part->parent = parent;
+- for (p = parent; p != NULL; p = p->parent)
+- p->children_count++;
+
+ /* set child position */
+ part->physical_pos =
+@@ -200,6 +198,7 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ {
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size);
++ ctx->part->parent->children_count += 1 + ctx->part->children_count;
+ ctx->part = ctx->part->parent;
+ }
+
+--
+2.11.0
+
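Review bot: With the counting moved into message_part_finish(), an ancestor's `children_count` no longer includes a child until that child has been closed, and nothing in the hunk records this. The value is therefore incomplete for any part that is still open, which matters if anything reads it during parsing; no such reader is visible here. A comment above the added line would make the contract explicit, for example `/* children_count is accumulated when a part is closed; it is not final while the part is still being parsed */`.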
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch
new file mode 100644
index 000000000..ba6667fa9
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch
@@ -0,0 +1,90 @@
+From 99ee7596712cf0ea0a288b712bc898ecb2b35f9b Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 12:00:38 +0300
+Subject: [PATCH 04/13] lib-mail: message-parser - Optimize appending new part
+ to linked list
+
+---
+ src/lib-mail/message-parser.c | 28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+Index: dovecot-2.2.36.4/src/lib-mail/message-parser.c
+===================================================================
+--- dovecot-2.2.36.4.orig/src/lib-mail/message-parser.c
++++ dovecot-2.2.36.4/src/lib-mail/message-parser.c
+@@ -1,7 +1,7 @@
+ /* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */
+
+ #include "lib.h"
+-#include "buffer.h"
++#include "array.h"
+ #include "str.h"
+ #include "istream.h"
+ #include "rfc822-parser.h"
+@@ -34,6 +34,9 @@ struct message_parser_ctx {
+ const char *last_boundary;
+ struct message_boundary *boundaries;
+
++ struct message_part **next_part;
++ ARRAY(struct message_part **) next_part_stack;
++
+ size_t skip;
+ char last_chr;
+ unsigned int want_count;
+@@ -171,7 +174,7 @@ static void
+ message_part_append(struct message_parser_ctx *ctx)
+ {
+ struct message_part *parent = ctx->part;
+- struct message_part *part, **list;
++ struct message_part *part;
+
+ i_assert(parent != NULL);
+ i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+@@ -186,16 +189,27 @@ message_part_append(struct message_parse
+ parent->body_size.physical_size +
+ parent->header_size.physical_size;
+
+- list = &part->parent->children;
+- while (*list != NULL)
+- list = &(*list)->next;
++ /* add to parent's linked list */
++ *ctx->next_part = part;
++ /* update the parent's end-of-linked-list pointer */
++ struct message_part **next_part = &part->next;
++ array_append(&ctx->next_part_stack, &next_part, 1);
++ /* This part is now the new parent for the next message_part_append()
++ call. Its linked list begins with the children pointer. */
++ ctx->next_part = &part->children;
+
+- *list = part;
+ ctx->part = part;
+ }
+
+ static void message_part_finish(struct message_parser_ctx *ctx)
+ {
++ struct message_part **const *parent_next_partp;
++ unsigned int count = array_count(&ctx->next_part_stack);
++
++ parent_next_partp = array_idx(&ctx->next_part_stack, count-1);
++ array_delete(&ctx->next_part_stack, count-1, 1);
++ ctx->next_part = *parent_next_partp;
++
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size);
+ ctx->part->parent->children_count += 1 + ctx->part->children_count;
+@@ -1062,7 +1076,9 @@ message_parser_init(pool_t part_pool, st
+ ctx = message_parser_init_int(input, hdr_flags, flags);
+ ctx->part_pool = part_pool;
+ ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1);
++ ctx->next_part = &ctx->part->children;
+ ctx->parse_next_block = parse_next_header_init;
++ p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4);
+ return ctx;
+ }
+
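Review bot: The lines added at the top of message_part_finish() compute `count-1` from `array_count(&ctx->next_part_stack)` without stating that the stack is non-empty; `count` is unsigned, so an empty stack yields a wrapped index. An `i_assert(count > 0);` before the `array_idx()` call would document and enforce the invariant that every finish pairs with an earlier message_part_append(). The hunks initialise `next_part` and the stack only in message_parser_init(); whether another initialisation path can reach these functions is not visible here and is worth confirming.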
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch
new file mode 100644
index 000000000..4e63509b4
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch
@@ -0,0 +1,45 @@
+From e39c95b248917eb2b596ca55a957f3cbc7fd406f Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 12:10:07 +0300
+Subject: [PATCH 05/13] lib-mail: message-parser - Minor code cleanup to
+ finding the end of boundary line
+
+---
+ src/lib-mail/message-parser.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index ff4e09e5a..6c6a680b5 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -260,17 +260,16 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ }
+
+ /* need to find the end of line */
+- if (memchr(data + 2, '\n', size - 2) == NULL &&
+- size < BOUNDARY_END_MAX_LEN &&
++ data += 2;
++ size -= 2;
++ if (memchr(data, '\n', size) == NULL &&
++ size+2 < BOUNDARY_END_MAX_LEN &&
+ !ctx->input->eof && !full) {
+ /* no LF found */
+ ctx->want_count = BOUNDARY_END_MAX_LEN;
+ return 0;
+ }
+
+- data += 2;
+- size -= 2;
+-
+ *boundary_r = boundary_find(ctx->boundaries, data, size);
+ if (*boundary_r == NULL)
+ return -1;
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
new file mode 100644
index 000000000..1012d7983
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
@@ -0,0 +1,163 @@
+From aed125484a346b4893c1a169088c39fe7ced01f3 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 12:53:12 +0300
+Subject: [PATCH 06/13] lib-mail: message-parser - Truncate excessively long
+ MIME boundaries
+
+RFC 2046 requires that the boundaries are a maximum of 70 characters
+(excluding the "--" prefix and suffix). We allow 80 characters for a bit of
+extra safety. Anything longer than that is truncated and treated the same
+as if it was just 80 characters.
+---
+ src/lib-mail/message-parser.c | 7 ++-
+ src/lib-mail/test-message-parser.c | 95 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 100 insertions(+), 2 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 6c6a680b5..92f541b02 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -10,7 +10,8 @@
+
+ /* RFC-2046 requires boundaries are max. 70 chars + "--" prefix + "--" suffix.
+ We'll add a bit more just in case. */
+-#define BOUNDARY_END_MAX_LEN (70 + 2 + 2 + 10)
++#define BOUNDARY_STRING_MAX_LEN (70 + 10)
++#define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2)
+
+ struct message_boundary {
+ struct message_boundary *next;
+@@ -526,8 +527,10 @@ static void parse_content_type(struct message_parser_ctx *ctx,
+ rfc2231_parse(&parser, &results);
+ for (; *results != NULL; results += 2) {
+ if (strcasecmp(results[0], "boundary") == 0) {
++ /* truncate excessively long boundaries */
+ ctx->last_boundary =
+- p_strdup(ctx->parser_pool, results[1]);
++ p_strndup(ctx->parser_pool, results[1],
++ BOUNDARY_STRING_MAX_LEN);
+ break;
+ }
+ }
+diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
+index 1f1aa1437..94aa3eb7c 100644
+--- a/src/lib-mail/test-message-parser.c
++++ b/src/lib-mail/test-message-parser.c
+@@ -642,6 +642,100 @@ static void test_message_parser_no_eoh(void)
+ test_end();
+ }
+
++static void test_message_parser_long_mime_boundary(void)
++{
++ /* Close the boundaries in wrong reverse order. But because all
++ boundaries are actually truncated to the same size (..890) it
++ works the same as if all of them were duplicate boundaries. */
++static const char input_msg[] =
++"Content-Type: multipart/mixed; boundary=\"1234567890123456789012345678901234567890123456789012345678901234567890123456789012\"\n"
++"\n"
++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n"
++"Content-Type: multipart/mixed; boundary=\"123456789012345678901234567890123456789012345678901234567890123456789012345678901\"\n"
++"\n"
++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n"
++"Content-Type: multipart/mixed; boundary=\"12345678901234567890123456789012345678901234567890123456789012345678901234567890\"\n"
++"\n"
++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n"
++"Content-Type: text/plain\n"
++"\n"
++"1\n"
++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n"
++"Content-Type: text/plain\n"
++"\n"
++"22\n"
++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n"
++"Content-Type: text/plain\n"
++"\n"
++"333\n"
++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n"
++"Content-Type: text/plain\n"
++"\n"
++"4444\n";
++ struct message_parser_ctx *parser;
++ struct istream *input;
++ struct message_part *parts, *part;
++ struct message_block block;
++ pool_t pool;
++ int ret;
++
++ test_begin("message parser long mime boundary");
++ pool = pool_alloconly_create("message parser", 10240);
++ input = test_istream_create(input_msg);
++
++ parser = message_parser_init(pool, input, 0, 0);
++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ;
++ test_assert(ret < 0);
++ message_parser_deinit(&parser, &parts);
++
++ part = parts;
++ test_assert(part->children_count == 6);
++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME));
++ test_assert(part->header_size.lines == 2);
++ test_assert(part->header_size.physical_size == 126);
++ test_assert(part->header_size.virtual_size == 126+2);
++ test_assert(part->body_size.lines == 22);
++ test_assert(part->body_size.physical_size == 871);
++ test_assert(part->body_size.virtual_size == 871+22);
++
++ part = parts->children;
++ test_assert(part->children_count == 5);
++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME));
++ test_assert(part->header_size.lines == 2);
++ test_assert(part->header_size.physical_size == 125);
++ test_assert(part->header_size.virtual_size == 125+2);
++ test_assert(part->body_size.lines == 19);
++ test_assert(part->body_size.physical_size == 661);
++ test_assert(part->body_size.virtual_size == 661+19);
++
++ part = parts->children->children;
++ test_assert(part->children_count == 4);
++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME));
++ test_assert(part->header_size.lines == 2);
++ test_assert(part->header_size.physical_size == 124);
++ test_assert(part->header_size.virtual_size == 124+2);
++ test_assert(part->body_size.lines == 16);
++ test_assert(part->body_size.physical_size == 453);
++ test_assert(part->body_size.virtual_size == 453+16);
++
++ part = parts->children->children->children;
++ for (unsigned int i = 1; i <= 3; i++, part = part->next) {
++ test_assert(part->children_count == 0);
++ test_assert(part->flags == (MESSAGE_PART_FLAG_TEXT | MESSAGE_PART_FLAG_IS_MIME));
++ test_assert(part->header_size.lines == 2);
++ test_assert(part->header_size.physical_size == 26);
++ test_assert(part->header_size.virtual_size == 26+2);
++ test_assert(part->body_size.lines == 0);
++ test_assert(part->body_size.physical_size == i);
++ test_assert(part->body_size.virtual_size == i);
++ }
++
++ test_parsed_parts(input, parts);
++ i_stream_unref(&input);
++ pool_unref(&pool);
++ test_end();
++}
++
+ int main(void)
+ {
+ static void (*test_functions[])(void) = {
+@@ -654,6 +748,7 @@ int main(void)
+ test_message_parser_garbage_suffix_mime_boundary,
+ test_message_parser_continuing_mime_boundary,
+ test_message_parser_continuing_truncated_mime_boundary,
++ test_message_parser_long_mime_boundary,
+ test_message_parser_no_eoh,
+ NULL
+ };
+--
+2.11.0
+
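Review bot: The closing loop of test_message_parser_long_mime_boundary advances `part = part->next` across three leaf parts without checking `part` for NULL, so a parser regression that produces fewer children would crash the test rather than report a failed assertion. The fourth leaf (body `4444`) is included in the `children_count == 4` check but is never inspected itself. Guarding the loop on `part != NULL`, asserting the number of parts visited afterwards, and adding explicit checks for the last part would make the test fail cleanly and cover the whole structure.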
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch
new file mode 100644
index 000000000..eeb6c96f1
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch
@@ -0,0 +1,72 @@
+From 5f8de52fec3191a1aa68a399ee2068485737dc4f Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 13:06:02 +0300
+Subject: [PATCH 07/13] lib-mail: message-parser - Optimize boundary lookups
+ when exact boundary is found
+
+When an exact boundary is found, there's no need to continue looking for
+more boundaries.
+---
+ src/lib-mail/message-parser.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 92f541b02..c2934c761 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -80,8 +80,14 @@ boundary_find(struct message_boundary *boundaries,
+ while (boundaries != NULL) {
+ if (boundaries->len <= len &&
+ memcmp(boundaries->boundary, data, boundaries->len) == 0 &&
+- (best == NULL || best->len < boundaries->len))
++ (best == NULL || best->len < boundaries->len)) {
+ best = boundaries;
++ if (best->len == len) {
++ /* This is exactly the wanted boundary. There
++ can't be a better one. */
++ break;
++ }
++ }
+
+ boundaries = boundaries->next;
+ }
+@@ -263,15 +269,27 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ /* need to find the end of line */
+ data += 2;
+ size -= 2;
+- if (memchr(data, '\n', size) == NULL &&
++ const unsigned char *lf_pos = memchr(data, '\n', size);
++ if (lf_pos == NULL &&
+ size+2 < BOUNDARY_END_MAX_LEN &&
+ !ctx->input->eof && !full) {
+ /* no LF found */
+ ctx->want_count = BOUNDARY_END_MAX_LEN;
+ return 0;
+ }
+-
+- *boundary_r = boundary_find(ctx->boundaries, data, size);
++ size_t find_size = size;
++
++ if (lf_pos != NULL) {
++ find_size = lf_pos - data;
++ if (find_size > 0 && data[find_size-1] == '\r')
++ find_size--;
++ if (find_size > 2 && data[find_size-1] == '-' &&
++ data[find_size-2] == '-')
++ find_size -= 2;
++ } else if (find_size > BOUNDARY_END_MAX_LEN)
++ find_size = BOUNDARY_END_MAX_LEN;
++
++ *boundary_r = boundary_find(ctx->boundaries, data, find_size);
+ if (*boundary_r == NULL)
+ return -1;
+
+--
+2.11.0
+
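Review bot: In boundary_line_find the new `find_size -= 2` strips a trailing `--` before the lookup, and boundary_find() only accepts entries with `boundaries->len <= len`. A stored boundary whose own text ends in `--` is therefore longer than the stripped length, and its ordinary delimiter line falls through to the `return -1` path. Before this change the full remaining `size` was passed, so such a boundary could still match. Looking up with the unstripped length first and falling back to the stripped one would keep the early-exit optimisation; a test case with a boundary ending in `--` would pin the behaviour. The braced `if` followed by an unbraced `else if` is also easy to misread, and boundary_line_find continues outside the hunk.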
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch
new file mode 100644
index 000000000..4af070a87
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch
@@ -0,0 +1,50 @@
+From 929396767d831bedbdec6392aaa835b045332fd3 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 14:53:27 +0300
+Subject: [PATCH 08/13] lib-mail: message-parser - Add boundary_remove_until()
+ helper function
+
+---
+ src/lib-mail/message-parser.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index c2934c761..028f74159 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -223,6 +223,13 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ ctx->part = ctx->part->parent;
+ }
+
++static void
++boundary_remove_until(struct message_parser_ctx *ctx,
++ struct message_boundary *boundary)
++{
++ ctx->boundaries = boundary;
++}
++
+ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ {
+ struct message_boundary *b;
+@@ -364,10 +371,10 @@ static int parse_part_finish(struct message_parser_ctx *ctx,
+
+ if (boundary->epilogue_found) {
+ /* this boundary isn't needed anymore */
+- ctx->boundaries = boundary->next;
++ boundary_remove_until(ctx, boundary->next);
+ } else {
+ /* forget about the boundaries we possibly skipped */
+- ctx->boundaries = boundary;
++ boundary_remove_until(ctx, boundary);
+ }
+
+ /* the boundary itself should already be in buffer. add that. */
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch
new file mode 100644
index 000000000..aade7dc2b
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch
@@ -0,0 +1,169 @@
+From d53d83214b1d635446a8cf8ff9438cc530133d62 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 15:00:57 +0300
+Subject: [PATCH 09/13] lib-mail: message-parser - Don't use memory pool for
+ parser
+
+This reduces memory usage when parsing many MIME parts where boundaries are
+being added and removed constantly.
+---
+ src/lib-mail/message-parser.c | 48 ++++++++++++++++++++++++++++---------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 028f74159..8970d8e0e 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -17,14 +17,14 @@ struct message_boundary {
+ struct message_boundary *next;
+
+ struct message_part *part;
+- const char *boundary;
++ char *boundary;
+ size_t len;
+
+ unsigned int epilogue_found:1;
+ };
+
+ struct message_parser_ctx {
+- pool_t parser_pool, part_pool;
++ pool_t part_pool;
+ struct istream *input;
+ struct message_part *parts, *part;
+ const char *broken_reason;
+@@ -32,7 +32,7 @@ struct message_parser_ctx {
+ enum message_header_parser_flags hdr_flags;
+ enum message_parser_flags flags;
+
+- const char *last_boundary;
++ char *last_boundary;
+ struct message_boundary *boundaries;
+
+ struct message_part **next_part;
+@@ -223,10 +223,24 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ ctx->part = ctx->part->parent;
+ }
+
++static void message_boundary_free(struct message_boundary *b)
++{
++ i_free(b->boundary);
++ i_free(b);
++}
++
+ static void
+ boundary_remove_until(struct message_parser_ctx *ctx,
+ struct message_boundary *boundary)
+ {
++ while (ctx->boundaries != boundary) {
++ struct message_boundary *cur = ctx->boundaries;
++
++ i_assert(cur != NULL);
++ ctx->boundaries = cur->next;
++ message_boundary_free(cur);
++
++ }
+ ctx->boundaries = boundary;
+ }
+
+@@ -234,15 +248,14 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ {
+ struct message_boundary *b;
+
+- b = p_new(ctx->parser_pool, struct message_boundary, 1);
++ b = i_new(struct message_boundary, 1);
+ b->part = ctx->part;
+ b->boundary = ctx->last_boundary;
++ ctx->last_boundary = NULL;
+ b->len = strlen(b->boundary);
+
+ b->next = ctx->boundaries;
+ ctx->boundaries = b;
+-
+- ctx->last_boundary = NULL;
+ }
+
+ static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx,
+@@ -359,6 +372,8 @@ static int parse_part_finish(struct message_parser_ctx *ctx,
+ struct message_block *block_r, bool first_line)
+ {
+ size_t line_size;
++ size_t boundary_len = boundary->len;
++ bool boundary_epilogue_found = boundary->epilogue_found;
+
+ i_assert(ctx->last_boundary == NULL);
+
+@@ -391,7 +406,7 @@ static int parse_part_finish(struct message_parser_ctx *ctx,
+ i_assert(block_r->data[0] == '\n');
+ line_size = 1;
+ }
+- line_size += 2 + boundary->len + (boundary->epilogue_found ? 2 : 0);
++ line_size += 2 + boundary_len + (boundary_epilogue_found ? 2 : 0);
+ i_assert(block_r->size >= ctx->skip + line_size);
+ block_r->size = line_size;
+ parse_body_add_block(ctx, block_r);
+@@ -553,9 +568,9 @@ static void parse_content_type(struct message_parser_ctx *ctx,
+ for (; *results != NULL; results += 2) {
+ if (strcasecmp(results[0], "boundary") == 0) {
+ /* truncate excessively long boundaries */
++ i_free(ctx->last_boundary);
+ ctx->last_boundary =
+- p_strndup(ctx->parser_pool, results[1],
+- BOUNDARY_STRING_MAX_LEN);
++ i_strndup(results[1], BOUNDARY_STRING_MAX_LEN);
+ break;
+ }
+ }
+@@ -678,7 +693,7 @@ static int parse_next_header(struct message_parser_ctx *ctx,
+ i_assert(!ctx->multipart);
+ part->flags = 0;
+ }
+- ctx->last_boundary = NULL;
++ i_free(ctx->last_boundary);
+
+ if (!ctx->part_seen_content_type ||
+ (part->flags & MESSAGE_PART_FLAG_IS_MIME) == 0) {
+@@ -1081,11 +1096,8 @@ message_parser_init_int(struct istream *input,
+ enum message_parser_flags flags)
+ {
+ struct message_parser_ctx *ctx;
+- pool_t pool;
+
+- pool = pool_alloconly_create("Message Parser", 1024);
+- ctx = p_new(pool, struct message_parser_ctx, 1);
+- ctx->parser_pool = pool;
++ ctx = i_new(struct message_parser_ctx, 1);
+ ctx->hdr_flags = hdr_flags;
+ ctx->flags = flags;
+ ctx->input = input;
+@@ -1105,7 +1117,7 @@ message_parser_init(pool_t part_pool, struct istream *input,
+ ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1);
+ ctx->next_part = &ctx->part->children;
+ ctx->parse_next_block = parse_next_header_init;
+- p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4);
++ i_array_init(&ctx->next_part_stack, 4);
+ return ctx;
+ }
+
+@@ -1146,8 +1158,12 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx,
+
+ if (ctx->hdr_parser_ctx != NULL)
+ message_parse_header_deinit(&ctx->hdr_parser_ctx);
++ boundary_remove_until(ctx, NULL);
+ i_stream_unref(&ctx->input);
+- pool_unref(&ctx->parser_pool);
++ if (array_is_created(&ctx->next_part_stack))
++ array_free(&ctx->next_part_stack);
++ i_free(ctx->last_boundary);
++ i_free(ctx);
+ i_assert(ret < 0 || *parts_r != NULL);
+ return ret;
+ }
+--
+2.11.0
+
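Review bot: In parse_part_finish the new locals `boundary_len` and `boundary_epilogue_found` exist because `boundary_remove_until(ctx, boundary->next)` can now free `boundary` itself, but the hunk does not say so. A later edit that dereferences `boundary` after that call would be a use-after-free. A comment at the declarations would record it, for example `/* boundary may be freed by boundary_remove_until() below; use these copies afterwards */`. The lines between the two parse_part_finish hunks are not shown, so it is worth confirming that no other `boundary->` access remains after the call. Separately, replacing `ctx->last_boundary = NULL` with `i_free(ctx->last_boundary)` in parse_next_header relies on i_free() resetting the pointer, which the hunk does not show.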
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch
new file mode 100644
index 000000000..ae5254466
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch
@@ -0,0 +1,188 @@
+From df9e0d358ef86e3342525dcdefcf79dc2d749a30 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 16:59:40 +0300
+Subject: [PATCH 10/13] lib-mail: message-parser - Support limiting max number
+ of nested MIME parts
+
+The default is to allow 100 nested MIME parts. When the limit is reached,
+the innermost MIME part's body contains all the rest of the inner bodies
+until a parent MIME part is reached.
+---
+ src/lib-mail/message-parser.c | 43 +++++++++++++++++++++++++++++++-------
+ src/lib-mail/test-message-parser.c | 31 +++++++++++++++++++++++++++
+ 2 files changed, 67 insertions(+), 7 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 8970d8e0e..721615f76 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -13,6 +13,8 @@
+ #define BOUNDARY_STRING_MAX_LEN (70 + 10)
+ #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2)
+
++#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100
++
+ struct message_boundary {
+ struct message_boundary *next;
+
+@@ -28,9 +30,11 @@ struct message_parser_ctx {
+ struct istream *input;
+ struct message_part *parts, *part;
+ const char *broken_reason;
++ unsigned int nested_parts_count;
+
+ enum message_header_parser_flags hdr_flags;
+ enum message_parser_flags flags;
++ unsigned int max_nested_mime_parts;
+
+ char *last_boundary;
+ struct message_boundary *boundaries;
+@@ -206,6 +210,8 @@ message_part_append(struct message_parser_ctx *ctx)
+ ctx->next_part = &part->children;
+
+ ctx->part = part;
++ ctx->nested_parts_count++;
++ i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts);
+ }
+
+ static void message_part_finish(struct message_parser_ctx *ctx)
+@@ -213,8 +219,12 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ struct message_part **const *parent_next_partp;
+ unsigned int count = array_count(&ctx->next_part_stack);
+
++ i_assert(ctx->nested_parts_count > 0);
++ ctx->nested_parts_count--;
++
+ parent_next_partp = array_idx(&ctx->next_part_stack, count-1);
+ array_delete(&ctx->next_part_stack, count-1, 1);
++
+ ctx->next_part = *parent_next_partp;
+
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+@@ -592,6 +602,11 @@ static bool block_is_at_eoh(const struct message_block *block)
+ return FALSE;
+ }
+
++static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx)
++{
++ return ctx->nested_parts_count > ctx->max_nested_mime_parts;
++}
++
+ #define MUTEX_FLAGS \
+ (MESSAGE_PART_FLAG_MESSAGE_RFC822 | MESSAGE_PART_FLAG_MULTIPART)
+
+@@ -616,8 +631,12 @@ static int parse_next_header(struct message_parser_ctx *ctx,
+ "\n--boundary" belongs to us or to a previous boundary.
+ this is a problem if the boundary prefixes are identical,
+ because MIME requires only the prefix to match. */
+- parse_next_body_multipart_init(ctx);
+- ctx->multipart = TRUE;
++ if (!parse_too_many_nested_mime_parts(ctx)) {
++ parse_next_body_multipart_init(ctx);
++ ctx->multipart = TRUE;
++ } else {
++ part->flags &= ~MESSAGE_PART_FLAG_MULTIPART;
++ }
+ }
+
+ /* before parsing the header see if we can find a --boundary from here.
+@@ -721,12 +740,16 @@ static int parse_next_header(struct message_parser_ctx *ctx,
+ i_assert(ctx->last_boundary == NULL);
+ ctx->multipart = FALSE;
+ ctx->parse_next_block = parse_next_body_to_boundary;
+- } else if (part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822)
++ } else if ((part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) != 0 &&
++ !parse_too_many_nested_mime_parts(ctx)) {
+ ctx->parse_next_block = parse_next_body_message_rfc822_init;
+- else if (ctx->boundaries != NULL)
+- ctx->parse_next_block = parse_next_body_to_boundary;
+- else
+- ctx->parse_next_block = parse_next_body_to_eof;
++ } else {
++ part->flags &= ~MESSAGE_PART_FLAG_MESSAGE_RFC822;
++ if (ctx->boundaries != NULL)
++ ctx->parse_next_block = parse_next_body_to_boundary;
++ else
++ ctx->parse_next_block = parse_next_body_to_eof;
++ }
+
+ ctx->want_count = 1;
+
+@@ -1100,6 +1123,8 @@ message_parser_init_int(struct istream *input,
+ ctx = i_new(struct message_parser_ctx, 1);
+ ctx->hdr_flags = hdr_flags;
+ ctx->flags = flags;
++ ctx->max_nested_mime_parts =
++ MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS;
+ ctx->input = input;
+ i_stream_ref(input);
+ return ctx;
+@@ -1159,6 +1184,10 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx,
+ if (ctx->hdr_parser_ctx != NULL)
+ message_parse_header_deinit(&ctx->hdr_parser_ctx);
+ boundary_remove_until(ctx, NULL);
++ /* caller might have stopped the parsing early */
++ i_assert(ctx->nested_parts_count == 0 ||
++ i_stream_have_bytes_left(ctx->input));
++
+ i_stream_unref(&ctx->input);
+ if (array_is_created(&ctx->next_part_stack))
+ array_free(&ctx->next_part_stack);
+diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
+index 94aa3eb7c..481d05942 100644
+--- a/src/lib-mail/test-message-parser.c
++++ b/src/lib-mail/test-message-parser.c
+@@ -166,6 +166,36 @@ static void test_message_parser_small_blocks(void)
+ test_end();
+ }
+
++static void test_message_parser_stop_early(void)
++{
++ struct message_parser_ctx *parser;
++ struct istream *input;
++ struct message_part *parts;
++ struct message_block block;
++ unsigned int i;
++ pool_t pool;
++ int ret;
++
++ test_begin("message parser stop early");
++ pool = pool_alloconly_create("message parser", 10240);
++ input = test_istream_create(test_msg);
++
++ test_istream_set_allow_eof(input, FALSE);
++ for (i = 1; i <= TEST_MSG_LEN+1; i++) {
++ i_stream_seek(input, 0);
++ test_istream_set_size(input, i);
++ parser = message_parser_init(pool, input, 0, 0);
++ while ((ret = message_parser_parse_next_block(parser,
++ &block)) > 0) ;
++ test_assert(ret == 0);
++ message_parser_deinit(&parser, &parts);
++ }
++
++ i_stream_unref(&input);
++ pool_unref(&pool);
++ test_end();
++}
++
+ static void test_message_parser_truncated_mime_headers(void)
+ {
+ static const char input_msg[] =
+@@ -740,6 +770,7 @@ int main(void)
+ {
+ static void (*test_functions[])(void) = {
+ test_message_parser_small_blocks,
++ test_message_parser_stop_early,
+ test_message_parser_truncated_mime_headers,
+ test_message_parser_truncated_mime_headers2,
+ test_message_parser_truncated_mime_headers3,
+--
+2.11.0
+
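Review bot: Within this patch the nesting guard and the assertion disagree: `parse_too_many_nested_mime_parts()` is true only when `nested_parts_count > max_nested_mime_parts`, while `message_part_append()` asserts `nested_parts_count < max_nested_mime_parts` after the increment. With 0010 applied alone, a deeply nested message therefore appears able to reach the `i_assert` and abort the process instead of having the remainder folded into the innermost part. 0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch corrects the comparison, so the two must stay together; I would record that in the header, e.g. `Comment: No change in any hunk; requires 0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch`. The added `test_message_parser_stop_early` never nests past the limit, so no visible test exercises the cap. The callers of `message_part_append()` are outside the hunks shown here.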
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch
new file mode 100644
index 000000000..52848bf3a
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch
@@ -0,0 +1,87 @@
+From d7bba401dd234802bcdb55ff27dfb99bffdab804 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 17:09:33 +0300
+Subject: [PATCH 11/13] lib-mail: message-parser - Support limiting max number
+ of MIME parts
+
+The default is to allow 10000 MIME parts. When it's reached, no more
+MIME boundary lines will be recognized, so the rest of the mail belongs
+to the last added MIME part.
+---
+ src/lib-mail/message-parser.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 721615f76..646307802 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -14,6 +14,7 @@
+ #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2)
+
+ #define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100
++#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000
+
+ struct message_boundary {
+ struct message_boundary *next;
+@@ -31,10 +32,12 @@ struct message_parser_ctx {
+ struct message_part *parts, *part;
+ const char *broken_reason;
+ unsigned int nested_parts_count;
++ unsigned int total_parts_count;
+
+ enum message_header_parser_flags hdr_flags;
+ enum message_parser_flags flags;
+ unsigned int max_nested_mime_parts;
++ unsigned int max_total_mime_parts;
+
+ char *last_boundary;
+ struct message_boundary *boundaries;
+@@ -211,7 +214,9 @@ message_part_append(struct message_parser_ctx *ctx)
+
+ ctx->part = part;
+ ctx->nested_parts_count++;
++ ctx->total_parts_count++;
+ i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts);
++ i_assert(ctx->total_parts_count <= ctx->max_total_mime_parts);
+ }
+
+ static void message_part_finish(struct message_parser_ctx *ctx)
+@@ -296,6 +301,12 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ return -1;
+ }
+
++ if (ctx->total_parts_count >= ctx->max_total_mime_parts) {
++ /* can't add any more MIME parts. just stop trying to find
++ more boundaries. */
++ return -1;
++ }
++
+ /* need to find the end of line */
+ data += 2;
+ size -= 2;
+@@ -1125,6 +1136,8 @@ message_parser_init_int(struct istream *input,
+ ctx->flags = flags;
+ ctx->max_nested_mime_parts =
+ MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS;
++ ctx->max_total_mime_parts =
++ MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS;
+ ctx->input = input;
+ i_stream_ref(input);
+ return ctx;
+@@ -1142,6 +1155,7 @@ message_parser_init(pool_t part_pool, struct istream *input,
+ ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1);
+ ctx->next_part = &ctx->part->children;
+ ctx->parse_next_block = parse_next_header_init;
++ ctx->total_parts_count = 1;
+ i_array_init(&ctx->next_part_stack, 4);
+ return ctx;
+ }
+--
+2.11.0
+
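Review bot: The total-parts cap is enforced only in `boundary_line_find()`, but the `message/rfc822` branch of `parse_next_header()` (as left by patch 0010) checks only `parse_too_many_nested_mime_parts(ctx)`. If `parse_next_body_message_rfc822_init` appends a part through `message_part_append()` (its body is outside these hunks, so this is inferred), a message/rfc822 part arriving when `total_parts_count` already equals `max_total_mime_parts` would trip the new `i_assert(ctx->total_parts_count <= ctx->max_total_mime_parts)` and abort on untrusted mail. The branch condition should also test the total, `!parse_too_many_nested_mime_parts(ctx) && ctx->total_parts_count < ctx->max_total_mime_parts) {`, or the recipe should carry the upstream follow-up if one exists. No test in this patch reaches the 10000-part limit.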
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
new file mode 100644
index 000000000..a81177d2b
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
@@ -0,0 +1,133 @@
+From 0c9d56b41b992a868f299e05677a67c4d0495523 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 2 Jul 2020 17:31:19 +0300
+Subject: [PATCH 12/13] lib-mail: Fix handling trailing "--" in MIME boundaries
+
+Broken by 5b8ec27fae941d06516c30476dcf4820c6d200ab
+---
+ src/lib-mail/message-parser.c | 14 ++++++++----
+ src/lib-mail/test-message-parser.c | 46 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 56 insertions(+), 4 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 646307802..175d4b488 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -75,7 +75,7 @@ static int preparsed_parse_next_header_init(struct message_parser_ctx *ctx,
+
+ static struct message_boundary *
+ boundary_find(struct message_boundary *boundaries,
+- const unsigned char *data, size_t len)
++ const unsigned char *data, size_t len, bool trailing_dashes)
+ {
+ struct message_boundary *best = NULL;
+
+@@ -89,7 +89,11 @@ boundary_find(struct message_boundary *boundaries,
+ memcmp(boundaries->boundary, data, boundaries->len) == 0 &&
+ (best == NULL || best->len < boundaries->len)) {
+ best = boundaries;
+- if (best->len == len) {
++ /* If we see "foo--", it could either mean that there
++ is a boundary named "foo" that ends now or there's
++ a boundary "foo--" which continues. */
++ if (best->len == len ||
++ (best->len == len-2 && trailing_dashes)) {
+ /* This is exactly the wanted boundary. There
+ can't be a better one. */
+ break;
+@@ -319,6 +323,7 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ return 0;
+ }
+ size_t find_size = size;
++ bool trailing_dashes = FALSE;
+
+ if (lf_pos != NULL) {
+ find_size = lf_pos - data;
+@@ -326,11 +331,12 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ find_size--;
+ if (find_size > 2 && data[find_size-1] == '-' &&
+ data[find_size-2] == '-')
+- find_size -= 2;
++ trailing_dashes = TRUE;
+ } else if (find_size > BOUNDARY_END_MAX_LEN)
+ find_size = BOUNDARY_END_MAX_LEN;
+
+- *boundary_r = boundary_find(ctx->boundaries, data, find_size);
++ *boundary_r = boundary_find(ctx->boundaries, data, find_size,
++ trailing_dashes);
+ if (*boundary_r == NULL)
+ return -1;
+
+diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
+index 481d05942..113454ea0 100644
+--- a/src/lib-mail/test-message-parser.c
++++ b/src/lib-mail/test-message-parser.c
+@@ -510,6 +510,51 @@ static const char input_msg[] =
+ test_end();
+ }
+
++static void test_message_parser_trailing_dashes(void)
++{
++static const char input_msg[] =
++"Content-Type: multipart/mixed; boundary=\"a--\"\n"
++"\n"
++"--a--\n"
++"Content-Type: multipart/mixed; boundary=\"a----\"\n"
++"\n"
++"--a----\n"
++"Content-Type: text/plain\n"
++"\n"
++"body\n"
++"--a------\n"
++"Content-Type: text/html\n"
++"\n"
++"body2\n"
++"--a----";
++ struct message_parser_ctx *parser;
++ struct istream *input;
++ struct message_part *parts;
++ struct message_block block;
++ pool_t pool;
++ int ret;
++
++ test_begin("message parser trailing dashes");
++ pool = pool_alloconly_create("message parser", 10240);
++ input = test_istream_create(input_msg);
++
++ parser = message_parser_init(pool, input, 0, 0);
++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ;
++ test_assert(ret < 0);
++ message_parser_deinit(&parser, &parts);
++
++ test_assert(parts->children_count == 2);
++ test_assert(parts->children->next == NULL);
++ test_assert(parts->children->children_count == 1);
++ test_assert(parts->children->children->next == NULL);
++ test_assert(parts->children->children->children_count == 0);
++
++ test_parsed_parts(input, parts);
++ i_stream_unref(&input);
++ pool_unref(&pool);
++ test_end();
++}
++
+ static void test_message_parser_continuing_mime_boundary(void)
+ {
+ static const char input_msg[] =
+@@ -777,6 +822,7 @@ int main(void)
+ test_message_parser_empty_multipart,
+ test_message_parser_duplicate_mime_boundary,
+ test_message_parser_garbage_suffix_mime_boundary,
++ test_message_parser_trailing_dashes,
+ test_message_parser_continuing_mime_boundary,
+ test_message_parser_continuing_truncated_mime_boundary,
+ test_message_parser_long_mime_boundary,
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch
new file mode 100644
index 000000000..97068345f
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch
@@ -0,0 +1,32 @@
+From f77a2b6c3ffe2ea96f4a4b05ec38dc9d53266ecb Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Wed, 27 May 2020 11:35:55 +0300
+Subject: [PATCH 13/13] lib-mail: Fix parse_too_many_nested_mime_parts()
+
+This was originally correct, until it was "optimized" wrong and got merged.
+---
+ src/lib-mail/message-parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 175d4b488..5b11772ff 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -621,7 +621,7 @@ static bool block_is_at_eoh(const struct message_block *block)
+
+ static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx)
+ {
+- return ctx->nested_parts_count > ctx->max_nested_mime_parts;
++ return ctx->nested_parts_count+1 >= ctx->max_nested_mime_parts;
+ }
+
+ #define MUTEX_FLAGS \
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch
new file mode 100644
index 000000000..44f6564f8
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch
@@ -0,0 +1,27 @@
+From 1a6ff0beebf0ab0c71081eaff1d5d7fd26015a94 Mon Sep 17 00:00:00 2001
+From: Josef 'Jeff' Sipek <jeff.sipek@dovecot.fi>
+Date: Tue, 19 Sep 2017 13:26:57 +0300
+Subject: [PATCH] lib: buffer_free(NULL) should be a no-op
+
+---
+ src/lib/buffer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/src/lib/buffer.c
++++ b/src/lib/buffer.c
+@@ -148,6 +148,9 @@ void buffer_free(buffer_t **_buf)
+ {
+ struct real_buffer *buf = (struct real_buffer *)*_buf;
+
++ if (buf == NULL)
++ return;
++
+ *_buf = NULL;
+ if (buf->alloced)
+ p_free(buf->pool, buf->w_buffer);
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
index e21a94ad6..29905196b 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
@@ -10,6 +10,22 @@ SRC_URI = "http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \
file://dovecot.service \
file://dovecot.socket \
file://0001-doveadm-Fix-parallel-build.patch \
+ file://0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch \
+ file://0002-lib-mail-message-parser-Change-message_part_append-t.patch \
+ file://0003-lib-mail-message-parser-Optimize-updating-children_c.patch \
+ file://0004-lib-mail-message-parser-Optimize-appending-new-part-.patch \
+ file://0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch \
+ file://0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch \
+ file://0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch \
+ file://0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch \
+ file://0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch \
+ file://0010-lib-mail-message-parser-Support-limiting-max-number-.patch \
+ file://0011-lib-mail-message-parser-Support-limiting-max-number-.patch \
+ file://0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch \
+ file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \
+ file://buffer_free_fix.patch \
+ file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \
+ file://0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch \
"
SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2"
diff --git a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb
index 5dabdd51d..cad2fa7d7 100644
--- a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb
+++ b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb
@@ -8,13 +8,14 @@ SECTION = "admin"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=5574c6965ae5f583e55880e397fbb018"
-SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils \
- git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers \
+SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils;branch=master;protocol=https \
+ git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers;branch=master;protocol=https \
${@bb.utils.contains('DISTRO_FEATURES','usrmerge','file://0001-drbd-utils-support-usrmerge.patch','',d)} \
"
# v9.12.0
SRCREV_drbd-utils = "91629a4cce49ca0d4f917fe0bffa25cfe8db3052"
SRCREV_drbd-headers = "233006b4d26cf319638be0ef6d16ec7dee287b66"
+SRCREV_FORMAT = "drbd-utils_drbd-headers"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb
index ed5c3a979..8301c65bf 100644
--- a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb
+++ b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e4f3ea6e9b28af88dc0321190a1f8250"
S = "${WORKDIR}/git"
SRCREV = "4cdfdc38eca237c19c22a8b90490446ce6d970fa"
-SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https; \
+SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https;branch=master \
file://run-ptest \
"
diff --git a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb
index 4271c2e15..0efcbec1f 100644
--- a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb
+++ b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb
@@ -10,7 +10,7 @@ SECTION = "libdevel"
GEOIP_DATABASE_VERSION = "20181205"
-SRC_URI = "git://github.com/maxmind/geoip-api-c.git \
+SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=main;protocol=https \
http://sources.openembedded.org/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \
http://sources.openembedded.org/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \
http://sources.openembedded.org/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \
diff --git a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb
index 125b59e76..9c15490dc 100644
--- a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb
+++ b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb
@@ -9,7 +9,7 @@ inherit manpages
MAN_PKG = "${PN}"
SRCREV = "42bfbb9beb924672ca86b86e9679ac3d6b87d992"
-SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https"
+SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb
index ad0ec2700..59e540a71 100644
--- a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb
+++ b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
S = "${WORKDIR}/git"
SRCREV = "c3ee70c878b9c5833a77a1f339f1ca4dc6f225c5"
SRC_URI = "\
- git://github.com/nmav/ipcalc.git;protocol=https; \
+ git://github.com/nmav/ipcalc.git;protocol=https;branch=master \
file://0001-Makefile-pass-extra-linker-flags.patch \
"
diff --git a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb
index 3cabc4ff8..7a229c7b1 100644
--- a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb
+++ b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb
@@ -14,7 +14,7 @@ PV .= "+git${SRCPV}"
LK_REL = "1.0.18"
SRC_URI = " \
- git://github.com/sctp/lksctp-tools.git \
+ git://github.com/sctp/lksctp-tools.git;branch=master;protocol=https \
file://0001-withsctp-use-PACKAGE_VERSION-in-withsctp.h.patch \
file://0001-configure.ac-add-CURRENT-REVISION-and-AGE-for-libsct.patch \
file://0001-build-fix-netinet-sctp.h-not-to-be-installed.patch \
diff --git a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb
index 5917cfb3e..e07356165 100644
--- a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb
+++ b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
DEPENDS = "flex-native bison-native libnl python"
PV = "0.3.1+git${SRCPV}"
-SRC_URI = "git://github.com/linux-wpan/lowpan-tools \
+SRC_URI = "git://github.com/linux-wpan/lowpan-tools;branch=master;protocol=https \
file://no-help2man.patch \
file://0001-Fix-build-errors-with-clang.patch \
file://0001-addrdb-coord-config-parse.y-add-missing-time.h-inclu.patch \
diff --git a/meta-networking/recipes-support/mtr/mtr_0.93.bb b/meta-networking/recipes-support/mtr/mtr_0.93.bb
index dd150700a..4db7f7bbf 100644
--- a/meta-networking/recipes-support/mtr/mtr_0.93.bb
+++ b/meta-networking/recipes-support/mtr/mtr_0.93.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://ui/mtr.c;beginline=5;endline=16;md5=00a894a39d53726a27386534d1c4e468"
SRCREV = "304349bad86229aedbc62c07d5e98a8292967991"
-SRC_URI = "git://github.com/traviscross/mtr"
+SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb
index a63e49ec5..0876c6f35 100644
--- a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb
+++ b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb
@@ -9,7 +9,7 @@ HOMEPAGE = "https://github.com/libguestfs/nbdkit"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=4332a97808994cf2133a65b6c6f33eaf"
-SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https \
+SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
file://0001-server-Fix-build-when-printf-is-a-macro.patch \
"
diff --git a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
index 5f866052c..d359b620b 100644
--- a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
+++ b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
PV = "1.0.4+git${SRCPV}"
SRCREV = "4c794b5512d23c649def1f94a684225dcbb6ac3e"
-SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http \
+SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http;branch=master \
file://0001-replace-VLAIS-with-malloc-free-pair.patch \
file://0002-Do-not-undef-_GNU_SOURCE.patch \
file://0001-autogen-Do-not-symlink-gettext.h-from-build-host.patch \
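Review bot: This SRC_URI still fetches over cleartext `protocol=http`, while the rest of the commit moves recipes to `protocol=https`. The spice-protocol, spice and usbredir hunks further down have the same gap: they add only `branch=master` and so stay on the fetcher's default git transport. The pinned SRCREV identifies the checked-out commit by hash, but the transfer itself is neither authenticated nor encrypted. If these hosts offer an https endpoint (the repository path may differ), prefer `git://git.remlab.net/git/ndisc6.git;protocol=https;branch=master` and the equivalent for the three spice recipes. Otherwise a one-line comment saying why https is not used would help.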
diff --git a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
index 14d743f82..1e113de51 100644
--- a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
+++ b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb
@@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "b55af0bbdf5acc02d1eb6ab18da2acd77a400bafd074489003f3df0967
inherit autotools
+CVE_PRODUCT = "netcat_project:netcat"
+
do_install_append() {
install -d ${D}${bindir}
mv ${D}${bindir}/nc ${D}${bindir}/nc.${BPN}
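Review bot: `CVE_PRODUCT = "netcat_project:netcat"` carries no comment explaining why the vendor is pinned, yet this vendor:product pair decides which CVE database entries cve-check reports for the recipe. A wrong or over-narrow value silently hides findings, so the reason is worth recording, for example `# Restrict cve-check to this vendor:product so CVEs filed against other "netcat" products are not reported here`. That wording assumes this is the intent, which the hunk does not state.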
diff --git a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb
index a180571f2..af617ce92 100644
--- a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb
+++ b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb919cc88dbe06ec0b0bd50e001ccf1f"
SRCREV = "2c5d4255857531bc09d91dcd02e86545f29004d4"
PV .= "+git${SRCPV}"
-SRC_URI = "git://pagure.io/netcf.git;protocol=https \
+SRC_URI = "git://pagure.io/netcf.git;protocol=https;branch=master \
"
UPSTREAM_CHECK_GITTAGREGEX = "release-(?P<pver>(\d+(\.\d+)+))"
diff --git a/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-networking/recipes-support/netperf/netperf_git.bb
index d48f3aeab..f6ea211f7 100644
--- a/meta-networking/recipes-support/netperf/netperf_git.bb
+++ b/meta-networking/recipes-support/netperf/netperf_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a0ab17253e7a3f318da85382c7d5d5d6"
PV = "2.7.0+git${SRCPV}"
-SRC_URI = "git://github.com/HewlettPackard/netperf.git \
+SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=https \
file://cpu_set.patch \
file://vfork.patch \
file://init \
diff --git a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb
index bb401666c..0c67f67d7 100644
--- a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb
+++ b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb
@@ -14,7 +14,7 @@ and ypdomainname. \
# v4.2.3
SRCREV = "1bfda29c342a81b97cb1995ffd9e8da5de63e7ab"
-SRC_URI = "git://github.com/thkukuk/yp-tools \
+SRC_URI = "git://github.com/thkukuk/yp-tools;branch=master;protocol=https \
file://domainname.service \
"
diff --git a/meta-networking/recipes-support/ntimed/ntimed_git.bb b/meta-networking/recipes-support/ntimed/ntimed_git.bb
index a749b1659..43ed1abe3 100644
--- a/meta-networking/recipes-support/ntimed/ntimed_git.bb
+++ b/meta-networking/recipes-support/ntimed/ntimed_git.bb
@@ -8,7 +8,7 @@ SECTION = "net"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://main.c;beginline=2;endline=24;md5=89db8e76f2951f3fad167e7aa9718a44"
-SRC_URI = "git://github.com/bsdphk/Ntimed \
+SRC_URI = "git://github.com/bsdphk/Ntimed;branch=master;protocol=https \
file://use-ldflags.patch"
PV = "0.0+git${SRCPV}"
diff --git a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb
index a03b92f5f..1bf7c48e0 100644
--- a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb
+++ b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb
@@ -13,7 +13,7 @@ SECTION = "net"
DEPENDS = "openssl"
-SRC_URI = "git://github.com/open-iscsi/open-isns"
+SRC_URI = "git://github.com/open-iscsi/open-isns;branch=master;protocol=https"
SRCREV = "cfdbcff867ee580a71bc9c18c3a38a6057df0150"
diff --git a/meta-networking/recipes-support/phytool/phytool.bb b/meta-networking/recipes-support/phytool/phytool.bb
index 29499d6d7..7fde88c44 100644
--- a/meta-networking/recipes-support/phytool/phytool.bb
+++ b/meta-networking/recipes-support/phytool/phytool.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0"
PV = "2+git${SRCPV}"
SRCREV = "8882328c08ba2efb13c049812098f1d0cb8adf0c"
-SRC_URI = "git://github.com/wkz/phytool.git"
+SRC_URI = "git://github.com/wkz/phytool.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb
index 15fd7ff66..5cb4e67c2 100644
--- a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb
+++ b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb
@@ -6,7 +6,7 @@ DEPENDS = "libnl"
RDEPENDS_${PN} = "bash perl"
BRANCH = "stable-v${@d.getVar('PV').split('.')[0]}"
-SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH} \
+SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH};protocol=https \
file://0001-Remove-man-files-which-cant-be-built.patch \
"
SRCREV = "f12c953f0864691eacc9fcc4cda489b92ffd5a85"
diff --git a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb
index 0b63f79ac..d8a1f6140 100644
--- a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb
+++ b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb
@@ -6,7 +6,7 @@ LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
SRCREV = "a8e5847e5f7e411be424f9b52a6cdf9d2ed4aeb5"
-SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=git"
+SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/spice/spice-protocol_git.bb b/meta-networking/recipes-support/spice/spice-protocol_git.bb
index 1d56bea17..ca683bf22 100644
--- a/meta-networking/recipes-support/spice/spice-protocol_git.bb
+++ b/meta-networking/recipes-support/spice/spice-protocol_git.bb
@@ -18,7 +18,7 @@ PV = "0.14.1+git${SRCPV}"
SRCREV = "e0ec178a72aa33e307ee5ac02b63bf336da921a5"
SRC_URI = " \
- git://anongit.freedesktop.org/spice/spice-protocol \
+ git://anongit.freedesktop.org/spice/spice-protocol;branch=master \
"
S = "${WORKDIR}/git"
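Review bot: The three anongit.freedesktop.org entries gain `branch=master` but no `protocol=` parameter, so unlike the GitHub recipes in this series they stay on the git fetcher's default `git://` transport; this applies here and to the hunks in spice_git.bb and usbredir_0.8.0.bb. The pinned `SRCREV` values limit what someone on the network path could substitute, but the fetch itself is neither encrypted nor server-authenticated. If the host serves these repositories over HTTPS, appending `;protocol=https` would bring them in line with the rest of the change; that availability, and whether the repository path is the same over HTTPS, should be confirmed first.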
diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb
index 9d3a0e6cb..3d47f5a54 100644
--- a/meta-networking/recipes-support/spice/spice_git.bb
+++ b/meta-networking/recipes-support/spice/spice_git.bb
@@ -21,8 +21,8 @@ SRCREV_spice-common = "4fc4c2db36c7f07b906e9a326a9d3dc0ae6a2671"
SRCREV_FORMAT = "spice_spice-common"
SRC_URI = " \
- git://anongit.freedesktop.org/spice/spice;name=spice \
- git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common \
+ git://anongit.freedesktop.org/spice/spice;name=spice;branch=master \
+ git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common;branch=master \
file://0001-Convert-pthread_t-to-be-numeric.patch \
file://0001-Fix-compile-errors-on-Linux-32bit-system.patch \
"
diff --git a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb
index 9ee43be1e..f07fb3b50 100644
--- a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb
+++ b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb
@@ -10,7 +10,7 @@ DEPENDS = "libusb1"
SRCREV = "07b98b8e71f620dfdd57e92ddef6b677b259a092"
SRC_URI = " \
- git://anongit.freedesktop.org/spice/usbredir \
+ git://anongit.freedesktop.org/spice/usbredir;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch
new file mode 100644
index 000000000..b7118ba1f
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch
@@ -0,0 +1,62 @@
+From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 28 Sep 2021 17:52:08 +0200
+Subject: [PATCH] Reject RSASSA-PSS params with negative salt length
+
+The `salt_len` member in the struct is of type `ssize_t` because we use
+negative values for special automatic salt lengths when generating
+signatures.
+
+Not checking this could lead to an integer overflow. The value is assigned
+to the `len` field of a chunk (`size_t`), which is further used in
+calculations to check the padding structure and (if that is passed by a
+matching crafted signature value) eventually a memcpy() that will result
+in a segmentation fault.
+
+Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
+Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
+Fixes: CVE-2021-41990
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41990]
+CVE: CVE-2021-41990
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/libstrongswan/credentials/keys/signature_params.c | 6 +++++-
+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
+index d89bd2c96bb5..837de8443d43 100644
+--- a/src/libstrongswan/credentials/keys/signature_params.c
++++ b/src/libstrongswan/credentials/keys/signature_params.c
+@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
+ case RSASSA_PSS_PARAMS_SALT_LEN:
+ if (object.len)
+ {
+- params->salt_len = (size_t)asn1_parse_integer_uint64(object);
++ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
++ if (params->salt_len < 0)
++ {
++ goto end;
++ }
+ }
+ break;
+ case RSASSA_PSS_PARAMS_TRAILER:
+diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+index f9bd1d314dec..3a775090883e 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
+ int i;
+ bool success = FALSE;
+
+- if (!params)
++ if (!params || params->salt_len < 0)
+ {
+ return FALSE;
+ }
+--
+2.25.1
+
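Review bot: In the `rsa_pss_params_parse` hunk the 64-bit result of `asn1_parse_integer_uint64()` is narrowed to `ssize_t` before the sign check, so on targets where `ssize_t` is 32 bits an encoded salt length of 2^32 or more can presumably wrap to a small non-negative value and pass `salt_len < 0`. That does not reopen the overflow this patch fixes, but it accepts parameters that differ from what was encoded. Range-checking before the cast would close it, e.g. `uint64_t len = asn1_parse_integer_uint64(object);` followed by `if (len > SSIZE_MAX) goto end;`. As this is an upstream backport, the change belongs upstream rather than in this layer. The function body starts and ends outside the hunk.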
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch
new file mode 100644
index 000000000..2d898fa5c
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch
@@ -0,0 +1,41 @@
+From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 28 Sep 2021 19:38:22 +0200
+Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
+
+random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
+equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added
+directly to that offset before applying`% CACHE_SIZE` to get an index into
+the cache array. If the random value was very high, this resulted in an
+integer overflow and a negative index value and, therefore, an out-of-bounds
+access of the array and in turn dereferencing invalid pointers when trying
+to acquire the read lock. This most likely results in a segmentation fault.
+
+Fixes: 764e8b2211ce ("reimplemented certificate cache")
+Fixes: CVE-2021-41991
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41991]
+CVE: CVE-2021-41991
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
+index f1579c60a9bc..ceebb3843725 100644
+--- a/src/libstrongswan/credentials/sets/cert_cache.c
++++ b/src/libstrongswan/credentials/sets/cert_cache.c
+@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this,
+ for (try = 0; try < REPLACE_TRIES; try++)
+ {
+ /* replace a random relation */
+- offset = random();
++ offset = random() % CACHE_SIZE;
+ for (i = 0; i < CACHE_SIZE; i++)
+ {
+ rel = &this->relations[(i + offset) % CACHE_SIZE];
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch
new file mode 100644
index 000000000..97aa6a0ef
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch
@@ -0,0 +1,156 @@
+From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 14 Dec 2021 10:51:35 +0100
+Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails
+
+Without this, the authentication succeeded if the server sent an early
+EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
+which may be used in EAP-only scenarios but would complete without server
+or client authentication. For clients configured for such EAP-only
+scenarios, a rogue server could capture traffic after the tunnel is
+established or even access hosts behind the client. For non-mutual EAP
+methods, public key server authentication has been enforced for a while.
+
+A server previously could also crash a client by sending an EAP-Success
+immediately without initiating an actual EAP method.
+
+Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK")
+Fixes: CVE-2021-45079
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-45079/strongswan-5.5.0-5.9.4_eap_success.patch]
+CVE: CVE-2021-45079
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +-
+ src/libcharon/plugins/eap_md5/eap_md5.c | 2 +-
+ src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++-
+ src/libcharon/sa/eap/eap_method.h | 8 ++++-
+ .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++---
+ 5 files changed, 40 insertions(+), 8 deletions(-)
+
+diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
+index 95ba090b79ce..cffb6222c2f8 100644
+--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
++++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
+@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t,
+ METHOD(eap_method_t, get_msk, status_t,
+ private_eap_gtc_t *this, chunk_t *msk)
+ {
+- return FAILED;
++ return NOT_SUPPORTED;
+ }
+
+ METHOD(eap_method_t, get_identifier, uint8_t,
+diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
+index ab5f7ff6a823..3a92ad7c0a04 100644
+--- a/src/libcharon/plugins/eap_md5/eap_md5.c
++++ b/src/libcharon/plugins/eap_md5/eap_md5.c
+@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t,
+ METHOD(eap_method_t, get_msk, status_t,
+ private_eap_md5_t *this, chunk_t *msk)
+ {
+- return FAILED;
++ return NOT_SUPPORTED;
+ }
+
+ METHOD(eap_method_t, is_mutual, bool,
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
+index 2dc7a423e702..5336dead13d9 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius.c
++++ b/src/libcharon/plugins/eap_radius/eap_radius.c
+@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t,
+ *out = msk;
+ return SUCCESS;
+ }
+- return FAILED;
++ /* we assume the selected method did not establish an MSK, if it failed
++ * to establish one, process() would have failed */
++ return NOT_SUPPORTED;
+ }
+
+ METHOD(eap_method_t, get_identifier, uint8_t,
+diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
+index 0b5218dfec15..33564831f86e 100644
+--- a/src/libcharon/sa/eap/eap_method.h
++++ b/src/libcharon/sa/eap/eap_method.h
+@@ -114,10 +114,16 @@ struct eap_method_t {
+ * Not all EAP methods establish a shared secret. For implementations of
+ * the EAP-Identity method, get_msk() returns the received identity.
+ *
++ * @note Returning NOT_SUPPORTED is important for implementations of EAP
++ * methods that don't establish an MSK. In particular as client because
++ * key-generating EAP methods MUST fail to process EAP-Success messages if
++ * no MSK is established.
++ *
+ * @param msk chunk receiving internal stored MSK
+ * @return
+- * - SUCCESS, or
++ * - SUCCESS, if MSK is established
+ * - FAILED, if MSK not established (yet)
++ * - NOT_SUPPORTED, for non-MSK-establishing methods
+ */
+ status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
+
+diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+index e1e6cd7ee6f3..87548fc471a6 100644
+--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
++++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
+ this->method->destroy(this->method);
+ return server_initiate_eap(this, FALSE);
+ }
+- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
++ switch (this->method->get_msk(this->method, &this->msk))
+ {
+- this->msk = chunk_clone(this->msk);
++ case SUCCESS:
++ this->msk = chunk_clone(this->msk);
++ break;
++ case NOT_SUPPORTED:
++ break;
++ case FAILED:
++ default:
++ DBG1(DBG_IKE, "failed to establish MSK");
++ goto failure;
+ }
+ if (vendor)
+ {
+@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
+ return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
+ case FAILED:
+ default:
++failure:
+ /* type might have changed for virtual methods */
+ type = this->method->get_type(this->method, &vendor);
+ if (vendor)
+@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t,
+ uint32_t vendor;
+ auth_cfg_t *cfg;
+
+- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
++ if (!this->method)
+ {
+- this->msk = chunk_clone(this->msk);
++ DBG1(DBG_IKE, "received unexpected %N",
++ eap_code_names, eap_payload->get_code(eap_payload));
++ return FAILED;
++ }
++ switch (this->method->get_msk(this->method, &this->msk))
++ {
++ case SUCCESS:
++ this->msk = chunk_clone(this->msk);
++ break;
++ case NOT_SUPPORTED:
++ break;
++ case FAILED:
++ default:
++ DBG1(DBG_IKE, "received %N but failed to establish MSK",
++ eap_code_names, eap_payload->get_code(eap_payload));
++ return FAILED;
+ }
+ type = this->method->get_type(this->method, &vendor);
+ if (vendor)
+--
+2.25.1
+
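Review bot: After this change `process_client` and `server_process_eap` treat every `get_msk()` result other than `SUCCESS` or `NOT_SUPPORTED` as an authentication failure, but only eap_gtc, eap_md5 and eap_radius are switched to `NOT_SUPPORTED` in this patch. Any other EAP method plugin built against this recipe that still returns `FAILED` for a non-key-generating method would now fail closed. That is the safe direction, but it deserves a line in the patch header so integrators audit such plugins, e.g. `Note: EAP plugins that establish no MSK must return NOT_SUPPORTED from get_msk()`. Both functions continue outside their hunks.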
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch
new file mode 100644
index 000000000..66e504712
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch
@@ -0,0 +1,210 @@
+From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 22 Jul 2022 15:37:43 +0200
+Subject: [PATCH] credential-manager: Do online revocation checks only after
+ basic trust chain validation
+
+This avoids querying URLs of potentially untrusted certificates, e.g. if
+an attacker sends a specially crafted end-entity and intermediate CA
+certificate with a CDP that points to a server that completes the
+TCP handshake but then does not send any further data, which will block
+the fetcher thread (depending on the plugin) for as long as the default
+timeout for TCP. Doing that multiple times will block all worker threads,
+leading to a DoS attack.
+
+The logging during the certificate verification obviously changes. The
+following example shows the output of `pki --verify` for the current
+strongswan.org certificate:
+
+new:
+
+ using certificate "CN=www.strongswan.org"
+ using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3"
+ using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+ reached self-signed root ca with a path length of 1
+checking certificate status of "CN=www.strongswan.org"
+ requesting ocsp status from 'http://r3.o.lencr.org' ...
+ ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
+ ocsp response is valid: until Jul 27 12:59:58 2022
+certificate status is good
+checking certificate status of "C=US, O=Let's Encrypt, CN=R3"
+ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found
+ fetching crl from 'http://x1.c.lencr.org/' ...
+ using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+ crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+ crl is valid: until Apr 18 01:59:59 2023
+certificate status is good
+certificate trusted, lifetimes valid, certificate not revoked
+
+old:
+
+ using certificate "CN=www.strongswan.org"
+ using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3"
+checking certificate status of "CN=www.strongswan.org"
+ requesting ocsp status from 'http://r3.o.lencr.org' ...
+ ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
+ ocsp response is valid: until Jul 27 12:59:58 2022
+certificate status is good
+ using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+checking certificate status of "C=US, O=Let's Encrypt, CN=R3"
+ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found
+ fetching crl from 'http://x1.c.lencr.org/' ...
+ using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+ crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
+ crl is valid: until Apr 18 01:59:59 2023
+certificate status is good
+ reached self-signed root ca with a path length of 1
+certificate trusted, lifetimes valid, certificate not revoked
+
+Note that this also fixes an issue with the previous dual-use of the
+`trusted` flag. It not only indicated whether the chain is trusted but
+also whether the current issuer is the root anchor (the corresponding
+flag in the `cert_validator_t` interface is called `anchor`). This was
+a problem when building multi-level trust chains for pre-trusted
+end-entity certificates (i.e. where `trusted` is TRUE from the start).
+This caused the main loop to get aborted after the first intermediate CA
+certificate and the mentioned `anchor` flag wasn't correct in any calls
+to `cert_validator_t` implementations.
+
+Fixes: CVE-2022-40617
+
+CVE: CVE-2022-40617
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2022-40617/strongswan-5.1.0-5.9.7_cert_online_validate.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ .../credentials/credential_manager.c | 54 +++++++++++++++----
+ 1 file changed, 45 insertions(+), 9 deletions(-)
+
+diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
+index e93b5943a3a7..798785544e41 100644
+--- a/src/libstrongswan/credentials/credential_manager.c
++++ b/src/libstrongswan/credentials/credential_manager.c
+@@ -556,7 +556,7 @@ static void cache_queue(private_credential_manager_t *this)
+ */
+ static bool check_lifetime(private_credential_manager_t *this,
+ certificate_t *cert, char *label,
+- int pathlen, bool trusted, auth_cfg_t *auth)
++ int pathlen, bool anchor, auth_cfg_t *auth)
+ {
+ time_t not_before, not_after;
+ cert_validator_t *validator;
+@@ -571,7 +571,7 @@ static bool check_lifetime(private_credential_manager_t *this,
+ continue;
+ }
+ status = validator->check_lifetime(validator, cert,
+- pathlen, trusted, auth);
++ pathlen, anchor, auth);
+ if (status != NEED_MORE)
+ {
+ break;
+@@ -604,13 +604,13 @@ static bool check_lifetime(private_credential_manager_t *this,
+ */
+ static bool check_certificate(private_credential_manager_t *this,
+ certificate_t *subject, certificate_t *issuer, bool online,
+- int pathlen, bool trusted, auth_cfg_t *auth)
++ int pathlen, bool anchor, auth_cfg_t *auth)
+ {
+ cert_validator_t *validator;
+ enumerator_t *enumerator;
+
+ if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) ||
+- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth))
++ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth))
+ {
+ return FALSE;
+ }
+@@ -623,7 +623,7 @@ static bool check_certificate(private_credential_manager_t *this,
+ continue;
+ }
+ if (!validator->validate(validator, subject, issuer,
+- online, pathlen, trusted, auth))
++ online, pathlen, anchor, auth))
+ {
+ enumerator->destroy(enumerator);
+ return FALSE;
+@@ -726,6 +726,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ auth_cfg_t *auth;
+ signature_params_t *scheme;
+ int pathlen;
++ bool is_anchor = FALSE;
+
+ auth = auth_cfg_create();
+ get_key_strength(subject, auth);
+@@ -743,7 +744,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
+ DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"",
+ issuer->get_subject(issuer));
+- trusted = TRUE;
++ trusted = is_anchor = TRUE;
+ }
+ else
+ {
+@@ -778,11 +779,18 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ DBG1(DBG_CFG, " issuer is \"%Y\"",
+ current->get_issuer(current));
+ call_hook(this, CRED_HOOK_NO_ISSUER, current);
++ if (trusted)
++ {
++ DBG1(DBG_CFG, " reached end of incomplete trust chain for "
++ "trusted certificate \"%Y\"",
++ subject->get_subject(subject));
++ }
+ break;
+ }
+ }
+- if (!check_certificate(this, current, issuer, online,
+- pathlen, trusted, auth))
++ /* don't do online verification here */
++ if (!check_certificate(this, current, issuer, FALSE,
++ pathlen, is_anchor, auth))
+ {
+ trusted = FALSE;
+ issuer->destroy(issuer);
+@@ -794,7 +802,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ }
+ current->destroy(current);
+ current = issuer;
+- if (trusted)
++ if (is_anchor)
+ {
+ DBG1(DBG_CFG, " reached self-signed root ca with a "
+ "path length of %d", pathlen);
+@@ -807,6 +815,34 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
+ call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject);
+ }
++ else if (trusted && online)
++ {
++ enumerator_t *enumerator;
++ auth_rule_t rule;
++
++ /* do online revocation checks after basic validation of the chain */
++ pathlen = 0;
++ current = subject;
++ enumerator = auth->create_enumerator(auth);
++ while (enumerator->enumerate(enumerator, &rule, &issuer))
++ {
++ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT)
++ {
++ if (!check_certificate(this, current, issuer, TRUE, pathlen++,
++ rule == AUTH_RULE_CA_CERT, auth))
++ {
++ trusted = FALSE;
++ break;
++ }
++ else if (rule == AUTH_RULE_CA_CERT)
++ {
++ break;
++ }
++ current = issuer;
++ }
++ }
++ enumerator->destroy(enumerator);
++ }
+ if (trusted)
+ {
+ result->merge(result, auth, FALSE);
+--
+2.25.1
+
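Review bot: The added online pass in `verify_trust_chain` walks `auth` with an enumerator and pairs each `AUTH_RULE_IM_CERT`/`AUTH_RULE_CA_CERT` entry with `current`, which appears to rely on the rules having been added in chain order during the first loop; that assumption is not stated anywhere in the hunk. A short comment above the `while` would make it explicit, for example `/* auth lists IM/CA certs in the order the chain was built, subject's issuer first */`. The function starts and ends outside the hunk, so the insertion order could not be confirmed here.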
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
index 8a8809243..c11748645 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
@@ -11,6 +11,10 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
file://fix-funtion-parameter.patch \
file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \
file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \
+ file://CVE-2021-41990.patch \
+ file://CVE-2021-41991.patch \
+ file://CVE-2021-45079.patch \
+ file://CVE-2022-40617.patch \
"
SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
index 9b74e00c5..84d4716f3 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
@@ -9,6 +9,7 @@ if we haven't captured all of it.
(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+CVE: CVE-2020-8037
Upstream-Status: Backport
Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
new file mode 100644
index 000000000..5f5c68ccd
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
@@ -0,0 +1,111 @@
+From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Wed, 30 Sep 2020 11:37:30 -0700
+Subject: [PATCH] Handle very large -f files by rejecting them.
+
+_read(), on Windows, has a 32-bit size argument and a 32-bit return
+value, so reject -f files that have more than 2^31-1 characters.
+
+Add some #defines so that, on Windows, we use _fstati64 to get the size
+of that file, to handle large files.
+
+Don't assume that our definition for ssize_t is the same size as size_t;
+by the time we want to print the return value of the read, we know it'll
+fit into an int, so just cast it to int and print it with %d.
+
+(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77)
+
+CVE: CVE-2022-25308
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ netdissect-stdinc.h | 16 +++++++++++++++-
+ tcpdump.c | 15 ++++++++++++---
+ 2 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h
+index 8282c5846..9941c2a16 100644
+--- a/netdissect-stdinc.h
++++ b/netdissect-stdinc.h
+@@ -149,10 +149,17 @@
+ #ifdef _MSC_VER
+ #define stat _stat
+ #define open _open
+-#define fstat _fstat
+ #define read _read
+ #define close _close
+ #define O_RDONLY _O_RDONLY
++
++/*
++ * We define our_fstat64 as _fstati64, and define our_statb as
++ * struct _stati64, so we get 64-bit file sizes.
++ */
++#define our_fstat _fstati64
++#define our_statb struct _stati64
++
+ #endif /* _MSC_VER */
+
+ /*
+@@ -211,6 +218,13 @@ typedef char* caddr_t;
+
+ #include <arpa/inet.h>
+
++/*
++ * We should have large file support enabled, if it's available,
++ * so just use fstat as our_fstat and struct stat as our_statb.
++ */
++#define our_fstat fstat
++#define our_statb struct stat
++
+ #endif /* _WIN32 */
+
+ #ifndef HAVE___ATTRIBUTE__
+diff --git a/tcpdump.c b/tcpdump.c
+index 043bda1d7..8f27ba2a4 100644
+--- a/tcpdump.c
++++ b/tcpdump.c
+@@ -108,6 +108,7 @@ The Regents of the University of California. All rights reserved.\n";
+ #endif /* HAVE_CAP_NG_H */
+ #endif /* HAVE_LIBCAP_NG */
+
++#include "netdissect-stdinc.h"
+ #include "netdissect.h"
+ #include "interface.h"
+ #include "addrtoname.h"
+@@ -861,15 +862,22 @@ read_infile(char *fname)
+ {
+ register int i, fd, cc;
+ register char *cp;
+- struct stat buf;
++ our_statb buf;
+
+ fd = open(fname, O_RDONLY|O_BINARY);
+ if (fd < 0)
+ error("can't open %s: %s", fname, pcap_strerror(errno));
+
+- if (fstat(fd, &buf) < 0)
++ if (our_fstat(fd, &buf) < 0)
+ error("can't stat %s: %s", fname, pcap_strerror(errno));
+
++ /*
++ * Reject files whose size doesn't fit into an int; a filter
++ * *that* large will probably be too big.
++ */
++ if (buf.st_size > INT_MAX)
++ error("%s is too large", fname);
++
+ cp = malloc((u_int)buf.st_size + 1);
+ if (cp == NULL)
+ error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1,
+@@ -878,7 +886,8 @@ read_infile(char *fname)
+ if (cc < 0)
+ error("read %s: %s", fname, pcap_strerror(errno));
+ if (cc != buf.st_size)
+- error("short read %s (%d != %d)", fname, cc, (int)buf.st_size);
++ error("short read %s (%d != %d)", fname, (int) cc,
++ (int)buf.st_size);
+
+ close(fd);
+ /* replace "# comment" with spaces */
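Review bot: The `CVE:` tag inside this patch reads `CVE-2022-25308`, which does not match the file name `CVE-2018-16301.patch` or the subject of the change (rejecting oversized `-f` filter files). Tooling that marks CVEs as patched from this tag would record the wrong identifier for tcpdump and could leave the intended one reported as open. The tag should presumably be `CVE: CVE-2018-16301`; confirm against the upstream advisory before changing it.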
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
index 2ea493863..66bf21775 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
file://add-ptest.patch \
file://run-ptest \
file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
+ file://CVE-2018-16301.patch \
"
SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"
diff --git a/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch
new file mode 100644
index 000000000..3ca9a831f
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch
@@ -0,0 +1,37 @@
+From d3110859064b15408dbca1294dc7e31c2208504d Mon Sep 17 00:00:00 2001
+From: Gabriel Ganne <gabriel.ganne@gmail.com>
+Date: Mon, 3 Aug 2020 08:26:38 +0200
+Subject: [PATCH] fix heap-buffer-overflow when DLT_JUNIPER_ETHER
+
+The test logic on datalen was inverted.
+
+Processing truncated packats should now raise a warning like the
+following:
+ Warning: <pcap> was captured using a snaplen of 4 bytes. This may mean you have truncated packets.
+
+Fixes #616 #617
+
+CVE: CVE-2020-24265
+CVE: CVE-2020-24266
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/d3110859064b15408dbca1294dc7e31c2208504d]
+
+Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com>
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+ src/common/get.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/common/get.c b/src/common/get.c
+index f9ee92d3..0517bf0a 100644
+--- a/src/common/get.c
++++ b/src/common/get.c
+@@ -178,7 +178,7 @@ get_l2len(const u_char *pktdata, const int datalen, const int datalink)
+ break;
+
+ case DLT_JUNIPER_ETHER:
+- if (datalen >= 5) {
++ if (datalen < 5) {
+ l2_len = -1;
+ break;
+ }
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb
index 39be950ad..557d32331 100644
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb
@@ -6,7 +6,8 @@ SECTION = "net"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=890b830b22fd632e9ffd996df20338f8"
-SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz"
+SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz \
+ file://CVE-2020-24265-and-CVE-2020-24266.patch"
SRC_URI[md5sum] = "53b52bf64f0b6b9443428e657b37bc6b"
SRC_URI[sha256sum] = "ed2402caa9434ff5c74b2e7b31178c73e7c7c5c4ea1e1d0e2e39a7dc46958fde"
diff --git a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb
index 6200214ac..f4b3c28ae 100644
--- a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb
+++ b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb
@@ -9,7 +9,7 @@ SECTION = "net"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5308494bc0590c0cb036afd781d78f06"
-SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master \
+SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master;protocol=https \
file://0001-contrib-add-yocto-compatible-startup-scripts.patch \
"
SRCREV="b60c4a472c856f0a98120b7259e991b3a6507eb5"
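Review bot: The new SRC_URI carries two conflicting values for the same parameter, `protocol=http` and `protocol=https`, because the suffix was appended without removing the old one. Which value the fetcher honours then depends on how it parses duplicate parameters (likely the last one, but that should not be relied on), and ending up on plain HTTP would leave the clone without transport authentication. Drop the stale parameter so the line reads `SRC_URI = "git://github.com/NLnetLabs/unbound.git;branch=master;protocol=https \`.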
diff --git a/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch
new file mode 100644
index 000000000..54438dd87
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch
@@ -0,0 +1,22 @@
+Fix update to build for alt arch machine.
+
+Commit 9ca6e39c7ee26570e29dc87332ffb0f6c1d0e4a4 changed the UseLemon to use
+the target lemon built by the target wireshark. Revert to use the one built by
+wireshark-native.
+
+Upstream-Status: Inappropriate [configuration]
+Signed-off: Armin Kuster <akuster@mvista.com>
+
+Index: wireshark-3.2.18/cmake/modules/UseLemon.cmake
+===================================================================
+--- wireshark-3.2.18.orig/cmake/modules/UseLemon.cmake
++++ wireshark-3.2.18/cmake/modules/UseLemon.cmake
+@@ -13,7 +13,7 @@ MACRO(ADD_LEMON_FILES _source _generated
+ # These files are generated as side-effect
+ ${_out}.h
+ ${_out}.out
+- COMMAND $<TARGET_FILE:lemon>
++ COMMAND lemon
+ -T${_lemonpardir}/lempar.c
+ -d.
+ ${_in}
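Review bot: `COMMAND lemon` in the UseLemon.cmake hunk resolves the parser generator through PATH at build time, so the build runs whichever `lemon` is found first rather than a binary the build has located and named. In a bitbake build that is presumably the one staged by wireshark-native, but nothing checks it; resolving it once with CMake's `find_program` and failing when it is missing would make the dependency explicit. Separately, the trailer reads `Signed-off:`; the usual form is `Signed-off-by:`.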
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.15.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
index 36e84d0cc..f9e22141c 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.2.15.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb
@@ -8,11 +8,12 @@ DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bi
DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native "
-SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz"
+SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \
+ file://fix_lemon_path.patch "
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
-SRC_URI[sha256sum] = "32f6cfd67b00903a1bfca02ecc4ccf72db6b70d4fda33e4a099fefb03e849bdb"
+SRC_URI[sha256sum] = "bbe75d909b052fcd67a850f149f0d5b1e2531026fc2413946b48570293306887"
PE = "1"
diff --git a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb
index bab75fee3..6b83cbd52 100644
--- a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb
+++ b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4cfd939b1d7e6aba9fcefb7f6e2fd45d"
DEPENDS = "libnl"
-SRC_URI = "git://github.com/linux-wpan/wpan-tools"
+SRC_URI = "git://github.com/linux-wpan/wpan-tools;branch=master;protocol=https"
SRCREV = "a316ca2caa746d60817400e5bf646c2820f09273"
S = "${WORKDIR}/git"
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb
index de4fa1642..75a206c6b 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
inherit setuptools3
-SRC_URI = "git://github.com/sivel/speedtest-cli.git"
+SRC_URI = "git://github.com/sivel/speedtest-cli.git;branch=master;protocol=https"
SRCREV = "c58ad3367bf27f4b4a4d5b1bca29ebd574731c5d"
S = "${WORKDIR}/git"
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb
index 065243ccf..f55247d9e 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb
@@ -21,7 +21,7 @@ SRCREV_inih = "4b10c654051a86556dfdb634c891b6c3224c4109"
SRCREV_FORMAT = "rwmem_inih"
SRC_URI = " \
- git://github.com/tomba/rwmem.git;protocol=https;name=rwmem \
+ git://github.com/tomba/rwmem.git;protocol=https;name=rwmem;branch=master \
git://github.com/benhoyt/inih.git;protocol=https;name=inih;nobranch=1;destsuffix=git/ext/inih \
"
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
index 58841ef31..cc15a8de3 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
@@ -14,7 +14,7 @@ inherit scons dos2unix siteinfo python3native
PV = "4.2.2"
#v4.2.2
SRCREV = "a0bbbff6ada159e19298d37946ac8dc4b497eadf"
-SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2 \
+SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2;protocol=https \
file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \
file://0001-Use-long-long-instead-of-int64_t.patch \
file://0001-Use-__GLIBC__-to-control-use-of-gnu_get_libc_version.patch \
@@ -56,6 +56,8 @@ EXTRA_OESCONS = "--prefix=${D}${prefix} \
LINKFLAGS='${LDFLAGS}' \
CXXFLAGS='${CXXFLAGS}' \
TARGET_ARCH=${TARGET_ARCH} \
+ MONGO_VERSION=${PV} \
+ OBJCOPY=${OBJCOPY} \
--ssl \
--disable-warnings-as-errors \
--use-system-zlib \
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb
index 275b984e4..f0a0c6797 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=18810669f13b87348459e611d31ab760 \
PV = "0.5.9+git${SRCPV}"
SRCREV = "3a3d622d9bb74c44fa67bc20573751a207514134"
-SRC_URI = "git://github.com/lcdproc/lcdproc \
+SRC_URI = "git://github.com/lcdproc/lcdproc;branch=master;protocol=https \
file://0001-Fix-parallel-build-fix-port-internal-make-dependenci.patch \
file://0002-Include-limits.h-for-PATH_MAX-definition.patch \
file://0003-Fix-non-x86-platforms-on-musl.patch \
diff --git a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb
index b21212a43..de2341da4 100644
--- a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb
+++ b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb
@@ -9,7 +9,7 @@ SRCREV = "ad7e646700d14b81413297bda02fb7fe96613c3f"
PV = "1.0+git${SRCPV}"
-SRC_URI = "git://github.com/ssvb/cpuburn-arm.git \
+SRC_URI = "git://github.com/ssvb/cpuburn-arm.git;branch=master;protocol=https \
file://0001-cpuburn-a8.S-Remove-.func-.endfunc.patch \
file://0002-burn.S-Add.patch \
file://0003-burn.S-Remove-.func-.endfunc.patch \
diff --git a/meta-oe/recipes-benchmark/fio/fio_3.17.bb b/meta-oe/recipes-benchmark/fio/fio_3.17.bb
index 759d1087c..bb3243a5c 100644
--- a/meta-oe/recipes-benchmark/fio/fio_3.17.bb
+++ b/meta-oe/recipes-benchmark/fio/fio_3.17.bb
@@ -23,7 +23,7 @@ PACKAGECONFIG ??= "${PACKAGECONFIG_NUMA}"
PACKAGECONFIG[numa] = ",--disable-numa,numactl"
SRCREV = "08ce9dc20b8a4e55db7af6d869ddfa49b4a02d03"
-SRC_URI = "git://git.kernel.dk/fio.git \
+SRC_URI = "git://git.kernel.dk/fio.git;branch=master \
file://0001-update-the-interpreter-paths.patch \
file://python3_shebangs.patch \
"
diff --git a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb
index 6d20bbdaf..4976bf690 100644
--- a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb
+++ b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb
@@ -14,7 +14,7 @@ PV = "20191226+${SRCPV}"
COMPATIBLE_HOST_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '.*-linux*', 'null', d)}"
-SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https \
+SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https;branch=master \
file://python3.patch"
SRCREV = "72dabc5d72b49c6d45badeb8a941ba4d829b0bd6"
diff --git a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb
index 4a520e3be..86e5fef53 100644
--- a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb
+++ b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb
@@ -19,3 +19,5 @@ EXTRA_OECONF = "--exec-prefix=${STAGING_DIR_HOST}${layout_exec_prefix}"
PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}"
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+
+CVE_PRODUCT = "iperf_project:iperf"
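Review bot: `CVE_PRODUCT = "iperf_project:iperf"` is added here for iperf2 2.0.13 and again in the iperf3_3.7.bb hunk of this commit, with no comment explaining why two different code bases share one product name. CVE matching works on product and version, so an entry filed for one project may be reported against the other; a range such as "before 3.x" would also cover 2.0.13. A comment above the assignment would record that scan hits need triage by upstream project, for example `# Same NVD product as iperf3; check which code base a reported CVE refers to`.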
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
index 98d2faabf..b7ffb029a 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9088fe7ffdccd042f7645f1012d7f70"
DEPENDS = "openssl"
-SRC_URI = "git://github.com/esnet/iperf.git \
+SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
file://0002-Remove-pg-from-profile_CFLAGS.patch \
"
@@ -28,3 +28,5 @@ PACKAGECONFIG[lksctp] = "ac_cv_header_netinet_sctp_h=yes,ac_cv_header_netinet_sc
CFLAGS += "-D_GNU_SOURCE"
EXTRA_OECONF = "--with-openssl=${RECIPE_SYSROOT}${prefix}"
+
+CVE_PRODUCT = "iperf_project:iperf"
diff --git a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb
index e81389431..60286c324 100644
--- a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb
+++ b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=9a825c63897c53f487ef900598c31527"
SRCREV = "b6b2ce5f9f87a09b14499cb00c600c601f022634"
PV = "20110206+git${SRCPV}"
-SRC_URI = "git://git.musl-libc.org/libc-bench \
+SRC_URI = "git://git.musl-libc.org/libc-bench;branch=master \
"
S = "${WORKDIR}/git"
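Review bot: This URI gains `branch=master` but, unlike the GitHub entries in this commit, no `protocol=https`, so the fetch presumably still uses the unauthenticated git:// transport. The pinned SRCREV limits what a tampered transport could deliver. If the host serves the repository over HTTPS, appending `;protocol=https` would be the safer setting; if it does not, a one-line comment saying so would document the exception. The fio_3.17.bb (git.kernel.dk) and iwd_1.9.bb (git.kernel.org) hunks are in the same state.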
diff --git a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb
index 4768d7b63..d6c35d0b3 100644
--- a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb
+++ b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb
@@ -12,7 +12,7 @@ PE = "1"
SRCREV = "e6499ff92b4a7dcffbd131d1f5d24933e48c3f20"
SRC_URI = " \
- git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https \
+ git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https;branch=master \
file://skip-checking-LIB32-and-LIB64-if-they-point-to-the-s.patch \
file://libhugetlbfs-avoid-search-host-library-path-for-cros.patch \
file://tests-Makefile-install-static-4G-edge-testcases.patch \
diff --git a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb
index a2966e99d..d30ea5a01 100644
--- a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb
+++ b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55ea9d559f985fb4834317d8ed6b9e58"
SRCREV = "fb72e5e5f0879231f38e0e826a98a6ca2d1ca38e"
-SRC_URI = "git://github.com/stressapptest/stressapptest \
+SRC_URI = "git://github.com/stressapptest/stressapptest;branch=master;protocol=https \
file://libcplusplus-compat.patch \
file://read_sysfs_for_cachesize.patch \
"
diff --git a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb
index 2ce10f9c4..9c20d68ef 100644
--- a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb
+++ b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=22;md5=879b9bbb60851454885b5fa47eb6b34
PV = "0.4.0+git${SRCPV}"
SRCREV = "a2cf6d7e382e3aea1eb39173174d9fa28cad15f3"
-SRC_URI = "git://github.com/ssvb/tinymembench.git \
+SRC_URI = "git://github.com/ssvb/tinymembench.git;branch=master;protocol=https \
file://0001-asm-Delete-.func-.endfunc-directives.patch \
"
diff --git a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb
index 88fcc0200..589d62717 100644
--- a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb
+++ b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
SRCREV = "a2f0c39d5f21596bb9f5223e895c0ff210b265d0"
# SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/cpufreq/cpufrequtils.git
-SRC_URI = "git://github.com/emagii/cpufrequtils.git \
+SRC_URI = "git://github.com/emagii/cpufrequtils.git;branch=master;protocol=https \
file://0001-dont-unset-cflags.patch \
"
diff --git a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb
index b89fe6771..e42adc6dc 100644
--- a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb
+++ b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb
@@ -11,7 +11,7 @@ PV = "0.18+git${SRCPV}"
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/grondo/edac-utils \
+SRC_URI = "git://github.com/grondo/edac-utils;branch=master;protocol=https \
file://make-init-script-be-able-to-automatically-load-EDAC-.patch \
file://add-restart-to-initscript.patch \
file://edac.service \
diff --git a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb
index f9ae9aad9..1a9cb18c5 100644
--- a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb
+++ b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb
@@ -16,7 +16,7 @@ inherit autotools systemd
SYSTEMD_SERVICE_${PN} = "ledmon.service"
# 0.93
-SRC_URI = "git://github.com/intel/ledmon;branch=master \
+SRC_URI = "git://github.com/intel/ledmon;branch=master;protocol=https \
file://0002-include-sys-select.h-and-sys-types.h.patch \
file://0001-Don-t-build-with-Werror-to-fix-compile-error.patch \
"
diff --git a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb
index 890db55bc..37a98a099 100644
--- a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb
+++ b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb
@@ -10,7 +10,7 @@ DEPENDS = " \
virtual/libiconv \
"
-SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https \
+SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https;branch=master \
file://fancontrol.init \
file://sensord.init \
"
@@ -95,7 +95,7 @@ RDEPENDS_${PN} += " \
${PN}-sensorsdetect \
${PN}-sensorsconfconvert \
${PN}-pwmconfig \
- ${PN}-isatools \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'x86', '${PN}-isatools', '', d)} \
"
# libsensors packages
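Review bot: The new conditional around `${PN}-isatools` has no comment saying why the runtime dependency is limited to machines with `x86` in MACHINE_FEATURES. Presumably the ISA tools are only built for x86 targets; a line such as `# isatools is only produced on x86, so only depend on it there` would make that explicit. It may also be worth confirming that every x86 machine configuration in use sets that feature, since a BSP that omits it would silently lose the package from the image. The RDEPENDS assignment starts above this hunk.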
diff --git a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb
index 4f4bb2dfa..9344c17dc 100644
--- a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb
+++ b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8264535c0c4e9c6c335635c4026a8022"
DEPENDS = "util-linux"
PV .= "+git${SRCPV}"
-SRC_URI = "git://github.com/linux-nvme/nvme-cli.git \
+SRC_URI = "git://github.com/linux-nvme/nvme-cli.git;branch=master;protocol=https \
file://0001-fix-musl-compilation.patch \
"
SRCREV = "1d84d6ae0c7d7ceff5a73fe174dde8b0005f6108"
diff --git a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
index 6b4decce5..64595d59c 100644
--- a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
+++ b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
@@ -9,7 +9,7 @@ DEPENDS += "glib-2.0-native"
PV = "0.2+git${SRCPV}"
-SRC_URI = "git://github.com/labapart/gattlib.git \
+SRC_URI = "git://github.com/labapart/gattlib.git;branch=master;protocol=https \
file://dbus-avoid-strange-chars-from-the-build-dir.patch \
file://0001-cmake-Use-GNUInstallDirs.patch \
"
@@ -28,5 +28,5 @@ EXTRA_OECMAKE += "-DGATTLIB_BUILD_DOCS=OFF"
inherit pkgconfig cmake
-FILES_${PN} = "${libdir}/* ${includedir}/*"
-FILES_${PN}-dev = "${includedir}/*"
+FILES_${PN} = "${libdir}/*"
+FILES_${PN}-dev = "${includedir}/* ${libdir}/pkgconfig"
diff --git a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb
index 8c97662df..bee757d5a 100644
--- a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb
+++ b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=a0fd36908af843bcee10cb6dfc47fa67 \
SRCREV = "95ec1ab31ee97411fc37156d12061adcf0331598"
PV = "1.5.3+git${SRCPV}"
-SRC_URI = "git://github.com/cminyard/gensio;protocol=https \
+SRC_URI = "git://github.com/cminyard/gensio;protocol=https;branch=master \
file://0001-filter-Rename-some-variables-to-tr_stdxxx.patch \
"
diff --git a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb
index 25500e650..1606f10cf 100644
--- a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb
+++ b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb504b67c50331fc78734fed90fb0e09"
DEPENDS = "ell"
-SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git"
+SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git;branch=master"
SRCREV = "aa3dc1b95348dea177e9d8c2c3063b29e20fe2e9"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb
index 908b98d8c..b1a9ed7ec 100644
--- a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb
+++ b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb
@@ -12,7 +12,7 @@ DEPENDS = "libplist usbmuxd libusbmuxd libtasn1 gnutls libgcrypt"
SRCREV = "fb71aeef10488ed7b0e60a1c8a553193301428c0"
PV = "1.2.0+git${SRCPV}"
SRC_URI = "\
- git://github.com/libimobiledevice/libimobiledevice;protocol=https \
+ git://github.com/libimobiledevice/libimobiledevice;protocol=https;branch=master \
file://configure-fix-largefile.patch \
"
diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb
index 07a7a1d23..2537963dd 100644
--- a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb
+++ b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://libndp.org/"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://github.com/jpirko/libndp \
+SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \
"
# tag for v1.6
SRCREV = "96674e7d4f4d569c2c961e865cc16152dfab5f09"
diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
index 3ee69554b..b4094dd6f 100644
--- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
+++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
DEPENDS = "zlib libsigc++-2.0 openssl cppunit"
-SRC_URI = "git://github.com/rakshasa/libtorrent \
+SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https \
file://don-t-run-code-while-configuring-package.patch \
"
SRCREV = "756f70010779927dc0691e1e722ed433d5d295e1"
diff --git a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb
index 757720731..41e95f56a 100644
--- a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb
+++ b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb
@@ -5,7 +5,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47"
SRCREV = "533b738838ad8407032e14b6772b29ef9af63cfa"
-SRC_URI = "git://github.com/libuv/libuv;branch=v1.x \
+SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https \
file://CVE-2020-8252.patch"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb
index c98976779..79e59a8fe 100644
--- a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb
+++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb
@@ -2,14 +2,13 @@ DESCRIPTION = "Precision Time Protocol (PTP) according to IEEE standard 1588 for
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v${PV}/linuxptp-${PV}.tgz \
+SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v2.0/linuxptp-${PV}.tgz \
file://build-Allow-CC-and-prefix-to-be-overriden.patch \
file://Use-cross-cpp-in-incdefs.patch \
file://time_t_maybe_long_long.patch \
"
-SRC_URI[md5sum] = "d8bb7374943bb747db7786ac26f17f11"
-SRC_URI[sha256sum] = "0a24d9401e87d4af023d201e234d91127d82c350daad93432106284aa9459c7d"
+SRC_URI[sha256sum] = "6f4669db1733747427217a9e74c8b5ca25c4245947463e9cdb860ec8f5ec797a"
EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} EXTRA_CFLAGS='${CFLAGS}'"
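Review bot: The download path now hard-codes `v2.0` where it used `v${PV}`, and nothing explains why, so the next version bump is likely to fetch from the wrong directory or fail. A comment such as `# 2.0.1 is published in upstream's v2.0 directory` above SRC_URI would record the reason, assuming that is the cause. The tarball is also still requested over plain `http://`. The sha256sum catches a modified file, but switching the scheme to `https://` would also keep the request itself off cleartext, provided the download host serves this path over HTTPS.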
diff --git a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb
index 3a1222e89..d070111e9 100644
--- a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb
+++ b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = " \
file://about.html;md5=e5662cbb5f8fd5c9faac526e4077898e \
"
-SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http \
+SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http;branch=master;protocol=https \
file://0001-Fix-bug-of-free-with-musl.patch"
SRCREV = "3148fe2d5f4b87e16266dfe559c0764e16ca0546"
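Review bot: The new SRC_URI carries two `protocol` parameters, `protocol=http` followed by `protocol=https`, so the transport actually used depends on how the fetcher resolves a duplicated URL parameter. Dropping the old value removes the ambiguity and the leftover cleartext option: `SRC_URI = "git://github.com/eclipse/paho.mqtt.c;branch=master;protocol=https \`. The same duplicated pair appears in the emlog.inc and mdbus2_git.bb hunks of this commit.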
diff --git a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb
index 2ef6b187e..bbc311ee1 100644
--- a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb
+++ b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/alanxz/rabbitmq-c"
LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=6b7424f9db80cfb11fdd5c980b583f53"
LICENSE = "MIT"
-SRC_URI = "git://github.com/alanxz/rabbitmq-c.git"
+SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https"
# v0.10.0-master
SRCREV = "ffe918a5fcef72038a88054dca3c56762b1953d4"
diff --git a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb
index 331f978f8..41fb1ec82 100644
--- a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb
+++ b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
DEPENDS = "libsigc++-2.0 curl cppunit libtorrent ncurses"
-SRC_URI = "git://github.com/rakshasa/rtorrent \
+SRC_URI = "git://github.com/rakshasa/rtorrent;branch=master;protocol=https \
file://don-t-run-code-while-configuring-package.patch \
"
# v0.9.8
diff --git a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb
index 728423432..7993e608d 100644
--- a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb
+++ b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb
@@ -10,7 +10,7 @@ inherit autotools pkgconfig gitpkgv systemd
PKGV = "${GITPKGVTAG}"
SRCREV = "ee85938c21043ef5f7cd4dfbc7677f385814d4d8"
-SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https"
+SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb
index 99cfb3205..dd2b4392c 100644
--- a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb
+++ b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb
@@ -9,7 +9,7 @@ SECTION = "test"
S = "${WORKDIR}/git"
SRCREV = "f7a8d7ef7d1a831c1bb47de21fa083536ea2f3a9"
-SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git \
+SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git;branch=master;protocol=https \
file://0001-Use-toolchain-from-environment-variables.patch \
file://0002-Add-missing-include-removes-unnedded-stuff-and-add-n.patch \
file://0003-fix-path-to-usr-sbin-for-script-and-make-script-for-.patch \
diff --git a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb
index 0b66970a9..2a435897d 100644
--- a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb
+++ b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb
@@ -7,7 +7,7 @@ DEPENDS = "zeromq"
SRCREV = "8d5c9a88988dcbebb72939ca0939d432230ffde1"
PV = "4.6.0"
-SRC_URI = "git://github.com/zeromq/cppzmq.git"
+SRC_URI = "git://github.com/zeromq/cppzmq.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch
index 2c4ca057f..1c2fc3813 100644
--- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch
+++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch
@@ -21,7 +21,7 @@ index 009e4fd..f3f0d80 100644
if (!dbus_conn)
- return;
-+ DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
if (verbose)
g_print ("New message from server: type='%d' path='%s' iface='%s'"
diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb
index 42cd032c2..f40b48836 100644
--- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb
+++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb
@@ -6,7 +6,7 @@ SRCREV = "1226a0a1374628ff191f6d8a56000be5e53e7608"
PV = "0.0.0+gitr${SRCPV}"
PR = "r1.59"
-SRC_URI = "git://github.com/alban/dbus-daemon-proxy \
+SRC_URI = "git://github.com/alban/dbus-daemon-proxy;branch=master;protocol=https \
file://0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/emlog/emlog.inc b/meta-oe/recipes-core/emlog/emlog.inc
index 9a0f9ba92..948e18da4 100644
--- a/meta-oe/recipes-core/emlog/emlog.inc
+++ b/meta-oe/recipes-core/emlog/emlog.inc
@@ -3,7 +3,7 @@ most recent (and only the most recent) output from a process"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http"
+SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http;branch=master;protocol=https"
SRCREV = "aee53e8dee862f35291242ba41b0ca88010f6c71"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/glfw/glfw_3.3.bb b/meta-oe/recipes-core/glfw/glfw_3.3.bb
index 0fcf716c8..c920cbd50 100644
--- a/meta-oe/recipes-core/glfw/glfw_3.3.bb
+++ b/meta-oe/recipes-core/glfw/glfw_3.3.bb
@@ -12,7 +12,7 @@ inherit pkgconfig cmake features_check
PV .= "+git${SRCPV}"
SRCREV = "781fbbadb0bccc749058177b1385c82da9ace880"
-SRC_URI = "git://github.com/glfw/glfw.git"
+SRC_URI = "git://github.com/glfw/glfw.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/libnfc/libnfc_git.bb b/meta-oe/recipes-core/libnfc/libnfc_git.bb
index 2851ecf9f..65586247a 100644
--- a/meta-oe/recipes-core/libnfc/libnfc_git.bb
+++ b/meta-oe/recipes-core/libnfc/libnfc_git.bb
@@ -11,7 +11,7 @@ PV = "1.7.1+git${SRCPV}"
S = "${WORKDIR}/git"
SRCREV = "2d4543673e9b76c02679ca8b89259659f1afd932"
-SRC_URI = "git://github.com/nfc-tools/libnfc.git \
+SRC_URI = "git://github.com/nfc-tools/libnfc.git;branch=master;protocol=https \
file://0001-usbbus-Include-stdint.h-for-uintX_t.patch \
"
diff --git a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb
index 82f2cf8c9..fa98e1cb4 100644
--- a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb
+++ b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb
@@ -6,7 +6,7 @@ DEPENDS = "readline"
PV = "2.3.3+git${SRCPV}"
-SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http"
+SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http;branch=master;protocol=https"
SRCREV = "28202692d0b441000f4ddb8f347f72d1355021aa"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-core/ndctl/ndctl_v67.bb b/meta-oe/recipes-core/ndctl/ndctl_v67.bb
index da0c6563a..19d96414d 100644
--- a/meta-oe/recipes-core/ndctl/ndctl_v67.bb
+++ b/meta-oe/recipes-core/ndctl/ndctl_v67.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e66651809cac5da60c8b80e9e4e79e08"
inherit autotools-brokensep pkgconfig bash-completion systemd
SRCREV = "637bb424dc317a044c722a671355ef9df0e0d30f"
-SRC_URI = "git://github.com/pmem/ndctl.git"
+SRC_URI = "git://github.com/pmem/ndctl.git;branch=master;protocol=https"
DEPENDS = "kmod udev json-c keyutils"
diff --git a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb
index dec1bea56..1d86f48ae 100644
--- a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb
+++ b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb
@@ -6,7 +6,7 @@ SECTION = "base"
S = "${WORKDIR}/git"
SRCREV = "40c5d226c7c0706f0176884e9b94b3886679c983"
-SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git"
+SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git;branch=main;protocol=https"
do_configure[noexec] = "1"
do_compile[noexec] = "1"
diff --git a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb
index 7c49c8d55..de355d29d 100644
--- a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb
+++ b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb
@@ -8,7 +8,7 @@ inherit pkgconfig cmake
S = "${WORKDIR}/git"
SRCREV = "b342ff7b7f70a4b3f2cfc53215af8fa20adc3d86"
-SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git"
+SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git;branch=main;protocol=https"
do_install () {
install -d ${D}${bindir}
diff --git a/meta-oe/recipes-core/safec/safec_3.5.1.bb b/meta-oe/recipes-core/safec/safec_3.5.1.bb
index 91d8fc65a..29158094a 100644
--- a/meta-oe/recipes-core/safec/safec_3.5.1.bb
+++ b/meta-oe/recipes-core/safec/safec_3.5.1.bb
@@ -9,7 +9,7 @@ inherit autotools pkgconfig
S = "${WORKDIR}/git"
# v08112019
SRCREV = "ad76c7b1dbd0403b0c9decf54164fcce271c590f"
-SRC_URI = "git://github.com/rurban/safeclib.git \
+SRC_URI = "git://github.com/rurban/safeclib.git;branch=master;protocol=https \
"
COMPATIBLE_HOST = '(x86_64|i.86|powerpc|powerpc64|arm|aarch64|mips).*-linux'
diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch
new file mode 100644
index 000000000..89cb593e6
--- /dev/null
+++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch
@@ -0,0 +1,96 @@
+From b073e1c2b9a8138da83300f598b9a56fc9762b4b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stanislav=20Angelovi=C4=8D?= <angelovic.s@gmail.com>
+Date: Mon, 16 Nov 2020 17:05:36 +0100
+Subject: [PATCH] Try to first find googletest in the system before downloading
+ it (#125)
+
+Upstream-Status: Backport [d6fdaca]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+
+---
+ tests/CMakeLists.txt | 62 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 40 insertions(+), 22 deletions(-)
+
+diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
+index 97f7c1a..7ecc327 100644
+--- a/tests/CMakeLists.txt
++++ b/tests/CMakeLists.txt
+@@ -2,26 +2,44 @@
+ # DOWNLOAD AND BUILD OF GOOGLETEST
+ #-------------------------------
+
+-include(FetchContent)
+-
+-message("Fetching googletest...")
+-FetchContent_Declare(googletest
+- GIT_REPOSITORY https://github.com/google/googletest.git
+- GIT_TAG master
+- GIT_SHALLOW 1
+- UPDATE_COMMAND "")
+-
+-#FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually:
+-FetchContent_GetProperties(googletest)
+-if(NOT googletest_POPULATED)
+- FetchContent_Populate(googletest)
+- set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE)
+- set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE)
+- set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE)
+- set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS})
+- set(BUILD_SHARED_LIBS OFF)
+- add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR})
+- set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK})
++set(GOOGLETEST_VERSION 1.10.0 CACHE STRING "Version of gmock to use")
++set(GOOGLETEST_GIT_REPO "https://github.com/google/googletest.git" CACHE STRING "A git repo to clone and build googletest from if gmock is not found in the system")
++
++find_package(GTest ${GOOGLETEST_VERSION} CONFIG)
++if (NOT TARGET GTest::gmock)
++ # Try pkg-config if GTest was not found through CMake config
++ find_package(PkgConfig)
++ if (PkgConfig_FOUND)
++ pkg_check_modules(GMock IMPORTED_TARGET GLOBAL gmock>=${GOOGLETEST_VERSION})
++ if(TARGET PkgConfig::GMock)
++ add_library(GTest::gmock ALIAS PkgConfig::GMock)
++ endif()
++ endif()
++ # GTest was not found in the system, build it on our own
++ if (NOT TARGET GTest::gmock)
++ include(FetchContent)
++
++ message("Fetching googletest...")
++ FetchContent_Declare(googletest
++ GIT_REPOSITORY ${GOOGLETEST_GIT_REPO}
++ GIT_TAG release-${GOOGLETEST_VERSION}
++ GIT_SHALLOW 1
++ UPDATE_COMMAND "")
++
++ #FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually:
++ FetchContent_GetProperties(googletest)
++ if(NOT googletest_POPULATED)
++ FetchContent_Populate(googletest)
++ set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE)
++ set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE)
++ set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE)
++ set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS})
++ set(BUILD_SHARED_LIBS OFF)
++ add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR})
++ set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK})
++ add_library(GTest::gmock ALIAS gmock)
++ endif()
++ endif()
+ endif()
+
+ #-------------------------------
+@@ -87,11 +105,11 @@ include_directories(${CMAKE_CURRENT_SOURCE_DIR})
+
+ add_executable(sdbus-c++-unit-tests ${UNITTESTS_SRCS})
+ target_compile_definitions(sdbus-c++-unit-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION})
+-target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib gmock gmock_main)
++target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib GTest::gmock)
+
+ add_executable(sdbus-c++-integration-tests ${INTEGRATIONTESTS_SRCS})
+ target_compile_definitions(sdbus-c++-integration-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION})
+-target_link_libraries(sdbus-c++-integration-tests sdbus-c++ gmock gmock_main)
++target_link_libraries(sdbus-c++-integration-tests sdbus-c++ GTest::gmock)
+
+ # Manual performance and stress tests
+ option(ENABLE_PERF_TESTS "Build and install manual performance tests (default OFF)" OFF)
diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb
index c8e81a412..f0e928d0d 100644
--- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb
+++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb
@@ -12,7 +12,7 @@ DEPENDS += "gperf-native gettext-native util-linux libcap"
SRCREV = "efb536d0cbe2e58f80e501d19999928c75e08f6a"
SRCBRANCH = "v243-stable"
-SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}"
+SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}"
SRC_URI += "file://static-libsystemd-pkgconfig.patch"
diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb
index c4d63fd27..a94fb8def 100644
--- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb
+++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb
@@ -12,13 +12,16 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'with-exte
${@bb.utils.contains('PTEST_ENABLED', '1', 'with-tests', '', d)}"
PACKAGECONFIG[with-builtin-libsystemd] = ",,sdbus-c++-libsystemd,libcap"
PACKAGECONFIG[with-external-libsystemd] = ",,systemd,libsystemd"
-PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF"
+PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF,googletest gmock"
DEPENDS += "expat"
SRCREV = "3a4f343fb924650e7639660efa5f143961162044"
-SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master"
-SRC_URI += "file://run-ptest"
+
+SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master \
+ file://0001-Try-to-first-find-googletest-in-the-system-before-do.patch \
+ file://run-ptest \
+"
EXTRA_OECMAKE = "-DBUILD_CODE_GEN=ON \
-DBUILD_DOC=ON \
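Review bot: The new `googletest gmock` build dependency on the `PACKAGECONFIG[with-tests]` line appears to be the only thing keeping the test build off the network, and the recipe does not say so. The patch added in this commit keeps a fallback that runs `FetchContent_Declare` with `GIT_TAG release-${GOOGLETEST_VERSION}`. As far as the visible part shows, that clones a tag at configure time, outside the fetcher's SRCREV pinning and mirror handling. I would add a comment above that line, for example `# googletest must come from the sysroot; otherwise CMake falls back to cloning it at configure time`, so a later cleanup does not drop the dependency.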
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb
index b9668eb09..d303f27eb 100644
--- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb
+++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb
@@ -21,8 +21,8 @@ RDEPENDS_${PN} = " \
"
SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz"
-SRC_URI[md5sum] = "6e4ffb6d35a73f7539a5d0c1354654cd"
-SRC_URI[sha256sum] = "a89e13dff0798fd0280e801d5f0cc8cfdb2aa5b1929bec1b7322e13d3eca95fb"
+SRC_URI[md5sum] = "9c5952cebb836ee783b0b76c5380a964"
+SRC_URI[sha256sum] = "61835132a5986217af17b8943013aa3fe6d47bdc1a07386343526765e2ce27a9"
inherit autotools gettext pkgconfig
@@ -54,7 +54,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt"
PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
-PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev"
+PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't
# recognized.
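Review bot: The `PACKAGECONFIG[udev]` line gains a runtime dependency on `lvm2-udevrules` with no explanation in the recipe. Presumably the device-mapper udev rules are needed so that mappings created by cryptsetup are processed by udev when `--enable-udev` is set, but the hunk does not state this. A one-line comment above it, such as `# udev support relies on the device-mapper rules shipped in lvm2-udevrules`, would record why an LVM package is pulled into images that only use cryptsetup.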
diff --git a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb
index 4e217a351..ad5355ea6 100644
--- a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb
+++ b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb
@@ -9,7 +9,7 @@ S = "${WORKDIR}/git"
SRCREV = "5649050d201856bf06c8738b5d2aa1710c86ac2f"
PV = "1.1.5"
SRC_URI = " \
- git://github.com/smuellerDD/libkcapi.git \
+ git://github.com/smuellerDD/libkcapi.git;branch=master;protocol=https \
file://0001-kcapi-kdf-Move-code-to-fix.patch \
file://0001-Use-__builtin_bswap32-on-Clang-if-supported.patch \
"
diff --git a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb
index 9b6e7ccbe..321aa4fdc 100644
--- a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb
+++ b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb
@@ -15,7 +15,7 @@ LIC_FILES_CHKSUM = " \
file://COPYING.GPL;md5=8a71d0475d08eee76d8b6d0c6dbec543 \
file://COPYING.BSD;md5=66b7a37c3c10483c1fd86007726104d7 \
"
-SRC_URI = "git://github.com/OpenSC/${BPN}.git"
+SRC_URI = "git://github.com/OpenSC/${BPN}.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
# v1.26
diff --git a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb
index b597ef1ea..48f2fd8ac 100644
--- a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb
+++ b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/google/leveldb"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=92d1b128950b11ba8495b64938fc164d"
-SRC_URI = "git://github.com/google/${BPN}.git \
+SRC_URI = "git://github.com/google/${BPN}.git;branch=main;protocol=https \
file://run-ptest"
SRCREV = "78b39d68c15ba020c0d60a3906fb66dbf1697595"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.25.bb
index e1a038dfa..e1a038dfa 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.25.bb
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 0fb0c95ec..565f4d561 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -15,12 +15,10 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz
file://support-files-CMakeLists.txt-fix-do_populate_sysroot.patch \
file://sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
file://0001-disable-ucontext-on-musl.patch \
- file://c11_atomics.patch \
- file://clang_version_header_conflict.patch \
file://fix-arm-atomic.patch \
"
-SRC_URI[md5sum] = "c3bc7a3eca3b0bbae5748f7b22a55c0c"
-SRC_URI[sha256sum] = "87d5e29ee1f18de153266ec658138607703ed2a05b3ffb1f89091d33f4abf545"
+
+SRC_URI[sha256sum] = "ff963c4e11bc06b775f66f2b1ddef184996208fb4b23cfdb50d95fb02eaa7ef8"
UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
deleted file mode 100644
index b1ce96360..000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-Author: Vicențiu Ciorbaru <vicentiu@mariadb.org>
-Date: Fri Dec 21 19:14:04 2018 +0200
-
- Link with libatomic to enable C11 atomics support
-
- Some architectures (mips) require libatomic to support proper
- atomic operations. Check first if support is available without
- linking, otherwise use the library.
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-Index: mariadb-10.4.17/configure.cmake
-===================================================================
---- mariadb-10.4.17.orig/configure.cmake
-+++ mariadb-10.4.17/configure.cmake
-@@ -863,7 +863,25 @@ int main()
- long long int *ptr= &var;
- return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST);
- }"
--HAVE_GCC_C11_ATOMICS)
-+HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC)
-+IF (HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC)
-+ SET(HAVE_GCC_C11_ATOMICS True)
-+ELSE()
-+ SET(OLD_CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES})
-+ LIST(APPEND CMAKE_REQUIRED_LIBRARIES "atomic")
-+ CHECK_CXX_SOURCE_COMPILES("
-+ int main()
-+ {
-+ long long int var= 1;
-+ long long int *ptr= &var;
-+ return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST);
-+ }"
-+ HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ IF(HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ SET(HAVE_GCC_C11_ATOMICS True)
-+ ENDIF()
-+ SET(CMAKE_REQUIRED_LIBRARIES ${OLD_CMAKE_REQUIRED_LIBRARIES})
-+ENDIF()
-
- IF(WITH_VALGRIND)
- SET(HAVE_valgrind 1)
-Index: mariadb-10.4.17/mysys/CMakeLists.txt
-===================================================================
---- mariadb-10.4.17.orig/mysys/CMakeLists.txt
-+++ mariadb-10.4.17/mysys/CMakeLists.txt
-@@ -78,6 +78,10 @@ TARGET_LINK_LIBRARIES(mysys dbug strings
- ${LIBNSL} ${LIBM} ${LIBRT} ${CMAKE_DL_LIBS} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY})
- DTRACE_INSTRUMENT(mysys)
-
-+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ TARGET_LINK_LIBRARIES(mysys atomic)
-+ENDIF()
-+
- IF(HAVE_BFD_H)
- TARGET_LINK_LIBRARIES(mysys bfd)
- ENDIF(HAVE_BFD_H)
-Index: mariadb-10.4.17/sql/CMakeLists.txt
-===================================================================
---- mariadb-10.4.17.orig/sql/CMakeLists.txt
-+++ mariadb-10.4.17/sql/CMakeLists.txt
-@@ -196,6 +196,10 @@ ELSE()
- SET(MYSQLD_SOURCE main.cc ${DTRACE_PROBES_ALL})
- ENDIF()
-
-+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ TARGET_LINK_LIBRARIES(sql atomic)
-+ENDIF()
-+
-
- IF(MSVC AND NOT WITHOUT_DYNAMIC_PLUGINS)
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch b/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch
deleted file mode 100644
index c77a86944..000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-libc++ also has a file called version and this file and how cflags are specified
-it ends up including this file and resulting in compile errors
-
-fixes errors like
-storage/mroonga/version:1:1: error: expected unqualified-id
-7.07
-^
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
---- a/storage/mroonga/CMakeLists.txt
-+++ b/storage/mroonga/CMakeLists.txt
-@@ -80,7 +80,7 @@ else()
- set(MRN_SOURCE_DIR ${CMAKE_SOURCE_DIR})
- endif()
-
--file(READ ${MRN_SOURCE_DIR}/version MRN_VERSION)
-+file(READ ${MRN_SOURCE_DIR}/ver MRN_VERSION)
- file(READ ${MRN_SOURCE_DIR}/version_major MRN_VERSION_MAJOR)
- file(READ ${MRN_SOURCE_DIR}/version_minor MRN_VERSION_MINOR)
- file(READ ${MRN_SOURCE_DIR}/version_micro MRN_VERSION_MICRO)
---- /dev/null
-+++ b/storage/mroonga/ver
-@@ -0,0 +1 @@
-+7.07
-\ No newline at end of file
---- a/storage/mroonga/version
-+++ /dev/null
-@@ -1 +0,0 @@
--7.07
-\ No newline at end of file
diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.4.25.bb
index c0b53379d..c0b53379d 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb_10.4.25.bb
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
index 865ad3287..a1f5b2a7b 100644
--- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
@@ -13,7 +13,7 @@ diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h
index 3fe29ce..7cd578f 100644
--- a/src/include/storage/s_lock.h
+++ b/src/include/storage/s_lock.h
-@@ -316,11 +316,12 @@ tas(volatile slock_t *lock)
+@@ -317,11 +317,12 @@ tas(volatile slock_t *lock)
/*
* On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available.
@@ -27,7 +27,7 @@ index 3fe29ce..7cd578f 100644
#ifdef HAVE_GCC__SYNC_INT32_TAS
#define HAS_TEST_AND_SET
-@@ -337,7 +338,7 @@ tas(volatile slock_t *lock)
+@@ -338,7 +339,7 @@ tas(volatile slock_t *lock)
#define S_UNLOCK(lock) __sync_lock_release(lock)
#endif /* HAVE_GCC__SYNC_INT32_TAS */
@@ -35,7 +35,7 @@ index 3fe29ce..7cd578f 100644
+#endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */
- /* S/390 and S/390x Linux (32- and 64-bit zSeries) */
+ /*
--
2.9.3
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch
new file mode 100644
index 000000000..6f0d5ac06
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch
@@ -0,0 +1,947 @@
+From 31eefa1efc8eecb6ab91c8835d2952d44a3b1ae1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 22 Sep 2022 11:20:41 +0530
+Subject: [PATCH] CVE-2022-1552
+
+Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda && https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=677a494789062ca88e0142a17bedd5415f6ab0aa]
+
+CVE: CVE-2022-1552
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ contrib/amcheck/expected/check_btree.out | 23 ++++++
+ contrib/amcheck/sql/check_btree.sql | 21 +++++
+ contrib/amcheck/verify_nbtree.c | 27 +++++++
+ src/backend/access/brin/brin.c | 29 ++++++-
+ src/backend/catalog/index.c | 65 ++++++++++++----
+ src/backend/commands/cluster.c | 37 ++++++---
+ src/backend/commands/indexcmds.c | 98 ++++++++++++++++++++----
+ src/backend/commands/matview.c | 30 +++-----
+ src/backend/utils/init/miscinit.c | 24 +++---
+ src/test/regress/expected/privileges.out | 71 +++++++++++++++++
+ src/test/regress/sql/privileges.sql | 64 ++++++++++++++++
+ 11 files changed, 422 insertions(+), 67 deletions(-)
+
+diff --git a/contrib/amcheck/expected/check_btree.out b/contrib/amcheck/expected/check_btree.out
+index 59a805d..0fd6ea0 100644
+--- a/contrib/amcheck/expected/check_btree.out
++++ b/contrib/amcheck/expected/check_btree.out
+@@ -168,11 +168,34 @@ SELECT bt_index_check('toasty', true);
+
+ (1 row)
+
++--
++-- Check that index expressions and predicates are run as the table's owner
++--
++TRUNCATE bttest_a;
++INSERT INTO bttest_a SELECT * FROM generate_series(1, 1000);
++ALTER TABLE bttest_a OWNER TO regress_bttest_role;
++-- A dummy index function checking current_user
++CREATE FUNCTION ifun(int8) RETURNS int8 AS $$
++BEGIN
++ ASSERT current_user = 'regress_bttest_role',
++ format('ifun(%s) called by %s', $1, current_user);
++ RETURN $1;
++END;
++$$ LANGUAGE plpgsql IMMUTABLE;
++CREATE INDEX bttest_a_expr_idx ON bttest_a ((ifun(id) + ifun(0)))
++ WHERE ifun(id + 10) > ifun(10);
++SELECT bt_index_check('bttest_a_expr_idx', true);
++ bt_index_check
++----------------
++
++(1 row)
++
+ -- cleanup
+ DROP TABLE bttest_a;
+ DROP TABLE bttest_b;
+ DROP TABLE bttest_multi;
+ DROP TABLE delete_test_table;
+ DROP TABLE toast_bug;
++DROP FUNCTION ifun(int8);
+ DROP OWNED BY regress_bttest_role; -- permissions
+ DROP ROLE regress_bttest_role;
+diff --git a/contrib/amcheck/sql/check_btree.sql b/contrib/amcheck/sql/check_btree.sql
+index 99acbc8..3248187 100644
+--- a/contrib/amcheck/sql/check_btree.sql
++++ b/contrib/amcheck/sql/check_btree.sql
+@@ -110,11 +110,32 @@ INSERT INTO toast_bug SELECT repeat('a', 2200);
+ -- Should not get false positive report of corruption:
+ SELECT bt_index_check('toasty', true);
+
++--
++-- Check that index expressions and predicates are run as the table's owner
++--
++TRUNCATE bttest_a;
++INSERT INTO bttest_a SELECT * FROM generate_series(1, 1000);
++ALTER TABLE bttest_a OWNER TO regress_bttest_role;
++-- A dummy index function checking current_user
++CREATE FUNCTION ifun(int8) RETURNS int8 AS $$
++BEGIN
++ ASSERT current_user = 'regress_bttest_role',
++ format('ifun(%s) called by %s', $1, current_user);
++ RETURN $1;
++END;
++$$ LANGUAGE plpgsql IMMUTABLE;
++
++CREATE INDEX bttest_a_expr_idx ON bttest_a ((ifun(id) + ifun(0)))
++ WHERE ifun(id + 10) > ifun(10);
++
++SELECT bt_index_check('bttest_a_expr_idx', true);
++
+ -- cleanup
+ DROP TABLE bttest_a;
+ DROP TABLE bttest_b;
+ DROP TABLE bttest_multi;
+ DROP TABLE delete_test_table;
+ DROP TABLE toast_bug;
++DROP FUNCTION ifun(int8);
+ DROP OWNED BY regress_bttest_role; -- permissions
+ DROP ROLE regress_bttest_role;
+diff --git a/contrib/amcheck/verify_nbtree.c b/contrib/amcheck/verify_nbtree.c
+index 700a02f..cb6475d 100644
+--- a/contrib/amcheck/verify_nbtree.c
++++ b/contrib/amcheck/verify_nbtree.c
+@@ -228,6 +228,9 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
+ Relation indrel;
+ Relation heaprel;
+ LOCKMODE lockmode;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+
+ if (parentcheck)
+ lockmode = ShareLock;
+@@ -244,9 +247,27 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
+ */
+ heapid = IndexGetRelation(indrelid, true);
+ if (OidIsValid(heapid))
++ {
+ heaprel = table_open(heapid, lockmode);
++
++ /*
++ * Switch to the table owner's userid, so that any index functions are
++ * run as that user. Also lock down security-restricted operations
++ * and arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heaprel->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++ }
+ else
++ {
+ heaprel = NULL;
++ /* for "gcc -Og" https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78394 */
++ save_userid = InvalidOid;
++ save_sec_context = -1;
++ save_nestlevel = -1;
++ }
+
+ /*
+ * Open the target index relations separately (like relation_openrv(), but
+@@ -293,6 +314,12 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
+ heapallindexed, rootdescend);
+ }
+
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ /*
+ * Release locks early. That's ok here because nothing in the called
+ * routines will trigger shared cache invalidations to be sent, so we can
+diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c
+index c7b403b..781cac2 100644
+--- a/src/backend/access/brin/brin.c
++++ b/src/backend/access/brin/brin.c
+@@ -873,6 +873,9 @@ brin_summarize_range(PG_FUNCTION_ARGS)
+ Oid heapoid;
+ Relation indexRel;
+ Relation heapRel;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ double numSummarized = 0;
+
+ if (RecoveryInProgress())
+@@ -899,7 +902,22 @@ brin_summarize_range(PG_FUNCTION_ARGS)
+ */
+ heapoid = IndexGetRelation(indexoid, true);
+ if (OidIsValid(heapoid))
++ {
+ heapRel = table_open(heapoid, ShareUpdateExclusiveLock);
++
++ /*
++ * Autovacuum calls us. For its benefit, switch to the table owner's
++ * userid, so that any index functions are run as that user. Also
++ * lock down security-restricted operations and arrange to make GUC
++ * variable changes local to this command. This is harmless, albeit
++ * unnecessary, when called from SQL, because we fail shortly if the
++ * user does not own the index.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRel->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++ }
+ else
+ heapRel = NULL;
+
+@@ -914,7 +932,7 @@ brin_summarize_range(PG_FUNCTION_ARGS)
+ RelationGetRelationName(indexRel))));
+
+ /* User must own the index (comparable to privileges needed for VACUUM) */
+- if (!pg_class_ownercheck(indexoid, GetUserId()))
++ if (heapRel != NULL && !pg_class_ownercheck(indexoid, save_userid))
+ aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX,
+ RelationGetRelationName(indexRel));
+
+@@ -932,6 +950,12 @@ brin_summarize_range(PG_FUNCTION_ARGS)
+ /* OK, do it */
+ brinsummarize(indexRel, heapRel, heapBlk, true, &numSummarized, NULL);
+
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ relation_close(indexRel, ShareUpdateExclusiveLock);
+ relation_close(heapRel, ShareUpdateExclusiveLock);
+
+@@ -973,6 +997,9 @@ brin_desummarize_range(PG_FUNCTION_ARGS)
+ * passed indexoid isn't an index then IndexGetRelation() will fail.
+ * Rather than emitting a not-very-helpful error message, postpone
+ * complaining, expecting that the is-it-an-index test below will fail.
++ *
++ * Unlike brin_summarize_range(), autovacuum never calls this. Hence, we
++ * don't switch userid.
+ */
+ heapoid = IndexGetRelation(indexoid, true);
+ if (OidIsValid(heapoid))
+diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c
+index 3ece136..0333bfd 100644
+--- a/src/backend/catalog/index.c
++++ b/src/backend/catalog/index.c
+@@ -1400,6 +1400,9 @@ index_concurrently_build(Oid heapRelationId,
+ Oid indexRelationId)
+ {
+ Relation heapRel;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ Relation indexRelation;
+ IndexInfo *indexInfo;
+
+@@ -1409,7 +1412,16 @@ index_concurrently_build(Oid heapRelationId,
+ /* Open and lock the parent heap relation */
+ heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock);
+
+- /* And the target index relation */
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations and
++ * arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRel->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ indexRelation = index_open(indexRelationId, RowExclusiveLock);
+
+ /*
+@@ -1425,6 +1437,12 @@ index_concurrently_build(Oid heapRelationId,
+ /* Now build the index */
+ index_build(heapRel, indexRelation, indexInfo, false, true);
+
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ /* Close both the relations, but keep the locks */
+ table_close(heapRel, NoLock);
+ index_close(indexRelation, NoLock);
+@@ -3271,7 +3289,17 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot)
+
+ /* Open and lock the parent heap relation */
+ heapRelation = table_open(heapId, ShareUpdateExclusiveLock);
+- /* And the target index relation */
++
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations and
++ * arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRelation->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ indexRelation = index_open(indexId, RowExclusiveLock);
+
+ /*
+@@ -3284,16 +3312,6 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot)
+ /* mark build is concurrent just for consistency */
+ indexInfo->ii_Concurrent = true;
+
+- /*
+- * Switch to the table owner's userid, so that any index functions are run
+- * as that user. Also lock down security-restricted operations and
+- * arrange to make GUC variable changes local to this command.
+- */
+- GetUserIdAndSecContext(&save_userid, &save_sec_context);
+- SetUserIdAndSecContext(heapRelation->rd_rel->relowner,
+- save_sec_context | SECURITY_RESTRICTED_OPERATION);
+- save_nestlevel = NewGUCNestLevel();
+-
+ /*
+ * Scan the index and gather up all the TIDs into a tuplesort object.
+ */
+@@ -3497,6 +3515,9 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence,
+ Relation iRel,
+ heapRelation;
+ Oid heapId;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ IndexInfo *indexInfo;
+ volatile bool skipped_constraint = false;
+ PGRUsage ru0;
+@@ -3527,6 +3548,16 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence,
+ */
+ iRel = index_open(indexId, AccessExclusiveLock);
+
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations and
++ * arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRelation->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ if (progress)
+ pgstat_progress_update_param(PROGRESS_CREATEIDX_ACCESS_METHOD_OID,
+ iRel->rd_rel->relam);
+@@ -3684,12 +3715,18 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence,
+ errdetail_internal("%s",
+ pg_rusage_show(&ru0))));
+
+- if (progress)
+- pgstat_progress_end_command();
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
+
+ /* Close rels, but keep locks */
+ index_close(iRel, NoLock);
+ table_close(heapRelation, NoLock);
++
++ if (progress)
++ pgstat_progress_end_command();
+ }
+
+ /*
+diff --git a/src/backend/commands/cluster.c b/src/backend/commands/cluster.c
+index bd6f408..74db03e 100644
+--- a/src/backend/commands/cluster.c
++++ b/src/backend/commands/cluster.c
+@@ -266,6 +266,9 @@ void
+ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ {
+ Relation OldHeap;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ bool verbose = ((options & CLUOPT_VERBOSE) != 0);
+ bool recheck = ((options & CLUOPT_RECHECK) != 0);
+
+@@ -295,6 +298,16 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ return;
+ }
+
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations and
++ * arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(OldHeap->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ /*
+ * Since we may open a new transaction for each relation, we have to check
+ * that the relation still is what we think it is.
+@@ -309,11 +322,10 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ Form_pg_index indexForm;
+
+ /* Check that the user still owns the relation */
+- if (!pg_class_ownercheck(tableOid, GetUserId()))
++ if (!pg_class_ownercheck(tableOid, save_userid))
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+
+ /*
+@@ -327,8 +339,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ if (RELATION_IS_OTHER_TEMP(OldHeap))
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+
+ if (OidIsValid(indexOid))
+@@ -339,8 +350,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ if (!SearchSysCacheExists1(RELOID, ObjectIdGetDatum(indexOid)))
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+
+ /*
+@@ -350,8 +360,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ if (!HeapTupleIsValid(tuple)) /* probably can't happen */
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+ indexForm = (Form_pg_index) GETSTRUCT(tuple);
+ if (!indexForm->indisclustered)
+@@ -413,8 +422,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+ !RelationIsPopulated(OldHeap))
+ {
+ relation_close(OldHeap, AccessExclusiveLock);
+- pgstat_progress_end_command();
+- return;
++ goto out;
+ }
+
+ /*
+@@ -430,6 +438,13 @@ cluster_rel(Oid tableOid, Oid indexOid, int options)
+
+ /* NB: rebuild_relation does table_close() on OldHeap */
+
++out:
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ pgstat_progress_end_command();
+ }
+
+diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c
+index be1cf8c..167b377 100644
+--- a/src/backend/commands/indexcmds.c
++++ b/src/backend/commands/indexcmds.c
+@@ -470,21 +470,22 @@ DefineIndex(Oid relationId,
+ LOCKTAG heaplocktag;
+ LOCKMODE lockmode;
+ Snapshot snapshot;
+- int save_nestlevel = -1;
++ Oid root_save_userid;
++ int root_save_sec_context;
++ int root_save_nestlevel;
+ int i;
+
++ root_save_nestlevel = NewGUCNestLevel();
++
+ /*
+ * Some callers need us to run with an empty default_tablespace; this is a
+ * necessary hack to be able to reproduce catalog state accurately when
+ * recreating indexes after table-rewriting ALTER TABLE.
+ */
+ if (stmt->reset_default_tblspc)
+- {
+- save_nestlevel = NewGUCNestLevel();
+ (void) set_config_option("default_tablespace", "",
+ PGC_USERSET, PGC_S_SESSION,
+ GUC_ACTION_SAVE, true, 0, false);
+- }
+
+ /*
+ * Force non-concurrent build on temporary relations, even if CONCURRENTLY
+@@ -563,6 +564,15 @@ DefineIndex(Oid relationId,
+ lockmode = concurrent ? ShareUpdateExclusiveLock : ShareLock;
+ rel = table_open(relationId, lockmode);
+
++ /*
++ * Switch to the table owner's userid, so that any index functions are run
++ * as that user. Also lock down security-restricted operations. We
++ * already arranged to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context);
++ SetUserIdAndSecContext(rel->rd_rel->relowner,
++ root_save_sec_context | SECURITY_RESTRICTED_OPERATION);
++
+ namespaceId = RelationGetNamespace(rel);
+
+ /* Ensure that it makes sense to index this kind of relation */
+@@ -648,7 +658,7 @@ DefineIndex(Oid relationId,
+ {
+ AclResult aclresult;
+
+- aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(),
++ aclresult = pg_namespace_aclcheck(namespaceId, root_save_userid,
+ ACL_CREATE);
+ if (aclresult != ACLCHECK_OK)
+ aclcheck_error(aclresult, OBJECT_SCHEMA,
+@@ -680,7 +690,7 @@ DefineIndex(Oid relationId,
+ {
+ AclResult aclresult;
+
+- aclresult = pg_tablespace_aclcheck(tablespaceId, GetUserId(),
++ aclresult = pg_tablespace_aclcheck(tablespaceId, root_save_userid,
+ ACL_CREATE);
+ if (aclresult != ACLCHECK_OK)
+ aclcheck_error(aclresult, OBJECT_TABLESPACE,
+@@ -1066,15 +1076,17 @@ DefineIndex(Oid relationId,
+
+ ObjectAddressSet(address, RelationRelationId, indexRelationId);
+
+- /*
+- * Revert to original default_tablespace. Must do this before any return
+- * from this function, but after index_create, so this is a good time.
+- */
+- if (save_nestlevel >= 0)
+- AtEOXact_GUC(true, save_nestlevel);
+-
+ if (!OidIsValid(indexRelationId))
+ {
++ /*
++ * Roll back any GUC changes executed by index functions. Also revert
++ * to original default_tablespace if we changed it above.
++ */
++ AtEOXact_GUC(false, root_save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(root_save_userid, root_save_sec_context);
++
+ table_close(rel, NoLock);
+
+ /* If this is the top-level index, we're done */
+@@ -1084,6 +1096,17 @@ DefineIndex(Oid relationId,
+ return address;
+ }
+
++ /*
++ * Roll back any GUC changes executed by index functions, and keep
++ * subsequent changes local to this command. It's barely possible that
++ * some index function changed a behavior-affecting GUC, e.g. xmloption,
++ * that affects subsequent steps. This improves bug-compatibility with
++ * older PostgreSQL versions. They did the AtEOXact_GUC() here for the
++ * purpose of clearing the above default_tablespace change.
++ */
++ AtEOXact_GUC(false, root_save_nestlevel);
++ root_save_nestlevel = NewGUCNestLevel();
++
+ /* Add any requested comment */
+ if (stmt->idxcomment != NULL)
+ CreateComments(indexRelationId, RelationRelationId, 0,
+@@ -1130,6 +1153,9 @@ DefineIndex(Oid relationId,
+ {
+ Oid childRelid = part_oids[i];
+ Relation childrel;
++ Oid child_save_userid;
++ int child_save_sec_context;
++ int child_save_nestlevel;
+ List *childidxs;
+ ListCell *cell;
+ AttrNumber *attmap;
+@@ -1138,6 +1164,12 @@ DefineIndex(Oid relationId,
+
+ childrel = table_open(childRelid, lockmode);
+
++ GetUserIdAndSecContext(&child_save_userid,
++ &child_save_sec_context);
++ SetUserIdAndSecContext(childrel->rd_rel->relowner,
++ child_save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ child_save_nestlevel = NewGUCNestLevel();
++
+ /*
+ * Don't try to create indexes on foreign tables, though. Skip
+ * those if a regular index, or fail if trying to create a
+@@ -1153,6 +1185,9 @@ DefineIndex(Oid relationId,
+ errdetail("Table \"%s\" contains partitions that are foreign tables.",
+ RelationGetRelationName(rel))));
+
++ AtEOXact_GUC(false, child_save_nestlevel);
++ SetUserIdAndSecContext(child_save_userid,
++ child_save_sec_context);
+ table_close(childrel, lockmode);
+ continue;
+ }
+@@ -1226,6 +1261,9 @@ DefineIndex(Oid relationId,
+ }
+
+ list_free(childidxs);
++ AtEOXact_GUC(false, child_save_nestlevel);
++ SetUserIdAndSecContext(child_save_userid,
++ child_save_sec_context);
+ table_close(childrel, NoLock);
+
+ /*
+@@ -1280,12 +1318,21 @@ DefineIndex(Oid relationId,
+ if (found_whole_row)
+ elog(ERROR, "cannot convert whole-row table reference");
+
++ /*
++ * Recurse as the starting user ID. Callee will use that
++ * for permission checks, then switch again.
++ */
++ Assert(GetUserId() == child_save_userid);
++ SetUserIdAndSecContext(root_save_userid,
++ root_save_sec_context);
+ DefineIndex(childRelid, childStmt,
+ InvalidOid, /* no predefined OID */
+ indexRelationId, /* this is our child */
+ createdConstraintId,
+ is_alter_table, check_rights, check_not_in_use,
+ skip_build, quiet);
++ SetUserIdAndSecContext(child_save_userid,
++ child_save_sec_context);
+ }
+
+ pgstat_progress_update_param(PROGRESS_CREATEIDX_PARTITIONS_DONE,
+@@ -1322,12 +1369,17 @@ DefineIndex(Oid relationId,
+ * Indexes on partitioned tables are not themselves built, so we're
+ * done here.
+ */
++ AtEOXact_GUC(false, root_save_nestlevel);
++ SetUserIdAndSecContext(root_save_userid, root_save_sec_context);
+ table_close(rel, NoLock);
+ if (!OidIsValid(parentIndexId))
+ pgstat_progress_end_command();
+ return address;
+ }
+
++ AtEOXact_GUC(false, root_save_nestlevel);
++ SetUserIdAndSecContext(root_save_userid, root_save_sec_context);
++
+ if (!concurrent)
+ {
+ /* Close the heap and we're done, in the non-concurrent case */
+@@ -3040,6 +3092,9 @@ ReindexRelationConcurrently(Oid relationOid, int options)
+ Oid newIndexId;
+ Relation indexRel;
+ Relation heapRel;
++ Oid save_userid;
++ int save_sec_context;
++ int save_nestlevel;
+ Relation newIndexRel;
+ LockRelId *lockrelid;
+
+@@ -3047,6 +3102,16 @@ ReindexRelationConcurrently(Oid relationOid, int options)
+ heapRel = table_open(indexRel->rd_index->indrelid,
+ ShareUpdateExclusiveLock);
+
++ /*
++ * Switch to the table owner's userid, so that any index functions are
++ * run as that user. Also lock down security-restricted operations
++ * and arrange to make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(heapRel->rd_rel->relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
++
+ /* This function shouldn't be called for temporary relations. */
+ if (indexRel->rd_rel->relpersistence == RELPERSISTENCE_TEMP)
+ elog(ERROR, "cannot reindex a temporary table concurrently");
+@@ -3101,6 +3166,13 @@ ReindexRelationConcurrently(Oid relationOid, int options)
+
+ index_close(indexRel, NoLock);
+ index_close(newIndexRel, NoLock);
++
++ /* Roll back any GUC changes executed by index functions */
++ AtEOXact_GUC(false, save_nestlevel);
++
++ /* Restore userid and security context */
++ SetUserIdAndSecContext(save_userid, save_sec_context);
++
+ table_close(heapRel, NoLock);
+ }
+
+diff --git a/src/backend/commands/matview.c b/src/backend/commands/matview.c
+index 80e9ec0..e485661 100644
+--- a/src/backend/commands/matview.c
++++ b/src/backend/commands/matview.c
+@@ -167,6 +167,17 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
+ lockmode, 0,
+ RangeVarCallbackOwnsTable, NULL);
+ matviewRel = table_open(matviewOid, NoLock);
++ relowner = matviewRel->rd_rel->relowner;
++
++ /*
++ * Switch to the owner's userid, so that any functions are run as that
++ * user. Also lock down security-restricted operations and arrange to
++ * make GUC variable changes local to this command.
++ */
++ GetUserIdAndSecContext(&save_userid, &save_sec_context);
++ SetUserIdAndSecContext(relowner,
++ save_sec_context | SECURITY_RESTRICTED_OPERATION);
++ save_nestlevel = NewGUCNestLevel();
+
+ /* Make sure it is a materialized view. */
+ if (matviewRel->rd_rel->relkind != RELKIND_MATVIEW)
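Review bot: The new comment above `GetUserIdAndSecContext(&save_userid, &save_sec_context)` drops the reasoning the old one carried. The block removed further down said the lockdown was deferred so that a temporary table could still be created. With SECURITY_RESTRICTED_OPERATION now set right after `table_open`, the comment no longer says how the CONCURRENTLY path creates its temporary table. I would add one sentence to the comment, along the lines of `* Temporary-table creation for CONCURRENTLY is handled in <function name, to be filled in>.`, or state that it is no longer affected; which of the two holds cannot be told from the lines shown here. ExecRefreshMatView continues outside this hunk.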
+@@ -268,19 +279,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
+ */
+ SetMatViewPopulatedState(matviewRel, !stmt->skipData);
+
+- relowner = matviewRel->rd_rel->relowner;
+-
+- /*
+- * Switch to the owner's userid, so that any functions are run as that
+- * user. Also arrange to make GUC variable changes local to this command.
+- * Don't lock it down too tight to create a temporary table just yet. We
+- * will switch modes when we are about to execute user code.
+- */
+- GetUserIdAndSecContext(&save_userid, &save_sec_context);
+- SetUserIdAndSecContext(relowner,
+- save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+- save_nestlevel = NewGUCNestLevel();
+-
+ /* Concurrent refresh builds new data in temp tablespace, and does diff. */
+ if (concurrent)
+ {
+@@ -303,12 +301,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString,
+ LockRelationOid(OIDNewHeap, AccessExclusiveLock);
+ dest = CreateTransientRelDestReceiver(OIDNewHeap);
+
+- /*
+- * Now lock down security-restricted operations.
+- */
+- SetUserIdAndSecContext(relowner,
+- save_sec_context | SECURITY_RESTRICTED_OPERATION);
+-
+ /* Generate the data, if wanted. */
+ if (!stmt->skipData)
+ processed = refresh_matview_datafill(dest, dataQuery, queryString);
+diff --git a/src/backend/utils/init/miscinit.c b/src/backend/utils/init/miscinit.c
+index de554e2..c9f858e 100644
+--- a/src/backend/utils/init/miscinit.c
++++ b/src/backend/utils/init/miscinit.c
+@@ -455,15 +455,21 @@ GetAuthenticatedUserId(void)
+ * with guc.c's internal state, so SET ROLE has to be disallowed.
+ *
+ * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation
+- * that does not wish to trust called user-defined functions at all. This
+- * bit prevents not only SET ROLE, but various other changes of session state
+- * that normally is unprotected but might possibly be used to subvert the
+- * calling session later. An example is replacing an existing prepared
+- * statement with new code, which will then be executed with the outer
+- * session's permissions when the prepared statement is next used. Since
+- * these restrictions are fairly draconian, we apply them only in contexts
+- * where the called functions are really supposed to be side-effect-free
+- * anyway, such as VACUUM/ANALYZE/REINDEX.
++ * that does not wish to trust called user-defined functions at all. The
++ * policy is to use this before operations, e.g. autovacuum and REINDEX, that
++ * enumerate relations of a database or schema and run functions associated
++ * with each found relation. The relation owner is the new user ID. Set this
++ * as soon as possible after locking the relation. Restore the old user ID as
++ * late as possible before closing the relation; restoring it shortly after
++ * close is also tolerable. If a command has both relation-enumerating and
++ * non-enumerating modes, e.g. ANALYZE, both modes set this bit. This bit
++ * prevents not only SET ROLE, but various other changes of session state that
++ * normally is unprotected but might possibly be used to subvert the calling
++ * session later. An example is replacing an existing prepared statement with
++ * new code, which will then be executed with the outer session's permissions
++ * when the prepared statement is next used. These restrictions are fairly
++ * draconian, but the functions called in relation-enumerating operations are
++ * really supposed to be side-effect-free anyway.
+ *
+ * SECURITY_NOFORCE_RLS indicates that we are inside an operation which should
+ * ignore the FORCE ROW LEVEL SECURITY per-table indication. This is used to
+diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
+index 186d2fb..0f0c1b3 100644
+--- a/src/test/regress/expected/privileges.out
++++ b/src/test/regress/expected/privileges.out
+@@ -1336,6 +1336,61 @@ SELECT has_table_privilege('regress_priv_user1', 'atest4', 'SELECT WITH GRANT OP
+ -- security-restricted operations
+ \c -
+ CREATE ROLE regress_sro_user;
++-- Check that index expressions and predicates are run as the table's owner
++-- A dummy index function checking current_user
++CREATE FUNCTION sro_ifun(int) RETURNS int AS $$
++BEGIN
++ -- Below we set the table's owner to regress_sro_user
++ ASSERT current_user = 'regress_sro_user',
++ format('sro_ifun(%s) called by %s', $1, current_user);
++ RETURN $1;
++END;
++$$ LANGUAGE plpgsql IMMUTABLE;
++-- Create a table owned by regress_sro_user
++CREATE TABLE sro_tab (a int);
++ALTER TABLE sro_tab OWNER TO regress_sro_user;
++INSERT INTO sro_tab VALUES (1), (2), (3);
++-- Create an expression index with a predicate
++CREATE INDEX sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++DROP INDEX sro_idx;
++-- Do the same concurrently
++CREATE INDEX CONCURRENTLY sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++-- REINDEX
++REINDEX TABLE sro_tab;
++REINDEX INDEX sro_idx;
++REINDEX TABLE CONCURRENTLY sro_tab;
++DROP INDEX sro_idx;
++-- CLUSTER
++CREATE INDEX sro_cluster_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)));
++CLUSTER sro_tab USING sro_cluster_idx;
++DROP INDEX sro_cluster_idx;
++-- BRIN index
++CREATE INDEX sro_brin ON sro_tab USING brin ((sro_ifun(a) + sro_ifun(0)));
++SELECT brin_desummarize_range('sro_brin', 0);
++ brin_desummarize_range
++------------------------
++
++(1 row)
++
++SELECT brin_summarize_range('sro_brin', 0);
++ brin_summarize_range
++----------------------
++ 1
++(1 row)
++
++DROP TABLE sro_tab;
++-- Check with a partitioned table
++CREATE TABLE sro_ptab (a int) PARTITION BY RANGE (a);
++ALTER TABLE sro_ptab OWNER TO regress_sro_user;
++CREATE TABLE sro_part PARTITION OF sro_ptab FOR VALUES FROM (1) TO (10);
++ALTER TABLE sro_part OWNER TO regress_sro_user;
++INSERT INTO sro_ptab VALUES (1), (2), (3);
++CREATE INDEX sro_pidx ON sro_ptab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++REINDEX TABLE sro_ptab;
++REINDEX INDEX CONCURRENTLY sro_pidx;
+ SET SESSION AUTHORIZATION regress_sro_user;
+ CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS
+ 'GRANT regress_priv_group2 TO regress_sro_user';
+@@ -1373,6 +1428,22 @@ CONTEXT: SQL function "unwanted_grant" statement 1
+ SQL statement "SELECT unwanted_grant()"
+ PL/pgSQL function sro_trojan() line 1 at PERFORM
+ SQL function "mv_action" statement 1
++-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions()
++SET SESSION AUTHORIZATION regress_sro_user;
++CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int
++ IMMUTABLE LANGUAGE plpgsql AS $$
++BEGIN
++ PERFORM unwanted_grant();
++ RAISE WARNING 'owned';
++ RETURN 1;
++EXCEPTION WHEN OTHERS THEN
++ RETURN 2;
++END$$;
++CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c;
++CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0;
++\c -
++REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv;
++REFRESH MATERIALIZED VIEW sro_index_mv;
+ DROP OWNED BY regress_sro_user;
+ DROP ROLE regress_sro_user;
+ -- Admin options
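Review bot: The `unwanted_grant_nofail` case passes only because nothing is printed, and no comment says so. The function swallows every error with `EXCEPTION WHEN OTHERS THEN RETURN 2`, so the only visible sign of a regression would be a `WARNING: owned` line appearing after the two REFRESH statements. I would add a comment before the REFRESH statements, such as `-- Neither REFRESH may print WARNING "owned": the index predicate is expected to run restricted, as the matview owner`, which is my reading of the matview.c change in this patch. The edit belongs in the matching hunk of sql/privileges.sql and would then echo into this expected-output file.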
+diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
+index 34fbf0e..c0b88a6 100644
+--- a/src/test/regress/sql/privileges.sql
++++ b/src/test/regress/sql/privileges.sql
+@@ -826,6 +826,53 @@ SELECT has_table_privilege('regress_priv_user1', 'atest4', 'SELECT WITH GRANT OP
+ \c -
+ CREATE ROLE regress_sro_user;
+
++-- Check that index expressions and predicates are run as the table's owner
++
++-- A dummy index function checking current_user
++CREATE FUNCTION sro_ifun(int) RETURNS int AS $$
++BEGIN
++ -- Below we set the table's owner to regress_sro_user
++ ASSERT current_user = 'regress_sro_user',
++ format('sro_ifun(%s) called by %s', $1, current_user);
++ RETURN $1;
++END;
++$$ LANGUAGE plpgsql IMMUTABLE;
++-- Create a table owned by regress_sro_user
++CREATE TABLE sro_tab (a int);
++ALTER TABLE sro_tab OWNER TO regress_sro_user;
++INSERT INTO sro_tab VALUES (1), (2), (3);
++-- Create an expression index with a predicate
++CREATE INDEX sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++DROP INDEX sro_idx;
++-- Do the same concurrently
++CREATE INDEX CONCURRENTLY sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++-- REINDEX
++REINDEX TABLE sro_tab;
++REINDEX INDEX sro_idx;
++REINDEX TABLE CONCURRENTLY sro_tab;
++DROP INDEX sro_idx;
++-- CLUSTER
++CREATE INDEX sro_cluster_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0)));
++CLUSTER sro_tab USING sro_cluster_idx;
++DROP INDEX sro_cluster_idx;
++-- BRIN index
++CREATE INDEX sro_brin ON sro_tab USING brin ((sro_ifun(a) + sro_ifun(0)));
++SELECT brin_desummarize_range('sro_brin', 0);
++SELECT brin_summarize_range('sro_brin', 0);
++DROP TABLE sro_tab;
++-- Check with a partitioned table
++CREATE TABLE sro_ptab (a int) PARTITION BY RANGE (a);
++ALTER TABLE sro_ptab OWNER TO regress_sro_user;
++CREATE TABLE sro_part PARTITION OF sro_ptab FOR VALUES FROM (1) TO (10);
++ALTER TABLE sro_part OWNER TO regress_sro_user;
++INSERT INTO sro_ptab VALUES (1), (2), (3);
++CREATE INDEX sro_pidx ON sro_ptab ((sro_ifun(a) + sro_ifun(0)))
++ WHERE sro_ifun(a + 10) > sro_ifun(10);
++REINDEX TABLE sro_ptab;
++REINDEX INDEX CONCURRENTLY sro_pidx;
++
+ SET SESSION AUTHORIZATION regress_sro_user;
+ CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS
+ 'GRANT regress_priv_group2 TO regress_sro_user';
+@@ -852,6 +899,23 @@ REFRESH MATERIALIZED VIEW sro_mv;
+ REFRESH MATERIALIZED VIEW sro_mv;
+ BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv; COMMIT;
+
++-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions()
++SET SESSION AUTHORIZATION regress_sro_user;
++CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int
++ IMMUTABLE LANGUAGE plpgsql AS $$
++BEGIN
++ PERFORM unwanted_grant();
++ RAISE WARNING 'owned';
++ RETURN 1;
++EXCEPTION WHEN OTHERS THEN
++ RETURN 2;
++END$$;
++CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c;
++CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0;
++\c -
++REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv;
++REFRESH MATERIALIZED VIEW sro_index_mv;
++
+ DROP OWNED BY regress_sro_user;
+ DROP ROLE regress_sro_user;
+
+--
+2.25.1
+
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch
new file mode 100644
index 000000000..6417d8a2b
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch
@@ -0,0 +1,904 @@
+From 84375c1db25ef650902cf80712495fc514b0ff63 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 13 Oct 2022 10:35:32 +0530
+Subject: [PATCH] CVE-2022-2625
+
+Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89]
+CVE: CVE-2022-2625
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ doc/src/sgml/extend.sgml | 11 --
+ src/backend/catalog/pg_collation.c | 49 ++++--
+ src/backend/catalog/pg_depend.c | 74 ++++++++-
+ src/backend/catalog/pg_operator.c | 2 +-
+ src/backend/catalog/pg_type.c | 7 +-
+ src/backend/commands/createas.c | 18 ++-
+ src/backend/commands/foreigncmds.c | 19 ++-
+ src/backend/commands/schemacmds.c | 25 ++-
+ src/backend/commands/sequence.c | 8 +
+ src/backend/commands/statscmds.c | 4 +
+ src/backend/commands/view.c | 16 +-
+ src/backend/parser/parse_utilcmd.c | 10 ++
+ src/include/catalog/dependency.h | 2 +
+ src/test/modules/test_extensions/Makefile | 5 +-
+ .../expected/test_extensions.out | 153 ++++++++++++++++++
+ .../test_extensions/sql/test_extensions.sql | 110 +++++++++++++
+ .../test_ext_cine--1.0--1.1.sql | 26 +++
+ .../test_extensions/test_ext_cine--1.0.sql | 25 +++
+ .../test_extensions/test_ext_cine.control | 3 +
+ .../test_extensions/test_ext_cor--1.0.sql | 20 +++
+ .../test_extensions/test_ext_cor.control | 3 +
+ 21 files changed, 540 insertions(+), 50 deletions(-)
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine.control
+ create mode 100644 src/test/modules/test_extensions/test_ext_cor--1.0.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cor.control
+
+diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml
+index 53f2638..bcc7a80 100644
+--- a/doc/src/sgml/extend.sgml
++++ b/doc/src/sgml/extend.sgml
+@@ -1109,17 +1109,6 @@ SELECT * FROM pg_extension_update_paths('<replaceable>extension_name</replaceabl
+ <varname>search_path</varname>. However, no mechanism currently exists
+ to require that.
+ </para>
+-
+- <para>
+- Do <emphasis>not</emphasis> use <command>CREATE OR REPLACE
+- FUNCTION</command>, except in an update script that must change the
+- definition of a function that is known to be an extension member
+- already. (Likewise for other <literal>OR REPLACE</literal> options.)
+- Using <literal>OR REPLACE</literal> unnecessarily not only has a risk
+- of accidentally overwriting someone else's function, but it creates a
+- security hazard since the overwritten function would still be owned by
+- its original owner, who could modify it.
+- </para>
+ </sect3>
+ </sect2>
+
+diff --git a/src/backend/catalog/pg_collation.c b/src/backend/catalog/pg_collation.c
+index dd99d53..ba4c3ef 100644
+--- a/src/backend/catalog/pg_collation.c
++++ b/src/backend/catalog/pg_collation.c
+@@ -78,15 +78,25 @@ CollationCreate(const char *collname, Oid collnamespace,
+ * friendlier error message. The unique index provides a backstop against
+ * race conditions.
+ */
+- if (SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(collencoding),
+- ObjectIdGetDatum(collnamespace)))
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(collencoding),
++ ObjectIdGetDatum(collnamespace));
++ if (OidIsValid(oid))
+ {
+ if (quiet)
+ return InvalidOid;
+ else if (if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, CollationRelationId, oid);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ collencoding == -1
+@@ -116,16 +126,19 @@ CollationCreate(const char *collname, Oid collnamespace,
+ * so we take a ShareRowExclusiveLock earlier, to protect against
+ * concurrent changes fooling this check.
+ */
+- if ((collencoding == -1 &&
+- SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(GetDatabaseEncoding()),
+- ObjectIdGetDatum(collnamespace))) ||
+- (collencoding != -1 &&
+- SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(-1),
+- ObjectIdGetDatum(collnamespace))))
++ if (collencoding == -1)
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(GetDatabaseEncoding()),
++ ObjectIdGetDatum(collnamespace));
++ else
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(-1),
++ ObjectIdGetDatum(collnamespace));
++ if (OidIsValid(oid))
+ {
+ if (quiet)
+ {
+@@ -134,6 +147,14 @@ CollationCreate(const char *collname, Oid collnamespace,
+ }
+ else if (if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, CollationRelationId, oid);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ table_close(rel, NoLock);
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+diff --git a/src/backend/catalog/pg_depend.c b/src/backend/catalog/pg_depend.c
+index 9ffadbb..71c7cef 100644
+--- a/src/backend/catalog/pg_depend.c
++++ b/src/backend/catalog/pg_depend.c
+@@ -124,15 +124,23 @@ recordMultipleDependencies(const ObjectAddress *depender,
+
+ /*
+ * If we are executing a CREATE EXTENSION operation, mark the given object
+- * as being a member of the extension. Otherwise, do nothing.
++ * as being a member of the extension, or check that it already is one.
++ * Otherwise, do nothing.
+ *
+ * This must be called during creation of any user-definable object type
+ * that could be a member of an extension.
+ *
+- * If isReplace is true, the object already existed (or might have already
+- * existed), so we must check for a pre-existing extension membership entry.
+- * Passing false is a guarantee that the object is newly created, and so
+- * could not already be a member of any extension.
++ * isReplace must be true if the object already existed, and false if it is
++ * newly created. In the former case we insist that it already be a member
++ * of the current extension. In the latter case we can skip checking whether
++ * it is already a member of any extension.
++ *
++ * Note: isReplace = true is typically used when updating a object in
++ * CREATE OR REPLACE and similar commands. We used to allow the target
++ * object to not already be an extension member, instead silently absorbing
++ * it into the current extension. However, this was both error-prone
++ * (extensions might accidentally overwrite free-standing objects) and
++ * a security hazard (since the object would retain its previous ownership).
+ */
+ void
+ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+@@ -150,6 +158,12 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ {
+ Oid oldext;
+
++ /*
++ * Side note: these catalog lookups are safe only because the
++ * object is a pre-existing one. In the not-isReplace case, the
++ * caller has most likely not yet done a CommandCounterIncrement
++ * that would make the new object visible.
++ */
+ oldext = getExtensionOfObject(object->classId, object->objectId);
+ if (OidIsValid(oldext))
+ {
+@@ -163,6 +177,13 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ getObjectDescription(object),
+ get_extension_name(oldext))));
+ }
++ /* It's a free-standing object, so reject */
++ ereport(ERROR,
++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++ errmsg("%s is not a member of extension \"%s\"",
++ getObjectDescription(object),
++ get_extension_name(CurrentExtensionObject)),
++ errdetail("An extension is not allowed to replace an object that it does not own.")));
+ }
+
+ /* OK, record it as a member of CurrentExtensionObject */
+@@ -174,6 +195,49 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ }
+ }
+
++/*
++ * If we are executing a CREATE EXTENSION operation, check that the given
++ * object is a member of the extension, and throw an error if it isn't.
++ * Otherwise, do nothing.
++ *
++ * This must be called whenever a CREATE IF NOT EXISTS operation (for an
++ * object type that can be an extension member) has found that an object of
++ * the desired name already exists. It is insecure for an extension to use
++ * IF NOT EXISTS except when the conflicting object is already an extension
++ * member; otherwise a hostile user could substitute an object with arbitrary
++ * properties.
++ */
++void
++checkMembershipInCurrentExtension(const ObjectAddress *object)
++{
++ /*
++ * This is actually the same condition tested in
++ * recordDependencyOnCurrentExtension; but we want to issue a
++ * differently-worded error, and anyway it would be pretty confusing to
++ * call recordDependencyOnCurrentExtension in these circumstances.
++ */
++
++ /* Only whole objects can be extension members */
++ Assert(object->objectSubId == 0);
++
++ if (creating_extension)
++ {
++ Oid oldext;
++
++ oldext = getExtensionOfObject(object->classId, object->objectId);
++ /* If already a member of this extension, OK */
++ if (oldext == CurrentExtensionObject)
++ return;
++ /* Else complain */
++ ereport(ERROR,
++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++ errmsg("%s is not a member of extension \"%s\"",
++ getObjectDescription(object),
++ get_extension_name(CurrentExtensionObject)),
++ errdetail("An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.")));
++ }
++}
++
+ /*
+ * deleteDependencyRecordsFor -- delete all records with given depender
+ * classId/objectId. Returns the number of records deleted.
+diff --git a/src/backend/catalog/pg_operator.c b/src/backend/catalog/pg_operator.c
+index bcaa26c..84784e6 100644
+--- a/src/backend/catalog/pg_operator.c
++++ b/src/backend/catalog/pg_operator.c
+@@ -867,7 +867,7 @@ makeOperatorDependencies(HeapTuple tuple, bool isUpdate)
+ oper->oprowner);
+
+ /* Dependency on extension */
+- recordDependencyOnCurrentExtension(&myself, true);
++ recordDependencyOnCurrentExtension(&myself, isUpdate);
+
+ return myself;
+ }
+diff --git a/src/backend/catalog/pg_type.c b/src/backend/catalog/pg_type.c
+index 2a51501..3ff017f 100644
+--- a/src/backend/catalog/pg_type.c
++++ b/src/backend/catalog/pg_type.c
+@@ -528,10 +528,9 @@ TypeCreate(Oid newTypeOid,
+ * If rebuild is true, we remove existing dependencies and rebuild them
+ * from scratch. This is needed for ALTER TYPE, and also when replacing
+ * a shell type. We don't remove an existing extension dependency, though.
+- * (That means an extension can't absorb a shell type created in another
+- * extension, nor ALTER a type created by another extension. Also, if it
+- * replaces a free-standing shell type or ALTERs a free-standing type,
+- * that type will become a member of the extension.)
++ * That means an extension can't absorb a shell type that is free-standing
++ * or belongs to another extension, nor ALTER a type that is free-standing or
++ * belongs to another extension.
+ */
+ void
+ GenerateTypeDependencies(Oid typeObjectId,
+diff --git a/src/backend/commands/createas.c b/src/backend/commands/createas.c
+index 4c1d909..a68d945 100644
+--- a/src/backend/commands/createas.c
++++ b/src/backend/commands/createas.c
+@@ -243,15 +243,27 @@ ExecCreateTableAs(CreateTableAsStmt *stmt, const char *queryString,
+ if (stmt->if_not_exists)
+ {
+ Oid nspid;
++ Oid oldrelid;
+
+- nspid = RangeVarGetCreationNamespace(stmt->into->rel);
++ nspid = RangeVarGetCreationNamespace(into->rel);
+
+- if (get_relname_relid(stmt->into->rel->relname, nspid))
++ oldrelid = get_relname_relid(into->rel->relname, nspid);
++ if (OidIsValid(oldrelid))
+ {
++ /*
++ * The relation exists and IF NOT EXISTS has been specified.
++ *
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, RelationRelationId, oldrelid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+- stmt->into->rel->relname)));
++ into->rel->relname)));
+ return InvalidObjectAddress;
+ }
+ }
+diff --git a/src/backend/commands/foreigncmds.c b/src/backend/commands/foreigncmds.c
+index d7bc6e3..bc583c6 100644
+--- a/src/backend/commands/foreigncmds.c
++++ b/src/backend/commands/foreigncmds.c
+@@ -887,13 +887,22 @@ CreateForeignServer(CreateForeignServerStmt *stmt)
+ ownerId = GetUserId();
+
+ /*
+- * Check that there is no other foreign server by this name. Do nothing if
+- * IF NOT EXISTS was enforced.
++ * Check that there is no other foreign server by this name. If there is
++ * one, do nothing if IF NOT EXISTS was specified.
+ */
+- if (GetForeignServerByName(stmt->servername, true) != NULL)
++ srvId = get_foreign_server_oid(stmt->servername, true);
++ if (OidIsValid(srvId))
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, ForeignServerRelationId, srvId);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("server \"%s\" already exists, skipping",
+@@ -1182,6 +1191,10 @@ CreateUserMapping(CreateUserMappingStmt *stmt)
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * Since user mappings aren't members of extensions (see comments
++ * below), no need for checkMembershipInCurrentExtension here.
++ */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("user mapping for \"%s\" already exists for server \"%s\", skipping",
+diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
+index 6cf94a3..6bc4edc 100644
+--- a/src/backend/commands/schemacmds.c
++++ b/src/backend/commands/schemacmds.c
+@@ -113,14 +113,25 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
+ * the permissions checks, but since CREATE TABLE IF NOT EXISTS makes its
+ * creation-permission check first, we do likewise.
+ */
+- if (stmt->if_not_exists &&
+- SearchSysCacheExists1(NAMESPACENAME, PointerGetDatum(schemaName)))
++ if (stmt->if_not_exists)
+ {
+- ereport(NOTICE,
+- (errcode(ERRCODE_DUPLICATE_SCHEMA),
+- errmsg("schema \"%s\" already exists, skipping",
+- schemaName)));
+- return InvalidOid;
++ namespaceId = get_namespace_oid(schemaName, true);
++ if (OidIsValid(namespaceId))
++ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, NamespaceRelationId, namespaceId);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
++ ereport(NOTICE,
++ (errcode(ERRCODE_DUPLICATE_SCHEMA),
++ errmsg("schema \"%s\" already exists, skipping",
++ schemaName)));
++ return InvalidOid;
++ }
+ }
+
+ /*
+diff --git a/src/backend/commands/sequence.c b/src/backend/commands/sequence.c
+index 0960b33..0577184 100644
+--- a/src/backend/commands/sequence.c
++++ b/src/backend/commands/sequence.c
+@@ -149,6 +149,14 @@ DefineSequence(ParseState *pstate, CreateSeqStmt *seq)
+ RangeVarGetAndCheckCreationNamespace(seq->sequence, NoLock, &seqoid);
+ if (OidIsValid(seqoid))
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, RelationRelationId, seqoid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+diff --git a/src/backend/commands/statscmds.c b/src/backend/commands/statscmds.c
+index 5678d31..409cf28 100644
+--- a/src/backend/commands/statscmds.c
++++ b/src/backend/commands/statscmds.c
+@@ -173,6 +173,10 @@ CreateStatistics(CreateStatsStmt *stmt)
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * Since stats objects aren't members of extensions (see comments
++ * below), no need for checkMembershipInCurrentExtension here.
++ */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("statistics object \"%s\" already exists, skipping",
+diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
+index 87ed453..dd7cc97 100644
+--- a/src/backend/commands/view.c
++++ b/src/backend/commands/view.c
+@@ -205,7 +205,7 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace,
+ CommandCounterIncrement();
+
+ /*
+- * Finally update the view options.
++ * Update the view's options.
+ *
+ * The new options list replaces the existing options list, even if
+ * it's empty.
+@@ -218,8 +218,22 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace,
+ /* EventTriggerAlterTableStart called by ProcessUtilitySlow */
+ AlterTableInternal(viewOid, atcmds, true);
+
++ /*
++ * There is very little to do here to update the view's dependencies.
++ * Most view-level dependency relationships, such as those on the
++ * owner, schema, and associated composite type, aren't changing.
++ * Because we don't allow changing type or collation of an existing
++ * view column, those dependencies of the existing columns don't
++ * change either, while the AT_AddColumnToView machinery took care of
++ * adding such dependencies for new view columns. The dependencies of
++ * the view's query could have changed arbitrarily, but that was dealt
++ * with inside StoreViewQuery. What remains is only to check that
++ * view replacement is allowed when we're creating an extension.
++ */
+ ObjectAddressSet(address, RelationRelationId, viewOid);
+
++ recordDependencyOnCurrentExtension(&address, true);
++
+ /*
+ * Seems okay, so return the OID of the pre-existing view.
+ */
+diff --git a/src/backend/parser/parse_utilcmd.c b/src/backend/parser/parse_utilcmd.c
+index 44aa38a..8f4d940 100644
+--- a/src/backend/parser/parse_utilcmd.c
++++ b/src/backend/parser/parse_utilcmd.c
+@@ -206,6 +206,16 @@ transformCreateStmt(CreateStmt *stmt, const char *queryString)
+ */
+ if (stmt->if_not_exists && OidIsValid(existing_relid))
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddress address;
++
++ ObjectAddressSet(address, RelationRelationId, existing_relid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+diff --git a/src/include/catalog/dependency.h b/src/include/catalog/dependency.h
+index 8b1e3aa..27c7509 100644
+--- a/src/include/catalog/dependency.h
++++ b/src/include/catalog/dependency.h
+@@ -201,6 +201,8 @@ extern void recordMultipleDependencies(const ObjectAddress *depender,
+ extern void recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ bool isReplace);
+
++extern void checkMembershipInCurrentExtension(const ObjectAddress *object);
++
+ extern long deleteDependencyRecordsFor(Oid classId, Oid objectId,
+ bool skipExtensionDeps);
+
+diff --git a/src/test/modules/test_extensions/Makefile b/src/test/modules/test_extensions/Makefile
+index d18108e..7428f15 100644
+--- a/src/test/modules/test_extensions/Makefile
++++ b/src/test/modules/test_extensions/Makefile
+@@ -4,10 +4,13 @@ MODULE = test_extensions
+ PGFILEDESC = "test_extensions - regression testing for EXTENSION support"
+
+ EXTENSION = test_ext1 test_ext2 test_ext3 test_ext4 test_ext5 test_ext6 \
+- test_ext7 test_ext8 test_ext_cyclic1 test_ext_cyclic2
++ test_ext7 test_ext8 test_ext_cine test_ext_cor \
++ test_ext_cyclic1 test_ext_cyclic2
+ DATA = test_ext1--1.0.sql test_ext2--1.0.sql test_ext3--1.0.sql \
+ test_ext4--1.0.sql test_ext5--1.0.sql test_ext6--1.0.sql \
+ test_ext7--1.0.sql test_ext7--1.0--2.0.sql test_ext8--1.0.sql \
++ test_ext_cine--1.0.sql test_ext_cine--1.0--1.1.sql \
++ test_ext_cor--1.0.sql \
+ test_ext_cyclic1--1.0.sql test_ext_cyclic2--1.0.sql
+
+ REGRESS = test_extensions test_extdepend
+diff --git a/src/test/modules/test_extensions/expected/test_extensions.out b/src/test/modules/test_extensions/expected/test_extensions.out
+index b5cbdfc..1e91640 100644
+--- a/src/test/modules/test_extensions/expected/test_extensions.out
++++ b/src/test/modules/test_extensions/expected/test_extensions.out
+@@ -154,3 +154,156 @@ DROP TABLE test_ext4_tab;
+ DROP FUNCTION create_extension_with_temp_schema();
+ RESET client_min_messages;
+ \unset SHOW_CONTEXT
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE;
++-- check that too.
++CREATE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: function ext_cor_func() is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++SELECT ext_cor_func();
++ ext_cor_func
++------------------------
++ ext_cor_func: original
++(1 row)
++
++DROP FUNCTION ext_cor_func();
++CREATE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: original'::text AS col;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: view ext_cor_view is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++SELECT ext_cor_func();
++ERROR: function ext_cor_func() does not exist
++LINE 1: SELECT ext_cor_func();
++ ^
++HINT: No function matches the given name and argument types. You might need to add explicit type casts.
++SELECT * FROM ext_cor_view;
++ col
++------------------------
++ ext_cor_view: original
++(1 row)
++
++DROP VIEW ext_cor_view;
++CREATE TYPE test_ext_type;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: type test_ext_type is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++DROP TYPE test_ext_type;
++-- this makes a shell "point <<@@ polygon" operator too
++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt,
++ LEFTARG = polygon, RIGHTARG = point,
++ COMMUTATOR = <<@@ );
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: operator <<@@(point,polygon) is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++DROP OPERATOR <<@@ (point, polygon);
++CREATE EXTENSION test_ext_cor; -- now it should work
++SELECT ext_cor_func();
++ ext_cor_func
++------------------------------
++ ext_cor_func: from extension
++(1 row)
++
++SELECT * FROM ext_cor_view;
++ col
++------------------------------
++ ext_cor_view: from extension
++(1 row)
++
++SELECT 'x'::test_ext_type;
++ test_ext_type
++---------------
++ x
++(1 row)
++
++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1));
++ ?column?
++----------
++ t
++(1 row)
++
++\dx+ test_ext_cor
++Objects in extension "test_ext_cor"
++ Object description
++------------------------------
++ function ext_cor_func()
++ operator <<@@(point,polygon)
++ type test_ext_type
++ view ext_cor_view
++(4 rows)
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++CREATE COLLATION ext_cine_coll
++ ( LC_COLLATE = "C", LC_CTYPE = "C" );
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: collation ext_cine_coll is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP COLLATION ext_cine_coll;
++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: materialized view ext_cine_mv is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP MATERIALIZED VIEW ext_cine_mv;
++CREATE FOREIGN DATA WRAPPER dummy;
++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: server ext_cine_srv is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SERVER ext_cine_srv;
++CREATE SCHEMA ext_cine_schema;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: schema ext_cine_schema is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SCHEMA ext_cine_schema;
++CREATE SEQUENCE ext_cine_seq;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: sequence ext_cine_seq is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SEQUENCE ext_cine_seq;
++CREATE TABLE ext_cine_tab1 (x int);
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: table ext_cine_tab1 is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP TABLE ext_cine_tab1;
++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: table ext_cine_tab2 is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP TABLE ext_cine_tab2;
++CREATE EXTENSION test_ext_cine;
++\dx+ test_ext_cine
++Objects in extension "test_ext_cine"
++ Object description
++-----------------------------------
++ collation ext_cine_coll
++ foreign-data wrapper ext_cine_fdw
++ materialized view ext_cine_mv
++ schema ext_cine_schema
++ sequence ext_cine_seq
++ server ext_cine_srv
++ table ext_cine_tab1
++ table ext_cine_tab2
++(8 rows)
++
++ALTER EXTENSION test_ext_cine UPDATE TO '1.1';
++\dx+ test_ext_cine
++Objects in extension "test_ext_cine"
++ Object description
++-----------------------------------
++ collation ext_cine_coll
++ foreign-data wrapper ext_cine_fdw
++ materialized view ext_cine_mv
++ schema ext_cine_schema
++ sequence ext_cine_seq
++ server ext_cine_srv
++ table ext_cine_tab1
++ table ext_cine_tab2
++ table ext_cine_tab3
++(9 rows)
++
+diff --git a/src/test/modules/test_extensions/sql/test_extensions.sql b/src/test/modules/test_extensions/sql/test_extensions.sql
+index f505466..b3d4579 100644
+--- a/src/test/modules/test_extensions/sql/test_extensions.sql
++++ b/src/test/modules/test_extensions/sql/test_extensions.sql
+@@ -93,3 +93,113 @@ DROP TABLE test_ext4_tab;
+ DROP FUNCTION create_extension_with_temp_schema();
+ RESET client_min_messages;
+ \unset SHOW_CONTEXT
++
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE;
++-- check that too.
++
++CREATE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++SELECT ext_cor_func();
++
++DROP FUNCTION ext_cor_func();
++
++CREATE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: original'::text AS col;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++SELECT ext_cor_func();
++
++SELECT * FROM ext_cor_view;
++
++DROP VIEW ext_cor_view;
++
++CREATE TYPE test_ext_type;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++DROP TYPE test_ext_type;
++
++-- this makes a shell "point <<@@ polygon" operator too
++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt,
++ LEFTARG = polygon, RIGHTARG = point,
++ COMMUTATOR = <<@@ );
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++DROP OPERATOR <<@@ (point, polygon);
++
++CREATE EXTENSION test_ext_cor; -- now it should work
++
++SELECT ext_cor_func();
++
++SELECT * FROM ext_cor_view;
++
++SELECT 'x'::test_ext_type;
++
++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1));
++
++\dx+ test_ext_cor
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++
++CREATE COLLATION ext_cine_coll
++ ( LC_COLLATE = "C", LC_CTYPE = "C" );
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP COLLATION ext_cine_coll;
++
++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP MATERIALIZED VIEW ext_cine_mv;
++
++CREATE FOREIGN DATA WRAPPER dummy;
++
++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SERVER ext_cine_srv;
++
++CREATE SCHEMA ext_cine_schema;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SCHEMA ext_cine_schema;
++
++CREATE SEQUENCE ext_cine_seq;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SEQUENCE ext_cine_seq;
++
++CREATE TABLE ext_cine_tab1 (x int);
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP TABLE ext_cine_tab1;
++
++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP TABLE ext_cine_tab2;
++
++CREATE EXTENSION test_ext_cine;
++
++\dx+ test_ext_cine
++
++ALTER EXTENSION test_ext_cine UPDATE TO '1.1';
++
++\dx+ test_ext_cine
+diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+new file mode 100644
+index 0000000..6dadfd2
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+@@ -0,0 +1,26 @@
++/* src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql */
++-- complain if script is sourced in psql, rather than via ALTER EXTENSION
++\echo Use "ALTER EXTENSION test_ext_cine UPDATE TO '1.1'" to load this file. \quit
++
++--
++-- These are the same commands as in the 1.0 script; we expect them
++-- to do nothing.
++--
++
++CREATE COLLATION IF NOT EXISTS ext_cine_coll
++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" );
++
++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1;
++
++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SCHEMA IF NOT EXISTS ext_cine_schema;
++
++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq;
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int);
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y;
++
++-- just to verify the script ran
++CREATE TABLE ext_cine_tab3 (z int);
+diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0.sql b/src/test/modules/test_extensions/test_ext_cine--1.0.sql
+new file mode 100644
+index 0000000..01408ff
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine--1.0.sql
+@@ -0,0 +1,25 @@
++/* src/test/modules/test_extensions/test_ext_cine--1.0.sql */
++-- complain if script is sourced in psql, rather than via CREATE EXTENSION
++\echo Use "CREATE EXTENSION test_ext_cine" to load this file. \quit
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++
++CREATE COLLATION IF NOT EXISTS ext_cine_coll
++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" );
++
++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1;
++
++CREATE FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SCHEMA IF NOT EXISTS ext_cine_schema;
++
++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq;
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int);
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y;
+diff --git a/src/test/modules/test_extensions/test_ext_cine.control b/src/test/modules/test_extensions/test_ext_cine.control
+new file mode 100644
+index 0000000..ced713b
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine.control
+@@ -0,0 +1,3 @@
++comment = 'Test extension using CREATE IF NOT EXISTS'
++default_version = '1.0'
++relocatable = true
+diff --git a/src/test/modules/test_extensions/test_ext_cor--1.0.sql b/src/test/modules/test_extensions/test_ext_cor--1.0.sql
+new file mode 100644
+index 0000000..2e8d89c
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cor--1.0.sql
+@@ -0,0 +1,20 @@
++/* src/test/modules/test_extensions/test_ext_cor--1.0.sql */
++-- complain if script is sourced in psql, rather than via CREATE EXTENSION
++\echo Use "CREATE EXTENSION test_ext_cor" to load this file. \quit
++
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++
++CREATE OR REPLACE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: from extension'::text $$ LANGUAGE sql;
++
++CREATE OR REPLACE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: from extension'::text AS col;
++
++-- These are for testing replacement of a shell type/operator, which works
++-- enough like an implicit OR REPLACE to be important to check.
++
++CREATE TYPE test_ext_type AS ENUM('x', 'y');
++
++CREATE OPERATOR <<@@ ( PROCEDURE = pt_contained_poly,
++ LEFTARG = point, RIGHTARG = polygon );
+diff --git a/src/test/modules/test_extensions/test_ext_cor.control b/src/test/modules/test_extensions/test_ext_cor.control
+new file mode 100644
+index 0000000..0e972e5
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cor.control
+@@ -0,0 +1,3 @@
++comment = 'Test extension using CREATE OR REPLACE'
++default_version = '1.0'
++relocatable = true
+--
+2.25.1
+
diff --git a/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch b/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch
new file mode 100644
index 000000000..92a3dcc71
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch
@@ -0,0 +1,38 @@
+Remove duplicate code for riscv
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+--- a/src/include/storage/s_lock.h
++++ b/src/include/storage/s_lock.h
+@@ -341,30 +341,6 @@ tas(volatile slock_t *lock)
+ #endif /* HAVE_GCC__SYNC_INT32_TAS */
+ #endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */
+
+-
+-/*
+- * RISC-V likewise uses __sync_lock_test_and_set(int *, int) if available.
+- */
+-#if defined(__riscv)
+-#ifdef HAVE_GCC__SYNC_INT32_TAS
+-#define HAS_TEST_AND_SET
+-
+-#define TAS(lock) tas(lock)
+-
+-typedef int slock_t;
+-
+-static __inline__ int
+-tas(volatile slock_t *lock)
+-{
+- return __sync_lock_test_and_set(lock, 1);
+-}
+-
+-#define S_UNLOCK(lock) __sync_lock_release(lock)
+-
+-#endif /* HAVE_GCC__SYNC_INT32_TAS */
+-#endif /* __riscv */
+-
+-
+ /* S/390 and S/390x Linux (32- and 64-bit zSeries) */
+ #if defined(__s390__) || defined(__s390x__)
+ #define HAS_TEST_AND_SET
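Review bot: `Upstream-Status: Pending` does not look right for this patch. The context line `#endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */` suggests the ARM block already covers RISC-V, presumably because of the layer's own `0001-Add-support-for-RISC-V.patch`, so the duplicate would exist only in this recipe's patched tree and the removal could not be sent upstream as is. Either refresh or drop the local RISC-V patch so that upstream's `__riscv` block is the one that remains, or mark this patch `Upstream-Status: Inappropriate [oe-specific]`. The one-line description should also name the patch that introduces the duplicate, so a later maintainer can tell when this one can be dropped.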
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.7.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
index 18ba2178f..860e821b2 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_12.7.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
@@ -6,6 +6,9 @@ SRC_URI += "\
file://not-check-libperl.patch \
file://0001-Add-support-for-RISC-V.patch \
file://0001-Improve-reproducibility.patch \
+ file://remove_duplicate.patch \
+ file://CVE-2022-1552.patch \
+ file://CVE-2022-2625.patch \
"
-SRC_URI[sha256sum] = "8490741f47c88edc8b6624af009ce19fda4dc9b31c4469ce2551d84075d5d995"
+SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"
diff --git a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb
index b9038df81..f97131991 100644
--- a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb
+++ b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb
@@ -10,7 +10,7 @@ SRCREV = "551a110918493a19d11243f53408b97485de1411"
SRCBRANCH = "6.6.fb"
PV = "6.6.4"
-SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH} \
+SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH};protocol=https \
file://0001-db-write_thread.cc-Initialize-state.patch \
file://0001-cmake-Add-check-for-atomic-support.patch \
"
diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
index e874e4a5e..87f9c23eb 100644
--- a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
+++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=df52c6edb7adc22e533b2bacc3bd3915"
PV = "20190808+git${SRCPV}"
SRCREV = "aa844899c937bde5d2b24f276b59997e5b668bde"
BRANCH = "lts_2019_08_08"
-SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH} \
+SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH};protocol=https \
file://0001-Remove-maes-option-from-cross-compilation.patch \
file://0002-Add-forgotten-ABSL_HAVE_VDSO_SUPPORT-conditional.patch \
file://0003-Add-fPIC-option.patch \
diff --git a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb
index fb6125e2a..ef440471b 100644
--- a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb
+++ b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb
@@ -19,6 +19,7 @@ SRCREV_libhardware = "be55eb1f4d840c82ffaf7c47460df17ff5bc4d9b"
SRCREV_libselinux = "07e9e1339ad1ba608acfba9dce2d0f474b252feb"
SRCREV_build = "16e987def3d7d8f7d30805eb95cef69e52a87dbc"
+SRCREV_FORMAT = "core_extras_libhardware_libselinux_build"
SRC_URI = " \
git://${ANDROID_MIRROR}/platform/system/core;name=core;protocol=https;nobranch=1;destsuffix=git/system/core \
git://${ANDROID_MIRROR}/platform/system/extras;name=extras;protocol=https;nobranch=1;destsuffix=git/system/extras \
diff --git a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb
index 2b75eaac9..79754050d 100644
--- a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb
+++ b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb
@@ -8,7 +8,7 @@ PV = "1.17"
PR = "r1"
PE = "1"
-SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https \
+SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https;branch=master \
file://0001-svg-add-rudimentary-support-for-ARM-cpuinfo.patch \
file://0002-svg-open-etc-os-release-and-use-PRETTY_NAME-for-the-.patch \
"
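Review bot: Adding `branch=master` keeps this fetch pointed at `gitorious.org`, a hosting service that was shut down years ago, so the recipe can only be satisfied from a source mirror or a download cache, and what is fetched depends on whoever answers for that hostname now. The SRCREV is outside this hunk; if it is a full commit hash the fetched content is still pinned, but the URL should move to a location that is actually maintained. Something like `SRC_URI = "git://<maintained-mirror-host>/<path>/bootchart.git;protocol=https;branch=master \` would do, with the placeholder replaced by a mirror whose history has been checked against the pinned revision.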
diff --git a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb
index daf262ed6..1e474225a 100644
--- a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb
+++ b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb
@@ -26,11 +26,11 @@ SRCREV_protobuf = "cb6dd4ef5f82e41e06179dcd57d3b1d9246ad6ac"
SRCREV_lss = "8048ece6c16c91acfe0d36d1d3cc0890ab6e945c"
SRCREV_gyp = "324dd166b7c0b39d513026fa52d6280ac6d56770"
-SRC_URI = "git://github.com/google/breakpad;name=breakpad \
- git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest \
- git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf \
- git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss \
- git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp \
+SRC_URI = "git://github.com/google/breakpad;name=breakpad;branch=main;protocol=https \
+ git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest;branch=main;protocol=https \
+ git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf;branch=main;protocol=https \
+ git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss;branch=main \
+ git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp;branch=master \
file://0001-include-sys-reg.h-to-get-__WORDSIZE-on-musl-libc.patch \
file://0003-Fix-conflict-between-musl-libc-dirent.h-and-lss.patch \
file://0001-Turn-off-sign-compare-for-musl-libc.patch \
diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
index c6bab5ec2..fa1751e56 100644
--- a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
+++ b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
@@ -5,7 +5,9 @@ SECTION = "console/tools"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9"
-SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV}"
+SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \
+ file://CVE-2022-46149.patch \
+"
SRCREV = "3f44c6db0f0f6c0cab0633f15f15d0a2acd01d19"
S = "${WORKDIR}/git/c++"
diff --git a/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch
new file mode 100644
index 000000000..b6b1fa651
--- /dev/null
+++ b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch
@@ -0,0 +1,49 @@
+From 25d34c67863fd960af34fc4f82a7ca3362ee74b9 Mon Sep 17 00:00:00 2001
+From: Kenton Varda <kenton@cloudflare.com>
+Date: Wed, 23 Nov 2022 12:02:29 -0600
+Subject: [PATCH] Apply data offset for list-of-pointers at access time rather
+ than ListReader creation time.
+
+Baking this offset into `ptr` reduced ops needed at access time but made the interpretation of `ptr` inconsistent depending on what type of list was expected.
+
+CVE: CVE-2022-46149
+Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ c++/src/capnp/layout.c++ | 4 ----
+ c++/src/capnp/layout.h | 6 +++++-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+Index: c++/src/capnp/layout.c++
+===================================================================
+--- c++.orig/src/capnp/layout.c++
++++ c++/src/capnp/layout.c++
+@@ -2322,10 +2322,6 @@ struct WireHelpers {
+ break;
+
+ case ElementSize::POINTER:
+- // We expected a list of pointers but got a list of structs. Assuming the first field
+- // in the struct is the pointer we were looking for, we want to munge the pointer to
+- // point at the first element's pointer section.
+- ptr += tag->structRef.dataSize.get();
+ KJ_REQUIRE(tag->structRef.ptrCount.get() > ZERO * POINTERS,
+ "Expected a pointer list, but got a list of data-only structs.") {
+ goto useDefault;
+Index: c++/src/capnp/layout.h
+===================================================================
+--- c++.orig/src/capnp/layout.h
++++ c++/src/capnp/layout.h
+@@ -1235,8 +1235,12 @@ inline Void ListReader::getDataElement<V
+ }
+
+ inline PointerReader ListReader::getPointerElement(ElementCount index) const {
++ // If the list elements have data sections we need to skip those. Note that for pointers to be
++ // present at all (which already must be true if we get here), then `structDataSize` must be a
++ // whole number of words, so we don't have to worry about unaligned reads here.
++ auto offset = structDataSize / BITS_PER_BYTE;
+ return PointerReader(segment, capTable, reinterpret_cast<const WirePointer*>(
+- ptr + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
++ ptr + offset + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
+ }
+
+ // -------------------------------------------------------------------
diff --git a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb
index e6174821f..7af05acf9 100644
--- a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb
+++ b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb
@@ -5,7 +5,7 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=218947f77e8cb8e2fa02918dc41c50d0"
-SRC_URI = "git://github.com/DaveGamble/cJSON.git"
+SRC_URI = "git://github.com/DaveGamble/cJSON.git;branch=master;protocol=https"
SRCREV = "39853e5148dad8dc5d32ea2b00943cf4a0c6f120"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb
index 8c6cf7db2..996314a75 100644
--- a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb
+++ b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb
@@ -10,7 +10,7 @@ SECTION = "base"
PV = "0.5.1+git${SRCPV}"
SRCREV = "f97d3da5c375ac2fc5a9173cdd36cb828915a2e1"
LIC_FILES_CHKSUM = "file://LICENSE;md5=a0b24c1a8f9ad516a297d055b0294231"
-SRC_URI = "git://github.com/concurrencykit/ck.git \
+SRC_URI = "git://github.com/concurrencykit/ck.git;branch=master;protocol=https \
file://cross.patch \
"
diff --git a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb
index 406494ebb..d1b7134b8 100644
--- a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb
+++ b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb
@@ -3,11 +3,11 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master "
+SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master;protocol=https"
SRCREV = "c5416adeb210154dc4ccc4c3e1c5297d83ebd41e"
PV = "1.1"
-SRC_URI_append_class-target = "file://oe-remote.repo.sample"
+SRC_URI_append_class-target = " file://oe-remote.repo.sample"
inherit distutils3-base
diff --git a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb
index 7b8d47d8d..c4f3594f3 100644
--- a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb
+++ b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRCREV = "6df40a2471737b27271bdd9b900ab5f3aec746c7"
-SRC_URI = "git://github.com/google/flatbuffers.git"
+SRC_URI = "git://github.com/google/flatbuffers.git;branch=master;protocol=https"
# affects only flatbuffers rust crate
CVE_CHECK_WHITELIST += "CVE-2020-35864"
@@ -24,12 +24,17 @@ BUILD_CXXFLAGS += "-std=c++11 -fPIC"
# BUILD_TYPE=Release is required, otherwise flatc is not installed
EXTRA_OECMAKE += "\
-DCMAKE_BUILD_TYPE=Release \
- -DFLATBUFFERS_BUILD_TESTS=OFF \
+ -DFLATBUFFERS_BUILD_TESTS=OFF \
-DFLATBUFFERS_BUILD_SHAREDLIB=ON \
"
inherit cmake
+rm_flatc_cmaketarget_for_target() {
+ rm -f "${SYSROOT_DESTDIR}/${libdir}/cmake/flatbuffers/FlatcTargets.cmake"
+}
+SYSROOT_PREPROCESS_FUNCS:class-target += "rm_flatc_cmaketarget_for_target"
+
S = "${WORKDIR}/git"
FILES_${PN}-compiler = "${bindir}"
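Review bot: The new `SYSROOT_PREPROCESS_FUNCS:class-target += "rm_flatc_cmaketarget_for_target"` line uses the colon override syntax, while this recipe (`FILES_${PN}-compiler` just below) and other recipes touched by this commit (`SRC_URI_append_class-target`) use the underscore form. On a BitBake that does not treat `:` as the override separator, this would most likely assign to an unrelated variable, so the function would never run and `FlatcTargets.cmake` would stay in the target sysroot. Assuming this branch is on the old syntax, `SYSROOT_PREPROCESS_FUNCS_append_class-target = " rm_flatc_cmaketarget_for_target"` matches the rest of the file. An append also avoids replacing functions that classes may already have registered, which an override-scoped `+=` would do.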
diff --git a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb
index 752562eb3..8a055412f 100644
--- a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb
+++ b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb
@@ -15,9 +15,10 @@ SRCREV_grpc = "2de2e8dd8921e1f7d043e01faf7fe8a291fbb072"
SRCREV_upb = "9effcbcb27f0a665f9f345030188c0b291e32482"
BRANCH = "v1.24.x"
SRC_URI = "git://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BRANCH} \
- git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb \
+ git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb;branch=main;protocol=https \
file://0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch \
"
+SRCREV_FORMAT = "grpc_upb"
SRC_URI_append_class-target = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch \
"
SRC_URI_append_class-nativesdk = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch"
@@ -62,6 +63,6 @@ do_configure_prepend_toolchain-clang_x86() {
BBCLASSEXTEND = "native nativesdk"
-SYSROOT_DIRS_BLACKLIST_append_class-target = "${baselib}/cmake/grpc"
+SYSROOT_DIRS_BLACKLIST_append_class-target = " ${baselib}/cmake/grpc"
FILES_${PN}-dev += "${bindir}"
diff --git a/meta-oe/recipes-devtools/guider/guider_3.9.7.bb b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb
index 88fad936b..cc81443d5 100644
--- a/meta-oe/recipes-devtools/guider/guider_3.9.7.bb
+++ b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2"
PV = "3.9.7+git${SRCPV}"
-SRC_URI = "git://github.com/iipeace/${BPN}"
+SRC_URI = "git://github.com/iipeace/${BPN};branch=master;protocol=https"
SRCREV = "459b5189a46023fc98e19888b196bdc2674022fd"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb
index 8a5db3da3..629881f0c 100644
--- a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb
+++ b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb
@@ -14,7 +14,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=fa2a23dd1dc6c139f35105379d76df2b"
SRCREV = "d2e6a971f4544c55b8e3b25cf96db266971b778f"
-SRC_URI = "git://github.com/open-source-parsers/jsoncpp"
+SRC_URI = "git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb
index ca9675ed6..e9672ea4d 100644
--- a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb
+++ b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb
@@ -9,7 +9,7 @@ SECTION = "libs"
DEPENDS = "curl jsoncpp libmicrohttpd hiredis"
-SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp"
+SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp;branch=master;protocol=https"
SRCREV = "c696f6932113b81cd20cd4a34fdb1808e773f23e"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb
index 62d4df5e0..72f06ae44 100644
--- a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb
+++ b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb
@@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=930f8aa500a47c7dab0f8efb5a1c9a40"
DEPENDS = "libgfortran"
SRCREV = "6acc99d5f39130be7cec00fb835606042101a970"
-SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https"
+SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
EXTRA_OECMAKE = " -DBUILD_SHARED_LIBS=ON "
diff --git a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb
index b83e86a48..2dc3776e8 100644
--- a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb
+++ b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb
@@ -7,7 +7,7 @@ Cluster segmentation described in Annex #29 (UAX #29)."
LICENSE = "Artistic-1.0 | GPLv1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=5b122a36d0f6dc55279a0ebc69f3c60b"
-SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https \
+SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https;branch=master \
file://0001-configure.ac-fix-cross-compiling-issue.patch \
"
diff --git a/meta-oe/recipes-devtools/libubox/libubox_git.bb b/meta-oe/recipes-devtools/libubox/libubox_git.bb
index 7dbefa115..18f26b009 100644
--- a/meta-oe/recipes-devtools/libubox/libubox_git.bb
+++ b/meta-oe/recipes-devtools/libubox/libubox_git.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "\
"
SRC_URI = "\
- git://git.openwrt.org/project/libubox.git \
+ git://git.openwrt.org/project/libubox.git;branch=master \
file://0001-version-libraries.patch \
file://fix-libdir.patch \
file://0001-blobmsg-fix-array-out-of-bounds-GCC-10-warning.patch \
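Review bot: The changed entry `git://git.openwrt.org/project/libubox.git;branch=master` still carries no `protocol=` parameter, so the fetch stays on the fetcher's default transport, which for a `git://` URL is, as far as I know, the unauthenticated and unencrypted git protocol. The same applies to the `serialcheck_1.0.0.bb` and `tclap_1.2.2.bb` hunks, and the four `repo.or.cz` entries in `openocd_git.bb` keep an explicit `protocol=http`, while most other recipes in this commit gain `protocol=https`. If these hosts serve HTTPS (not verifiable from the diff), add it here as well, e.g. `git://git.openwrt.org/project/libubox.git;branch=master;protocol=https \`. Otherwise a one-line comment that integrity rests on the pinned SRCREV would document the exception. The SRC_URI value continues past the end of the hunk.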
diff --git a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb
index 5710943d7..339841acf 100644
--- a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb
+++ b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb
@@ -14,7 +14,7 @@ PV = "7.91+git${SRCPV}"
SRCREV = "c22d359433b333937ee3d803450dc41998115685"
DEPENDS = "elfutils"
-SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http \
+SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http;protocol=https \
file://configure-allow-to-disable-selinux-support.patch \
file://0001-replace-readdir_r-with-readdir.patch \
file://0001-Use-correct-enum-type.patch \
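Review bot: The new SRC_URI line carries two conflicting values for the same key, `protocol=http;protocol=https`, so the transport actually used depends on how the fetcher resolves duplicate parameters (presumably the last one wins, but the recipe should not rely on that). Drop the stale value so the intent is unambiguous: `git://github.com/sparkleholic/ltrace.git;branch=master;protocol=https \`. The `cmpi-bindings_1.0.1.bb` hunk has the same pattern (`protocol=http;branch=master;protocol=https`). The SRC_URI value continues past the end of the hunk.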
diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
new file mode 100644
index 000000000..606c9ea98
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
@@ -0,0 +1,73 @@
+From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Mon, 18 Apr 2022 09:04:08 -1000
+Subject: [PATCH] lua: fix CVE-2022-28805
+
+singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
+call, leading to a heap-based buffer over-read that might affect a system that
+compiles untrusted Lua code.
+
+https://nvd.nist.gov/vuln/detail/CVE-2022-28805
+
+(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
+
+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+---
+ .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++
+ meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 +
+ 2 files changed, 29 insertions(+)
+ create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+
+diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+new file mode 100644
+index 000000000..0a21d1ce7
+--- /dev/null
++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+@@ -0,0 +1,28 @@
++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
++Date: Tue, 15 Feb 2022 12:28:46 -0300
++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
++
++CVE: CVE-2022-28805
++
++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
++
++Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
++Signed-off-by: Steve Sakoman <steve@sakoman.com>
++---
++ src/lparser.c | 1 +
++ 1 files changed, 1 insertions(+)
++
++diff --git a/src/lparser.c b/src/lparser.c
++index 3abe3d751..a5cd55257 100644
++--- a/src/lparser.c
+++++ b/src/lparser.c
++@@ -300,6 +300,7 @@
++ expdesc key;
++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
++ lua_assert(var->k != VVOID); /* this one must exist */
+++ luaK_exp2anyregup(fs, var); /* but could be a constant */
++ codestring(ls, &key, varname); /* key is variable name */
++ luaK_indexed(fs, var, &key); /* env[varname] */
++ }
++
+diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+index 342ed1b54..0137cc3c5 100644
+--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
+ file://CVE-2020-15888.patch \
+ file://CVE-2020-15945.patch \
+ file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
++ file://CVE-2022-28805.patch \
+ "
+
+ # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
+--
+2.17.1
+
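Review bot: `0001-lua-fix-CVE-2022-28805.patch` looks like stray `git format-patch` output committed into the recipe's files directory. Its body is an OE-Core commit that itself creates `CVE-2022-28805.patch` and edits `lua_5.3.6.bb`, both of which this commit also adds directly. The `lua_5.3.6.bb` hunk lists only `file://CVE-2022-28805.patch`, so as far as the visible hunks show nothing references this wrapper and it is never applied. It should be dropped: a file named after a CVE fix that is not in SRC_URI misleads anyone auditing carried fixes by the patch files present.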
diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
new file mode 100644
index 000000000..0a21d1ce7
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
@@ -0,0 +1,28 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+CVE: CVE-2022-28805
+
+Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
+
+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ src/lparser.c | 1 +
+ 1 files changed, 1 insertions(+)
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -300,6 +300,7 @@
+ expdesc key;
+ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
+ lua_assert(var->k != VVOID); /* this one must exist */
++ luaK_exp2anyregup(fs, var); /* but could be a constant */
+ codestring(ls, &key, varname); /* key is variable name */
+ luaK_indexed(fs, var, &key); /* env[varname] */
+ }
+
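Review bot: The patch header names the upstream commit but does not say whether the change was checked against the 5.3.6 sources this recipe builds. The upstream subject speaks of `_ENV` being `<const>`, an attribute that, as far as I know, only exists from Lua 5.4 on. A header line such as `Comment: <whether 5.3.6 is affected, or the call is added defensively>` would let the CVE status recorded for this recipe be audited later. The embedded hunk header `@@ -300,6 +300,7 @@` carries no function name, so the enclosing function starts outside the hunk.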
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
index 342ed1b54..d46d402aa 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
file://CVE-2020-15888.patch \
file://CVE-2020-15945.patch \
file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
+ file://CVE-2022-28805.patch \
"
# if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
@@ -31,7 +32,7 @@ PACKAGECONFIG ??= "readline"
PACKAGECONFIG[readline] = ",,readline"
UCLIBC_PATCHES += "file://uclibc-pthread.patch"
-SRC_URI_append_libc-uclibc = "${UCLIBC_PATCHES}"
+SRC_URI_append_libc-uclibc = " ${UCLIBC_PATCHES}"
TARGET_CC_ARCH += " -fPIC ${LDFLAGS}"
EXTRA_OEMAKE = "'CC=${CC} -fPIC' 'MYCFLAGS=${CFLAGS} -fPIC' MYLDFLAGS='${LDFLAGS}'"
diff --git a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb
index 1bee9fe0b..83f6aa0f4 100644
--- a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb
+++ b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7dd2aad04bb7ca212e69127ba8d58f9f"
DEPENDS += "lua-native lua"
-SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release \
+SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release;protocol=https \
file://0001-fix-avoid-race-condition-between-test-and-mkdir.patch \
"
SRCREV = "8e4902ed81c922ed8f76a7ed85be1eaa3fd7e66d"
diff --git a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb
index d410dc6e0..90b55ad2d 100644
--- a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb
+++ b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://NOTICE;md5=7a858c074723608e08614061dc044352 \
PV .= "+git${SRCPV}"
-SRC_URI = "git://github.com/msgpack/msgpack-c \
+SRC_URI = "git://github.com/msgpack/msgpack-c;branch=master;protocol=https \
"
# cpp-3.2.1
SRCREV = "8085ab8721090a447cf98bb802d1406ad7afe420"
diff --git a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb
index 21d110aee..5b1e2dfbf 100644
--- a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb
+++ b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f"
DEPENDS = "protobuf-native"
-SRC_URI = "git://github.com/nanopb/nanopb.git"
+SRC_URI = "git://github.com/nanopb/nanopb.git;branch=master;protocol=https"
SRCREV = "70f0de9877b1ce12abc0229d5df84db6349fcbfc"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb
index a97eb53c1..62fdecf6f 100644
--- a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb
+++ b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=b67209a1e36b682a8226de19d265b1e0"
-SRC_URI = "git://github.com/nlohmann/fifo_map.git"
+SRC_URI = "git://github.com/nlohmann/fifo_map.git;branch=master;protocol=https"
PV = "1.0.0+git${SRCPV}"
diff --git a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb
index 5766194d2..2749f4497 100644
--- a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb
+++ b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=f5f7c71504da070bcf4f090205ce1080"
-SRC_URI = "git://github.com/nlohmann/json.git;nobranch=1 \
+SRC_URI = "git://github.com/nlohmann/json.git;nobranch=1;protocol=https \
file://0001-Templatize-basic_json-ctor-from-json_ref.patch \
file://0001-typo-fix.patch \
"
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb
index b9e382177..8dbdd088e 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb
@@ -1,7 +1,7 @@
DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
HOMEPAGE = "http://nodejs.org"
LICENSE = "MIT & BSD & Artistic-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=8c66ff8861d9f96076a7cb61e3d75f54"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=93997aa7a45ba0f25f9c61aaab153ab8"
DEPENDS = "openssl"
DEPENDS_append_class-target = " nodejs-native"
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
SRC_URI_append_class-target = " \
file://0002-Using-native-binaries.patch \
"
-SRC_URI[sha256sum] = "052f37ace6f569b513b5a1154b2a45d3c4d8b07d7d7c807b79f1566db61e979d"
+SRC_URI[sha256sum] = "bc42b7f8495b9bfc7f7850dd180bb02a5bdf139cc232b8c6f02a6967e20714f2"
S = "${WORKDIR}/node-v${PV}"
diff --git a/meta-oe/recipes-devtools/openocd/openocd_git.bb b/meta-oe/recipes-devtools/openocd/openocd_git.bb
index e95f1cfa5..9ff23d17a 100644
--- a/meta-oe/recipes-devtools/openocd/openocd_git.bb
+++ b/meta-oe/recipes-devtools/openocd/openocd_git.bb
@@ -5,10 +5,10 @@ DEPENDS = "libusb-compat libftdi"
RDEPENDS_${PN} = "libusb1"
SRC_URI = " \
- git://repo.or.cz/openocd.git;protocol=http;name=openocd \
- git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl \
- git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl \
- git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink \
+ git://repo.or.cz/openocd.git;protocol=http;name=openocd;branch=master \
+ git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl;branch=master \
+ git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl;branch=master \
+ git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink;branch=master \
file://0001-Do-not-include-syscrtl.h-with-glibc.patch \
"
diff --git a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb
index 107d5a8b7..84f6c3ce2 100644
--- a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb
+++ b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263"
COMPATIBLE_HOST = "(x86_64|aarch64|arm)"
SRCREV = "09724edb1783a98da2b7ae53c5aaa87493aabc9b"
-SRC_URI = "git://github.com/billfarrow/pcimem.git "
+SRC_URI = "git://github.com/billfarrow/pcimem.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb
index c812ae137..03812e901 100644
--- a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb
+++ b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb
@@ -9,7 +9,7 @@ LICENSE = "Artistic-1.0 | GPL-1.0+"
LIC_FILES_CHKSUM = "file://LICENSE;md5=0ebd37caf53781e8b7223e6b99b63f4e"
DEPENDS = "perl"
-SRC_URI = "git://github.com/toddr/IPC-Run.git"
+SRC_URI = "git://github.com/toddr/IPC-Run.git;branch=master;protocol=https"
SRCREV = "0b409702490729eeb97ae65f5b94d949ec083134"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb
index 049dc665d..760c0ad0a 100644
--- a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb
+++ b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb
@@ -15,7 +15,7 @@ DEPENDS += "libdev-checklib-perl-native libdbi-perl-native libmysqlclient"
LIC_FILES_CHKSUM = "file://LICENSE;md5=d0a06964340e5c0cde88b7af611f755c"
SRCREV = "9b5b70ea372f49fe9bc9e592dae3870596d1e3d6"
-SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https"
+SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb
index 4e5a8a6ff..29bc99e14 100644
--- a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb
+++ b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://README;beginline=1171;endline=1176;md5=3be2cb8159d094
DEPENDS += "perl"
-SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https"
+SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https;branch=master"
SRCREV = "42a6324df654e92419512cee80c0b49155d9e56d"
diff --git a/meta-oe/recipes-devtools/php/php_7.4.21.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb
index c7c00ac30..caaaa2342 100644
--- a/meta-oe/recipes-devtools/php/php_7.4.21.bb
+++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb
@@ -33,7 +33,7 @@ SRC_URI_append_class-target = " \
"
S = "${WORKDIR}/php-${PV}"
-SRC_URI[sha256sum] = "36ec6102e757e2c2b7742057a700bbff77c76fa0ccbe9c860398c3d24e32822a"
+SRC_URI[sha256sum] = "4e8117458fe5a475bf203128726b71bcbba61c42ad463dffadee5667a198a98a"
inherit autotools pkgconfig python3native gettext
diff --git a/meta-oe/recipes-devtools/ply/ply_git.bb b/meta-oe/recipes-devtools/ply/ply_git.bb
index 7d693b36d..bf789488d 100644
--- a/meta-oe/recipes-devtools/ply/ply_git.bb
+++ b/meta-oe/recipes-devtools/ply/ply_git.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS += "bison-native"
-SRC_URI = "git://github.com/iovisor/ply"
+SRC_URI = "git://github.com/iovisor/ply;branch=master;protocol=https"
SRCREV = "aa5b9ac31307ec1acece818be334ef801c802a12"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb
index 9afcbbb7f..f605d2c90 100644
--- a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb
+++ b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3"
PV = "20130209+git${SRCPV}"
-SRC_URI = "git://github.com/anyc/pmtools.git \
+SRC_URI = "git://github.com/anyc/pmtools.git;branch=master;protocol=https \
file://pmtools-switch-to-dynamic-buffer-for-huge-ACPI-table.patch \
"
SRCREV = "3ebe0e54c54061b4c627236cbe35d820de2e1168"
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb
index ed8773443..7bc1f23e7 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb
@@ -14,7 +14,7 @@ DEPENDS = "protobuf-native protobuf"
SRCREV = "f20a3fa131c275a0e795d99a28f94b4dbbb5af26"
-SRC_URI = "git://github.com/protobuf-c/protobuf-c.git \
+SRC_URI = "git://github.com/protobuf-c/protobuf-c.git;branch=master;protocol=https \
file://0001-avoid-race-condition.patch \
"
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
new file mode 100644
index 000000000..bb9594e96
--- /dev/null
+++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
@@ -0,0 +1,73 @@
+From f5ce0700d80c776186b0fb0414ef20966a3a6a03 Mon Sep 17 00:00:00 2001
+From: "Sana.Kazi" <Sana.Kazi@kpit.com>
+Date: Wed, 23 Feb 2022 15:50:16 +0530
+Subject: [PATCH] protobuf: Fix CVE-2021-22570
+
+CVE: CVE-2021-22570
+Upstream-Status: Backport [https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch]
+Comment: Removed first and second hunk
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+
+---
+ src/google/protobuf/descriptor.cc | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc
+index 6835a3cde..1514ae531 100644
+--- a/src/google/protobuf/descriptor.cc
++++ b/src/google/protobuf/descriptor.cc
+@@ -2603,6 +2603,8 @@ void Descriptor::DebugString(int depth, std::string* contents,
+ const Descriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start + 1) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end > FieldDescriptor::kMaxNumber) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end - 1);
+@@ -2815,6 +2817,8 @@ void EnumDescriptor::DebugString(
+ const EnumDescriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end == INT_MAX) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end);
+@@ -4002,6 +4006,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ // Use its file as the parent instead.
+ if (parent == nullptr) parent = file_;
+
++ if (full_name.find('\0') != std::string::npos) {
++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + full_name + "\" contains null character.");
++ return false;
++ }
+ if (tables_->AddSymbol(full_name, symbol)) {
+ if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
+ // This is only possible if there was already an error adding something of
+@@ -4041,6 +4050,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ void DescriptorBuilder::AddPackage(const std::string& name,
+ const Message& proto,
+ const FileDescriptor* file) {
++ if (name.find('\0') != std::string::npos) {
++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + name + "\" contains null character.");
++ return;
++ }
+ if (tables_->AddSymbol(name, Symbol(file))) {
+ // Success. Also add parent package, if any.
+ std::string::size_type dot_pos = name.find_last_of('.');
+@@ -4354,6 +4368,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl(
+ }
+ result->pool_ = pool_;
+
++ if (result->name().find('\0') != std::string::npos) {
++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + result->name() + "\" contains null character.");
++ return nullptr;
++ }
++
+ // Add to tables.
+ if (!tables_->AddFile(result)) {
+ AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,
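Review bot: The header line `Comment: Removed first and second hunk` does not say what those hunks contained or why they do not apply to 3.11.4, so a reader cannot tell from the patch whether the backport of CVE-2021-22570 is complete. `Upstream-Status` also points at the Fedora package copy rather than the upstream protobuf commit. I would extend the header with the upstream reference and one sentence per dropped hunk, e.g. `Comment: hunks 1 and 2 dropped because <reason>`. Every function touched here (`DebugString`, `AddSymbol`, `AddPackage`, `BuildFileImpl`) starts and ends outside the embedded hunks, so the surrounding control flow could not be checked.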
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
index 4d6c5b255..55d56ff08 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
@@ -12,11 +12,12 @@ DEPENDS_append_class-target = " protobuf-native"
SRCREV = "d0bfd5221182da1a7cc280f3337b5e41a89539cf"
-SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x \
+SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \
file://run-ptest \
file://0001-protobuf-fix-configure-error.patch \
file://0001-Makefile.am-include-descriptor.cc-when-building-libp.patch \
file://0001-examples-Makefile-respect-CXX-LDFLAGS-variables-fix-.patch \
+ file://CVE-2021-22570.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
index 5b5c8b257..04ac93e92 100644
--- a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
+++ b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://license.txt;md5=ba04aa8f65de1396a7e59d1d746c2125"
-SRC_URI = "git://github.com/miloyip/rapidjson.git;nobranch=1"
+SRC_URI = "git://github.com/miloyip/rapidjson.git;nobranch=1;protocol=https"
SRCREV = "0ccdbf364c577803e2a751f5aededce935314313"
diff --git a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb
index cd5e0a4e5..20cad69b5 100644
--- a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb
+++ b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://git.breakpoint.cc/cgit/bigeasy/serialcheck.git/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git \
+SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git;branch=master \
file://0001-Add-option-to-enable-internal-loopback.patch \
file://0002-Restore-original-loopback-config.patch \
file://0001-Makefile-Change-order-of-link-flags.patch \
diff --git a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb
index 4a27e4b2a..9d0740556 100644
--- a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb
+++ b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb
@@ -8,7 +8,7 @@ inherit cmake
DEPENDS += "sqlite3"
SRCREV = "e8a9e9416f421303f4b8970caab26dadf8bae98b"
-SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https"
+SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https;branch=master"
S = "${WORKDIR}/git"
EXTRA_OECMAKE += "-DSqliteOrm_BuildTests=OFF"
diff --git a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb
index 46a940803..3280dba49 100644
--- a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb
+++ b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb
@@ -4,7 +4,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=0ca8b9c5c5445cfa7af7e78fd27e60ed"
SRCREV = "75f440bcac1276c847f5351e14216f6e91def44d"
-SRC_URI = "git://git.code.sf.net/p/tclap/code \
+SRC_URI = "git://git.code.sf.net/p/tclap/code;branch=master \
file://Makefile.am-disable-docs.patch \
"
diff --git a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb
index c33fa048c..a78eecfea 100644
--- a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb
+++ b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb
@@ -12,7 +12,7 @@ inherit autotools
# v0.9.4
SRCREV = "d648bbffedef529220896283fb59e35531c13804"
-SRC_URI = "git://github.com/namhyung/${BPN} \
+SRC_URI = "git://github.com/namhyung/${BPN};branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/valijson/valijson_git.bb b/meta-oe/recipes-devtools/valijson/valijson_git.bb
index c3254d16e..5cff40752 100644
--- a/meta-oe/recipes-devtools/valijson/valijson_git.bb
+++ b/meta-oe/recipes-devtools/valijson/valijson_git.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/tristanpenman/valijson"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=015106c62262b2383f6c72063f0998f2"
-SRC_URI = "git://github.com/tristanpenman/valijson.git"
+SRC_URI = "git://github.com/tristanpenman/valijson.git;branch=master;protocol=https"
PV = "0.1+git${SRCPV}"
SRCREV = "c2f22fddf599d04dc33fcd7ed257c698a05345d9"
diff --git a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb
index 6c31b6981..34df70126 100644
--- a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb
+++ b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "http://xmlrpc-c.sourceforge.net/"
LICENSE = "BSD & MIT"
LIC_FILES_CHKSUM = "file://doc/COPYING;md5=aefbf81ba0750f02176b6f86752ea951"
-SRC_URI = "git://github.com/mirror/xmlrpc-c.git \
+SRC_URI = "git://github.com/mirror/xmlrpc-c.git;branch=master;protocol=https \
file://0001-test-cpp-server_abyss-Fix-build-with-clang-libc.patch \
file://0002-fix-formatting-issues.patch \
"
diff --git a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb
index e112a5e30..186f2c8ed 100644
--- a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb
+++ b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=da2e9aa80962d54e7c726f232a2bd1e8"
# Use 1.0.12 tag
SRCREV = "17b1790fb9c8abbb3c0f7e083864a6a014191d56"
-SRC_URI = "git://github.com/lloyd/yajl;nobranch=1"
+SRC_URI = "git://github.com/lloyd/yajl;nobranch=1;protocol=https"
inherit cmake lib_package
diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
index d9a5821cb..cf8dbb183 100644
--- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
+++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb
@@ -8,7 +8,7 @@ HOMEPAGE = "http://lloyd.github.com/yajl/"
LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d"
-SRC_URI = "git://github.com/lloyd/yajl"
+SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https"
SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb
index 53856263f..6aae29ad8 100644
--- a/meta-oe/recipes-devtools/yasm/yasm_git.bb
+++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb
@@ -9,7 +9,7 @@ DEPENDS += "flex-native bison-native xmlto-native"
PV = "1.3.0+git${SRCPV}"
# v1.3.0
SRCREV = "ba463d3c26c0ece2e797b8d6381b161633b5971a"
-SRC_URI = "git://github.com/yasm/yasm.git"
+SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch
new file mode 100644
index 000000000..c21794d14
--- /dev/null
+++ b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch
@@ -0,0 +1,44 @@
+From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001
+From: Jan Kraemer <jan@spectrejan.de>
+Date: Thu, 7 Oct 2021 12:48:04 +0200
+Subject: [PATCH] brotli: fix CVE-2020-8927
+
+[No upstream tracking] --
+
+This fixes a potential overflow when input chunk is >2GiB in
+BrotliGetAvailableBits by capping the returned value to 2^30
+
+Fixed in brotli version 1.0.8
+https://github.com/google/brotli as of commit id
+223d80cfbec8fd346e32906c732c8ede21f0cea6
+
+Patch taken from Debian Buster: 1.0.7-2+deb10u1
+http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc
+https://security-tracker.debian.org/tracker/CVE-2020-8927
+
+
+Upstream-Status: Backported
+CVE: CVE-2020-8927
+
+Signed-off-by: Jan Kraemer <jan@spectrejan.de>
+---
+ c/dec/bit_reader.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h
+index c06e914..0d20312 100644
+--- a/c/dec/bit_reader.h
++++ b/c/dec/bit_reader.h
+@@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits(
+ }
+
+ /* Returns amount of unread bytes the bit reader still has buffered from the
+- BrotliInput, including whole bytes in br->val_. */
++ BrotliInput, including whole bytes in br->val_. Result is capped with
++ maximal ring-buffer size (larger number won't be utilized anyway). */
+ static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) {
++ static const size_t kCap = (size_t)1 << 30;
++ if (br->avail_in > kCap) return kCap;
+ return br->avail_in + (BrotliGetAvailableBits(br) >> 3);
+ }
+
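Review bot: The header tag `Upstream-Status: Backported` is not one of the status values the OE patch-header convention uses, and it sits next to `[No upstream tracking]` even though the description names the upstream fix commit. Tooling that parses patch status would likely report this as malformed or unknown. I would write `Upstream-Status: Backport [https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6]` and drop the `[No upstream tracking] --` line. The description also attributes the overflow to `BrotliGetAvailableBits`, whereas the cap is added in `BrotliGetRemainingBytes`; naming the function actually changed would make the record easier to match against the advisory.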
diff --git a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
index 70dbcaffb..77fef778a 100644
--- a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
+++ b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
@@ -6,7 +6,9 @@ BUGTRACKER = "https://github.com/google/brotli/issues"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b"
-SRC_URI = "git://github.com/google/brotli.git"
+SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https \
+ file://0001-brotli-fix-CVE-2020-8927.patch \
+ "
# tag 1.0.7
SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb
index 6c71d534b..388feb703 100644
--- a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb
+++ b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b19ee058d2d5f69af45da98051d91064"
SECTION = "Development/Libraries"
DEPENDS = "swig-native python3 sblim-cmpi-devel"
-SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http \
+SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http;branch=master;protocol=https \
file://cmpi-bindings-0.4.17-no-ruby-perl.patch \
file://cmpi-bindings-0.4.17-sblim-sigsegv.patch \
file://cmpi-bindings-0.9.5-python-lib-dir.patch \
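Review bot: The new `SRC_URI` line carries the `protocol` parameter twice, `;protocol=http;branch=master;protocol=https`, so the transport actually used depends on how the fetcher resolves duplicate keys (presumably the later value wins, but that is not visible here). Dropping the old value removes the ambiguity and any chance of a cleartext fetch: `SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;branch=master;protocol=https \`. The jpnevulator and mraa hunks in this commit have the same duplicated `protocol=http;…;protocol=https` and need the same cleanup.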
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb
index 842652889..2a045f579 100644
--- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb
@@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8184208060df880fe3137b93eb88aeea"
DEPENDS = "zlib gzip-native json-c"
-SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \
+SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https;branch=master \
file://0002-Don-t-execute-processes-as-a-specific-user.patch \
file://0004-Modify-systemd-config-directory.patch \
file://317.patch \
diff --git a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb
index aa55ebf84..162f5aa33 100644
--- a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb
+++ b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb
@@ -18,7 +18,7 @@ SRCREV = "3dd23e3280f213bacefdf5fcb04857bf52e90917"
PV = "0.6.2+git${SRCPV}"
SRC_URI = "\
- git://github.com/docopt/docopt.cpp.git;protocol=https \
+ git://github.com/docopt/docopt.cpp.git;protocol=https;branch=master \
file://0001-Set-library-VERSION-and-SOVERSION.patch \
"
diff --git a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb
index 09eab9dcd..eb00092c7 100644
--- a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb
+++ b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb
@@ -4,7 +4,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5940d39995ea6857d01b8227109c2e9c"
SRCREV = "b1e978e486114797347deefcc03ab12629a13cc3"
-SRC_URI = "git://github.com/Yelp/dumb-init"
+SRC_URI = "git://github.com/Yelp/dumb-init;branch=master;protocol=https"
S = "${WORKDIR}/git"
EXTRA_OEMAKE = "CC='${CC}' CFLAGS='${CFLAGS} ${LDFLAGS}'"
diff --git a/meta-oe/recipes-extended/figlet/figlet_git.bb b/meta-oe/recipes-extended/figlet/figlet_git.bb
index 4611646b9..61b050aac 100644
--- a/meta-oe/recipes-extended/figlet/figlet_git.bb
+++ b/meta-oe/recipes-extended/figlet/figlet_git.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "http://www.figlet.org/"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=1688bcd97b27704f1afcac7336409857"
-SRC_URI = "git://github.com/cmatsuoka/figlet.git \
+SRC_URI = "git://github.com/cmatsuoka/figlet.git;branch=master;protocol=https \
file://0001-build-add-autotools-support-to-allow-easy-cross-comp.patch"
SRCREV = "5bbcd7383a8c3a531299b216b0c734e1495c6db3"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb
index 926d8851d..b2c41756e 100644
--- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb
+++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb
@@ -32,7 +32,7 @@ BBCLASSEXTEND = "native"
DEPENDS_class-native = "readline-native"
PACKAGECONFIG_class-native = ""
-SRC_URI_append_class-native = "file://0001-reduce-build-to-conversion-tools-for-native-build.patch"
+SRC_URI_append_class-native = " file://0001-reduce-build-to-conversion-tools-for-native-build.patch"
do_install_class-native() {
install -d ${D}${bindir}
diff --git a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb
index 50326ea2f..19b0d8dbd 100644
--- a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb
+++ b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM="file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
# v1.9.9
SRCREV = "1283a65c541c4a83e152024a63faf7b267b9b1cd"
-SRC_URI = "git://github.com/jirka-h/haveged.git \
+SRC_URI = "git://github.com/jirka-h/haveged.git;branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb
index 050b7da3d..c0d1b1b8b 100644
--- a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb
+++ b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb
@@ -6,7 +6,7 @@ DEPENDS = "ncurses"
LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3"
-SRC_URI = "git://github.com/pixel/hexedit.git \
+SRC_URI = "git://github.com/pixel/hexedit.git;branch=master;protocol=https \
"
SRCREV = "800e4b2e6280531a84fd23ee0b48e16baeb90878"
diff --git a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb
index 29f8de8d2..cee1f342b 100644
--- a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb
+++ b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb
@@ -6,7 +6,7 @@ DEPENDS = "redis"
LIC_FILES_CHKSUM = "file://COPYING;md5=d84d659a35c666d23233e54503aaea51"
SRCREV = "685030652cd98c5414ce554ff5b356dfe8437870"
-SRC_URI = "git://github.com/redis/hiredis;protocol=git \
+SRC_URI = "git://github.com/redis/hiredis;protocol=https;branch=master \
file://0001-Makefile-remove-hardcoding-of-CC.patch"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/iotop/iotop_0.6.bb b/meta-oe/recipes-extended/iotop/iotop_0.6.bb
index 3a597218d..19af46cb1 100644
--- a/meta-oe/recipes-extended/iotop/iotop_0.6.bb
+++ b/meta-oe/recipes-extended/iotop/iotop_0.6.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4325afd396febcb659c36b49533135d4"
PV .= "+git${SRCPV}"
SRCREV = "1bfb3bc70febb1ffb95146b6dcd65257228099a3"
-SRC_URI = "git://repo.or.cz/iotop.git"
+SRC_URI = "git://repo.or.cz/iotop.git;branch=master"
S = "${WORKDIR}/git"
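Review bot: Unlike the GitHub recipes touched in this commit, the new `SRC_URI` here gains only `branch=master` and keeps the default git transport, which is neither authenticated nor encrypted. The pinned `SRCREV` limits what a tampered fetch could deliver, but if repo.or.cz serves this repository over HTTPS, `SRC_URI = "git://repo.or.cz/iotop.git;branch=master;protocol=https"` would bring it in line with the rest of the series. The libuio hunk (`git://git.code.sf.net/p/libuio/code;branch=master`) is in the same position.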
diff --git a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb
index b7899a11b..2f4724a33 100644
--- a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb
+++ b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb
@@ -7,7 +7,7 @@ RDEPENDS_${BPN} = "openssl curl"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
-SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master \
+SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master;protocol=https \
file://0001-tweak-install-prefix.patch \
file://0002-fix-parallel-error.patch \
"
diff --git a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb
index d6e56ea76..7beea9f1e 100644
--- a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb
+++ b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb
@@ -11,4 +11,7 @@ SRC_URI[sha256sum] = "f4f377da17b10201a60c1108613e78ee15df6b12016b116b6de42209f4
inherit autotools pkgconfig
+# upstream considers it isn't a real bug https://github.com/akheron/jansson/issues/548
+CVE_CHECK_WHITELIST = "CVE-2020-36325 "
+
BBCLASSEXTEND = "native"
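Review bot: The added `CVE_CHECK_WHITELIST = "CVE-2020-36325 "` uses plain assignment, so it replaces any whitelist entries that a distro or layer configuration may already have set by the time this recipe is parsed. Appending keeps those and also drops the stray trailing space inside the quotes: `CVE_CHECK_WHITELIST += "CVE-2020-36325"`. The comment links the upstream issue, which is useful; a few words on why upstream rejected the report would let a later version bump judge whether the exclusion still applies.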
diff --git a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb
index 50dd74b68..ba1fece05 100644
--- a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb
+++ b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=892f569a555ba9c07a568a7c0c4fa63a"
PV = "2.3.5+git${SRCPV}"
-SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http"
+SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http;branch=master;protocol=https"
SRCREV = "c2d857091c0dfed05139ac07ea9b0f36ad259638"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb
index e6d5663f8..977aabf04 100644
--- a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb
+++ b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f673270bfc350d9ce1efc8724c6c1873"
DEPENDS_append_class-target = " swig-native sblim-cmpi-devel python3"
DEPENDS_append_class-native = " cmpi-bindings-native"
-SRC_URI = "git://github.com/rnovacek/konkretcmpi.git \
+SRC_URI = "git://github.com/rnovacek/konkretcmpi.git;branch=master;protocol=https \
file://0001-CMakeLists.txt-fix-lib64-can-not-be-shiped-in-64bit-.patch \
file://0001-drop-including-rpath-cmake-module.patch \
"
diff --git a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb
index 99cdee5bb..c1023e625 100644
--- a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb
+++ b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c"
inherit autotools gobject-introspection
-SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch"
+SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch;protocol=https"
SRCREV = "f5a4ba8bb298f8cbc435707d0b19b4b2ff836a8e"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libcec/libcec_git.bb b/meta-oe/recipes-extended/libcec/libcec_git.bb
index 39ceb489e..07320e42b 100644
--- a/meta-oe/recipes-extended/libcec/libcec_git.bb
+++ b/meta-oe/recipes-extended/libcec/libcec_git.bb
@@ -12,7 +12,7 @@ DEPENDS_append_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', ''
PV = "5.0.0"
SRCREV = "43bc27fe7be491149e6f57d14110e02abdac2f24"
-SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release \
+SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release;protocol=https \
file://0001-CheckPlatformSupport.cmake-Do-not-hardcode-lib-path.patch \
file://0001-Enhance-reproducibility.patch \
"
diff --git a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb
index b7c1958ee..e763a701e 100644
--- a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb
+++ b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb
@@ -11,7 +11,7 @@ inherit autotools pkgconfig
PV = "0.6.0"
SRCREV = "1195abc2f4acc7b10175d570ec73549d0938c83e"
-SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https \
+SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb
index a990deb91..0906e9a64 100644
--- a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb
+++ b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb
@@ -9,7 +9,7 @@ DEPENDS = "libxml2 glib-2.0 swig python3"
inherit autotools pkgconfig python3native python3targetconfig
SRCREV = "3df02d4d0e9008771e8622fdc10de8333b3f0d85"
-SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https \
+SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb
index 36fc5c858..e9c58bf58 100644
--- a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb
+++ b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb
@@ -9,7 +9,7 @@ inherit autotools pkgconfig gitpkgv
PKGV = "${GITPKGVTAG}"
SRCREV = "78df9be5fc8222ed53846cb553de9b5d24c85c6c"
-SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https"
+SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb
index 7fc599798..bbfee1ff7 100644
--- a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb
+++ b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=84dcc94da3adb52b53ae4fa38fe49e5d"
inherit cmake pkgconfig
-SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https \
+SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https;branch=master \
file://0001-cmake-Use-GNUInstallDirs-instead-of-hardcoding-lib-p.patch \
"
SRCREV = "59d2b405f95701e5b04326589786dbb43ce49e81"
diff --git a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb
index c9d259b1a..29c35caf5 100644
--- a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb
+++ b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb
@@ -17,7 +17,7 @@ PV = "1.3+git${SRCPV}"
SRCREV = "116219e215858f4af9370171d3ead63baca8fdb4"
-SRC_URI = "git://github.com/thkukuk/libnss_nisplus \
+SRC_URI = "git://github.com/thkukuk/libnss_nisplus;branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb
index cd4019666..dbe03fede 100644
--- a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb
+++ b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb
@@ -11,7 +11,7 @@ inherit autotools pkgconfig
# v1.0.5
SRCREV = "d08dbcf08b0da418bce9b5427dfd89522916322a"
-SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1 \
+SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1;protocol=https \
file://0001-build-fix-configure-script-neglecting-re-enable-out-.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb
index 4276c4917..24784f77a 100644
--- a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb
+++ b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb
@@ -11,7 +11,7 @@ DEPENDS = "xmlrpc-c xmlrpc-c-native intltool-native \
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
-SRC_URI = "git://github.com/abrt/libreport.git;protocol=https"
+SRC_URI = "git://github.com/abrt/libreport.git;protocol=https;branch=master"
SRC_URI += "file://0001-Makefile.am-remove-doc-and-apidoc.patch \
file://0002-configure.ac-remove-prog-test-of-xmlto-and-asciidoc.patch \
file://0003-without-build-plugins.patch \
diff --git a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb
index a081cb17a..27fe0e2c4 100644
--- a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb
+++ b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb
@@ -31,4 +31,4 @@ FILES_statgrab-dbg = "${bindir}/.debug/statgrab"
FILES_saidar = "${bindir}/saidar"
FILES_saidar-dbg = "${bindir}/.debug/saidar"
FILES_${PN}-mrtg = "${bindir}/statgrab-make-mrtg-config ${bindir}/statgrab-make-mrtg-index"
-RDEPENDS_${PN}-mrtg_append = "perl statgrab"
+RDEPENDS_${PN}-mrtg_append = " perl statgrab"
diff --git a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb
index dd34c180a..0278e55f3 100644
--- a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb
+++ b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb
@@ -3,7 +3,7 @@ SECTION = "base"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-SRC_URI = "git://git.code.sf.net/p/libuio/code \
+SRC_URI = "git://git.code.sf.net/p/libuio/code;branch=master \
file://replace_inline_with_static-inline.patch \
file://0001-include-fcntl.h-for-O_RDWR-define.patch \
"
diff --git a/meta-oe/recipes-extended/md5deep/md5deep_git.bb b/meta-oe/recipes-extended/md5deep/md5deep_git.bb
index e8c6864c1..cc31323c3 100644
--- a/meta-oe/recipes-extended/md5deep/md5deep_git.bb
+++ b/meta-oe/recipes-extended/md5deep/md5deep_git.bb
@@ -9,7 +9,7 @@ PV = "4.4+git${SRCPV}"
SRCREV = "877613493ff44807888ce1928129574be393cbb0"
-SRC_URI = "git://github.com/jessek/hashdeep.git \
+SRC_URI = "git://github.com/jessek/hashdeep.git;branch=master;protocol=https \
file://wrong-variable-expansion.patch \
file://0001-Fix-literal-and-identifier-spacing-as-dictated-by-C-.patch \
"
diff --git a/meta-oe/recipes-extended/mraa/mraa_git.bb b/meta-oe/recipes-extended/mraa/mraa_git.bb
index 0b40dcb71..540ef6e12 100644
--- a/meta-oe/recipes-extended/mraa/mraa_git.bb
+++ b/meta-oe/recipes-extended/mraa/mraa_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=91e7de50a8d3cf01057f318d72460acd"
SRCREV = "e15ce6fbc76148ba8835adc92196b0d0a3f245e7"
PV = "2.1.0+git${SRCPV}"
-SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http \
+SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http;branch=master;protocol=https \
file://0001-cmake-Use-a-regular-expression-to-match-x86-architec.patch \
"
diff --git a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb
index 9d5a2307e..f635a9b13 100644
--- a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb
+++ b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb
@@ -17,7 +17,7 @@ REQUIRED_DISTRO_FEATURES = "pam"
SRCREV = "d8eba6cb6682b59d84ca1da67a523520b879ade6"
-SRC_URI = "git://github.com/Openwsman/openwsman.git \
+SRC_URI = "git://github.com/Openwsman/openwsman.git;branch=master;protocol=https \
file://libssl-is-required-if-eventint-supported.patch \
file://openwsmand.service \
file://0001-lock.c-Define-PTHREAD_MUTEX_RECURSIVE_NP-if-undefine.patch \
diff --git a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb
index c1f43feb6..5b0171d8c 100644
--- a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb
+++ b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb
@@ -22,7 +22,7 @@ DEPENDS = " \
PREMIRRORS = ""
SRC_URI = " \
- gitsm://github.com/ostreedev/ostree;branch=main \
+ gitsm://github.com/ostreedev/ostree;branch=main;protocol=https \
file://run-ptest \
"
SRCREV = "6ed48234ba579ff73eb128af237212b0a00f2057"
@@ -181,7 +181,7 @@ RDEPENDS_${PN}-ptest += " \
"
RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils glibc-localedata-en-us"
-RRECOMMENDS_${PN} += "kernel-module-overlay"
+RRECOMMENDS_${PN}_append_class-target = " kernel-module-overlay"
SYSTEMD_SERVICE_${PN} = "ostree-remount.service ostree-finalize-staged.path"
SYSTEMD_SERVICE_${PN}-switchroot = "ostree-prepare-root.service"
diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch
new file mode 100644
index 000000000..98e186cbf
--- /dev/null
+++ b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch
@@ -0,0 +1,27 @@
+p7zip: Update CVE-2016-9296 patch URL.
+From: Robert Luberda <robert@debian.org>
+Date: Sat, 19 Nov 2016 08:48:08 +0100
+Subject: Fix nullptr dereference (CVE-2016-9296)
+
+Patch taken from https://sourceforge.net/p/p7zip/bugs/185/
+This patch file taken from Debian's patch set for p7zip
+
+Upstream-Status: Backport [https://sourceforge.net/p/p7zip/bugs/185/]
+CVE: CVE-2016-9296
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+Index: p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Archive/7z/7zIn.cpp
++++ p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
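Review bot: The first line of the new patch file, `p7zip: Update CVE-2016-9296 patch URL.`, sits above the `From:` header and reads like a leftover commit subject rather than part of the patch description. Removing it would let the header start at `From: Robert Luberda`. The two provenance lines (SourceForge bug 185 and Debian's patch set) could also be merged into one sentence that says which copy this file was actually taken from.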
diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch
new file mode 100644
index 000000000..b6deb5d3a
--- /dev/null
+++ b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch
@@ -0,0 +1,226 @@
+From: Robert Luberda <robert@debian.org>
+Date: Sun, 28 Jan 2018 23:47:40 +0100
+Subject: CVE-2018-5996
+
+Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by
+applying a few changes from 7Zip 18.00-beta.
+
+Bug-Debian: https://bugs.debian.org/#888314
+
+Upstream-Status: Backport [https://sources.debian.org/data/non-free/p/p7zip-rar/16.02-3/debian/patches/06-CVE-2018-5996.patch]
+CVE: CVE-2018-5996
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++----
+ CPP/7zip/Compress/Rar1Decoder.h | 1 +
+ CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++-
+ CPP/7zip/Compress/Rar2Decoder.h | 1 +
+ CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++---
+ CPP/7zip/Compress/Rar3Decoder.h | 2 ++
+ 6 files changed, 42 insertions(+), 8 deletions(-)
+
+Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.cpp
++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp
+@@ -29,7 +29,7 @@ public:
+ };
+ */
+
+-CDecoder::CDecoder(): m_IsSolid(false) { }
++CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { }
+
+ void CDecoder::InitStructures()
+ {
+@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialIn
+ InitData();
+ if (!m_IsSolid)
+ {
++ _errorMode = false;
+ InitStructures();
+ InitHuff();
+ }
++
++ if (_errorMode)
++ return S_FALSE;
++
+ if (m_UnpackSize > 0)
+ {
+ GetFlagsBuf();
+@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialI
+ const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress)
+ {
+ try { return CodeReal(inStream, outStream, inSize, outSize, progress); }
+- catch(const CInBufferException &e) { return e.ErrorCode; }
+- catch(const CLzOutWindowException &e) { return e.ErrorCode; }
+- catch(...) { return S_FALSE; }
++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; }
++ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; }
++ catch(...) { _errorMode = true; return S_FALSE; }
+ }
+
+ STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
+Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.h
++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h
+@@ -39,6 +39,7 @@ public:
+
+ Int64 m_UnpackSize;
+ bool m_IsSolid;
++ bool _errorMode;
+
+ UInt32 ReadBits(int numBits);
+ HRESULT CopyBlock(UInt32 distance, UInt32 len);
+Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.cpp
++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp
+@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 <<
+ static const UInt32 kWindowReservSize = (1 << 22) + 256;
+
+ CDecoder::CDecoder():
+- m_IsSolid(false)
++ m_IsSolid(false),
++ m_TablesOK(false)
+ {
+ }
+
+@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBi
+
+ bool CDecoder::ReadTables(void)
+ {
++ m_TablesOK = false;
++
+ Byte levelLevels[kLevelTableSize];
+ Byte newLevels[kMaxTableSize];
+ m_AudioMode = (ReadBits(1) == 1);
+@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void)
+ }
+
+ memcpy(m_LastLevels, newLevels, kMaxTableSize);
++ m_TablesOK = true;
++
+ return true;
+ }
+
+@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialIn
+ return S_FALSE;
+ }
+
++ if (!m_TablesOK)
++ return S_FALSE;
++
+ UInt64 startPos = m_OutWindowStream.GetProcessedSize();
+ while (pos < unPackSize)
+ {
+Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.h
++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h
+@@ -139,6 +139,7 @@ class CDecoder :
+
+ UInt64 m_PackSize;
+ bool m_IsSolid;
++ bool m_TablesOK;
+
+ void InitStructures();
+ UInt32 ReadBits(unsigned numBits);
+Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.cpp
++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp
+@@ -92,7 +92,8 @@ CDecoder::CDecoder():
+ _writtenFileSize(0),
+ _vmData(0),
+ _vmCode(0),
+- m_IsSolid(false)
++ m_IsSolid(false),
++ _errorMode(false)
+ {
+ Ppmd7_Construct(&_ppmd);
+ }
+@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepD
+ return InitPPM();
+ }
+
++ TablesRead = false;
++ TablesOK = false;
++
+ _lzMode = true;
+ PrevAlignBits = 0;
+ PrevAlignCount = 0;
+@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepD
+ }
+ }
+ }
++ if (InputEofError())
++ return S_FALSE;
++
+ TablesRead = true;
+
+ // original code has check here:
+@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepD
+ RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize]));
+
+ memcpy(m_LastLevels, newLevels, kTablesSizesSum);
++
++ TablesOK = true;
++
+ return S_OK;
+ }
+
+@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProg
+ PpmEscChar = 2;
+ PpmError = true;
+ InitFilters();
++ _errorMode = false;
+ }
++
++ if (_errorMode)
++ return S_FALSE;
++
+ if (!m_IsSolid || !TablesRead)
+ {
+ bool keepDecompressing;
+@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProg
+ bool keepDecompressing;
+ if (_lzMode)
+ {
++ if (!TablesOK)
++ return S_FALSE;
+ RINOK(DecodeLZ(keepDecompressing))
+ }
+ else
+@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialI
+ _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1;
+ return CodeReal(progress);
+ }
+- catch(const CInBufferException &e) { return e.ErrorCode; }
+- catch(...) { return S_FALSE; }
++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; }
++ catch(...) { _errorMode = true; return S_FALSE; }
+ // CNewException is possible here. But probably CNewException is caused
+ // by error in data stream.
+ }
+Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.h
++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h
+@@ -192,6 +192,7 @@ class CDecoder:
+ UInt32 _lastFilter;
+
+ bool m_IsSolid;
++ bool _errorMode;
+
+ bool _lzMode;
+ bool _unsupportedFilter;
+@@ -200,6 +201,7 @@ class CDecoder:
+ UInt32 PrevAlignCount;
+
+ bool TablesRead;
++ bool TablesOK;
+
+ CPpmd7 _ppmd;
+ int PpmEscChar;
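Review bot: The Rar3Decoder.cpp constructor hunk adds only `_errorMode(false)` to the initializer list, so the new `TablesOK` member declared in Rar3Decoder.h gets no initial value, whereas the Rar2 decoder in this same patch does initialize its equivalent with `m_TablesOK(false)`. `TablesOK` is read in `CodeReal` (`if (!TablesOK) return S_FALSE;`) and is first assigned in `ReadTables` only after the early `return InitPPM();`, so whether every path writes it before that read cannot be confirmed from these hunks, whose functions all continue outside them. Adding `TablesOK(false)` after `_errorMode(false)` would make the guard fail closed on malformed input regardless. As this is a backport, that deviation from the Debian patch would need a line in the patch header.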
diff --git a/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch
new file mode 100644
index 000000000..dcde83e8a
--- /dev/null
+++ b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch
@@ -0,0 +1,27 @@
+fixes the below error
+
+| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp: In member function 'virtual LONG NArchive::NWim::CHandler::GetArchiveProperty(PROPID, PROPVARIANT*)':
+| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:308:11: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17
+| 308 | numMethods++;
+| | ^~~~~~~~~~
+| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:318:9: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17
+| 318 | numMethods++;
+
+
+use unsigned instead of bool
+Signed-off-by: Nisha Parrakat <Nisha.Parrakat@kpit.com>
+
+Upstream-Status: Pending
+Index: p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp
+===================================================================
+--- p7zip_16.02.orig/CPP/7zip/Archive/Wim/WimHandler.cpp
++++ p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp
+@@ -298,7 +298,7 @@ STDMETHODIMP CHandler::GetArchivePropert
+
+ AString res;
+
+- bool numMethods = 0;
++ unsigned numMethods = 0;
+ for (unsigned i = 0; i < ARRAY_SIZE(k_Methods); i++)
+ {
+ if (methodMask & ((UInt32)1 << i))
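Review bot: Changing `numMethods` from `bool` to `unsigned` is more than a compile fix, because a `bool` incremented repeatedly stays at 1 while the `unsigned` counts every matching method, so any later comparison of `numMethods` against a number changes meaning. The uses after the loop are outside this hunk (`GetArchiveProperty` continues past it), so they should be checked against the new counting behaviour. The patch description should then say it is intended, for example `numMethods now holds the real method count instead of saturating at 1`.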
diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
index 13479a90f..79677c648 100644
--- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
+++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
@@ -9,6 +9,9 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al
file://do_not_override_compiler_and_do_not_strip.patch \
file://CVE-2017-17969.patch \
file://0001-Fix-narrowing-errors-Wc-11-narrowing.patch \
+ file://change_numMethods_from_bool_to_unsigned.patch \
+ file://CVE-2018-5996.patch \
+ file://CVE-2016-9296.patch \
"
SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf"
@@ -16,10 +19,26 @@ SRC_URI[sha256sum] = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6
S = "${WORKDIR}/${BPN}_${PV}"
+do_compile_append() {
+ oe_runmake 7z
+}
+FILES_${PN} += "${libdir}/* ${bindir}/7z"
+
+FILES_SOLIBSDEV = ""
+INSANE_SKIP_${PN} += "dev-so"
+
do_install() {
install -d ${D}${bindir}
- install -m 0755 ${S}/bin/* ${D}${bindir}
+ install -d ${D}${bindir}/Codecs
+ install -d ${D}${libdir}
+ install -d ${D}${libdir}/Codecs
+ install -m 0755 ${S}/bin/7za ${D}${bindir}
ln -s 7za ${D}${bindir}/7z
+ install -m 0755 ${S}/bin/Codecs/* ${D}${libdir}/Codecs/
+ install -m 0755 ${S}/bin/7z.so ${D}${libdir}/lib7z.so
}
-BBCLASSEXTEND = "native"
+RPROVIDES_${PN} += "lib7z.so()(64bit) 7z lib7z.so"
+RPROVIDES_${PN}-dev += "lib7z.so()(64bit) 7z lib7z.so"
+
+BBCLASSEXTEND = "native nativesdk"
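Review bot: The two `RPROVIDES` lines near the end of this hunk hard-code the RPM-style name `lib7z.so()(64bit)`, which presumably only matches on 64-bit targets, and they attach the same three names to both `${PN}` and `${PN}-dev`, so two packages claim to provide `7z` and `lib7z.so`. Keeping a single `RPROVIDES_${PN} += "lib7z.so"` would avoid both problems, unless a specific consumer needs the arch-qualified name; if one does, it should be named in a comment. Separately, `install -d ${D}${bindir}/Codecs` creates a directory that nothing is installed into, since the codecs go to `${libdir}/Codecs`, so that line can be dropped. The `INSANE_SKIP_${PN} += "dev-so"` line would benefit from a one-line comment saying why the unversioned `lib7z.so` belongs in the main package.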
diff --git a/meta-oe/recipes-extended/p8platform/p8platform_git.bb b/meta-oe/recipes-extended/p8platform/p8platform_git.bb
index 0690d4ba3..2e52caeff 100644
--- a/meta-oe/recipes-extended/p8platform/p8platform_git.bb
+++ b/meta-oe/recipes-extended/p8platform/p8platform_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://src/os.h;md5=752555fa94e82005d45fd201fee5bd33"
PV = "2.1.0.1"
-SRC_URI = "git://github.com/Pulse-Eight/platform.git \
+SRC_URI = "git://github.com/Pulse-Eight/platform.git;branch=master;protocol=https \
file://0001-Make-resulting-cmake-config-relocatable.patch"
SRCREV = "2d90f98620e25f47702c9e848380c0d93f29462b"
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
index 9838e75ef..5c2af44c7 100644
--- a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
@@ -11,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "pam"
SRCREV = "e2145df09469bf84878e4729b4ecd814efb797d1"
-SRC_URI = "git://github.com/PADL/pam_ccreds"
+SRC_URI = "git://github.com/PADL/pam_ccreds;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb
index 626b22fe4..5022300ba 100644
--- a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb
@@ -11,7 +11,7 @@ inherit features_check
REQUIRED_DISTRO_FEATURES = "pam"
SRCREV = "84d7b260f1ae6857ae36e014c9a5968e8aa1cbe8"
-SRC_URI = "git://github.com/rmbreak/pam_ldapdb \
+SRC_URI = "git://github.com/rmbreak/pam_ldapdb;branch=master;protocol=https \
file://0001-include-stdexcept-for-std-invalid_argument.patch \
"
diff --git a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb
index f5066da0d..5c56a16f4 100644
--- a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb
+++ b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb
@@ -11,7 +11,7 @@ DEPENDS_append_libc-musl = " fts"
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/pmem/pmdk.git \
+SRC_URI = "git://github.com/pmem/pmdk.git;branch=master;protocol=https \
file://0001-jemalloc-jemalloc.cfg-Specify-the-host-when-building.patch \
file://0002-Makefile-Don-t-install-the-docs.patch \
file://0001-os_posix-Use-__FreeBSD__-to-control-secure_getenv-de.patch \
diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch
new file mode 100644
index 000000000..cab1c83c0
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch
@@ -0,0 +1,74 @@
+From ed8b418f1341cf7fc576f6b17de5c6dd4017e034 Mon Sep 17 00:00:00 2001
+From: "Jeremy A. Puhlman" <jpuhlman@mvista.com>
+Date: Thu, 27 Jan 2022 00:01:27 +0000
+Subject: [PATCH] CVE-2021-4034: Local privilege escalation in pkexec due to
+ incorrect handling of argument vector
+
+Upstream-Status: Backport https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
+CVE: CVE-2021-4034
+
+Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
+---
+ src/programs/pkcheck.c | 6 ++++++
+ src/programs/pkexec.c | 21 ++++++++++++++++++++-
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..aff4f60 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,12 @@ main (int argc, char *argv[])
+ local_agent_handle = NULL;
+ ret = 126;
+
++ if (argc < 1)
++ {
++ help();
++ exit(1);
++ }
++
+ /* Disable remote file access from GIO. */
+ setenv ("GIO_USE_VFS", "local", 1);
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..3ff4c58 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,17 @@ main (int argc, char *argv[])
+ pid_t pid_of_caller;
+ gpointer local_agent_handle;
+
++
++ /*
++ * If 'pkexec' is called wrong, just show help and bail out.
++ */
++ if (argc<1)
++ {
++ clearenv();
++ usage(argc, argv);
++ exit(1);
++ }
++
+ ret = 127;
+ authority = NULL;
+ subject = NULL;
+@@ -636,7 +647,15 @@ main (int argc, char *argv[])
+ goto out;
+ }
+ g_free (path);
+- argv[n] = path = s;
++ path = s;
++
++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++ */
++ if (argv[n] != NULL)
++ {
++ argv[n] = path;
++ }
+ }
+ if (access (path, F_OK) != 0)
+ {
+--
+2.26.2
+
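Review bot: The `Upstream-Status:` line in this patch header gives the backport URL bare, while the CVE-2021-4115 and CVE-2021-3560 patches added by the same commit wrap it in brackets. Tooling that parses patch headers for CVE tracking tends to expect the bracketed form, and this line is the header's only pointer to the upstream fix, so it is worth making uniform: `Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683]`. The code hunks themselves are a backport and should stay as they are.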
diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
new file mode 100644
index 000000000..37e0d6063
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
@@ -0,0 +1,87 @@
+From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Mon, 21 Feb 2022 08:29:05 +0000
+Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7.patch]
+CVE: CVE-2021-4115
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8ed1363..2fbf5f1 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -62,6 +62,10 @@ enum
+ PROP_NAME,
+ };
+
++
++guint8 dbus_call_respond_fails; // has to be global because of callback
++
++
+ static void subject_iface_init (PolkitSubjectIface *subject_iface);
+
+ G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
+@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
+ if (!v)
+ {
+ data->caught_error = TRUE;
++ dbus_call_respond_fails += 1;
+ }
+ else
+ {
+@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ tmp_context = g_main_context_new ();
+ g_main_context_push_thread_default (tmp_context);
+
++ dbus_call_respond_fails = 0;
++
+ /* Do two async calls as it's basically as fast as one sync call.
+ */
+ g_dbus_connection_call (connection,
+@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ on_retrieved_unix_uid_pid,
+ &data);
+
+- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+- g_main_context_iteration (tmp_context, TRUE);
++ while (TRUE)
++ {
++ /* If one dbus call returns error, we must wait until the other call
++ * calls _call_finish(), otherwise fd leak is possible.
++ * Resolves: GHSL-2021-077
++ */
+
+- if (data.caught_error)
+- goto out;
++ if ( (dbus_call_respond_fails > 1) )
++ {
++ // we got two faults, we can leave
++ goto out;
++ }
++
++ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
++ {
++ // we got one fault and the other call finally finished, we can leave
++ goto out;
++ }
++
++ if ( !(data.retrieved_uid && data.retrieved_pid) )
++ {
++ g_main_context_iteration (tmp_context, TRUE);
++ }
++ else
++ {
++ break;
++ }
++ }
+
+ if (out_uid)
+ *out_uid = data.uid;
+--
+GitLab
+
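Review bot: `dbus_call_respond_fails` is added at file scope without `static`, so it becomes an exported symbol of the library and is shared by every caller of `polkit_system_bus_name_get_creds_sync`. The function resets it to 0 and the callback increments it, so two threads in this function at once would presumably disturb each other's count and with it the loop's exit conditions. The comment says it has to be global because of the callback, yet `on_retrieved_unix_uid_pid` already receives `&data` and writes `data->caught_error`, so a counter field in that struct looks sufficient. The struct is defined outside the hunk. Since this is a verbatim backport, the least invasive step is `static guint8 dbus_call_respond_fails;` plus a line in the patch header recording the deviation, or leaving the code alone and noting the limitation there.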
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch
new file mode 100644
index 000000000..76308ffdb
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch
@@ -0,0 +1,33 @@
+From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Wed, 2 Jun 2021 15:43:38 +0200
+Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit
+
+initial values returned if error caught
+
+CVE: CVE-2021-3560
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/polkit/polkitsystembusname.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12c..8ed1363 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+ g_main_context_iteration (tmp_context, TRUE);
+
++ if (data.caught_error)
++ goto out;
++
+ if (out_uid)
+ *out_uid = data.uid;
+ if (out_pid)
+--
+2.29.2
+
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
index ad1973b13..dd8e20861 100644
--- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
@@ -25,6 +25,9 @@ PAM_SRC_URI = "file://polkit-1_pam.patch"
SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0003-make-netgroup-support-optional.patch \
+ file://CVE-2021-3560.patch \
+ file://CVE-2021-4034.patch \
+ file://CVE-2021-4115.patch \
"
SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a"
SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1"
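Review bot: The order of the three new `SRC_URI` entries is load-bearing but nothing in the recipe says so. CVE-2021-4115.patch removes the `if (data.caught_error) goto out;` lines that CVE-2021-3560.patch adds, and its blob index starts at `8ed1363`, the result of that patch, so it only applies after it. A comment above the `SRC_URI =` line would keep a later reorder or partial revert from breaking `do_patch` or dropping one of the fixes, for example `# CVE-2021-4115.patch must follow CVE-2021-3560.patch: it rewrites the lines that patch adds`.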
diff --git a/meta-oe/recipes-extended/redis/redis_5.0.9.bb b/meta-oe/recipes-extended/redis/redis_5.0.14.bb
index d04293369..3d849ec8c 100644
--- a/meta-oe/recipes-extended/redis/redis_5.0.9.bb
+++ b/meta-oe/recipes-extended/redis/redis_5.0.14.bb
@@ -17,8 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://GNU_SOURCE.patch \
"
-SRC_URI[md5sum] = "c94523c9f4ee662027ddf90575d0e058"
-SRC_URI[sha256sum] = "53d0ae164cd33536c3d4b720ae9a128ea6166ebf04ff1add3b85f1242090cb85"
+SRC_URI[sha256sum] = "3ea5024766d983249e80d4aa9457c897a9f079957d0fb1f35682df233f997f32"
inherit autotools-brokensep update-rc.d systemd useradd
diff --git a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb
index 5662e6347..914b12e7c 100644
--- a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb
+++ b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb
@@ -10,7 +10,7 @@ SRCREV = "56a83f4f52e6745cd4352f9ee008be3183a6dedf"
PV = "1.7.2"
SRC_URI = "\
- git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http; \
+ git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http;protocol=https \
"
S = "${WORKDIR}/git"
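Review bot: The new URI carries two `protocol` parameters, `protocol=http;protocol=https`, because the old value was left in place when the new one was appended. Which transport is used then depends on how the fetcher resolves a repeated key; it most likely takes the last one, but the recipe should not rely on that when the point of the change is to stop fetching over an unauthenticated transport. Drop the stale parameter: `git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=https \`. The upm_git.bb hunk has the same leftover (`protocol=http;branch=master;protocol=https`).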
diff --git a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb
index b84dde3d3..3b63971e5 100644
--- a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb
+++ b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a958bb07122368f3e1d9b2efe07d231f"
DEPENDS = ""
-SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https \
+SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https;branch=master \
file://0001-fix-jump-misses-init-gcc-8-warning.patch"
SRCREV = "4758b1caf69ada911ef79e1d80793fe489b98dff"
diff --git a/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb b/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb
index a4663148c..9da9d7c96 100644
--- a/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb
+++ b/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1fb9c10ed9fd6826757615455ca893a9"
DEPENDS = "gmp nettle libidn zlib gnutls openssl"
-SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https \
+SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https;branch=master \
"
SRCREV = "0beb2258e12e4131dc31e261078ea53d18f787d7"
diff --git a/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb b/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb
index ffd46da0a..e720d3e5c 100644
--- a/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb
+++ b/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://../README.license;md5=60487bf0bf429d6b5aa72b6d37a0eb2
PV .= "+git${SRCPV}"
-SRC_URI = "git://pagure.io/sanlock.git;protocol=http \
+SRC_URI = "git://pagure.io/sanlock.git;protocol=http;branch=master \
file://0001-sanlock-Replace-cp-a-with-cp-R-no-dereference-preser.patch;patchdir=../ \
"
SRCREV = "cff348800722f7dadf030ffe7494c2df714996e3"
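Review bot: This hunk adds `branch=master` but keeps `protocol=http`, so the sanlock sources are still cloned over cleartext HTTP while most other recipes in this commit move to `protocol=https`. The pinned `SRCREV` limits what a tampered transport can substitute, but the fetch is still unauthenticated and visible on the path. If pagure.io serves the repository over HTTPS, which needs confirming, the line should read `git://pagure.io/sanlock.git;protocol=https;branch=master \`. The canutils_4.0.6.bb and libsocketcan_0.0.11.bb hunks likewise keep `protocol=git`, and tipcutils_git.bb and pyxdg_0.26.bb set no protocol at all; these need the same check against what each host offers.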
diff --git a/meta-oe/recipes-extended/sedutil/sedutil_git.bb b/meta-oe/recipes-extended/sedutil/sedutil_git.bb
index 765618433..03446c324 100644
--- a/meta-oe/recipes-extended/sedutil/sedutil_git.bb
+++ b/meta-oe/recipes-extended/sedutil/sedutil_git.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://Common/LICENSE.txt;md5=d32239bcb673463ab874e80d47fae5
BASEPV = "1.15.1"
PV = "${BASEPV}+git${SRCPV}"
SRCREV = "358cc758948be788284d5faba46ccf4cc1813796"
-SRC_URI = "git://github.com/Drive-Trust-Alliance/sedutil.git \
+SRC_URI = "git://github.com/Drive-Trust-Alliance/sedutil.git;branch=master;protocol=https \
file://0001-Fix-build-on-big-endian-architectures.patch \
"
diff --git a/meta-oe/recipes-extended/socketcan/can-isotp_git.bb b/meta-oe/recipes-extended/socketcan/can-isotp_git.bb
index e40e1cd26..7d016bc96 100644
--- a/meta-oe/recipes-extended/socketcan/can-isotp_git.bb
+++ b/meta-oe/recipes-extended/socketcan/can-isotp_git.bb
@@ -3,7 +3,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=72d977d697c3c05830fdff00a7448931"
SRCREV = "b31bce98d65f894aad6427bcf6f3f7822e261a59"
PV = "1.0+git${SRCPV}"
-SRC_URI = "git://github.com/hartkopp/can-isotp.git;protocol=https"
+SRC_URI = "git://github.com/hartkopp/can-isotp.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/socketcan/can-utils_git.bb b/meta-oe/recipes-extended/socketcan/can-utils_git.bb
index 519368817..92b38030f 100644
--- a/meta-oe/recipes-extended/socketcan/can-utils_git.bb
+++ b/meta-oe/recipes-extended/socketcan/can-utils_git.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://include/linux/can.h;endline=44;md5=a9e1169c6c9a114a61
DEPENDS = "libsocketcan"
-SRC_URI = "git://github.com/linux-can/${BPN}.git;protocol=git"
+SRC_URI = "git://github.com/linux-can/${BPN}.git;protocol=https;branch=master"
SRCREV = "da65fdfe0d1986625ee00af0b56ae17ec132e700"
diff --git a/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb b/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb
index e1508af85..56466a6cd 100644
--- a/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb
+++ b/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
DEPENDS = "libsocketcan"
SRCREV = "299dff7f5322bf0348dcdd60071958ebedf5f09d"
-SRC_URI = "git://git.pengutronix.de/git/tools/canutils.git;protocol=git \
+SRC_URI = "git://git.pengutronix.de/git/tools/canutils.git;protocol=git;branch=master \
file://0001-canutils-candump-Add-error-frame-s-handling.patch \
"
diff --git a/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb b/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb
index 0debe47e0..6a44cff93 100644
--- a/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb
+++ b/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://src/libsocketcan.c;beginline=3;endline=17;md5=97e38ad
SRCREV = "0ff01ae7e4d271a7b81241e7a7026bfcea0add3f"
-SRC_URI = "git://git.pengutronix.de/git/tools/libsocketcan.git;protocol=git"
+SRC_URI = "git://git.pengutronix.de/git/tools/libsocketcan.git;protocol=git;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/sysdig/sysdig_git.bb b/meta-oe/recipes-extended/sysdig/sysdig_git.bb
index 04a022af4..d15ecdb03 100644
--- a/meta-oe/recipes-extended/sysdig/sysdig_git.bb
+++ b/meta-oe/recipes-extended/sysdig/sysdig_git.bb
@@ -18,7 +18,7 @@ JIT_riscv32 = ""
DEPENDS += "lua${JIT} zlib c-ares grpc-native grpc curl ncurses jsoncpp tbb jq openssl elfutils protobuf protobuf-native jq-native"
RDEPENDS_${PN} = "bash"
-SRC_URI = "git://github.com/draios/sysdig.git;branch=dev \
+SRC_URI = "git://github.com/draios/sysdig.git;branch=dev;protocol=https \
file://0001-fix-build-with-LuaJIT-2.1-betas.patch \
file://0001-Fix-build-with-musl-backtrace-APIs-are-glibc-specifi.patch \
file://fix-uint64-const.patch \
diff --git a/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb b/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb
index 637770af2..c9d9fb572 100644
--- a/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb
+++ b/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb
@@ -2,7 +2,7 @@ SUMMARY = "Transparent Inter-Process Communication protocol"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://tipclog/tipc.h;endline=35;md5=985b6ea8735818511d276c1b466cce98"
-SRC_URI = "git://git.code.sf.net/p/tipc/tipcutils \
+SRC_URI = "git://git.code.sf.net/p/tipc/tipcutils;branch=master \
file://0001-include-sys-select.h-for-FD_-definitions.patch \
file://0002-replace-non-standard-uint-with-unsigned-int.patch \
file://0001-multicast_blast-tipcc-Fix-struct-type-for-TIPC_GROUP.patch \
diff --git a/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb b/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb
index 38ce4f557..c62cef36d 100644
--- a/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb
+++ b/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
# matches debian/0.5.0-1 tag
SRCREV = "44a173195986d0d853316cb02a58785ded66c12b"
PV = "0.5.0+git${SRCPV}"
-SRC_URI = "git://github.com/wertarbyte/${BPN}.git;branch=debian"
+SRC_URI = "git://github.com/wertarbyte/${BPN}.git;branch=debian;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/upm/upm_git.bb b/meta-oe/recipes-extended/upm/upm_git.bb
index 6a7611f38..7643d13e2 100644
--- a/meta-oe/recipes-extended/upm/upm_git.bb
+++ b/meta-oe/recipes-extended/upm/upm_git.bb
@@ -10,7 +10,7 @@ DEPENDS = "libjpeg-turbo mraa"
SRCREV = "5cf20df96c6b35c19d5b871ba4e319e96b4df72d"
PV = "2.0.0+git${SRCPV}"
-SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http \
+SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http;branch=master;protocol=https \
file://0001-CMakeLists.txt-Use-SWIG_SUPPORT_FILES-to-find-the-li.patch \
file://0001-Use-stdint-types.patch \
file://0001-initialize-local-variables-before-use.patch \
diff --git a/meta-oe/recipes-extended/wipe/wipe_0.24.bb b/meta-oe/recipes-extended/wipe/wipe_0.24.bb
index 831d514a4..3ccc5afd5 100644
--- a/meta-oe/recipes-extended/wipe/wipe_0.24.bb
+++ b/meta-oe/recipes-extended/wipe/wipe_0.24.bb
@@ -9,7 +9,7 @@ HOMEPAGE = "http://lambda-diode.com/software/wipe/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://GPL;md5=0636e73ff0215e8d672dc4c32c317bb3"
-SRC_URI = "git://github.com/berke/wipe.git;branch=master \
+SRC_URI = "git://github.com/berke/wipe.git;branch=master;protocol=https \
file://support-cross-compile-for-linux.patch \
file://makefile-add-ldflags.patch \
"
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb
index 06337b79c..8f766ac87 100644
--- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb
+++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb
@@ -21,7 +21,7 @@ DEPENDS += " \
tiff \
"
-SRC_URI = "git://github.com/wxWidgets/wxWidgets.git"
+SRC_URI = "git://github.com/wxWidgets/wxWidgets.git;branch=master;protocol=https"
PV = "3.1.3"
SRCREV= "8a40d23b27ed1c80b5a2ca9f7e8461df4fbc1a31"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb b/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb
index b94664c33..eddf1ed96 100644
--- a/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb
+++ b/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb
@@ -4,7 +4,7 @@ LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
SRCREV = "8fc78c3c65cb705953a2f3f9a813c3ef3c8b2270"
-SRC_URI = "git://github.com/HardySimpson/zlog"
+SRC_URI = "git://github.com/HardySimpson/zlog;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb
index cd0b471e1..f8fa226f6 100644
--- a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb
+++ b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb
@@ -9,7 +9,7 @@ LICENSE = "BSD-3-Clause & GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \
file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0"
-SRC_URI = "git://github.com/facebook/zstd.git;nobranch=1 \
+SRC_URI = "git://github.com/facebook/zstd.git;nobranch=1;protocol=https \
file://0001-Fix-legacy-build-after-2103.patch \
"
diff --git a/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb b/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb
index a957c1d67..6fa31c58f 100644
--- a/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb
+++ b/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb
@@ -5,7 +5,7 @@ LICENSE = "LGPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=f30a9716ef3762e3467a2f62bf790f0a"
SRCREV = "7db14dcf4c4305c3859a2d9fcf9f5da2db328330"
-SRC_URI = "git://anongit.freedesktop.org/xdg/pyxdg"
+SRC_URI = "git://anongit.freedesktop.org/xdg/pyxdg;branch=master"
inherit distutils3
diff --git a/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb b/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb
index 32f081592..2d13f26a3 100644
--- a/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb
+++ b/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb
@@ -8,7 +8,7 @@ PV = "0.3"
PR = "r1"
SRCREV = "ef2e1a390e768e21e6a6268977580ee129a96633"
-SRC_URI = "git://github.com/lucasdemarchi/dietsplash.git \
+SRC_URI = "git://github.com/lucasdemarchi/dietsplash.git;branch=master;protocol=https \
file://0001-configure.ac-Do-not-demand-linker-hash-style.patch \
"
diff --git a/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb b/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb
index 007385101..24f8e44d8 100644
--- a/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb
+++ b/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb
@@ -3,7 +3,7 @@ LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://LICENSE;md5=d32239bcb673463ab874e80d47fae504 \
"
-SRC_URI = "git://github.com/manatools/dnfdragora.git \
+SRC_URI = "git://github.com/manatools/dnfdragora.git;branch=master;protocol=https \
file://0001-disable-build-manpages.patch \
file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
file://0001-To-fix-error-when-do_package.patch \
diff --git a/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb b/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb
index e3dff9191..8036d5f7a 100644
--- a/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb
+++ b/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb
@@ -4,7 +4,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=ea5bed2f60d357618ca161ad539f7c0a"
SECTION = "console/utils"
DEPENDS = "libpng zlib"
-SRC_URI = "git://github.com/GunnarMonell/fbgrab.git;protocol=https"
+SRC_URI = "git://github.com/GunnarMonell/fbgrab.git;protocol=https;branch=master"
SRCREV = "b179e2a42b8a5d72516b9c8d91713c9025cf6044"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
index 1863f95f0..8f65da2c1 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
@@ -15,7 +15,7 @@ REQUIRED_DISTRO_FEATURES_append_class-target = " x11"
# tag 20190801
SRCREV = "ac635b818e38ddb8e7e2e1057330a32b4e25476e"
-SRC_URI = "git://github.com/${BPN}/${BPN}.git \
+SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
file://0001-include-sys-select-on-non-glibc-platforms.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb b/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb
index 3b01a216b..d405cb877 100644
--- a/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb
+++ b/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb
@@ -32,7 +32,7 @@ DEPENDS = " \
"
SRC_URI = " \
- git://github.com/fvwmorg/fvwm.git;protocol=https \
+ git://github.com/fvwmorg/fvwm.git;protocol=https;branch=master \
file://0001-Fix-compilation-for-disabled-gnome.patch \
"
diff --git a/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb b/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb
index e2f4dbebc..b44f06c55 100644
--- a/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb
+++ b/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb
@@ -9,7 +9,7 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://copying.txt;md5=4a735e33f271f57404fda17e80085411"
SRC_URI = " \
- git://github.com/g-truc/glm;branch=master \
+ git://github.com/g-truc/glm;branch=master;protocol=https \
file://0001-Fix-Wimplicit-int-float-conversion-warnings-with-cla.patch \
file://glmConfig.cmake.in \
file://glmConfigVersion.cmake.in \
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb
index d393ae2a1..72e2f5cc7 100644
--- a/