aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-gnome/recipes-gnome/libgtop/libgtop/0001-fix-compile-error-for-cross-compile.patch37
-rw-r--r--meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb2
-rw-r--r--meta-initramfs/recipes-core/images/initramfs-debug-image.bb7
-rw-r--r--meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb8
-rw-r--r--meta-networking/recipes-connectivity/samba/samba_4.10.18.bb4
-rw-r--r--meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb3
-rw-r--r--meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch25
-rw-r--r--meta-networking/recipes-daemons/squid/squid_4.15.bb (renamed from meta-networking/recipes-daemons/squid/squid_4.14.bb)2
-rw-r--r--meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch19
-rw-r--r--meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.1.bb (renamed from meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.bb)53
-rw-r--r--meta-networking/recipes-support/cifs/cifs-utils_6.13.bb17
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb3
-rwxr-xr-xmeta-networking/recipes-support/ntp/ntp/ntpdate5
-rw-r--r--meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb3
-rw-r--r--meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb3
-rw-r--r--meta-networking/recipes-support/wireshark/wireshark_3.4.6.bb (renamed from meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb)2
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch714
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb7
-rw-r--r--meta-oe/licenses/MINPACK51
-rw-r--r--meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch40
-rw-r--r--meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb4
-rw-r--r--meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb2
-rw-r--r--meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb5
-rw-r--r--meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb3
-rw-r--r--meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb9
-rw-r--r--meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch37
-rw-r--r--meta-oe/recipes-support/libiio/libiio_git.bb4
-rw-r--r--meta-oe/recipes-support/nss/nss_3.64.bb5
-rw-r--r--meta-python/recipes-devtools/python/python3-django_2.2.22.bb9
-rw-r--r--meta-python/recipes-devtools/python/python3-django_2.2.24.bb9
-rw-r--r--meta-python/recipes-devtools/python/python3-django_3.2.4.bb (renamed from meta-python/recipes-devtools/python/python3-django_3.2.2.bb)2
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch45
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch49
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch39
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch35
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch66
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb5
-rw-r--r--meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch46
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx.inc1
-rw-r--r--meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch97
-rw-r--r--meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch208
-rw-r--r--meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb4
42 files changed, 891 insertions, 798 deletions
diff --git a/meta-gnome/recipes-gnome/libgtop/libgtop/0001-fix-compile-error-for-cross-compile.patch b/meta-gnome/recipes-gnome/libgtop/libgtop/0001-fix-compile-error-for-cross-compile.patch
new file mode 100644
index 000000000..1bd6e101b
--- /dev/null
+++ b/meta-gnome/recipes-gnome/libgtop/libgtop/0001-fix-compile-error-for-cross-compile.patch
@@ -0,0 +1,37 @@
+From e865a93000913b4597607289356114cd159f4e28 Mon Sep 17 00:00:00 2001
+From: Your Name <you@example.com>
+Date: Fri, 21 May 2021 03:02:29 +0000
+Subject: [PATCH] fix compile error for cross compile
+
+On some distros, such as fedora32, cross compile failed with following
+error since host library is used. undefined reference to
+`stat64@GLIBC_2.33'
+
+According doc of ld, set searchdir begins with "=", but not hardcoded
+locations.
+
+Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libgtop/-/merge_requests/26]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 472f44b..ed6a4d7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -270,8 +270,8 @@ AC_ARG_ENABLE(fatal-warnings,
+ [Define to enable fatal warnings]))
+
+ dnl These definitions are expanded in make.
+-LIBGTOP_LIBS='-L$(libdir)'
+-LIBGTOP_INCS='-I$(includedir)/libgtop-2.0'
++LIBGTOP_LIBS='-L=$(libdir)'
++LIBGTOP_INCS='-I=$(includedir)/libgtop-2.0'
+
+ if test x$libgtop_have_sysinfo = xyes ; then
+ LIBGTOP_INCS="$LIBGTOP_INCS -DHAVE_LIBGTOP_SYSINFO"
+--
+2.26.2
+
diff --git a/meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb b/meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb
index 63615e433..6d9398f4e 100644
--- a/meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb
+++ b/meta-gnome/recipes-gnome/libgtop/libgtop_2.40.0.bb
@@ -8,6 +8,8 @@ inherit gnomebase lib_package gtk-doc gobject-introspection gettext upstream-ver
inherit features_check
REQUIRED_DISTRO_FEATURES = "x11"
+SRC_URI += "file://0001-fix-compile-error-for-cross-compile.patch"
+
SRC_URI[archive.sha256sum] = "78f3274c0c79c434c03655c1b35edf7b95ec0421430897fb1345a98a265ed2d4"
DEPENDS = "glib-2.0 libxau"
diff --git a/meta-initramfs/recipes-core/images/initramfs-debug-image.bb b/meta-initramfs/recipes-core/images/initramfs-debug-image.bb
index c3dcd2b82..601056b7e 100644
--- a/meta-initramfs/recipes-core/images/initramfs-debug-image.bb
+++ b/meta-initramfs/recipes-core/images/initramfs-debug-image.bb
@@ -11,7 +11,12 @@ IMAGE_FEATURES = ""
export IMAGE_BASENAME = "initramfs-debug-image"
IMAGE_LINGUAS = ""
-IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+# Some BSPs use IMAGE_FSTYPES_<machine override> which would override
+# an assignment to IMAGE_FSTYPES so we need anon python
+python () {
+ d.setVar("IMAGE_FSTYPES", d.getVar("INITRAMFS_FSTYPES"))
+}
+
inherit core-image
IMAGE_ROOTFS_SIZE = "8192"
diff --git a/meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb b/meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb
index 9a686f366..dd082ba52 100644
--- a/meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb
+++ b/meta-initramfs/recipes-core/images/initramfs-kexecboot-image.bb
@@ -1,9 +1,13 @@
SUMMARY = "Initramfs image for kexecboot kernel"
DESCRIPTION = "This image provides kexecboot (linux as bootloader) and helpers."
-inherit image
+# Some BSPs use IMAGE_FSTYPES_<machine override> which would override
+# an assignment to IMAGE_FSTYPES so we need anon python
+python () {
+ d.setVar("IMAGE_FSTYPES", d.getVar("INITRAMFS_FSTYPES"))
+}
-IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+inherit image
# avoid circular dependencies
EXTRA_IMAGEDEPENDS = ""
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index 166bf5727..018c74839 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -44,6 +44,10 @@ SRC_URI[sha256sum] = "7dcfc2aaaac565b959068788e6a43fc79ce2a03e7d523f5843f7a9fddf
UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.10(\.\d+)+).tar.gz"
inherit systemd waf-samba cpan-base perlnative update-rc.d
+
+# CVE-2011-2411 is valnerble only on HP NonStop Servers.
+CVE_CHECK_WHITELIST += "CVE-2011-2411"
+
# remove default added RDEPENDS on perl
RDEPENDS_${PN}_remove = "perl"
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
index 33de8ca7e..c4b41ace8 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
@@ -96,3 +96,6 @@ FILES_${PN}-dbg += "${libdir}/sasl2/.debug"
FILES_${PN}-staticdev += "${libdir}/sasl2/*.a"
INSANE_SKIP_${PN} += "dev-so"
+
+# CVE-2020-8032 affects only openSUSE
+CVE_CHECK_WHITELIST += "CVE-2020-8032"
diff --git a/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch b/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch
index 28a410c26..ff51f5344 100644
--- a/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch
+++ b/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch
@@ -11,10 +11,8 @@ Upstream-Status: Backport [https://github.com/kraj/squid/commit/1f8b5f0e1cc27634
src/Makefile.am | 4 ++++
src/ip/QosConfig.cc | 1 +
src/ipc/mem/PageStack.cc | 1 +
- src/proxyp/Parser.cc | 1 +
- src/security/ServerOptions.cc | 2 ++
src/ssl/helper.cc | 2 ++
- 6 files changed, 11 insertions(+)
+ 4 files changed, 8 insertions(+)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -70,17 +68,6 @@ Upstream-Status: Backport [https://github.com/kraj/squid/commit/1f8b5f0e1cc27634
/// used to mark a stack slot available for storing free page offsets
const Ipc::Mem::PageStack::Value Writable = 0;
---- a/src/security/ServerOptions.cc
-+++ b/src/security/ServerOptions.cc
-@@ -24,6 +24,8 @@
- #endif
- #endif
-
-+#include <limits>
-+
- Security::ServerOptions &
- Security::ServerOptions::operator =(const Security::ServerOptions &old) {
- if (this != &old) {
--- a/src/ssl/helper.cc
+++ b/src/ssl/helper.cc
@@ -19,6 +19,8 @@
@@ -92,14 +79,4 @@ Upstream-Status: Backport [https://github.com/kraj/squid/commit/1f8b5f0e1cc27634
Ssl::CertValidationHelper::LruCache *Ssl::CertValidationHelper::HelperCache = nullptr;
#if USE_SSL_CRTD
---- a/src/acl/ConnMark.cc
-+++ b/src/acl/ConnMark.cc
-@@ -16,6 +16,8 @@
- #include "http/Stream.h"
- #include "sbuf/Stream.h"
-+#include <limits>
-+
- bool
- Acl::ConnMark::empty() const
- {
diff --git a/meta-networking/recipes-daemons/squid/squid_4.14.bb b/meta-networking/recipes-daemons/squid/squid_4.15.bb
index 6d154c87e..8ba10674c 100644
--- a/meta-networking/recipes-daemons/squid/squid_4.14.bb
+++ b/meta-networking/recipes-daemons/squid/squid_4.15.bb
@@ -29,7 +29,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"
-SRC_URI[sha256sum] = "4ad08884f065f8e1dac166aa13db6a872cde419a1717dff4c82c2c5337ee5756"
+SRC_URI[sha256sum] = "71635811e766ce8b155225a9e3c7757cfc7ff93df26b28d82e5e6fc021b9a605"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://errors/COPYRIGHT;md5=0e03cd976052c45697ad5d96e7dff8dc \
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch
index da6d80ef4..022eb958f 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch
@@ -1,6 +1,6 @@
-From b6a3d6c8af35f1ef27b80b0516742fce89f4eb29 Mon Sep 17 00:00:00 2001
-From: Marian Florea <marian.florea@windriver.com>
-Date: Thu, 20 Jul 2017 16:55:24 +0800
+From 1e3178835217ba89aa355e2b6b88e490f17be16d Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
+Date: Wed, 9 Jun 2021 15:47:30 +0900
Subject: [PATCH] net snmp: fix engineBoots value on SIGHUP
Upstream-Status: Pending
@@ -14,17 +14,17 @@ Signed-off-by: Li Zhou <li.zhou@windriver.com>
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/agent/snmpd.c b/agent/snmpd.c
-index ae73eda..66b4560 100644
+index 1af439f..355b510 100644
--- a/agent/snmpd.c
+++ b/agent/snmpd.c
-@@ -1207,6 +1207,7 @@ receive(void)
+@@ -1208,6 +1208,7 @@ receive(void)
snmp_log(LOG_INFO, "NET-SNMP version %s restarted\n",
netsnmp_get_version());
update_config();
-+ snmp_store(app_name);
++ snmp_store(app_name);
send_easy_trap(SNMP_TRAP_ENTERPRISESPECIFIC, 3);
- #if HAVE_SIGHOLD
- sigrelse(SIGHUP);
+ #if HAVE_SIGPROCMASK
+ ret = sigprocmask(SIG_UNBLOCK, &set, NULL);
diff --git a/snmplib/snmpv3.c b/snmplib/snmpv3.c
index 29c2a0f..ada961c 100644
--- a/snmplib/snmpv3.c
@@ -41,3 +41,6 @@ index 29c2a0f..ada961c 100644
engineBoots = 1;
}
+--
+2.25.1
+
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.1.bb
index d9040c164..7c3d5babd 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.1.bb
@@ -5,7 +5,8 @@ LICENSE = "BSD & MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=9d100a395a38584f2ec18a8275261687"
-DEPENDS = "openssl libnl pciutils"
+DEPENDS = "openssl"
+DEPENDS_append_class-target = " pciutils"
SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
file://init \
@@ -27,7 +28,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
file://reproducibility-have-printcap.patch \
file://0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch \
"
-SRC_URI[sha256sum] = "04303a66f85d6d8b16d3cc53bde50428877c82ab524e17591dfceaeb94df6071"
+SRC_URI[sha256sum] = "eb7fd4a44de6cddbffd9a92a85ad1309e5c1054fb9d5a7dd93079c8953f48c3f"
UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/net-snmp/files/net-snmp/"
UPSTREAM_CHECK_REGEX = "/net-snmp/(?P<pver>\d+(\.\d+)+)/"
@@ -41,24 +42,23 @@ CCACHE = ""
TARGET_CC_ARCH += "${LDFLAGS}"
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} des smux"
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} des smux"
+PACKAGECONFIG[des] = "--enable-des, --disable-des"
PACKAGECONFIG[elfutils] = "--with-elf, --without-elf, elfutils"
+PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6"
PACKAGECONFIG[libnl] = "--with-nl, --without-nl, libnl"
-
-PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,,"
-
-PACKAGECONFIG[perl] = "--enable-embedded-perl --with-perl-modules=yes, --disable-embedded-perl --with-perl-modules=no,\
- perl,"
-PACKAGECONFIG[des] = "--enable-des,--disable-des"
+PACKAGECONFIG[perl] = "--enable-embedded-perl --with-perl-modules=yes, --disable-embedded-perl --with-perl-modules=no, perl"
PACKAGECONFIG[smux] = ""
-
-EXTRA_OECONF = "--enable-shared \
- --disable-manuals \
- --with-defaults \
- --with-install-prefix=${D} \
- --with-persistent-directory=${localstatedir}/lib/net-snmp \
- ${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', '--with-endianness=little', '--with-endianness=big', d)} \
- --with-mib-modules='${MIB_MODULES}' \
+PACKAGECONFIG[systemd] = "--with-systemd, --without-systemd"
+
+EXTRA_OECONF = " \
+ --enable-shared \
+ --disable-manuals \
+ --with-defaults \
+ --with-install-prefix=${D} \
+ --with-persistent-directory=${localstatedir}/lib/net-snmp \
+ --with-endianness=${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', 'little', 'big', d)} \
+ --with-mib-modules='${MIB_MODULES}' \
"
MIB_MODULES = ""
@@ -73,8 +73,10 @@ CACHED_CONFIGUREVARS = " \
ac_cv_file__etc_printcap=no \
NETSNMP_CONFIGURE_OPTIONS= \
"
-export PERLPROG="${bindir}/env perl"
+PERLPROG = "${bindir}/env perl"
+PERLPROG_class-native = "${bindir_native}/env perl"
PERLPROG_append = "${@bb.utils.contains('PACKAGECONFIG', 'perl', ' -I${WORKDIR}', '', d)}"
+export PERLPROG
HAS_PERL = "${@bb.utils.contains('PACKAGECONFIG', 'perl', '1', '0', d)}"
@@ -117,7 +119,7 @@ do_install_append() {
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/snmpd.service ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/snmptrapd.service ${D}${systemd_unitdir}/system
- sed -e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
+ sed -e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
-i ${D}${bindir}/net-snmp-create-v3-user
sed -e 's@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g' \
-e 's@[^ ]*-fdebug-prefix-map=[^ "]*@@g' \
@@ -127,11 +129,14 @@ do_install_append() {
-e 's@[^ ]*--with-install-prefix=[^ "]*@@g' \
-e 's@[^ ]*PKG_CONFIG_PATH=[^ "]*@@g' \
-e 's@[^ ]*PKG_CONFIG_LIBDIR=[^ "]*@@g' \
- -e 's@${STAGING_DIR_HOST}@@g' \
-i ${D}${bindir}/net-snmp-config
- sed -e 's@${STAGING_DIR_HOST}@@g' \
- -i ${D}${libdir}/pkgconfig/netsnmp*.pc
+ # ${STAGING_DIR_HOST} is empty for native builds, and the sed command below
+ # will result in errors if run for native.
+ if [ "${STAGING_DIR_HOST}" ]; then
+ sed -e 's@${STAGING_DIR_HOST}@@g' \
+ -i ${D}${bindir}/net-snmp-config ${D}${libdir}/pkgconfig/netsnmp*.pc
+ fi
sed -e "s@^NSC_INCLUDEDIR=.*@NSC_INCLUDEDIR=\$\{includedir\}@g" \
-e "s@^NSC_LIBDIR=-L.*@NSC_LIBDIR=-L\$\{libdir\}@g" \
@@ -232,8 +237,6 @@ INITSCRIPT_PACKAGES = "${PN}-server-snmpd"
INITSCRIPT_NAME_${PN}-server-snmpd = "snmpd"
INITSCRIPT_PARAMS_${PN}-server-snmpd = "start 90 2 3 4 5 . stop 60 0 1 6 ."
-EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)}"
-
SYSTEMD_PACKAGES = "${PN}-server-snmpd \
${PN}-server-snmptrapd"
@@ -273,3 +276,5 @@ RCONFLICTS_${PN}-server-snmptrapd += "${PN}-server-snmptrapd-systemd"
LEAD_SONAME = "libnetsnmp.so"
MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/net-snmp-config"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb b/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
index 41a9b8e76..bf8b18043 100644
--- a/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
+++ b/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
@@ -22,10 +22,21 @@ PACKAGECONFIG[pam] = "--enable-pam --with-pamdir=${base_libdir}/security,--disab
inherit autotools pkgconfig
+do_configure_prepend() {
+ # want installed to /usr/sbin rather than /sbin to be DISTRO_FEATURES usrmerge compliant
+ # must override ROOTSBINDIR (default '/sbin'),
+ # setting --exec-prefix or --prefix in EXTRA_OECONF does not work
+ if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','fakse',d)}; then
+ export ROOTSBINDIR=${sbindir}
+ fi
+}
+
do_install_append() {
- # Remove empty /usr/bin and /usr/sbin directories since the mount helper
- # is installed to /sbin
- rmdir --ignore-fail-on-non-empty ${D}${bindir} ${D}${sbindir}
+ if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','false','true',d)}; then
+ # Remove empty /usr/bin and /usr/sbin directories since the mount helper
+ # is installed to /sbin
+ rmdir --ignore-fail-on-non-empty ${D}${bindir} ${D}${sbindir}
+ fi
}
FILES_${PN} += "${base_libdir}/security"
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb b/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
index c0f2863db..f767eb843 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
@@ -71,3 +71,6 @@ FILES_${PN} += "${libdir}/dovecot/*plugin.so \
FILES_${PN}-staticdev += "${libdir}/dovecot/*/*.a"
FILES_${PN}-dev += "${libdir}/dovecot/libdovecot*.so"
FILES_${PN}-dbg += "${libdir}/dovecot/*/.debug"
+
+# CVE-2016-4983 affects only postinstall script on specific distribution
+CVE_CHECK_WHITELIST += "CVE-2016-4983"
diff --git a/meta-networking/recipes-support/ntp/ntp/ntpdate b/meta-networking/recipes-support/ntp/ntp/ntpdate
index 17b64d133..be3bacfcd 100755
--- a/meta-networking/recipes-support/ntp/ntp/ntpdate
+++ b/meta-networking/recipes-support/ntp/ntp/ntpdate
@@ -52,3 +52,8 @@ if [ -x /usr/bin/lockfile-create ] ; then
fi
) &
+
+# wait for all subprocesses to finish
+# this is required when using systemd service as ntpd will start before ntpdate finishes
+# and results in a bind error (port 123)
+wait
diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
index 7e168825e..e668113c5 100644
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
@@ -26,6 +26,9 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19"
+# CVE-2016-9312 is only for windows.
+CVE_CHECK_WHITELIST += "CVE-2016-9312"
+
inherit autotools update-rc.d useradd systemd pkgconfig
# The ac_cv_header_readline_history is to stop ntpdc depending on either
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb b/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb
index f82107dbe..646f0387a 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb
@@ -17,6 +17,9 @@ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
SRC_URI[md5sum] = "7643f135b49aee49df7d83c1f434dc4e"
SRC_URI[sha256sum] = "b9d295988b34e39964ac475b619c3585d667b36c350cf1adec19e5e3c843ba11"
+# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
+CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569"
+
SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service"
SYSTEMD_AUTO_ENABLE = "disable"
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.6.bb
index f44032802..6acd849f8 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.5.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.6.bb
@@ -19,7 +19,7 @@ SRC_URI += " \
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
-SRC_URI[sha256sum] = "de1aafd100a1e1207c850d180e97dd91ab8da0f5eb6beec545f725cdb145d333"
+SRC_URI[sha256sum] = "12a678208f8cb009e6b9d96026e41a6ef03c7ad086b9e1029f42053b249b4628"
PE = "1"
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch
deleted file mode 100644
index df4cee2b4..000000000
--- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch
+++ /dev/null
@@ -1,714 +0,0 @@
-From 44272ce47e768e090263df5cb9cb7ce17e544ad3 Mon Sep 17 00:00:00 2001
-From: Vincent Prince <vincent.prince.external@saftbatteries.com>
-Date: Tue, 15 Sep 2020 11:40:15 +0200
-Subject: [PATCH] kms-message: bump libmongocrypto to v1.0.4
-
-This fixes compilation with alpinelinux
-see https://github.com/mongodb/libmongocrypt/pull/89
-
-Upstream-Status: Pending
-
-Signed-off-by: Vincent Prince <vincent.prince.fr@gmail.com>
----
- .../kms-message/THIRD_PARTY_NOTICES | 2 +-
- src/third_party/kms-message/src/hexlify.c | 21 +----
- src/third_party/kms-message/src/hexlify.h | 2 -
- .../kms-message/src/kms_crypto_apple.c | 5 +
- .../kms-message/src/kms_crypto_libcrypto.c | 94 +++++++++++++++++++
- .../kms-message/src/kms_crypto_none.c | 4 +
- .../kms-message/src/kms_crypto_windows.c | 4 +
- .../kms-message/src/kms_decrypt_request.c | 2 +-
- .../kms-message/src/kms_encrypt_request.c | 2 +-
- src/third_party/kms-message/src/kms_kv_list.c | 11 ++-
- .../kms-message/src/kms_message/kms_message.h | 2 +
- .../src/kms_message/kms_message_defines.h | 10 ++
- src/third_party/kms-message/src/kms_port.c | 33 +++++++
- src/third_party/kms-message/src/kms_port.h | 27 +++---
- src/third_party/kms-message/src/kms_request.c | 41 +++++---
- .../kms-message/src/kms_request_str.c | 13 ++-
- .../kms-message/src/kms_request_str.h | 5 -
- .../kms-message/src/kms_response_parser.c | 26 ++++-
- .../scripts/kms_message_get_sources.sh | 2 +-
- 19 files changed, 244 insertions(+), 62 deletions(-)
- create mode 100644 src/third_party/kms-message/src/kms_crypto_libcrypto.c
- create mode 100644 src/third_party/kms-message/src/kms_port.c
-
-diff --git a/src/third_party/kms-message/THIRD_PARTY_NOTICES b/src/third_party/kms-message/THIRD_PARTY_NOTICES
-index 3fc095170c..4110c1b91e 100644
---- a/src/third_party/kms-message/THIRD_PARTY_NOTICES
-+++ b/src/third_party/kms-message/THIRD_PARTY_NOTICES
-@@ -1,4 +1,4 @@
--License notice for common-b64.c
-+License notice for kms_b64.c
- -------------------------------------------------------------------------------
-
- ISC License
-diff --git a/src/third_party/kms-message/src/hexlify.c b/src/third_party/kms-message/src/hexlify.c
-index be9ee030b9..941fc93d1b 100644
---- a/src/third_party/kms-message/src/hexlify.c
-+++ b/src/third_party/kms-message/src/hexlify.c
-@@ -24,6 +24,8 @@ char *
- hexlify (const uint8_t *buf, size_t len)
- {
- char *hex_chars = malloc (len * 2 + 1);
-+ KMS_ASSERT (hex_chars);
-+
- char *p = hex_chars;
- size_t i;
-
-@@ -35,22 +37,3 @@ hexlify (const uint8_t *buf, size_t len)
-
- return hex_chars;
- }
--
--uint8_t *
--unhexlify (const char *hex_chars, size_t *len)
--{
-- uint8_t *buf;
-- uint8_t *pos;
--
-- *len = strlen (hex_chars) / 2;
-- buf = malloc (*len);
-- pos = buf;
--
-- while (*hex_chars) {
-- KMS_ASSERT (1 == sscanf (hex_chars, "%2hhx", pos));
-- pos++;
-- hex_chars += 2;
-- }
--
-- return buf;
--}
-diff --git a/src/third_party/kms-message/src/hexlify.h b/src/third_party/kms-message/src/hexlify.h
-index e0096eb6ca..a6a504ebe8 100644
---- a/src/third_party/kms-message/src/hexlify.h
-+++ b/src/third_party/kms-message/src/hexlify.h
-@@ -19,5 +19,3 @@
-
- char *
- hexlify (const uint8_t *buf, size_t len);
--uint8_t *
--unhexlify (const char *hex_chars, size_t *len);
-diff --git a/src/third_party/kms-message/src/kms_crypto_apple.c b/src/third_party/kms-message/src/kms_crypto_apple.c
-index 61da0a6288..a26e0d65e8 100644
---- a/src/third_party/kms-message/src/kms_crypto_apple.c
-+++ b/src/third_party/kms-message/src/kms_crypto_apple.c
-@@ -16,9 +16,12 @@
-
- #include "kms_crypto.h"
-
-+#ifdef KMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO
-+
- #include <CommonCrypto/CommonDigest.h>
- #include <CommonCrypto/CommonHMAC.h>
-
-+
- int
- kms_crypto_init ()
- {
-@@ -54,3 +57,5 @@ kms_sha256_hmac (void *unused_ctx,
- CCHmac (kCCHmacAlgSHA256, key_input, key_len, input, len, hash_out);
- return true;
- }
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO */
-diff --git a/src/third_party/kms-message/src/kms_crypto_libcrypto.c b/src/third_party/kms-message/src/kms_crypto_libcrypto.c
-new file mode 100644
-index 0000000000..6f25657fdd
---- /dev/null
-+++ b/src/third_party/kms-message/src/kms_crypto_libcrypto.c
-@@ -0,0 +1,94 @@
-+/*
-+ * Copyright 2018-present MongoDB, Inc.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+#include "kms_crypto.h"
-+
-+#ifdef KMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO
-+
-+#include <openssl/sha.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
-+static EVP_MD_CTX *
-+EVP_MD_CTX_new (void)
-+{
-+ return calloc (sizeof (EVP_MD_CTX), 1);
-+}
-+
-+static void
-+EVP_MD_CTX_free (EVP_MD_CTX *ctx)
-+{
-+ EVP_MD_CTX_cleanup (ctx);
-+ free (ctx);
-+}
-+#endif
-+
-+int
-+kms_crypto_init ()
-+{
-+ return 0;
-+}
-+
-+void
-+kms_crypto_cleanup ()
-+{
-+}
-+
-+bool
-+kms_sha256 (void *unused_ctx,
-+ const char *input,
-+ size_t len,
-+ unsigned char *hash_out)
-+{
-+ EVP_MD_CTX *digest_ctxp = EVP_MD_CTX_new ();
-+ bool rval = false;
-+
-+ if (1 != EVP_DigestInit_ex (digest_ctxp, EVP_sha256 (), NULL)) {
-+ goto cleanup;
-+ }
-+
-+ if (1 != EVP_DigestUpdate (digest_ctxp, input, len)) {
-+ goto cleanup;
-+ }
-+
-+ rval = (1 == EVP_DigestFinal_ex (digest_ctxp, hash_out, NULL));
-+
-+cleanup:
-+ EVP_MD_CTX_free (digest_ctxp);
-+
-+ return rval;
-+}
-+
-+bool
-+kms_sha256_hmac (void *unused_ctx,
-+ const char *key_input,
-+ size_t key_len,
-+ const char *input,
-+ size_t len,
-+ unsigned char *hash_out)
-+{
-+ return HMAC (EVP_sha256 (),
-+ key_input,
-+ key_len,
-+ (unsigned char *) input,
-+ len,
-+ hash_out,
-+ NULL) != NULL;
-+}
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO */
-diff --git a/src/third_party/kms-message/src/kms_crypto_none.c b/src/third_party/kms-message/src/kms_crypto_none.c
-index 9ef2147687..94da5abd88 100644
---- a/src/third_party/kms-message/src/kms_crypto_none.c
-+++ b/src/third_party/kms-message/src/kms_crypto_none.c
-@@ -16,6 +16,8 @@
-
- #include "kms_crypto.h"
-
-+#ifndef KMS_MESSAGE_ENABLE_CRYPTO
-+
- int
- kms_crypto_init ()
- {
-@@ -48,3 +50,5 @@ kms_sha256_hmac (void *unused_ctx,
- /* only gets called if hooks were mistakenly not set */
- return false;
- }
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO */
-diff --git a/src/third_party/kms-message/src/kms_crypto_windows.c b/src/third_party/kms-message/src/kms_crypto_windows.c
-index ccdc7e095d..8177b0ddc0 100644
---- a/src/third_party/kms-message/src/kms_crypto_windows.c
-+++ b/src/third_party/kms-message/src/kms_crypto_windows.c
-@@ -16,6 +16,8 @@
-
- #include "kms_crypto.h"
-
-+#ifdef KMS_MESSAGE_ENABLE_CRYPTO_CNG
-+
- // tell windows.h not to include a bunch of headers we don't need:
- #define WIN32_LEAN_AND_MEAN
-
-@@ -130,3 +132,5 @@ cleanup:
-
- return status == STATUS_SUCCESS ? 1 : 0;
- }
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO_CNG */
-diff --git a/src/third_party/kms-message/src/kms_decrypt_request.c b/src/third_party/kms-message/src/kms_decrypt_request.c
-index 06faa43119..f1ca282768 100644
---- a/src/third_party/kms-message/src/kms_decrypt_request.c
-+++ b/src/third_party/kms-message/src/kms_decrypt_request.c
-@@ -48,7 +48,7 @@ kms_decrypt_request_new (const uint8_t *ciphertext_blob,
- if (!(b64 = malloc (b64_len))) {
- KMS_ERROR (request,
- "Could not allocate %d bytes for base64-encoding payload",
-- b64_len);
-+ (int) b64_len);
- goto done;
- }
-
-diff --git a/src/third_party/kms-message/src/kms_encrypt_request.c b/src/third_party/kms-message/src/kms_encrypt_request.c
-index b5f4d6436e..24b064d95f 100644
---- a/src/third_party/kms-message/src/kms_encrypt_request.c
-+++ b/src/third_party/kms-message/src/kms_encrypt_request.c
-@@ -47,7 +47,7 @@ kms_encrypt_request_new (const uint8_t *plaintext,
- if (!(b64 = malloc (b64_len))) {
- KMS_ERROR (request,
- "Could not allocate %d bytes for base64-encoding payload",
-- b64_len);
-+ (int) b64_len);
- goto done;
- }
-
-diff --git a/src/third_party/kms-message/src/kms_kv_list.c b/src/third_party/kms-message/src/kms_kv_list.c
-index 2d6845a1aa..0cff3dc2c6 100644
---- a/src/third_party/kms-message/src/kms_kv_list.c
-+++ b/src/third_party/kms-message/src/kms_kv_list.c
-@@ -17,6 +17,7 @@
-
- #include "kms_kv_list.h"
- #include "kms_message/kms_message.h"
-+#include "kms_message_private.h"
- #include "kms_request_str.h"
- #include "kms_port.h"
- #include "sort.h"
-@@ -39,9 +40,12 @@ kms_kv_list_t *
- kms_kv_list_new (void)
- {
- kms_kv_list_t *lst = malloc (sizeof (kms_kv_list_t));
-+ KMS_ASSERT (lst);
-
- lst->size = 16;
- lst->kvs = malloc (lst->size * sizeof (kms_kv_t));
-+ KMS_ASSERT (lst->kvs);
-+
- lst->len = 0;
-
- return lst;
-@@ -72,6 +76,7 @@ kms_kv_list_add (kms_kv_list_t *lst,
- if (lst->len == lst->size) {
- lst->size *= 2;
- lst->kvs = realloc (lst->kvs, lst->size * sizeof (kms_kv_t));
-+ KMS_ASSERT (lst->kvs);
- }
-
- kv_init (&lst->kvs[lst->len], key, value);
-@@ -84,7 +89,7 @@ kms_kv_list_find (const kms_kv_list_t *lst, const char *key)
- size_t i;
-
- for (i = 0; i < lst->len; i++) {
-- if (0 == strcasecmp (lst->kvs[i].key->str, key)) {
-+ if (0 == kms_strcasecmp (lst->kvs[i].key->str, key)) {
- return &lst->kvs[i];
- }
- }
-@@ -119,8 +124,12 @@ kms_kv_list_dup (const kms_kv_list_t *lst)
- }
-
- dup = malloc (sizeof (kms_kv_list_t));
-+ KMS_ASSERT (dup);
-+
- dup->size = dup->len = lst->len;
- dup->kvs = malloc (lst->len * sizeof (kms_kv_t));
-+ KMS_ASSERT (dup->kvs);
-+
-
- for (i = 0; i < lst->len; i++) {
- kv_init (&dup->kvs[i], lst->kvs[i].key, lst->kvs[i].value);
-diff --git a/src/third_party/kms-message/src/kms_message/kms_message.h b/src/third_party/kms-message/src/kms_message/kms_message.h
-index 6ea95dd04c..8048528f2e 100644
---- a/src/third_party/kms-message/src/kms_message/kms_message.h
-+++ b/src/third_party/kms-message/src/kms_message/kms_message.h
-@@ -17,6 +17,8 @@
- #ifndef KMS_MESSAGE_H
- #define KMS_MESSAGE_H
-
-+#include <sys/types.h>
-+
- #include "kms_message_defines.h"
- #include "kms_request_opt.h"
- #include "kms_request.h"
-diff --git a/src/third_party/kms-message/src/kms_message/kms_message_defines.h b/src/third_party/kms-message/src/kms_message/kms_message_defines.h
-index a4d019bd77..a539d531ef 100644
---- a/src/third_party/kms-message/src/kms_message/kms_message_defines.h
-+++ b/src/third_party/kms-message/src/kms_message/kms_message_defines.h
-@@ -53,4 +53,14 @@ kms_message_cleanup (void);
- } /* extern "C" */
- #endif
-
-+#ifdef _MSC_VER
-+#include <basetsd.h>
-+#pragma warning(disable : 4142)
-+#ifndef _SSIZE_T_DEFINED
-+#define _SSIZE_T_DEFINED
-+typedef SSIZE_T ssize_t;
-+#endif
-+#pragma warning(default : 4142)
-+#endif
-+
- #endif /* KMS_MESSAGE_DEFINES_H */
-diff --git a/src/third_party/kms-message/src/kms_port.c b/src/third_party/kms-message/src/kms_port.c
-new file mode 100644
-index 0000000000..ee9e6ed9c9
---- /dev/null
-+++ b/src/third_party/kms-message/src/kms_port.c
-@@ -0,0 +1,33 @@
-+/*
-+ * Copyright 2020-present MongoDB, Inc.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+#include "kms_port.h"
-+#if defined(_WIN32)
-+#include <stdlib.h>
-+#include <string.h>
-+char * kms_strndup (const char *src, size_t len)
-+{
-+ char *dst = (char *) malloc (len + 1);
-+ if (!dst) {
-+ return 0;
-+ }
-+
-+ memcpy (dst, src, len);
-+ dst[len] = '\0';
-+
-+ return dst;
-+}
-+#endif
-\ No newline at end of file
-diff --git a/src/third_party/kms-message/src/kms_port.h b/src/third_party/kms-message/src/kms_port.h
-index c3cbbac369..2123a99dc9 100644
---- a/src/third_party/kms-message/src/kms_port.h
-+++ b/src/third_party/kms-message/src/kms_port.h
-@@ -15,21 +15,18 @@
- * limitations under the License.
- */
-
--#if defined(_WIN32)
--#define strcasecmp _stricmp
--
--inline char *
--strndup (const char *src, size_t len)
--{
-- char *dst = (char *) malloc (len + 1);
-- if (!dst) {
-- return 0;
-- }
--
-- memcpy (dst, src, len);
-- dst[len] = '\0';
-+#ifndef KMS_PORT_H
-+#define KMS_PORT_H
-
-- return dst;
--}
-+#include <stddef.h>
-
-+#if defined(_WIN32)
-+#define kms_strcasecmp _stricmp
-+char *
-+kms_strndup (const char *src, size_t len);
-+#else
-+#define kms_strndup strndup
-+#define kms_strcasecmp strcasecmp
- #endif
-+
-+#endif /* KMS_PORT_H */
-\ No newline at end of file
-diff --git a/src/third_party/kms-message/src/kms_request.c b/src/third_party/kms-message/src/kms_request.c
-index fa2d487123..ac2b07ea6b 100644
---- a/src/third_party/kms-message/src/kms_request.c
-+++ b/src/third_party/kms-message/src/kms_request.c
-@@ -61,6 +61,7 @@ kms_request_new (const char *method,
- kms_request_t *request = calloc (1, sizeof (kms_request_t));
- const char *question_mark;
-
-+ KMS_ASSERT (request);
- /* parsing may set failed to true */
- request->failed = false;
-
-@@ -92,10 +93,14 @@ kms_request_new (const char *method,
- request->header_fields = kms_kv_list_new ();
- request->auto_content_length = true;
-
-- kms_request_set_date (request, NULL);
-+ if (!kms_request_set_date (request, NULL)) {
-+ return request;
-+ }
-
- if (opt && opt->connection_close) {
-- kms_request_add_header_field (request, "Connection", "close");
-+ if (!kms_request_add_header_field (request, "Connection", "close")) {
-+ return request;
-+ }
- }
-
- if (opt && opt->crypto.sha256) {
-@@ -164,7 +169,9 @@ kms_request_set_date (kms_request_t *request, const struct tm *tm)
- kms_request_str_set_chars (request->date, buf, sizeof "YYYYmmDD" - 1);
- kms_request_str_set_chars (request->datetime, buf, sizeof AMZ_DT_FORMAT - 1);
- kms_kv_list_del (request->header_fields, "X-Amz-Date");
-- kms_request_add_header_field (request, "X-Amz-Date", buf);
-+ if (!kms_request_add_header_field (request, "X-Amz-Date", buf)) {
-+ return false;
-+ }
-
- return true;
- }
-@@ -309,7 +316,8 @@ append_canonical_headers (kms_kv_list_t *lst, kms_request_str_t *str)
- * values in headers that have multiple values." */
- for (i = 0; i < lst->len; i++) {
- kv = &lst->kvs[i];
-- if (previous_key && 0 == strcasecmp (previous_key->str, kv->key->str)) {
-+ if (previous_key &&
-+ 0 == kms_strcasecmp (previous_key->str, kv->key->str)) {
- /* duplicate header */
- kms_request_str_append_char (str, ',');
- kms_request_str_append_stripped (str, kv->value);
-@@ -339,12 +347,13 @@ append_signed_headers (kms_kv_list_t *lst, kms_request_str_t *str)
-
- for (i = 0; i < lst->len; i++) {
- kv = &lst->kvs[i];
-- if (previous_key && 0 == strcasecmp (previous_key->str, kv->key->str)) {
-+ if (previous_key &&
-+ 0 == kms_strcasecmp (previous_key->str, kv->key->str)) {
- /* duplicate header */
- continue;
- }
-
-- if (0 == strcasecmp (kv->key->str, "connection")) {
-+ if (0 == kms_strcasecmp (kv->key->str, "connection")) {
- continue;
- }
-
-@@ -412,7 +421,8 @@ finalize (kms_request_t *request)
- static int
- cmp_header_field_names (const void *a, const void *b)
- {
-- return strcasecmp (((kms_kv_t *) a)->key->str, ((kms_kv_t *) b)->key->str);
-+ return kms_strcasecmp (((kms_kv_t *) a)->key->str,
-+ ((kms_kv_t *) b)->key->str);
- }
-
- static kms_kv_list_t *
-@@ -447,6 +457,7 @@ kms_request_get_canonical (kms_request_t *request)
- kms_request_str_append_newline (canonical);
- normalized = kms_request_str_path_normalized (request->path);
- kms_request_str_append_escaped (canonical, normalized, false);
-+ kms_request_str_destroy (normalized);
- kms_request_str_append_newline (canonical);
- append_canonical_query (request, canonical);
- kms_request_str_append_newline (canonical);
-@@ -454,12 +465,14 @@ kms_request_get_canonical (kms_request_t *request)
- append_canonical_headers (lst, canonical);
- kms_request_str_append_newline (canonical);
- append_signed_headers (lst, canonical);
-- kms_request_str_append_newline (canonical);
-- kms_request_str_append_hashed (
-- &request->crypto, canonical, request->payload);
--
-- kms_request_str_destroy (normalized);
- kms_kv_list_destroy (lst);
-+ kms_request_str_append_newline (canonical);
-+ if (!kms_request_str_append_hashed (
-+ &request->crypto, canonical, request->payload)) {
-+ KMS_ERROR (request, "could not generate hash");
-+ kms_request_str_destroy (canonical);
-+ return NULL;
-+ }
-
- return kms_request_str_detach (canonical);
- }
-@@ -514,6 +527,10 @@ kms_request_get_string_to_sign (kms_request_t *request)
- kms_request_str_append_chars (sts, "/aws4_request\n", -1);
-
- creq = kms_request_str_wrap (kms_request_get_canonical (request), -1);
-+ if (!creq) {
-+ goto done;
-+ }
-+
- if (!kms_request_str_append_hashed (&request->crypto, sts, creq)) {
- goto done;
- }
-diff --git a/src/third_party/kms-message/src/kms_request_str.c b/src/third_party/kms-message/src/kms_request_str.c
-index 0f7c19c972..65207d2f4f 100644
---- a/src/third_party/kms-message/src/kms_request_str.c
-+++ b/src/third_party/kms-message/src/kms_request_str.c
-@@ -51,10 +51,13 @@ kms_request_str_t *
- kms_request_str_new (void)
- {
- kms_request_str_t *s = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (s);
-
- s->len = 0;
- s->size = 16;
- s->str = malloc (s->size);
-+ KMS_ASSERT (s->str);
-+
- s->str[0] = '\0';
-
- return s;
-@@ -64,11 +67,15 @@ kms_request_str_t *
- kms_request_str_new_from_chars (const char *chars, ssize_t len)
- {
- kms_request_str_t *s = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (s);
-+
- size_t actual_len;
-
- actual_len = len < 0 ? strlen (chars) : (size_t) len;
- s->size = actual_len + 1;
- s->str = malloc (s->size);
-+ KMS_ASSERT (s->str);
-+
- memcpy (s->str, chars, actual_len);
- s->str[actual_len] = '\0';
- s->len = actual_len;
-@@ -86,6 +93,8 @@ kms_request_str_wrap (char *chars, ssize_t len)
- }
-
- s = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (s);
-+
-
- s->str = chars;
- s->len = len < 0 ? strlen (chars) : (size_t) len;
-@@ -148,8 +157,10 @@ kms_request_str_t *
- kms_request_str_dup (kms_request_str_t *str)
- {
- kms_request_str_t *dup = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (dup);
-+
-
-- dup->str = strndup (str->str, str->len);
-+ dup->str = kms_strndup (str->str, str->len);
- dup->len = str->len;
- dup->size = str->len + 1;
-
-diff --git a/src/third_party/kms-message/src/kms_request_str.h b/src/third_party/kms-message/src/kms_request_str.h
-index f053a595aa..0898f59067 100644
---- a/src/third_party/kms-message/src/kms_request_str.h
-+++ b/src/third_party/kms-message/src/kms_request_str.h
-@@ -25,11 +25,6 @@
- #include <stdint.h>
- #include <string.h>
-
--#if defined(_WIN32)
--#include <basetsd.h>
--typedef SSIZE_T ssize_t;
--#endif // _WIN32
--
- typedef struct {
- char *str;
- size_t len;
-diff --git a/src/third_party/kms-message/src/kms_response_parser.c b/src/third_party/kms-message/src/kms_response_parser.c
-index 31e4868a68..6f86fac854 100644
---- a/src/third_party/kms-message/src/kms_response_parser.c
-+++ b/src/third_party/kms-message/src/kms_response_parser.c
-@@ -1,7 +1,7 @@
- #include "kms_message/kms_response_parser.h"
- #include "kms_message_private.h"
-
--#include "kms_message_private.h"
-+#include <errno.h>
- #include <limits.h>
- #include <stdio.h>
- #include <stdlib.h>
-@@ -24,6 +24,7 @@ _parser_init (kms_response_parser_t *parser)
- parser->raw_response = kms_request_str_new ();
- parser->content_length = -1;
- parser->response = calloc (1, sizeof (kms_response_t));
-+ KMS_ASSERT (parser->response);
- parser->response->headers = kms_kv_list_new ();
- parser->state = PARSING_STATUS_LINE;
- parser->start = 0;
-@@ -34,6 +35,8 @@ kms_response_parser_t *
- kms_response_parser_new (void)
- {
- kms_response_parser_t *parser = malloc (sizeof (kms_response_parser_t));
-+ KMS_ASSERT (parser);
-+
- _parser_init (parser);
- return parser;
- }
-@@ -59,11 +62,26 @@ static bool
- _parse_int (const char *str, int *result)
- {
- char *endptr = NULL;
-+ int64_t long_result;
-
-- *result = (int) strtol (str, &endptr, 10);
-- if (*endptr) {
-+ errno = 0;
-+ long_result = strtol (str, &endptr, 10);
-+ if (endptr == str) {
-+ /* No digits were parsed. Consider this an error */
-+ return false;
-+ }
-+ if (endptr != NULL && *endptr != '\0') {
-+ /* endptr points to the first invalid character. */
-+ return false;
-+ }
-+ if (errno == EINVAL || errno == ERANGE) {
-+ return false;
-+ }
-+ if (long_result > INT32_MAX || long_result < INT32_MIN) {
- return false;
- }
-+ *result = (int) long_result;
-+
- return true;
- }
-
-@@ -72,6 +90,8 @@ static bool
- _parse_int_from_view (const char *str, int start, int end, int *result)
- {
- char *num_str = malloc (end - start + 1);
-+ KMS_ASSERT (num_str);
-+
- bool ret;
-
- strncpy (num_str, str + start, end - start);
-diff --git a/src/third_party/scripts/kms_message_get_sources.sh b/src/third_party/scripts/kms_message_get_sources.sh
-index 6ad2fbb0e6..52ce21b9dd 100755
---- a/src/third_party/scripts/kms_message_get_sources.sh
-+++ b/src/third_party/scripts/kms_message_get_sources.sh
-@@ -18,7 +18,7 @@ if grep -q Microsoft /proc/version; then
- fi
-
- NAME=libmongocrypt
--REVISION=59c8c17bbdfa1cf0fdec60cfdde73a437a868221
-+REVISION=052f7fc610f0cea83a2adf3dd263a5ff04833371
-
- if grep -q Microsoft /proc/version; then
- SRC_ROOT=$(wslpath -u $(powershell.exe -Command "Get-ChildItem Env:TEMP | Get-Content | Write-Host"))
---
-2.24.0
-
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
index b78255a04..fcabf8132 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
@@ -11,11 +11,10 @@ DEPENDS = "openssl libpcap zlib boost curl python3 \
inherit scons dos2unix siteinfo python3native systemd useradd
-PV = "4.4.4"
-#v4.4.4
-SRCREV = "8db30a63db1a9d84bdcad0c83369623f708e0397"
+PV = "4.4.6"
+#v4.4.6
+SRCREV = "72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7"
SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.4 \
- file://0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch \
file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \
file://0001-Use-long-long-instead-of-int64_t.patch \
file://0001-Use-__GLIBC__-to-control-use-of-gnu_get_libc_version.patch \
diff --git a/meta-oe/licenses/MINPACK b/meta-oe/licenses/MINPACK
new file mode 100644
index 000000000..132cc3f33
--- /dev/null
+++ b/meta-oe/licenses/MINPACK
@@ -0,0 +1,51 @@
+Minpack Copyright Notice (1999) University of Chicago. All rights reserved
+
+Redistribution and use in source and binary forms, with or
+without modification, are permitted provided that the
+following conditions are met:
+
+1. Redistributions of source code must retain the above
+copyright notice, this list of conditions and the following
+disclaimer.
+
+2. Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following
+disclaimer in the documentation and/or other materials
+provided with the distribution.
+
+3. The end-user documentation included with the
+redistribution, if any, must include the following
+acknowledgment:
+
+ "This product includes software developed by the
+ University of Chicago, as Operator of Argonne National
+ Laboratory.
+
+Alternately, this acknowledgment may appear in the software
+itself, if and wherever such third-party acknowledgments
+normally appear.
+
+4. WARRANTY DISCLAIMER. THE SOFTWARE IS SUPPLIED "AS IS"
+WITHOUT WARRANTY OF ANY KIND. THE COPYRIGHT HOLDER, THE
+UNITED STATES, THE UNITED STATES DEPARTMENT OF ENERGY, AND
+THEIR EMPLOYEES: (1) DISCLAIM ANY WARRANTIES, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE
+OR NON-INFRINGEMENT, (2) DO NOT ASSUME ANY LEGAL LIABILITY
+OR RESPONSIBILITY FOR THE ACCURACY, COMPLETENESS, OR
+USEFULNESS OF THE SOFTWARE, (3) DO NOT REPRESENT THAT USE OF
+THE SOFTWARE WOULD NOT INFRINGE PRIVATELY OWNED RIGHTS, (4)
+DO NOT WARRANT THAT THE SOFTWARE WILL FUNCTION
+UNINTERRUPTED, THAT IT IS ERROR-FREE OR THAT ANY ERRORS WILL
+BE CORRECTED.
+
+5. LIMITATION OF LIABILITY. IN NO EVENT WILL THE COPYRIGHT
+HOLDER, THE UNITED STATES, THE UNITED STATES DEPARTMENT OF
+ENERGY, OR THEIR EMPLOYEES: BE LIABLE FOR ANY INDIRECT,
+INCIDENTAL, CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES OF
+ANY KIND OR NATURE, INCLUDING BUT NOT LIMITED TO LOSS OF
+PROFITS OR LOSS OF DATA, FOR ANY REASON WHATSOEVER, WHETHER
+SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT
+(INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE,
+EVEN IF ANY OF SAID PARTIES HAS BEEN WARNED OF THE
+POSSIBILITY OF SUCH LOSS OR DAMAGES.
diff --git a/meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch b/meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch
new file mode 100644
index 000000000..d628e81b5
--- /dev/null
+++ b/meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch
@@ -0,0 +1,40 @@
+From c1ebf893e32a0a77e820484d48a903523fef7c1b Mon Sep 17 00:00:00 2001
+From: Vasily Tarasov <tarasov@vasily.name>
+Date: Fri, 10 Jun 2016 14:33:48 -0400
+Subject: [PATCH] Adding volatile modifier to tmp variable in memory test
+
+Issue explanation:
+
+./sysbench/sysbench --test=memory --num-threads=16 \
+ --memory-block-size=268435456 \
+ --memory-total-size=137438953472 \
+ --memory-oper=read \
+ --memory-access-mode=seq \
+ --memory-scope=local run
+
+Without this commit the time to run the above command is 0.0004 seconds.
+With this commit the time is greater than 3 seconds. Essentially,
+without the volatile modifier, the compiler optimizes read access so
+that no real access happens.
+
+Upstream-Status: Backport [part of v1.0.0 https://github.com/akopytov/sysbench/commit/8753cb93be4c0b81a20b704ced91e7a422da52b1]
+
+(cherry picked from commit 8753cb93be4c0b81a20b704ced91e7a422da52b1)
+Signed-off-by: massimo toscanelli <massimo.toscanelli@leica-geosystems.com>
+---
+ sysbench/tests/memory/sb_memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sysbench/tests/memory/sb_memory.c b/sysbench/tests/memory/sb_memory.c
+index 2e8998f..7d22bb9 100644
+--- a/sysbench/tests/memory/sb_memory.c
++++ b/sysbench/tests/memory/sb_memory.c
+@@ -244,7 +244,7 @@ sb_request_t memory_get_request(int tid)
+ int memory_execute_request(sb_request_t *sb_req, int thread_id)
+ {
+ sb_mem_request_t *mem_req = &sb_req->u.mem_request;
+- int tmp = 0;
++ volatile int tmp = 0;
+ int idx;
+ int *buf, *end;
+ log_msg_t msg;
diff --git a/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb b/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb
index 708c71f4f..d1725dddd 100644
--- a/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb
+++ b/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb
@@ -8,7 +8,9 @@ inherit autotools
# The project has moved from Sourceforge to Launchpad, to Github. Use the source tarball from
# Launchpad until the next release is available from Github.
-SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+files/${BPN}_${PV}.orig.tar.gz"
+SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+files/${BPN}_${PV}.orig.tar.gz \
+ file://0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch \
+ "
SRC_URI[md5sum] = "3a6d54fdd3fe002328e4458206392b9d"
SRC_URI[sha256sum] = "83fa7464193e012c91254e595a89894d8e35b4a38324b52a5974777e3823ea9e"
diff --git a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
index 5b5c8b257..ac803294e 100644
--- a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
+++ b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/git"
inherit cmake
-EXTRA_OECMAKE += "-DRAPIDJSON_BUILD_DOC=OFF -DRAPIDJSON_BUILD_TESTS=OFF -DRAPIDJSON_BUILD_EXAMPLES=OFF -DLIB_INSTALL_DIR:STRING=${libdir}"
+EXTRA_OECMAKE += "-DRAPIDJSON_BUILD_DOC=OFF -DRAPIDJSON_BUILD_TESTS=OFF -DRAPIDJSON_BUILD_EXAMPLES=OFF"
# RapidJSON is a header-only C++ library, so the main package will be empty.
diff --git a/meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb b/meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb
index 322b58477..68d83eb00 100644
--- a/meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb
+++ b/meta-oe/recipes-extended/minifi-cpp/minifi-cpp_0.7.0.bb
@@ -88,6 +88,7 @@ do_install() {
install -d ${D}${MINIFI_BIN}
install -d ${D}${MINIFI_HOME}/conf
install -m 755 -d ${D}${localstatedir}/lib/minifi
+ install -m 755 -d ${D}${libexecdir}/minifi-python
cp -a ${WORKDIR}/minifi-install/usr/bin/* ${D}${MINIFI_BIN}/
cp -a ${WORKDIR}/minifi-install/usr/conf/* ${D}${MINIFI_HOME}/conf/
@@ -101,6 +102,8 @@ do_install() {
${D}${MINIFI_HOME}/conf/minifi.properties
sed -i 's|nifi.flow.configuration.file=.*|nifi.flow.configuration.file='${MINIFI_HOME}'/conf/config.yml|g' \
${D}${MINIFI_HOME}/conf/minifi.properties
+ sed -i 's|nifi.python.processor.dir=.*|nifi.python.processor.dir=${libexecdir}/minifi-python|g' \
+ ${D}${MINIFI_HOME}/conf/minifi.properties
sed -i 's|export MINIFI_HOME=.*|export MINIFI_HOME='${MINIFI_HOME}'|g' ${D}${MINIFI_BIN}/minifi.sh
sed -i 's|bin_dir=${MINIFI_HOME}/bin|bin_dir='${MINIFI_BIN}'|g' ${D}${MINIFI_BIN}/minifi.sh
@@ -135,3 +138,5 @@ pkg_postinst_${PN}() {
fi
fi
}
+
+CLEANBROKEN = "1"
diff --git a/meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb b/meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb
index ff56d4804..6da0f5d9a 100644
--- a/meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb
+++ b/meta-oe/recipes-kernel/libpfm/libpfm4_4.10.1.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0de488f3bd4424e308e2e399cb99c788"
SECTION = "devel"
-COMPATIBLE_HOST = "powerpc64"
+COMPATIBLE_HOST = "powerpc64|aarch64"
SRC_URI = "${SOURCEFORGE_MIRROR}/perfmon2/${BPN}/libpfm-${PV}.tar.gz \
file://0001-Include-poll.h-instead-of-sys-poll.h.patch \
@@ -24,6 +24,7 @@ EXTRA_OEMAKE = "DESTDIR=\"${D}\" PREFIX=\"${prefix}\" LIBDIR=\"${libdir}\" LDCON
EXTRA_OEMAKE_append_powerpc = " ARCH=\"powerpc\""
EXTRA_OEMAKE_append_powerpc64 = " ARCH=\"powerpc\" BITMODE=\"64\""
EXTRA_OEMAKE_append_powerpc64le = " ARCH=\"powerpc\" BITMODE=\"64\""
+EXTRA_OEMAKE_append_aarch64 = " ARCH=\"arm64\""
S = "${WORKDIR}/libpfm-${PV}"
diff --git a/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb b/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb
index 6ce318d0b..fe15f2eb2 100644
--- a/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb
+++ b/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb
@@ -1,8 +1,13 @@
DESCRIPTION = "Eigen is a C++ template library for linear algebra: matrices, vectors, numerical solvers, and related algorithms."
AUTHOR = "Benoît Jacob and Gaël Guennebaud and others"
HOMEPAGE = "http://eigen.tuxfamily.org/"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING.MPL2;md5=815ca599c9df247a0c7f619bab123dad"
+LICENSE = "MPL-2.0 & Apache-2.0 & BSD-3-Clause & GPLv3 & LGPLv2.1 & MINPACK"
+LIC_FILES_CHKSUM = "file://COPYING.MPL2;md5=815ca599c9df247a0c7f619bab123dad \
+ file://COPYING.BSD;md5=543367b8e11f07d353ef894f71b574a0 \
+ file://COPYING.GPL;md5=d32239bcb673463ab874e80d47fae504 \
+ file://COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c \
+ file://COPYING.MINPACK;md5=5fe4603e80ef7390306f51ef74449bbd \
+"
SRC_URI = "git://gitlab.com/libeigen/eigen.git;protocol=http;nobranch=1"
diff --git a/meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch b/meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch
new file mode 100644
index 000000000..5566aa0ff
--- /dev/null
+++ b/meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch
@@ -0,0 +1,37 @@
+From 3a26f0536706fa7c241c9de986799ae440c68c8a Mon Sep 17 00:00:00 2001
+From: Julien Malik <julien.malik@unseenlabs.fr>
+Date: Mon, 27 Jul 2020 14:34:44 +0200
+Subject: [PATCH] python: Do not verify whether libiio is installed when
+ cross-compiling
+
+This should fix #561
+
+Upstream-Status: Backport
+
+Signed-off-by: Julien Malik <julien.malik@paraiso.me>
+Signed-off-by: Sam Van Den Berge <sam.van.den.berge@gmail.com>
+---
+ bindings/python/setup.py.cmakein | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/bindings/python/setup.py.cmakein b/bindings/python/setup.py.cmakein
+index cd14e2e..96d58a8 100644
+--- a/bindings/python/setup.py.cmakein
++++ b/bindings/python/setup.py.cmakein
+@@ -54,6 +54,13 @@ class InstallWrapper(install):
+ install.run(self)
+
+ def _check_libiio_installed(self):
++ cross_compiling = ("${CMAKE_CROSSCOMPILING}" == "TRUE")
++ if cross_compiling:
++ # When cross-compiling, we generally cannot dlopen
++ # the libiio shared lib from the build platform.
++ # Simply skip this check in that case.
++ return
++
+ from platform import system as _system
+ from ctypes import CDLL as _cdll
+ from ctypes.util import find_library
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/libiio/libiio_git.bb b/meta-oe/recipes-support/libiio/libiio_git.bb
index 00c016db4..d7e4cc60a 100644
--- a/meta-oe/recipes-support/libiio/libiio_git.bb
+++ b/meta-oe/recipes-support/libiio/libiio_git.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=7c13b3376cea0ce68d2d2da0a1b3a72c"
SRCREV = "565bf68eccfdbbf22cf5cb6d792e23de564665c7"
PV = "0.21+git${SRCPV}"
-SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https"
+SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https \
+ file://0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch \
+"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/nss/nss_3.64.bb b/meta-oe/recipes-support/nss/nss_3.64.bb
index 1863db131..97193aff5 100644
--- a/meta-oe/recipes-support/nss/nss_3.64.bb
+++ b/meta-oe/recipes-support/nss/nss_3.64.bb
@@ -49,6 +49,8 @@ TUNE_CCARGS_remove = "-mcpu=cortex-a55+crc -mcpu=cortex-a55 -mcpu=cortex-a55+crc
TARGET_CC_ARCH += "${LDFLAGS}"
+CFLAGS_append_class-native = " -D_XOPEN_SOURCE "
+
do_configure_prepend_libc-musl () {
sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
}
@@ -280,3 +282,6 @@ FILES_${PN}-dev = "\
RDEPENDS_${PN}-smime = "perl"
BBCLASSEXTEND = "native nativesdk"
+
+# CVE-2006-5201 affects only Sun Solaris
+CVE_CHECK_WHITELIST += "CVE-2006-5201"
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.22.bb b/meta-python/recipes-devtools/python/python3-django_2.2.22.bb
deleted file mode 100644
index a0b884025..000000000
--- a/meta-python/recipes-devtools/python/python3-django_2.2.22.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-require python-django.inc
-inherit setuptools3
-
-SRC_URI[md5sum] = "dca447b605dcabd924ac7ba17680cf73"
-SRC_URI[sha256sum] = "db2214db1c99017cbd971e58824e6f424375154fe358afc30e976f5b99fc6060"
-
-RDEPENDS_${PN} += "\
- ${PYTHON_PN}-sqlparse \
-"
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.24.bb b/meta-python/recipes-devtools/python/python3-django_2.2.24.bb
new file mode 100644
index 000000000..964ca6ba0
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.24.bb
@@ -0,0 +1,9 @@
+require python-django.inc
+inherit setuptools3
+
+SRC_URI[md5sum] = "ebf3bbb7716a7b11029e860475b9a122"
+SRC_URI[sha256sum] = "3339ff0e03dee13045aef6ae7b523edff75b6d726adf7a7a48f53d5a501f7db7"
+
+RDEPENDS_${PN} += "\
+ ${PYTHON_PN}-sqlparse \
+"
diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.2.bb b/meta-python/recipes-devtools/python/python3-django_3.2.4.bb
index 7deac2ca9..52504885e 100644
--- a/meta-python/recipes-devtools/python/python3-django_3.2.2.bb
+++ b/meta-python/recipes-devtools/python/python3-django_3.2.4.bb
@@ -1,7 +1,7 @@
require python-django.inc
inherit setuptools3
-SRC_URI[sha256sum] = "0a1d195ad65c52bf275b8277b3d49680bd1137a5f55039a806f25f6b9752ce3d"
+SRC_URI[sha256sum] = "66c9d8db8cc6fe938a28b7887c1596e42d522e27618562517cc8929eb7e7f296"
RDEPENDS_${PN} += "\
${PYTHON_PN}-sqlparse \
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch
new file mode 100644
index 000000000..4eb6b85b1
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch
@@ -0,0 +1,45 @@
+From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 11 May 2015 15:48:58 +0000
+Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection
+ may be NULL during prefetch, don't try to dereference it! Still
+ origin->keepalive will be set according to p_conn->close by the caller
+ (proxy_http_handler).
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2020-35504
+
+Reference to upstream patch:
+https://bugzilla.redhat.com/show_bug.cgi?id=1966738
+https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ modules/proxy/mod_proxy_http.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index ec1e042..5f507d5 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -570,7 +570,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
+ apr_off_t bytes;
+ int force10, rv;
+ apr_read_type_e block;
+- conn_rec *origin = p_conn->connection;
+
+ if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
+ if (req->expecting_100) {
+@@ -630,7 +629,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
+ "chunked body with Content-Length (C-L ignored)",
+ c->client_ip, c->remote_host ? c->remote_host: "");
+ req->old_cl_val = NULL;
+- origin->keepalive = AP_CONN_CLOSE;
+ p_conn->close = 1;
+ }
+
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch
new file mode 100644
index 000000000..001ca9252
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch
@@ -0,0 +1,49 @@
+From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 18 Jan 2021 17:39:12 +0000
+Subject: [PATCH] Merge r1885659 from trunk:
+
+mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+ the format can't match anyway.
+
+Submitted by: ylavic
+Reviewed by: ylavic, covener, jailletc36
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2020-35452
+
+Reference to upstream patch:
+https://security-tracker.debian.org/tracker/CVE-2020-35452
+https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ modules/aaa/mod_auth_digest.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
+index b760941..0825b1b 100644
+--- a/modules/aaa/mod_auth_digest.c
++++ b/modules/aaa/mod_auth_digest.c
+@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
+ time_rec nonce_time;
+ char tmp, hash[NONCE_HASH_LEN+1];
+
+- if (strlen(resp->nonce) != NONCE_LEN) {
++ /* Since the time part of the nonce is a base64 encoding of an
++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
++ */
++ if (strlen(resp->nonce) != NONCE_LEN
++ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
+- "invalid nonce %s received - length is not %d",
++ "invalid nonce '%s' received - length is not %d "
++ "or time encoding is incorrect",
+ resp->nonce, NONCE_LEN);
+ note_digest_auth_failure(r, conf, resp, 1);
+ return HTTP_UNAUTHORIZED;
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
new file mode 100644
index 000000000..d3aea9e12
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
@@ -0,0 +1,39 @@
+From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 1 Mar 2021 20:07:08 +0000
+Subject: [PATCH] mod_session: save one apr_strtok() in
+ session_identity_decode().
+
+When the encoding is invalid (missing '='), no need to parse further.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2021-26690
+
+Reference to upstream patch:
+https://security-tracker.debian.org/tracker/CVE-2021-26690
+https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ modules/session/mod_session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index ebd05b0..af70f6b 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -404,8 +404,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z)
+ char *plast = NULL;
+ const char *psep = "=";
+ char *key = apr_strtok(pair, psep, &plast);
+- char *val = apr_strtok(NULL, psep, &plast);
+ if (key && *key) {
++ char *val = apr_strtok(NULL, sep, &plast);
+ if (!val || !*val) {
+ apr_table_unset(z->entries, key);
+ }
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch
new file mode 100644
index 000000000..f9cf868d0
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch
@@ -0,0 +1,35 @@
+From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 1 Mar 2021 20:13:54 +0000
+Subject: [PATCH] mod_session: account for the '&' in identity_concat().
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2021-26691
+
+Reference to upstream patch:
+https://bugzilla.redhat.com/show_bug.cgi?id=1966732
+https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ modules/session/mod_session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index 7ee477c..ebd05b0 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
+ static int identity_count(void *v, const char *key, const char *val)
+ {
+ int *count = v;
+- *count += strlen(key) * 3 + strlen(val) * 3 + 1;
++ *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+ return 1;
+ }
+
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch
new file mode 100644
index 000000000..7f74c85e3
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch
@@ -0,0 +1,66 @@
+From 6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 21 Apr 2021 01:02:11 +0000
+Subject: [PATCH] legacy default slash-matching behavior w/ 'MergeSlashes OFF'
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889036 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2021-30641
+
+Reference to upstream patch:
+https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
+https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ server/request.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/server/request.c b/server/request.c
+index d5c558a..18625af 100644
+--- a/server/request.c
++++ b/server/request.c
+@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+
+ cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
+ cached = (cache->cached != NULL);
+- entry_uri = r->uri;
++
++ /*
++ * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
++ * have not been merged. But for Location walks we always go with merged
++ * slashes no matter what merge_slashes is set to.
++ */
++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
++ entry_uri = r->uri;
++ }
++ else {
++ char *uri = apr_pstrdup(r->pool, r->uri);
++ ap_no2slash(uri);
++ entry_uri = uri;
++ }
+
+ /* If we have an cache->cached location that matches r->uri,
+ * and the vhost's list of locations hasn't changed, we can skip
+@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+ pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
+ }
+
+- if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
++ if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
+ continue;
+ }
+
+@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+ apr_table_setn(r->subprocess_env,
+ ((const char **)entry_core->refs->elts)[i],
+ apr_pstrndup(r->pool,
+- entry_uri + pmatch[i].rm_so,
++ r->uri + pmatch[i].rm_so,
+ pmatch[i].rm_eo - pmatch[i].rm_so));
+ }
+ }
+--
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
index 197cb83e6..4fc1f1631 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
@@ -15,6 +15,11 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
file://0007-apache2-allow-to-disable-selinux-support.patch \
file://apache-configure_perlbin.patch \
file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \
+ file://CVE-2020-13950.patch \
+ file://CVE-2020-35452.patch \
+ file://CVE-2021-26690.patch \
+ file://CVE-2021-26691.patch \
+ file://CVE-2021-30641.patch \
"
SRC_URI_append_class-target = " \
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch
new file mode 100644
index 000000000..a70803377
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch
@@ -0,0 +1,46 @@
+From 7199ebc203f74fd9e44595474de6bdc41740c5cf Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Tue, 25 May 2021 15:17:36 +0300
+Subject: [PATCH] Resolver: fixed off-by-one write in ngx_resolver_copy().
+
+Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.
+
+Upstream-Status: Backport
+CVE: CVE-2021-23017
+
+Reference to upstream patch:
+https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/core/ngx_resolver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index 79390701..63b26193 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ done:
+ n = *src++;
+
+ } else {
++ if (dst != name->data) {
++ *dst++ = '.';
++ }
++
+ ngx_strlow(dst, src, n);
+ dst += n;
+ src += n;
+
+ n = *src++;
+-
+- if (n != 0) {
+- *dst++ = '.';
+- }
+ }
+
+ if (n == 0) {
+--
+2.17.1
+
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index de080a2b0..a4583ed8f 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -22,6 +22,7 @@ SRC_URI = " \
file://nginx-volatile.conf \
file://nginx.service \
file://nginx-fix-pidfile.patch \
+ file://CVE-2021-23017.patch \
"
inherit siteinfo update-rc.d useradd systemd
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
new file mode 100644
index 000000000..f942f990b
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
@@ -0,0 +1,97 @@
+From 9165a61f95e43cc0b5abf9b98eee2818a0191e0b Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Sat, 1 May 2021 00:40:44 +0200
+Subject: [PATCH 1/2] Dont execute files, passed via command line due to
+ security risks
+
+Instead open the containing folder and select the file.
+
+Fixes #121
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 25 +++++++++++++++++++++++--
+ thunar/thunar-window.c | 4 +---
+ thunar/thunar-window.h | 2 ++
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index df862fd..1243940 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -1512,8 +1512,29 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- /* try to open the file or directory */
+- thunar_file_launch (target_file, screen, startup_id, &error);
++ if (thunar_file_is_directory (file))
++ {
++ thunar_application_open_window (application, file, screen, startup_id, FALSE);
++ }
++ else
++ {
++ /* Note that for security reasons we do not execute files passed via command line */
++ /* Lets rather open the containing directory and select the file */
++ ThunarFile *parent = thunar_file_get_parent (file, NULL);
++
++ if (G_LIKELY (parent != NULL))
++ {
++ GList* files = NULL;
++ GtkWidget *window;
++
++ window = thunar_application_open_window (application, parent, screen, startup_id, FALSE);
++ g_object_unref (parent);
++
++ files = g_list_append (files, thunar_file_get_file (file));
++ thunar_window_select_files (THUNAR_WINDOW (window), files);
++ g_list_free (files);
++ }
++ }
+
+ /* remove the file from the list */
+ application->files_to_launch = g_list_delete_link (application->files_to_launch,
+diff --git a/thunar/thunar-window.c b/thunar/thunar-window.c
+index b330a87..b234fd3 100644
+--- a/thunar/thunar-window.c
++++ b/thunar/thunar-window.c
+@@ -243,8 +243,6 @@ static void thunar_window_update_go_menu (ThunarWindow
+ GtkWidget *menu);
+ static void thunar_window_update_help_menu (ThunarWindow *window,
+ GtkWidget *menu);
+-static void thunar_window_select_files (ThunarWindow *window,
+- GList *path_list);
+ static void thunar_window_binding_create (ThunarWindow *window,
+ gpointer src_object,
+ const gchar *src_prop,
+@@ -891,7 +889,7 @@ thunar_window_screen_changed (GtkWidget *widget,
+ *
+ * Visually selects the files, given by the list
+ **/
+-static void
++void
+ thunar_window_select_files (ThunarWindow *window,
+ GList *files_to_selected)
+ {
+diff --git a/thunar/thunar-window.h b/thunar/thunar-window.h
+index 9cbcc85..3c1aad2 100644
+--- a/thunar/thunar-window.h
++++ b/thunar/thunar-window.h
+@@ -126,6 +126,8 @@ void thunar_window_redirect_menu_tooltips_to_statusbar (Thu
+ GtkMenu *menu);
+ const XfceGtkActionEntry* thunar_window_get_action_entry (ThunarWindow *window,
+ ThunarWindowAction action);
++ void thunar_window_select_files (ThunarWindow *window,
++ GList *path_list);
+ G_END_DECLS;
+
+ #endif /* !__THUNAR_WINDOW_H__ */
+--
+2.17.1
+
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
new file mode 100644
index 000000000..a22cdc6d8
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
@@ -0,0 +1,208 @@
+From 3b54d9d7dbd7fd16235e2141c43a7f18718f5664 Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Fri, 7 May 2021 15:21:27 +0200
+Subject: [PATCH 2/2] Regression: Activating Desktop Icon does not Use Default
+ Application (Issue #575)
+
+- Introduced by 9165a61f (Dont execute files, passed via command line
+due to security risks)
+- Now via DBus files are executed, and via CLI, files are just selected
+
+Fixes #575
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 68 +++++++++++++++++++++---------------
+ thunar/thunar-application.h | 9 ++++-
+ thunar/thunar-dbus-service.c | 2 +-
+ 3 files changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index 1243940..53d0b23 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -182,37 +182,38 @@ struct _ThunarApplicationClass
+
+ struct _ThunarApplication
+ {
+- GtkApplication __parent__;
++ GtkApplication __parent__;
+
+- ThunarSessionClient *session_client;
++ ThunarSessionClient *session_client;
+
+- ThunarPreferences *preferences;
+- GtkWidget *progress_dialog;
++ ThunarPreferences *preferences;
++ GtkWidget *progress_dialog;
+
+- ThunarThumbnailCache *thumbnail_cache;
+- ThunarThumbnailer *thumbnailer;
++ ThunarThumbnailCache *thumbnail_cache;
++ ThunarThumbnailer *thumbnailer;
+
+- ThunarDBusService *dbus_service;
++ ThunarDBusService *dbus_service;
+
+- gboolean daemon;
++ gboolean daemon;
+
+- guint accel_map_save_id;
+- GtkAccelMap *accel_map;
++ guint accel_map_save_id;
++ GtkAccelMap *accel_map;
+
+- guint show_dialogs_timer_id;
++ guint show_dialogs_timer_id;
+
+ #ifdef HAVE_GUDEV
+- GUdevClient *udev_client;
++ GUdevClient *udev_client;
+
+- GSList *volman_udis;
+- guint volman_idle_id;
+- guint volman_watch_id;
++ GSList *volman_udis;
++ guint volman_idle_id;
++ guint volman_watch_id;
+ #endif
+
+- GList *files_to_launch;
++ GList *files_to_launch;
++ ThunarApplicationProcessAction process_file_action;
+
+- guint dbus_owner_id_xfce;
+- guint dbus_owner_id_fdo;
++ guint dbus_owner_id_xfce;
++ guint dbus_owner_id_fdo;
+ };
+
+
+@@ -279,6 +280,7 @@ thunar_application_init (ThunarApplication *application)
+ * in the primary instance anyways */
+
+ application->files_to_launch = NULL;
++ application->process_file_action = THUNAR_APPLICATION_SELECT_FILES;
+ application->progress_dialog = NULL;
+ application->preferences = NULL;
+
+@@ -531,7 +533,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (filenames != NULL)
+ {
+- if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -539,7 +541,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (!daemon)
+ {
+- if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -1512,7 +1514,12 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- if (thunar_file_is_directory (file))
++ if (application->process_file_action == THUNAR_APPLICATION_LAUNCH_FILES)
++ {
++ /* try to launch the file / open the directory */
++ thunar_file_launch (target_file, screen, startup_id, &error);
++ }
++ else if (thunar_file_is_directory (file))
+ {
+ thunar_application_open_window (application, file, screen, startup_id, FALSE);
+ }
+@@ -1603,18 +1610,20 @@ thunar_application_process_files (ThunarApplication *application)
+ * @startup_id : startup id to finish startup notification and properly focus the
+ * window when focus stealing is enabled or %NULL.
+ * @error : return location for errors or %NULL.
++ * @action : action to invoke on the files
+ *
+ * Tells @application to process the given @filenames and launch them appropriately.
+ *
+ * Return value: %TRUE on success, %FALSE if @error is set.
+ **/
+ gboolean
+-thunar_application_process_filenames (ThunarApplication *application,
+- const gchar *working_directory,
+- gchar **filenames,
+- GdkScreen *screen,
+- const gchar *startup_id,
+- GError **error)
++thunar_application_process_filenames (ThunarApplication *application,
++ const gchar *working_directory,
++ gchar **filenames,
++ GdkScreen *screen,
++ const gchar *startup_id,
++ GError **error,
++ ThunarApplicationProcessAction action)
+ {
+ ThunarFile *file;
+ GError *derror = NULL;
+@@ -1686,7 +1695,10 @@ thunar_application_process_filenames (ThunarApplication *application,
+
+ /* start processing files if we have any to launch */
+ if (application->files_to_launch != NULL)
+- thunar_application_process_files (application);
++ {
++ application->process_file_action = action;
++ thunar_application_process_files (application);
++ }
+
+ /* free the file list */
+ g_list_free (file_list);
+diff --git a/thunar/thunar-application.h b/thunar/thunar-application.h
+index 547cb70..8c180e8 100644
+--- a/thunar/thunar-application.h
++++ b/thunar/thunar-application.h
+@@ -31,6 +31,12 @@ G_BEGIN_DECLS;
+ typedef struct _ThunarApplicationClass ThunarApplicationClass;
+ typedef struct _ThunarApplication ThunarApplication;
+
++typedef enum
++{
++ THUNAR_APPLICATION_LAUNCH_FILES,
++ THUNAR_APPLICATION_SELECT_FILES
++} ThunarApplicationProcessAction;
++
+ #define THUNAR_TYPE_APPLICATION (thunar_application_get_type ())
+ #define THUNAR_APPLICATION(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THUNAR_TYPE_APPLICATION, ThunarApplication))
+ #define THUNAR_APPLICATION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), THUNAR_TYPE_APPLICATION, ThunarApplicationClass))
+@@ -74,7 +80,8 @@ gboolean thunar_application_process_filenames (ThunarAppli
+ gchar **filenames,
+ GdkScreen *screen,
+ const gchar *startup_id,
+- GError **error);
++ GError **error,
++ ThunarApplicationProcessAction action);
+
+ void thunar_application_rename_file (ThunarApplication *application,
+ ThunarFile *file,
+diff --git a/thunar/thunar-dbus-service.c b/thunar/thunar-dbus-service.c
+index 2d27642..4205a2b 100644
+--- a/thunar/thunar-dbus-service.c
++++ b/thunar/thunar-dbus-service.c
+@@ -991,7 +991,7 @@ thunar_dbus_service_launch_files (ThunarDBusFileManager *object,
+ {
+ /* let the application process the filenames */
+ application = thunar_application_get ();
+- thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error);
++ thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error, THUNAR_APPLICATION_LAUNCH_FILES);
+ g_object_unref (G_OBJECT (application));
+
+ /* release the screen */
+--
+2.17.1
+
diff --git a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
index 128043d19..7bef08ed9 100644
--- a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
+++ b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
@@ -8,6 +8,10 @@ inherit xfce gobject-introspection features_check mime-xdg
REQUIRED_DISTRO_FEATURES = "x11"
+SRC_URI += "file://CVE-2021-32563-1.patch \
+ file://CVE-2021-32563-2.patch \
+ "
+
SRC_URI[sha256sum] = "cb531d3fe67196a43ca04979ef271ece7858bbc80c15b0ee4323c1252a1a02b7"
PACKAGECONFIG ??= ""