aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.5.17.bb (renamed from meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb)5
-rw-r--r--meta-gnome/recipes-gnome/tracker/tracker_3.3.2.bb (renamed from meta-gnome/recipes-gnome/tracker/tracker_3.3.0.bb)2
-rw-r--r--meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb2
-rw-r--r--meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb39
-rw-r--r--meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb2
-rw-r--r--meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch27
-rw-r--r--meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb1
-rw-r--r--meta-networking/recipes-protocols/openflow/openflow.inc9
-rw-r--r--meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb4
-rw-r--r--meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb2
-rw-r--r--meta-networking/recipes-support/chrony/chrony_4.2.bb4
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch191
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb1
-rw-r--r--meta-networking/recipes-support/ndisc6/ndisc6_1.0.6.bb (renamed from meta-networking/recipes-support/ndisc6/ndisc6_git.bb)3
-rw-r--r--meta-networking/recipes-support/netperf/files/netserver_permissions.patch29
-rw-r--r--meta-networking/recipes-support/netperf/netperf_git.bb1
-rw-r--r--meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb26
-rw-r--r--meta-networking/recipes-support/spice/spice_git.bb6
-rw-r--r--meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch31
-rw-r--r--meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch92
-rw-r--r--meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb (renamed from meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb)4
-rw-r--r--meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch24
-rw-r--r--meta-networking/recipes-support/stunnel/stunnel_5.65.bb (renamed from meta-networking/recipes-support/stunnel/stunnel_5.63.bb)2
-rw-r--r--meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb (renamed from meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb)2
-rw-r--r--meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb6
-rw-r--r--meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb2
-rw-r--r--meta-oe/recipes-benchmark/iperf3/iperf3_3.11.bb2
-rw-r--r--meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb4
-rw-r--r--meta-oe/recipes-connectivity/modemmanager/files/0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch42
-rw-r--r--meta-oe/recipes-connectivity/modemmanager/files/0002-fcc-unlock-Make-scripts-POSIX-shell-compatible.patch100
-rw-r--r--meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.8.bb (renamed from meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.6.bb)5
-rw-r--r--meta-oe/recipes-connectivity/thrift/thrift_0.16.0.bb2
-rw-r--r--meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb (renamed from meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb)6
-rw-r--r--meta-oe/recipes-core/emlog/emlog_git.bb11
-rw-r--r--meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb2
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch6
-rw-r--r--meta-oe/recipes-dbs/postgresql/postgresql_14.4.bb (renamed from meta-oe/recipes-dbs/postgresql/postgresql_14.3.bb)6
-rw-r--r--meta-oe/recipes-devtools/php/php_8.1.8.bb (renamed from meta-oe/recipes-devtools/php/php_8.1.6.bb)8
-rw-r--r--meta-oe/recipes-devtools/protobuf/protobuf-c_1.4.1.bb (renamed from meta-oe/recipes-devtools/protobuf/protobuf-c_1.4.0.bb)4
-rw-r--r--meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb4
-rw-r--r--meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb7
-rw-r--r--meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb6
-rw-r--r--meta-oe/recipes-extended/redis/redis/GNU_SOURCE.patch14
-rw-r--r--meta-oe/recipes-extended/redis/redis_6.2.7.bb (renamed from meta-oe/recipes-extended/redis/redis_6.2.6.bb)2
-rw-r--r--meta-oe/recipes-extended/redis/redis_7.0.4.bb (renamed from meta-oe/recipes-extended/redis/redis_7.0-rc3.bb)2
-rw-r--r--meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb (renamed from meta-oe/recipes-extended/rsyslog/rsyslog_8.2202.0.bb)2
-rw-r--r--meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb4
-rw-r--r--meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb4
-rw-r--r--meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb4
-rw-r--r--meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb4
-rw-r--r--meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb4
-rw-r--r--meta-oe/recipes-graphics/tesseract/tesseract-lang_4.1.0.bb2
-rw-r--r--meta-oe/recipes-support/atop/atop_2.4.0.bb4
-rw-r--r--meta-oe/recipes-support/emacs/emacs_27.2.bb4
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb8
-rw-r--r--meta-oe/recipes-support/libgpiod/libgpiod_1.6.3.bb3
-rw-r--r--meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb5
-rw-r--r--meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd2
-rw-r--r--meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit2
-rw-r--r--meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch99
-rw-r--r--meta-python/recipes-devtools/python/python3-lxml_4.8.0.bb3
-rw-r--r--meta-python/recipes-devtools/python/python3-matplotlib_3.5.1.bb1
-rw-r--r--meta-python/recipes-devtools/python/python3-pybluez/0001-Use-Py_ssize_t-when-parsing-buffer-length-fix-426-42.patch153
-rw-r--r--meta-python/recipes-devtools/python/python3-pybluez_0.23.bb1
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch8
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2_2.4.54.bb (renamed from meta-webserver/recipes-httpd/apache2/apache2_2.4.53.bb)2
-rw-r--r--meta-xfce/recipes-apps/catfish/catfish_4.16.3.bb9
-rw-r--r--meta-xfce/recipes-xfce/exo/exo_4.16.4.bb (renamed from meta-xfce/recipes-xfce/exo/exo_4.16.3.bb)2
68 files changed, 795 insertions, 285 deletions
diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.5.17.bb
index aa1b4c2e9..b29716ad4 100644
--- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
+++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.5.17.bb
@@ -10,8 +10,7 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \
file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \
"
S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}"
-SRC_URI[md5sum] = "90da343e78877d388eb34cefae6799ae"
-SRC_URI[sha256sum] = "55b883aa05d94b2ec746ef3966cb41e66bed6db99f22ddd41d1b8b94bb202efb"
+SRC_URI[sha256sum] = "0489fbb6972581e1b417ab578d543f6ae522e7fa648c3c9b49c789510fd5eb93"
UPSTREAM_CHECK_URI = "https://www.tuxera.com/community/open-source-ntfs-3g/"
UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P<pver>\d+(\.\d+)+)\.tgz"
@@ -50,3 +49,5 @@ do_install:append() {
# Satisfy the -dev runtime dependency
ALLOW_EMPTY:${PN} = "1"
+
+CVE_PRODUCT = "tuxera:ntfs-3g"
diff --git a/meta-gnome/recipes-gnome/tracker/tracker_3.3.0.bb b/meta-gnome/recipes-gnome/tracker/tracker_3.3.2.bb
index bb2396af7..eaa0e065d 100644
--- a/meta-gnome/recipes-gnome/tracker/tracker_3.3.0.bb
+++ b/meta-gnome/recipes-gnome/tracker/tracker_3.3.2.bb
@@ -22,7 +22,7 @@ GNOMEBASEBUILDCLASS = "meson"
inherit gnomebase gsettings gobject-introspection vala gtk-doc manpages bash-completion features_check python3native
-SRC_URI[archive.sha256sum] = "0706f96fe7f95df42acec812c1de7b4593a0d648321ca83506a9d71e22417bda"
+SRC_URI[archive.sha256sum] = "0ed2b98918956d6f16429c607dd8a14c84f4da0a48970fd2eb8c93aba3cf9913"
# gobject-introspection is mandatory and cannot be configured
REQUIRED_DISTRO_FEATURES = "gobject-introspection-data"
diff --git a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
index b848b820c..cb919d79e 100644
--- a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
+++ b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
@@ -3,7 +3,7 @@ LICENSE = "CC-BY-3.0"
# http://www.bigbuckbunny.org/index.php/about/
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7"
-SRC_URI = "https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi"
+SRC_URI = "http://www.peach.themazzone.com/big_buck_bunny_1080p_surround.avi"
SRC_URI[md5sum] = "223991c8b33564eb77988a4c13c1c76a"
SRC_URI[sha256sum] = "69fe2cfe7154a6e752688e3a0d7d6b07b1605bbaf75b56f6470dc7b4c20c06ea"
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
index da7e60419..d6477e340 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
@@ -34,8 +34,15 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0
file://check-openssl-cmds-in-script-bootstrap.patch \
"
+raddbdir="${sysconfdir}/${MLPREFIX}raddb"
+
SRCREV = "af428abda249b2279ba0582180985a9f6f4a144a"
+CVE_CHECK_IGNORE = "\
+ CVE-2002-0318 \
+ CVE-2011-4966 \
+"
+
PARALLEL_MAKE = ""
S = "${WORKDIR}/git"
@@ -48,6 +55,7 @@ EXTRA_OECONF = " --enable-strict-dependencies \
--with-docdir=${docdir}/freeradius-${PV} \
--with-openssl-includes=${STAGING_INCDIR} \
--with-openssl-libraries=${STAGING_LIBDIR} \
+ --with-raddbdir=${raddbdir} \
--without-rlm_ippool \
--without-rlm_cache_memcached \
--without-rlm_counter \
@@ -98,7 +106,9 @@ PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl"
PACKAGECONFIG[rlm-eap-fast] = "--with-rlm_eap_fast, --without-rlm_eap_fast"
PACKAGECONFIG[rlm-eap-pwd] = "--with-rlm_eap_pwd, --without-rlm_eap_pwd"
-inherit useradd autotools-brokensep update-rc.d systemd
+inherit useradd autotools-brokensep update-rc.d systemd multilib_script multilib_header
+
+MULTILIB_SCRIPTS = "${PN}:${sbindir}/checkrad"
# This is not a cpan or python based package, but it needs some definitions
# from cpan-base and python3-dir bbclasses for building rlm_perl and rlm_python
@@ -141,7 +151,7 @@ do_install() {
oe_runmake install R=${D} INSTALLSTRIP=""
# remove unsupported config files
- rm -f ${D}/${sysconfdir}/raddb/experimental.conf
+ rm -f ${D}/${raddbdir}/experimental.conf
# remove scripts that required Perl(DBI)
rm -rf ${D}/${bindir}/radsqlrelay
@@ -153,7 +163,7 @@ do_install() {
rm -rf ${D}/${localstatedir}/log/
install -m 0644 ${WORKDIR}/volatiles.58_radiusd ${D}${sysconfdir}/default/volatiles/58_radiusd
- chown -R radiusd:radiusd ${D}/${sysconfdir}/raddb/
+ chown -R radiusd:radiusd ${D}/${raddbdir}
chown -R radiusd:radiusd ${D}/${localstatedir}/lib/radiusd
# For systemd
@@ -169,6 +179,9 @@ do_install() {
install -d ${D}${sysconfdir}/tmpfiles.d/
install -m 0644 ${WORKDIR}/radiusd-volatiles.conf ${D}${sysconfdir}/tmpfiles.d/radiusd.conf
fi
+ oe_multilib_header freeradius/autoconf.h
+ oe_multilib_header freeradius/missing.h
+ oe_multilib_header freeradius/radpaths.h
}
# This is only needed when we install/update on a running target.
@@ -183,7 +196,7 @@ pkg_postinst:${PN} () {
fi
# Fix ownership for /etc/raddb/*, /var/lib/radiusd
- chown -R radiusd:radiusd ${sysconfdir}/raddb
+ chown -R radiusd:radiusd ${raddbdir}
chown -R radiusd:radiusd ${localstatedir}/lib/radiusd
fi
}
@@ -204,30 +217,30 @@ PACKAGES =+ "${PN}-utils ${PN}-ldap ${PN}-krb5 ${PN}-perl \
FILES:${PN}-utils = "${bindir}/*"
FILES:${PN}-ldap = "${libdir}/rlm_ldap.so* \
- ${sysconfdir}/raddb/mods-available/ldap \
+ ${raddbdir}/mods-available/ldap \
"
FILES:${PN}-krb5 = "${libdir}/rlm_krb5.so* \
- ${sysconfdir}/raddb/mods-available/krb5 \
+ ${raddbdir}/mods-available/krb5 \
"
FILES:${PN}-perl = "${libdir}/rlm_perl.so* \
- ${sysconfdir}/raddb/mods-config/perl \
- ${sysconfdir}/raddb/mods-available/perl \
+ ${raddbdir}/mods-config/perl \
+ ${raddbdir}/mods-available/perl \
"
FILES:${PN}-python = "${libdir}/rlm_python3.so* \
- ${sysconfdir}/raddb/mods-config/python3 \
- ${sysconfdir}/raddb/mods-available/python3 \
+ ${raddbdir}/mods-config/python3 \
+ ${raddbdir}/mods-available/python3 \
"
FILES:${PN}-mysql = "${libdir}/rlm_sql_mysql.so* \
- ${sysconfdir}/raddb/mods-config/sql/*/mysql \
- ${sysconfdir}/raddb/mods-available/sql \
+ ${raddbdir}/mods-config/sql/*/mysql \
+ ${raddbdir}/mods-available/sql \
"
FILES:${PN}-postgresql = "${libdir}/rlm_sql_postgresql.so* \
- ${sysconfdir}/raddb/mods-config/sql/*/postgresql \
+ ${raddbdir}/mods-config/sql/*/postgresql \
"
FILES:${PN}-unixodbc = "${libdir}/rlm_sql_unixodbc.so*"
diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
index 6c665d53b..e3b1296a6 100644
--- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
+++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.36.2.bb
@@ -83,7 +83,7 @@ PACKAGECONFIG[bluez5] = "-Dbluez5_dun=true,-Dbluez5_dun=false,bluez5"
# consolekit is not picked by shlibs, so add it to RDEPENDS too
PACKAGECONFIG[consolekit] = "-Dsession_tracking_consolekit=true,-Dsession_tracking_consolekit=false,consolekit,consolekit"
PACKAGECONFIG[modemmanager] = "-Dmodem_manager=true,-Dmodem_manager=false,modemmanager mobile-broadband-provider-info"
-PACKAGECONFIG[ppp] = "-Dppp=true,-Dppp=false,ppp,ppp"
+PACKAGECONFIG[ppp] = "-Dppp=true -Dpppd=/usr/sbin/pppd,-Dppp=false,ppp,ppp"
PACKAGECONFIG[dnsmasq] = "-Ddnsmasq=${bindir}/dnsmasq"
PACKAGECONFIG[nss] = "-Dcrypto=nss,,nss"
PACKAGECONFIG[resolvconf] = "-Dresolvconf=${base_sbindir}/resolvconf,-Dresolvconf=no,,resolvconf"
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
new file mode 100644
index 000000000..3d67f4741
--- /dev/null
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch
@@ -0,0 +1,27 @@
+From 078f98ea154475d953ce5b7cd851732f4dc270a7 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 5 Jul 2022 09:31:07 +0530
+Subject: [PATCH] CVE-2022-24407
+
+Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc]
+CVE: CVE-2022-24407
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ plugins/sql.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/sql.c b/plugins/sql.c
+index 6ac81c2f..d90dbac9 100644
+--- a/plugins/sql.c
++++ b/plugins/sql.c
+@@ -1127,6 +1127,7 @@ static int sql_auxprop_lookup(void *glob_context,
+ done:
+ if (escap_userid) sparams->utils->free(escap_userid);
+ if (escap_realm) sparams->utils->free(escap_realm);
++ if (escap_passwd) sparams->utils->free(escap_passwd);
+ if (conn) settings->sql_engine->sql_close(conn);
+ if (userid) sparams->utils->free(userid);
+ if (realm) sparams->utils->free(realm);
+--
+2.25.1
+
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
index 98899dfd5..e344733ef 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.28.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=cyrus-sas
file://saslauthd.service \
file://saslauthd.conf \
file://CVE-2019-19906.patch \
+ file://CVE-2022-24407.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives"
diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc
index 15eb65ad3..aaad0e00e 100644
--- a/meta-networking/recipes-protocols/openflow/openflow.inc
+++ b/meta-networking/recipes-protocols/openflow/openflow.inc
@@ -13,6 +13,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2"
SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master"
+CVE_CHECK_IGNORE = "\
+ CVE-2015-1611 \
+ CVE-2015-1612 \
+"
+
DEPENDS = "virtual/libc"
PACKAGECONFIG ??= ""
@@ -53,3 +58,7 @@ do_install:append() {
}
FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
+
+# This CVE is not for this product but cve-check assumes it is
+# because two CPE collides when checking the NVD database
+CVE_CHECK_IGNORE = "CVE-2018-1078"
diff --git a/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb b/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb
index a7697a1ae..984264a30 100644
--- a/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb
+++ b/meta-networking/recipes-protocols/quagga/quagga_1.2.4.bb
@@ -2,3 +2,7 @@ require quagga.inc
SRC_URI[md5sum] = "eced21b054d71c9e1b7c6ac43286a166"
SRC_URI[sha256sum] = "e364c082c3309910e1eb7b068bf39ee298e2f2f3f31a6431a5c115193bd653d3"
+
+CVE_CHECK_IGNORE += "\
+ CVE-2016-4049 \
+"
diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
index 4f8e4d428..dcfa7406d 100644
--- a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
+++ b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
@@ -23,3 +23,5 @@ PACKAGECONFIG[inet] = "--enable-inet,--disable-inet,"
PACKAGECONFIG[inet6] = "--enable-inet6,--disable-inet6,"
EXTRA_OECONF += "--disable-debug"
+
+CVE_VERSION = "0.9.3.0"
diff --git a/meta-networking/recipes-support/chrony/chrony_4.2.bb b/meta-networking/recipes-support/chrony/chrony_4.2.bb
index 57dd635dc..8ce9e1db5 100644
--- a/meta-networking/recipes-support/chrony/chrony_4.2.bb
+++ b/meta-networking/recipes-support/chrony/chrony_4.2.bb
@@ -126,6 +126,10 @@ do_install() {
${D}${systemd_unitdir}/system/chronyd.service
sed -i 's!^PATH=.*!PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}${sysconfdir}/init.d/chronyd
sed -i 's!^EnvironmentFile=.*!EnvironmentFile=-${sysconfdir}/default/chronyd!' ${D}${systemd_unitdir}/system/chronyd.service
+
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d /var/lib/chrony 0755 root root -" > ${D}${sysconfdir}/tmpfiles.d/chronyd.conf
+
}
FILES:${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}/lib/chrony ${localstatedir}"
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch
new file mode 100644
index 000000000..6bd734d75
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch
@@ -0,0 +1,191 @@
+From 3cdecc159e0f417a2f8d43d99632af26beea630f Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 31 Mar 2022 21:35:20 +0100
+Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934
+ refers.
+
+CVE: CVE-2022-0934
+
+Upstream-Status: Backport
+[https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=03345ecefe]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ CHANGELOG | 3 +++
+ src/rfc3315.c | 48 +++++++++++++++++++++++++++---------------------
+ 2 files changed, 30 insertions(+), 21 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 5e54df9..a28da2a 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,4 +1,7 @@
+ version 2.86
++ Fix write-after-free error in DHCPv6 server code.
++ CVE-2022-0934 refers.
++
+ Handle DHCPREBIND requests in the DHCPv6 server code.
+ Thanks to Aichun Li for spotting this omission, and the initial
+ patch.
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 5c2ff97..6ecfeeb 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -33,9 +33,9 @@ struct state {
+ unsigned int mac_len, mac_type;
+ };
+
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+ struct in6_addr *client_addr, int is_unicast, time_t now);
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
+ static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
+ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
+ static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
+@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
+ }
+
+ /* This cost me blood to write, it will probably cost you blood to understand - srk. */
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+ struct in6_addr *client_addr, int is_unicast, time_t now)
+ {
+ void *end = inbuff + sz;
+ void *opts = inbuff + 34;
+- int msg_type = *((unsigned char *)inbuff);
++ int msg_type = *inbuff;
+ unsigned char *outmsgtypep;
+ void *opt;
+ struct dhcp_vendor *vendor;
+@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+ return 1;
+ }
+
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
+ {
+ void *opt;
+- int i, o, o1, start_opts;
++ int i, o, o1, start_opts, start_msg;
+ struct dhcp_opt *opt_cfg;
+ struct dhcp_netid *tagif;
+ struct dhcp_config *config = NULL;
+ struct dhcp_netid known_id, iface_id, v6_id;
+- unsigned char *outmsgtypep;
++ unsigned char outmsgtype;
+ struct dhcp_vendor *vendor;
+ struct dhcp_context *context_tmp;
+ struct dhcp_mac *mac_opt;
+@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ v6_id.next = state->tags;
+ state->tags = &v6_id;
+
+- /* copy over transaction-id, and save pointer to message type */
+- if (!(outmsgtypep = put_opt6(inbuff, 4)))
++ start_msg = save_counter(-1);
++ /* copy over transaction-id */
++ if (!put_opt6(inbuff, 4))
+ return 0;
+ start_opts = save_counter(-1);
+- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
+-
++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
++
+ /* We're going to be linking tags from all context we use.
+ mark them as unused so we don't link one twice and break the list */
+ for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
+@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
+
+ {
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6USEMULTI);
+ put_opt6_string("Use multicast");
+@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ struct dhcp_netid *solicit_tags;
+ struct dhcp_context *c;
+
+- *outmsgtypep = DHCP6ADVERTISE;
++ outmsgtype = DHCP6ADVERTISE;
+
+ if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
+ {
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ state->lease_allocate = 1;
+ o = new_opt6(OPTION6_RAPID_COMMIT);
+ end_opt6(o);
+@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ int start = save_counter(-1);
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ state->lease_allocate = 1;
+
+ log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
+@@ -924,7 +925,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ int address_assigned = 0;
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL);
+
+@@ -1057,7 +1058,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ int good_addr = 0;
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
+
+@@ -1121,7 +1122,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
+ if (ignore)
+ return 0;
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ tagif = add_options(state, 1);
+ break;
+ }
+@@ -1130,7 +1131,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ case DHCP6RELEASE:
+ {
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPRELEASE", NULL, NULL);
+
+@@ -1195,7 +1196,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ case DHCP6DECLINE:
+ {
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPDECLINE", NULL, NULL);
+
+@@ -1275,7 +1276,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
+ }
+
+ }
+-
++
++ /* Fill in the message type. Note that we store the offset,
++ not a direct pointer, since the packet memory may have been
++ reallocated. */
++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
++
+ log_tags(tagif, state->xid);
+ log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
+
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb
index 31ca51ec6..0f7880ce8 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb
@@ -3,5 +3,6 @@ require dnsmasq.inc
SRC_URI[dnsmasq-2.86.sha256sum] = "ef15f608a83ee2b1d1d2c1f11d089a7e0ac401ffb0991de73fc01ce5f290e512"
SRC_URI += "\
file://lua.patch \
+ file://CVE-2022-0934.patch \
"
diff --git a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb b/meta-networking/recipes-support/ndisc6/ndisc6_1.0.6.bb
index f5467794e..6861314a0 100644
--- a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
+++ b/meta-networking/recipes-support/ndisc6/ndisc6_1.0.6.bb
@@ -5,8 +5,7 @@ HOMEPAGE = "http://www.remlab.net/ndisc6/"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
-PV = "1.0.5"
-SRCREV = "b706f5f01aa82aa0db678fffd15a1527f330c507"
+SRCREV = "7e314b23329f9c24c4c097b8513673fed7e7158a"
SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http;branch=master \
file://0001-autogen-Do-not-symlink-gettext.h-from-build-host.patch \
"
diff --git a/meta-networking/recipes-support/netperf/files/netserver_permissions.patch b/meta-networking/recipes-support/netperf/files/netserver_permissions.patch
new file mode 100644
index 000000000..55316363e
--- /dev/null
+++ b/meta-networking/recipes-support/netperf/files/netserver_permissions.patch
@@ -0,0 +1,29 @@
+From 78c9ae7d9a6735575bc72dd28a19b2bc3a251981 Mon Sep 17 00:00:00 2001
+From: Andrew Elble <aweits@rit.edu>
+Date: Mon, 8 Oct 2018 14:31:20 -0400
+Subject: [PATCH] netserver: don't change permissions on /dev/null
+
+the (now default) suppress_debug=1 changes permissions on /dev/null
+to 0644. Don't do this.
+
+Upstream-Status: Pending [https://github.com/HewlettPackard/netperf/pull/27/commits/78c9ae7d9a6735575bc72dd28a19b2bc3a251981]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+---
+ src/netserver.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/netserver.c b/src/netserver.c
+index 00c8d23..86a1c45 100644
+--- a/src/netserver.c
++++ b/src/netserver.c
+@@ -278,7 +278,8 @@ open_debug_file()
+
+ #if !defined(WIN32)
+
+- chmod(FileName,0644);
++ if (!suppress_debug)
++ chmod(FileName,0644);
+
+ /* redirect stdin to "/dev/null" */
+ rd_null_fp = fopen(NETPERF_NULL,"r");
diff --git a/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-networking/recipes-support/netperf/netperf_git.bb
index 62ba966d0..06b2eddbb 100644
--- a/meta-networking/recipes-support/netperf/netperf_git.bb
+++ b/meta-networking/recipes-support/netperf/netperf_git.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=ht
file://netserver.service \
file://0001-netlib.c-Move-including-sched.h-out-og-function.patch \
file://0001-nettest_omni-Remove-duplicate-variable-definitions.patch \
+ file://netserver_permissions.patch \
"
SRCREV = "3bc455b23f901dae377ca0a558e1e32aa56b31c4"
diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
index fe2bd0773..a30f720bb 100644
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb
@@ -29,7 +29,31 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19"
# CVE-2016-9312 is only for windows.
-CVE_CHECK_IGNORE += "CVE-2016-9312"
+# The other CVEs are not correctly identified because cve-check
+# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference)
+CVE_CHECK_IGNORE += "\
+ CVE-2016-9312 \
+ CVE-2015-5146 \
+ CVE-2015-5300 \
+ CVE-2015-7975 \
+ CVE-2015-7976 \
+ CVE-2015-7977 \
+ CVE-2015-7978 \
+ CVE-2015-7979 \
+ CVE-2015-8138 \
+ CVE-2015-8139 \
+ CVE-2015-8140 \
+ CVE-2015-8158 \
+ CVE-2016-1547 \
+ CVE-2016-2516 \
+ CVE-2016-2517 \
+ CVE-2016-2519 \
+ CVE-2016-7429 \
+ CVE-2016-7433 \
+ CVE-2016-9310 \
+ CVE-2016-9311 \
+"
+
inherit autotools update-rc.d useradd systemd pkgconfig
diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb
index d9083bcbe..1887a5582 100644
--- a/meta-networking/recipes-support/spice/spice_git.bb
+++ b/meta-networking/recipes-support/spice/spice_git.bb
@@ -30,6 +30,12 @@ SRC_URI = " \
S = "${WORKDIR}/git"
+CVE_CHECK_IGNORE += "\
+ CVE-2016-0749 \
+ CVE-2016-2150 \
+ CVE-2018-10893 \
+"
+
inherit autotools gettext python3native python3-dir pkgconfig
DEPENDS += "spice-protocol jpeg pixman alsa-lib glib-2.0 python3-pyparsing-native python3-six-native glib-2.0-native"
diff --git a/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch b/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch
new file mode 100644
index 000000000..e730fe1cd
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/0001-enum-Fix-compiler-warning.patch
@@ -0,0 +1,31 @@
+From d23c0ea81e630af3cfda89aeeb52146c0c84c960 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 2 May 2022 09:31:49 +0200
+Subject: [PATCH] enum: Fix compiler warning
+
+Closes strongswan/strongswan#1025
+
+Upstream-Status: Backport
+[https://github.com/strongswan/strongswan/commit/d23c0ea81e630af3cfda89aeeb52146c0c84c960]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/libstrongswan/utils/enum.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c
+index 79da450f0c..1e77489f6f 100644
+--- a/src/libstrongswan/utils/enum.c
++++ b/src/libstrongswan/utils/enum.c
+@@ -97,7 +97,7 @@ char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len)
+ return buf;
+ }
+
+- if (snprintf(buf, len, e->names[0]) >= len)
++ if (snprintf(buf, len, "%s", e->names[0]) >= len)
+ {
+ return NULL;
+ }
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch b/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch
deleted file mode 100644
index 7da48cd2c..000000000
--- a/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 3eecd40cec6415fc033f8d9141ab652047e71524 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Wed, 23 Feb 2022 17:29:02 +0100
-Subject: [PATCH] openssl: Don't unload providers
-
-There is a conflict between atexit() handlers registered by OpenSSL and
-some executables (e.g. swanctl or pki) to deinitialize libstrongswan.
-Because plugins are usually loaded after atexit() has been called, the
-handler registered by OpenSSL will run before our handler. So when the
-latter destroys the plugins it's a bad idea to try to access any OpenSSL
-objects as they might already be invalid.
-
-Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.")
-Closes strongswan/strongswan#921
-
-Upstream-Status: Backport
-[https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- .../plugins/openssl/openssl_plugin.c | 27 +++----------------
- 1 file changed, 3 insertions(+), 24 deletions(-)
-
-diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
-index 6b4923649..1491d5cf8 100644
---- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
-+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
-@@ -16,7 +16,6 @@
-
- #include <library.h>
- #include <utils/debug.h>
--#include <collections/array.h>
- #include <threading/thread.h>
- #include <threading/mutex.h>
- #include <threading/thread_value.h>
-@@ -74,13 +73,6 @@ struct private_openssl_plugin_t {
- * public functions
- */
- openssl_plugin_t public;
--
--#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-- /**
-- * Loaded providers
-- */
-- array_t *providers;
--#endif
- };
-
- /**
-@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int,
- METHOD(plugin_t, destroy, void,
- private_openssl_plugin_t *this)
- {
--#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-- OSSL_PROVIDER *provider;
-- while (array_remove(this->providers, ARRAY_TAIL, &provider))
-- {
-- OSSL_PROVIDER_unload(provider);
-- }
-- array_destroy(this->providers);
--#endif /* OPENSSL_VERSION_NUMBER */
--
- /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
- * can't call it as we couldn't re-initialize the library (as required by the
- * unit tests and the Android app) */
-@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create()
- DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
- return NULL;
- }
-- array_insert_create(&this->providers, ARRAY_TAIL, fips);
- /* explicitly load the base provider containing encoding functions */
-- array_insert_create(&this->providers, ARRAY_TAIL,
-- OSSL_PROVIDER_load(NULL, "base"));
-+ OSSL_PROVIDER_load(NULL, "base");
- }
- else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
- TRUE, lib->ns))
- {
- /* load the legacy provider for algorithms like MD4, DES, BF etc. */
-- array_insert_create(&this->providers, ARRAY_TAIL,
-- OSSL_PROVIDER_load(NULL, "legacy"));
-+ OSSL_PROVIDER_load(NULL, "legacy");
- /* explicitly load the default provider, as mentioned by crypto(7) */
-- array_insert_create(&this->providers, ARRAY_TAIL,
-- OSSL_PROVIDER_load(NULL, "default"));
-+ OSSL_PROVIDER_load(NULL, "default");
- }
- ossl_provider_names_t data = {};
- OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
---
-2.25.1
-
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb
index cfb7b41fa..1b82dceac 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb
@@ -9,10 +9,10 @@ DEPENDS = "flex-native flex bison-native"
DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}"
SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
- file://0001-openssl-Don-t-unload-providers.patch \
+ file://0001-enum-Fix-compiler-warning.patch \
"
-SRC_URI[sha256sum] = "983e4ef4a4c6c9d69f5fe6707c7fe0b2b9a9291943bbf4e008faab6bf91c0bdd"
+SRC_URI[sha256sum] = "91d0978ac448912759b85452d8ff0d578aafd4507aaf4f1c1719f9d0c7318ab7"
UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
index aeb0bece9..0840cbbd8 100644
--- a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
+++ b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
@@ -1,3 +1,8 @@
+From 7ff4eba20b5c4fc7365e5ee0dfb775ed29bdd5ce Mon Sep 17 00:00:00 2001
+From: Kai Kang <kai.kang@windriver.com>
+Date: Wed, 1 Nov 2017 09:23:41 -0400
+Subject: [PATCH] stunnel: fix compile error when openssl disable des support
+
Upstream-Status: Pending
When openssl disable des support with configure option 'no-des', it doesn't
@@ -6,12 +11,17 @@ failed. Fix it by checking macro OPENSSL_NO_DES to use openssl des related
library conditionaly.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
---
+ src/common.h | 2 ++
+ src/protocol.c | 6 +++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
diff --git a/src/common.h b/src/common.h
-index f7d38b0..bf485af 100644
+index bc37eb5..03ee3e5 100644
--- a/src/common.h
+++ b/src/common.h
-@@ -478,7 +478,9 @@ extern char *sys_errlist[];
+@@ -486,7 +486,9 @@ extern char *sys_errlist[];
#ifndef OPENSSL_NO_MD4
#include <openssl/md4.h>
#endif /* !defined(OPENSSL_NO_MD4) */
@@ -22,19 +32,19 @@ index f7d38b0..bf485af 100644
#include <openssl/dh.h>
#if OPENSSL_VERSION_NUMBER<0x10100000L
diff --git a/src/protocol.c b/src/protocol.c
-index 587df09..8198eb6 100644
+index 804f115..d9b2b50 100644
--- a/src/protocol.c
+++ b/src/protocol.c
-@@ -67,7 +67,7 @@ NOEXPORT char *imap_server(CLI *, SERVICE_OPTIONS *, const PHASE);
+@@ -66,7 +66,7 @@ NOEXPORT char *nntp_client(CLI *, SERVICE_OPTIONS *, const PHASE);
NOEXPORT char *ldap_client(CLI *, SERVICE_OPTIONS *, const PHASE);
NOEXPORT char *connect_server(CLI *, SERVICE_OPTIONS *, const PHASE);
NOEXPORT char *connect_client(CLI *, SERVICE_OPTIONS *, const PHASE);
-#ifndef OPENSSL_NO_MD4
+#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
NOEXPORT void ntlm(CLI *, SERVICE_OPTIONS *);
- NOEXPORT char *ntlm1();
+ NOEXPORT char *ntlm1(void);
NOEXPORT char *ntlm3(char *, char *, char *, char *);
-@@ -1332,7 +1332,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
+@@ -1351,7 +1351,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
fd_printf(c, c->remote_fd.fd, "Host: %s", opt->protocol_host);
if(opt->protocol_username && opt->protocol_password) {
if(!strcasecmp(opt->protocol_authentication, "ntlm")) {
@@ -43,7 +53,7 @@ index 587df09..8198eb6 100644
ntlm(c, opt);
#else
s_log(LOG_ERR, "NTLM authentication is not available");
-@@ -1376,7 +1376,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
+@@ -1395,7 +1395,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
return NULL;
}
diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.63.bb b/meta-networking/recipes-support/stunnel/stunnel_5.65.bb
index 325737e8c..ab7ff4322 100644
--- a/meta-networking/recipes-support/stunnel/stunnel_5.63.bb
+++ b/meta-networking/recipes-support/stunnel/stunnel_5.65.bb
@@ -11,7 +11,7 @@ SRC_URI = "https://stunnel.org/archive/5.x/${BP}.tar.gz \
file://fix-openssl-no-des.patch \
"
-SRC_URI[sha256sum] = "c74c4e15144a3ae34b8b890bb31c909207301490bd1e51bfaaa5ffeb0a994617"
+SRC_URI[sha256sum] = "60c500063bd1feff2877f5726e38278c086f96c178f03f09d264a2012d6bf7fc"
inherit autotools bash-completion pkgconfig
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
index f1dba227a..38fdbce89 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb
@@ -19,7 +19,7 @@ SRC_URI += " \
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
-SRC_URI[sha256sum] = "a0e227bce2cc3a51ef3301891a0243231990b52a39b68a84a6e32f69c4e75279"
+SRC_URI[sha256sum] = "881a13303e263b7dc7fe337534c8a541d4914552287879bed30bbe76c5bf68ca"
PE = "1"
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
index 7ea728aad..ff4a16e9f 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
@@ -45,6 +45,12 @@ SRC_URI:append:toolchain-clang = "\
S = "${WORKDIR}/git"
+CVE_CHECK_IGNORE += "\
+ CVE-2014-8180 \
+ CVE-2017-18381 \
+ CVE-2017-2665 \
+"
+
COMPATIBLE_HOST ?= '(x86_64|i.86|powerpc64|arm|aarch64).*-linux'
PACKAGECONFIG ??= "tcmalloc system-pcre"
diff --git a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb
index 4a520e3be..86e5fef53 100644
--- a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb
+++ b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb
@@ -19,3 +19,5 @@ EXTRA_OECONF = "--exec-prefix=${STAGING_DIR_HOST}${layout_exec_prefix}"
PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}"
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+
+CVE_PRODUCT = "iperf_project:iperf"
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.11.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.11.bb
index a6af23aec..2142a8ef1 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.11.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.11.bb
@@ -30,3 +30,5 @@ PACKAGECONFIG[lksctp] = "ac_cv_header_netinet_sctp_h=yes,ac_cv_header_netinet_sc
PACKAGECONFIG[openssl] = "--with-openssl=${RECIPE_SYSROOT}${prefix},--without-openssl,openssl"
CFLAGS += "-D_GNU_SOURCE"
+
+CVE_PRODUCT = "iperf_project:iperf"
diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
index 2fa24b29b..28a3e1e77 100644
--- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
+++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
@@ -11,6 +11,10 @@ SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https \
"
SRCREV = "756f70010779927dc0691e1e722ed433d5d295e1"
+CVE_CHECK_IGNORE += "\
+ CVE-2009-1760 \
+"
+
PV = "0.13.8"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-connectivity/modemmanager/files/0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch b/meta-oe/recipes-connectivity/modemmanager/files/0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch
index 7c3e7750a..914760512 100644
--- a/meta-oe/recipes-connectivity/modemmanager/files/0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch
+++ b/meta-oe/recipes-connectivity/modemmanager/files/0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch
@@ -1,42 +1,44 @@
-From f7a3292c1c753b29384e216693f51a4213fea7d0 Mon Sep 17 00:00:00 2001
+From 35173fa04d0116ba30a86dc1a19f859f2be14a24 Mon Sep 17 00:00:00 2001
From: "Bruce A. Johnson" <waterfordtrack@gmail.com>
Date: Wed, 22 Dec 2021 14:24:02 -0500
-Subject: [PATCH 1/2] core: switch bash shell scripts to use /bin/sh for use
+Subject: [PATCH] core: switch bash shell scripts to use /bin/sh for use
w/Busybox.
Fixes https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/483
+
+%% original patch: 0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch
---
- data/fcc-unlock/105b | 2 +-
- data/fcc-unlock/1199 | 2 +-
- data/fcc-unlock/1eac | 2 +-
- test/mmcli-test-sms | 2 +-
- tools/tests/test-wrapper.sh.in | 2 +-
+ data/dispatcher-fcc-unlock/105b | 2 +-
+ data/dispatcher-fcc-unlock/1199 | 2 +-
+ data/dispatcher-fcc-unlock/1eac | 2 +-
+ test/mmcli-test-sms | 2 +-
+ tools/tests/test-wrapper.sh.in | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
-diff --git a/data/fcc-unlock/105b b/data/fcc-unlock/105b
-index 21fe5329..f276050f 100644
---- a/data/fcc-unlock/105b
-+++ b/data/fcc-unlock/105b
+diff --git a/data/dispatcher-fcc-unlock/105b b/data/dispatcher-fcc-unlock/105b
+index 444bd51f..772c90f4 100644
+--- a/data/dispatcher-fcc-unlock/105b
++++ b/data/dispatcher-fcc-unlock/105b
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
# SPDX-License-Identifier: CC0-1.0
# 2021 Aleksander Morgado <aleksander@aleksander.es>
-diff --git a/data/fcc-unlock/1199 b/data/fcc-unlock/1199
-index 0109c6ab..e1d3804c 100644
---- a/data/fcc-unlock/1199
-+++ b/data/fcc-unlock/1199
+diff --git a/data/dispatcher-fcc-unlock/1199 b/data/dispatcher-fcc-unlock/1199
+index 83ab2c9e..6dbf8d1b 100644
+--- a/data/dispatcher-fcc-unlock/1199
++++ b/data/dispatcher-fcc-unlock/1199
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
# SPDX-License-Identifier: CC0-1.0
# 2021 Aleksander Morgado <aleksander@aleksander.es>
-diff --git a/data/fcc-unlock/1eac b/data/fcc-unlock/1eac
-index 1068d9c2..d9342852 100644
---- a/data/fcc-unlock/1eac
-+++ b/data/fcc-unlock/1eac
+diff --git a/data/dispatcher-fcc-unlock/1eac b/data/dispatcher-fcc-unlock/1eac
+index 1a048dc8..44ce46d7 100644
+--- a/data/dispatcher-fcc-unlock/1eac
++++ b/data/dispatcher-fcc-unlock/1eac
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
@@ -64,5 +66,5 @@ index d64ea4cb..fcdb56de 100644
# For debugging behavior of test-modemmanager-service.py, you can modify
# this line to add --log-file option
--
-2.34.1
+2.35.3
diff --git a/meta-oe/recipes-connectivity/modemmanager/files/0002-fcc-unlock-Make-scripts-POSIX-shell-compatible.patch b/meta-oe/recipes-connectivity/modemmanager/files/0002-fcc-unlock-Make-scripts-POSIX-shell-compatible.patch
deleted file mode 100644
index d911d54ce..000000000
--- a/meta-oe/recipes-connectivity/modemmanager/files/0002-fcc-unlock-Make-scripts-POSIX-shell-compatible.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From ddf634b92bf96b35f521db6da329628b4525c2eb Mon Sep 17 00:00:00 2001
-From: Sven Schwermer <sven.schwermer@disruptive-technologies.com>
-Date: Fri, 25 Feb 2022 21:37:13 +0100
-Subject: [PATCH 2/2] fcc-unlock: Make scripts POSIX shell compatible
-
-This allows us to not rely on bash which may not be available on
-constrained systems, e.g. Yocto-built embedded systems. The scripts now
-pass shellcheck.
-
-Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com>
----
- data/fcc-unlock/105b | 8 ++++----
- data/fcc-unlock/1199 | 6 +++---
- data/fcc-unlock/1eac | 8 ++++----
- 3 files changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/data/fcc-unlock/105b b/data/fcc-unlock/105b
-index f276050f..772c90f4 100644
---- a/data/fcc-unlock/105b
-+++ b/data/fcc-unlock/105b
-@@ -15,20 +15,20 @@ shift
- # second and next arguments are control port names
- for PORT in "$@"; do
- # match port type in Linux 5.14 and newer
-- grep -q MBIM /sys/class/wwan/${PORT}/type 2>/dev/null && {
-+ grep -q MBIM "/sys/class/wwan/$PORT/type" 2>/dev/null && {
- MBIM_PORT=$PORT
- break
- }
- # match port name in Linux 5.13
-- [[ $PORT == *"MBIM"* ]] && {
-+ echo "$PORT" | grep -q MBIM && {
- MBIM_PORT=$PORT
- break
- }
- done
-
- # fail if no MBIM port exposed
--[ -n "${MBIM_PORT}" ] || exit 2
-+[ -n "$MBIM_PORT" ] || exit 2
-
- # run qmicli operation over MBIM
--qmicli --device-open-proxy --device=/dev/${MBIM_PORT} --dms-foxconn-set-fcc-authentication=0
-+qmicli --device-open-proxy --device="/dev/$MBIM_PORT" --dms-foxconn-set-fcc-authentication=0
- exit $?
-diff --git a/data/fcc-unlock/1199 b/data/fcc-unlock/1199
-index e1d3804c..6dbf8d1b 100644
---- a/data/fcc-unlock/1199
-+++ b/data/fcc-unlock/1199
-@@ -19,15 +19,15 @@ shift
- # second and next arguments are control port names
- for PORT in "$@"; do
- # match port name
-- [[ $PORT == *"cdc-wdm"* ]] && {
-+ echo "$PORT" | grep -q cdc-wdm && {
- CDC_WDM_PORT=$PORT
- break
- }
- done
-
- # fail if no cdc-wdm port exposed
--[ -n "${CDC_WDM_PORT}" ] || exit 2
-+[ -n "$CDC_WDM_PORT" ] || exit 2
-
- # run qmicli operation
--qmicli --device-open-proxy --device=/dev/${CDC_WDM_PORT} --dms-set-fcc-authentication
-+qmicli --device-open-proxy --device="/dev/$CDC_WDM_PORT" --dms-set-fcc-authentication
- exit $?
-diff --git a/data/fcc-unlock/1eac b/data/fcc-unlock/1eac
-index d9342852..44ce46d7 100644
---- a/data/fcc-unlock/1eac
-+++ b/data/fcc-unlock/1eac
-@@ -15,20 +15,20 @@ shift
- # second and next arguments are control port names
- for PORT in "$@"; do
- # match port type in Linux 5.14 and newer
-- grep -q MBIM /sys/class/wwan/${PORT}/type 2>/dev/null && {
-+ grep -q MBIM "/sys/class/wwan/$PORT/type" 2>/dev/null && {
- MBIM_PORT=$PORT
- break
- }
- # match port name in Linux 5.13
-- [[ $PORT == *"MBIM"* ]] && {
-+ echo "$PORT" | grep -q MBIM && {
- MBIM_PORT=$PORT
- break
- }
- done
-
- # fail if no MBIM port exposed
--[ -n "${MBIM_PORT}" ] || exit 2
-+[ -n "$MBIM_PORT" ] || exit 2
-
- # run mbimcli operation
--mbimcli --device-open-proxy --device=/dev/${MBIM_PORT} --quectel-set-radio-state=on
-+mbimcli --device-open-proxy --device="/dev/$MBIM_PORT" --quectel-set-radio-state=on
- exit $?
---
-2.34.1
-
diff --git a/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.6.bb b/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.8.bb
index 14d9942c0..28f81ba6e 100644
--- a/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.6.bb
+++ b/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.8.bb
@@ -12,13 +12,12 @@ inherit gnomebase gettext systemd gobject-introspection bash-completion
DEPENDS = "glib-2.0 libgudev libxslt-native dbus"
-SRCREV ?= "a7bcf2036b34d5043dbc33fee7d98bae5859c4d3"
+SRCREV ?= "0d8b5e93fc62eb0f41e18a2d9d845331d7af36ec"
-# Patches 0001, 0002 will be in ModemManager > 1.18.6
+# Patch 0001 will be in ModemManager > 1.19
SRC_URI = " \
git://gitlab.freedesktop.org/mobile-broadband/ModemManager.git;protocol=https;branch=mm-1-18 \
file://0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch \
- file://0002-fcc-unlock-Make-scripts-POSIX-shell-compatible.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-connectivity/thrift/thrift_0.16.0.bb b/meta-oe/recipes-connectivity/thrift/thrift_0.16.0.bb
index 2d601a2f9..8141abef5 100644
--- a/meta-oe/recipes-connectivity/thrift/thrift_0.16.0.bb
+++ b/meta-oe/recipes-connectivity/thrift/thrift_0.16.0.bb
@@ -15,6 +15,8 @@ SRC_URI[sha256sum] = "f460b5c1ca30d8918ff95ea3eb6291b3951cf518553566088f3f2be898
BBCLASSEXTEND = "native nativesdk"
+CVE_PRODUCT = "apache:thrift"
+
inherit pkgconfig cmake python3native
export STAGING_INCDIR
diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
index 66c80758c..f5d89d6c3 100644
--- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb
@@ -23,13 +23,13 @@ DEPENDS = "libevent libpcre openldap virtual/libiconv zlib"
PACKAGE_ARCH = "${MACHINE_ARCH}"
-SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.2/${BPN}-${PV}.tar.gz \
+SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz \
file://0001-Fix-configure.ac.patch \
file://zabbix-agent.service \
"
-SRC_URI[md5sum] = "31dab3535a1fa212f5724902727f6d4d"
-SRC_URI[sha256sum] = "76cb704f2a04fbc87bb3eff44fa71339c355d467f7bbd8fb53f8927c760e1680"
+SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e"
+SRC_URI[sha256sum] = "d60d5515807c30c05d0900b83a7e6ef6479929aef7d6f248fba481c4816bacf4"
inherit autotools-brokensep linux-kernel-base pkgconfig systemd useradd
diff --git a/meta-oe/recipes-core/emlog/emlog_git.bb b/meta-oe/recipes-core/emlog/emlog_git.bb
index be9ae5823..05fa0c334 100644
--- a/meta-oe/recipes-core/emlog/emlog_git.bb
+++ b/meta-oe/recipes-core/emlog/emlog_git.bb
@@ -24,3 +24,14 @@ do_install() {
}
RRECOMMENDS:${PN} += "kernel-module-emlog"
+
+# The NVD database doesn't have a CPE for this product,
+# the name of this product is exactly the same as github.com/emlog/emlog
+# but it's not related in any way. The following CVEs are from that project
+# so they can be safely ignored
+CVE_CHECK_IGNORE += "\
+ CVE-2019-16868 \
+ CVE-2019-17073 \
+ CVE-2021-44584 \
+ CVE-2022-1526 \
+"
diff --git a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb
index 87750ec79..6afc45ab7 100644
--- a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb
+++ b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/google/leveldb"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=92d1b128950b11ba8495b64938fc164d"
-SRC_URI = "git://github.com/google/${BPN}.git;branch=master;protocol=https \
+SRC_URI = "git://github.com/google/${BPN}.git;branch=main;protocol=https \
file://run-ptest"
SRCREV = "78b39d68c15ba020c0d60a3906fb66dbf1697595"
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch
index 78f24585e..2256bccec 100644
--- a/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch
@@ -1,4 +1,4 @@
-From f7084ba49758a6b8db46b917b7c0f831bd65a08f Mon Sep 17 00:00:00 2001
+From 07e605015fad0621c3e67133ff9330a5c6318daa Mon Sep 17 00:00:00 2001
From: Yi Fan Yu <yifan.yu@windriver.com>
Date: Fri, 5 Feb 2021 17:15:42 -0500
Subject: [PATCH] configure.ac: bypass autoconf 2.69 version check
@@ -14,12 +14,12 @@ Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
1 file changed, 4 deletions(-)
diff --git a/configure.ac b/configure.ac
-index d3c55f2..9120184 100644
+index 04ef7be..0eb595b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros
- AC_INIT([PostgreSQL], [14.3], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
+ AC_INIT([PostgreSQL], [14.4], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
-m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required.
-Untested combinations of 'autoconf' and PostgreSQL versions are not
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_14.3.bb b/meta-oe/recipes-dbs/postgresql/postgresql_14.4.bb
index c686c9b35..64e83b2cd 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_14.3.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_14.4.bb
@@ -10,4 +10,8 @@ SRC_URI += "\
file://remove_duplicate.patch \
"
-SRC_URI[sha256sum] = "279057368bf59a919c05ada8f95c5e04abb43e74b9a2a69c3d46a20e07a9af38"
+SRC_URI[sha256sum] = "c23b6237c5231c791511bdc79098617d6852e9e3bdf360efd8b5d15a1a3d8f6a"
+
+CVE_CHECK_IGNORE += "\
+ CVE-2017-8806 \
+"
diff --git a/meta-oe/recipes-devtools/php/php_8.1.6.bb b/meta-oe/recipes-devtools/php/php_8.1.8.bb
index 96af595a4..d5cf7d8b2 100644
--- a/meta-oe/recipes-devtools/php/php_8.1.6.bb
+++ b/meta-oe/recipes-devtools/php/php_8.1.8.bb
@@ -33,7 +33,13 @@ SRC_URI:append:class-target = " \
"
S = "${WORKDIR}/php-${PV}"
-SRC_URI[sha256sum] = "7b353304b7407554f70d3e101a226a1fc22decae5c4c42ed270c4e389bfa1b66"
+SRC_URI[sha256sum] = "b8815a5a02431453d4261e3598bd1f28516e4c0354f328c12890f257870e4c01"
+
+CVE_CHECK_IGNORE += "\
+ CVE-2007-2728 \
+ CVE-2007-3205 \
+ CVE-2007-4596 \
+"
inherit autotools pkgconfig python3native gettext
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.4.0.bb b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.4.1.bb
index b3423ba84..d724287d6 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.4.0.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.4.1.bb
@@ -8,12 +8,12 @@ has been split out into the protobuf-c-rpc project."
HOMEPAGE = "https://github.com/protobuf-c/protobuf-c"
SECTION = "console/tools"
LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=cb901168715f4782a2b06c3ddaefa558"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9f725889e0d77383e26cb42b0b62cea2"
DEPENDS = "protobuf-native protobuf"
SRC_URI = "git://github.com/protobuf-c/protobuf-c.git;branch=master;protocol=https"
-SRCREV = "f224ab2eeb648a818eb20687d7150a285442c907"
+SRCREV = "abc67a11c6db271bedbb9f58be85d6f4e2ea8389"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb b/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
index e9cb7adb8..df90b629a 100644
--- a/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
+++ b/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
@@ -18,6 +18,10 @@ SRC_URI[sha256sum] = "53e15a2b5c1bc80161d42e9f69792a3fa18332b7b771910131004eb520
S = "${WORKDIR}/imap-${PV}"
+CVE_CHECK_IGNORE += "\
+ CVE-2005-0198 \
+"
+
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
PACKAGECONFIG[pam] = ",,libpam"
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb
index 2cea50dfb..7a613bcc9 100644
--- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.8.bb
@@ -19,7 +19,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https;branch=master \
file://0004-Modify-systemd-config-directory.patch \
file://0001-cmake-Link-with-libatomic-on-rv32-rv64.patch \
"
-SRCREV = "0138c00811c86eab4ff6bff3c6528163885ade19"
+SRCREV = "6a3bd901d825c7206797e36ea98e10a218f5aad2"
PV .= "+2.18.9git${SRCPV}"
@@ -27,7 +27,7 @@ S = "${WORKDIR}/git"
LDFLAGS:append:riscv64 = " -latomic"
-PACKAGECONFIG ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' systemd systemd-watchdog systemd-journal dlt-examples dlt-adaptor dlt-console ', '', d)} \
+PACKAGECONFIG ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' systemd systemd-watchdog systemd-journal dlt-examples dlt-adaptor dlt-adaptor-udp dlt-console ', '', d)} \
udp-connection dlt-system dlt-filetransfer "
# dlt-dbus
@@ -44,6 +44,7 @@ PACKAGECONFIG[udp-connection] = "-DWITH_UDP_CONNECTION=ON,-DWITH_UDP_CONNECTION=
# Command line options
PACKAGECONFIG[dlt-system] = "-DWITH_DLT_SYSTEM=ON,-DWITH_DLT_SYSTEM=OFF"
PACKAGECONFIG[dlt-adaptor] = "-DWITH_DLT_ADAPTOR=ON,-DWITH_DLT_ADAPTOR=OFF,,dlt-daemon-systemd"
+PACKAGECONFIG[dlt-adaptor-udp] = "-DWITH_DLT_ADAPTOR_UDP=ON,-DWITH_DLT_ADAPTOR_UDP=OFF,,dlt-daemon-systemd"
PACKAGECONFIG[dlt-filetransfer] = "-DWITH_DLT_FILETRANSFER=ON,-DWITH_DLT_FILETRANSFER=OFF"
PACKAGECONFIG[dlt-console] = "-DWITH_DLT_CONSOLE=ON,-DWITH_DLT_CONSOLE=OFF,,dlt-daemon-systemd"
@@ -58,7 +59,7 @@ SYSTEMD_SERVICE:${PN} = " ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'dlt.
${@bb.utils.contains('PACKAGECONFIG', 'dlt-dbus', 'dlt-dbus.service', '', d)}"
SYSTEMD_AUTO_ENABLE:${PN} = "enable"
SYSTEMD_SERVICE:${PN}-systemd = " \
- ${@bb.utils.contains('PACKAGECONFIG', 'dlt-adaptor', 'dlt-adaptor-udp.service', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'dlt-adaptor-udp', 'dlt-adaptor-udp.service', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'dlt-examples', 'dlt-example-user.service', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'dlt-examples dlt-console', 'dlt-receive.service', '', d)} \
"
diff --git a/meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb b/meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb
index db4f507b7..daaff0039 100644
--- a/meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb
+++ b/meta-oe/recipes-extended/libimobiledevice/libplist_2.2.0.bb
@@ -13,6 +13,12 @@ SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=mast
S = "${WORKDIR}/git"
+CVE_CHECK_IGNORE += "\
+ CVE-2017-5834 \
+ CVE-2017-5835 \
+ CVE-2017-5836 \
+"
+
do_install:append () {
if [ -e ${D}${libdir}/python*/site-packages/plist/_plist.so ]; then
chrpath -d ${D}${libdir}/python*/site-packages/plist/_plist.so
diff --git a/meta-oe/recipes-extended/redis/redis/GNU_SOURCE.patch b/meta-oe/recipes-extended/redis/redis/GNU_SOURCE.patch
index 12994da56..20f689bd0 100644
--- a/meta-oe/recipes-extended/redis/redis/GNU_SOURCE.patch
+++ b/meta-oe/recipes-extended/redis/redis/GNU_SOURCE.patch
@@ -1,4 +1,4 @@
-From 18dc1457db8f66237e016b85a04dc50833c33c50 Mon Sep 17 00:00:00 2001
+From 98d526f76049be21bf3d77158236b2189419a78e Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Sat, 21 Dec 2019 12:09:51 -0800
Subject: [PATCH] Define _GNU_SOURCE to get PTHREAD_MUTEX_INITIALIZER
@@ -10,20 +10,22 @@ Fixes
Upstream-Status: Pending
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
---
src/zmalloc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/zmalloc.c b/src/zmalloc.c
-index ba03685..322304f 100644
+index 1f33d09..5e182d1 100644
--- a/src/zmalloc.c
+++ b/src/zmalloc.c
-@@ -32,6 +32,7 @@
- #include "config.h"
- #include "solarisfixes.h"
+@@ -28,6 +28,7 @@
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
+--
+2.25.1
+
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.6.bb b/meta-oe/recipes-extended/redis/redis_6.2.7.bb
index 87fade7e0..7f922a4e0 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.6.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.7.bb
@@ -17,7 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://GNU_SOURCE.patch \
file://0006-Define-correct-gregs-for-RISCV32.patch \
"
-SRC_URI[sha256sum] = "5b2b8b7a50111ef395bf1c1d5be11e6e167ac018125055daa8b5c2317ae131ab"
+SRC_URI[sha256sum] = "b7a79cc3b46d3c6eb52fa37dde34a4a60824079ebdfb3abfbbfa035947c55319"
inherit autotools-brokensep update-rc.d systemd useradd
diff --git a/meta-oe/recipes-extended/redis/redis_7.0-rc3.bb b/meta-oe/recipes-extended/redis/redis_7.0.4.bb
index e977d67f6..993ff34b1 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0-rc3.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.4.bb
@@ -19,7 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://GNU_SOURCE.patch \
file://0006-Define-correct-gregs-for-RISCV32.patch \
"
-SRC_URI[sha256sum] = "66b2ecc2e4b53c62940589434ea8af3a85546df131001680ed294028cd84ecdc"
+SRC_URI[sha256sum] = "f0e65fda74c44a3dd4fa9d512d4d4d833dd0939c934e946a5c622a630d057f2f"
inherit autotools-brokensep update-rc.d systemd useradd
diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2202.0.bb b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb
index ebb8ecf9b..a39de3acb 100644
--- a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2202.0.bb
+++ b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2206.0.bb
@@ -31,7 +31,7 @@ SRC_URI:append:libc-musl = " \
file://0001-Include-sys-time-h.patch \
"
-SRC_URI[sha256sum] = "e41308a5a171939b3cbc246e9d4bd30be44e801521e04cd95d051fa3867d6738"
+SRC_URI[sha256sum] = "a1377218b26c0767a7a3f67d166d5338af7c24b455d35ec99974e18e6845ba27"
UPSTREAM_CHECK_URI = "https://github.com/rsyslog/rsyslog/releases"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb b/meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb
index ecbfad394..a59a5c41d 100644
--- a/meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb
+++ b/meta-oe/recipes-extended/sanlock/sanlock_3.8.4.bb
@@ -21,6 +21,10 @@ SRCREV = "a181e951376d49a82eef17920c8ebedec80b4823"
S = "${WORKDIR}/git"
+CVE_CHECK_IGNORE += "\
+ CVE-2012-5638 \
+"
+
DEPENDS = "libaio util-linux"
inherit setuptools3 useradd
diff --git a/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb b/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb
index 7e00f150d..4b9ae4758 100644
--- a/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb
+++ b/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb
@@ -32,6 +32,10 @@ SRC_URI = "http://downloads.sourceforge.net/sblim/${BP}.tar.bz2 \
SRC_URI[md5sum] = "28021cdabc73690a94f4f9d57254ce30"
SRC_URI[sha256sum] = "634a67b2f7ac3b386a79160eb44413d618e33e4e7fc74ae68b0240484af149dd"
+CVE_CHECK_IGNORE += "\
+ CVE-2012-3381 \
+"
+
inherit autotools
inherit systemd
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb
index aa597cd8e..4c51af669 100644
--- a/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb
+++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb
@@ -31,6 +31,10 @@ SRC_URI:append:class-nativesdk = "\
SRC_URI[sha256sum] = "6b16bf990df114195be669773a1dae975dbbffada45e1de2849ddeb5851bb9a8"
+CVE_CHECK_IGNORE += "\
+ CVE-2014-9157 \
+"
+
PACKAGECONFIG ??= "librsvg"
PACKAGECONFIG[librsvg] = "--with-librsvg,--without-librsvg,librsvg"
diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
index 4c17105a9..27dff82df 100644
--- a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
+++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
@@ -6,6 +6,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb"
SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master"
SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"
+CVE_CHECK_IGNORE += "\
+ CVE-2015-8751 \
+"
+
S = "${WORKDIR}/git"
inherit cmake
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
index f248619ec..42d2b4efb 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.4.0.bb
@@ -15,6 +15,10 @@ SRC_URI = " \
SRCREV = "37ac30ceff6640bbab502388c5e0fa0bff23f505"
S = "${WORKDIR}/git"
+CVE_CHECK_IGNORE += "\
+ CVE-2015-1239 \
+"
+
inherit cmake
# for multilib
diff --git a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.1.0.bb b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.1.0.bb
index 2f7fcac78..0d45ee765 100644
--- a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.1.0.bb
+++ b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.1.0.bb
@@ -4,7 +4,7 @@ LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRCREV = "4767ea922bcc460e70b87b1d303ebdfed0897da8"
-SRC_URI = "git://github.com/tesseract-ocr/tessdata.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/tesseract-ocr/tessdata.git;branch=main;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/atop/atop_2.4.0.bb b/meta-oe/recipes-support/atop/atop_2.4.0.bb
index 35540b3b8..b1d2abde7 100644
--- a/meta-oe/recipes-support/atop/atop_2.4.0.bb
+++ b/meta-oe/recipes-support/atop/atop_2.4.0.bb
@@ -24,6 +24,10 @@ SRC_URI = "http://www.atoptool.nl/download/${BP}.tar.gz \
SRC_URI[md5sum] = "1077da884ed94f2bc3c81ac3ab970436"
SRC_URI[sha256sum] = "be1c010a77086b7d98376fce96514afcd73c3f20a8d1fe01520899ff69a73d69"
+CVE_CHECK_IGNORE += "\
+ CVE-2011-3618 \
+"
+
do_compile() {
oe_runmake all
}
diff --git a/meta-oe/recipes-support/emacs/emacs_27.2.bb b/meta-oe/recipes-support/emacs/emacs_27.2.bb
index b78dc5e45..4a7e7aba5 100644
--- a/meta-oe/recipes-support/emacs/emacs_27.2.bb
+++ b/meta-oe/recipes-support/emacs/emacs_27.2.bb
@@ -11,6 +11,10 @@ SRC_URI:append:class-target = " file://usemake-docfile-native.patch"
SRC_URI[sha256sum] = "b4a7cc4e78e63f378624e0919215b910af5bb2a0afc819fad298272e9f40c1b9"
+CVE_CHECK_IGNORE = "\
+ CVE-2007-6109 \
+"
+
PACKAGECONFIG[gnutls] = "--with-gnutls=yes,--with-gnutls=no,gnutls"
PACKAGECONFIG[kerberos] = "--with-kerberos=yes,--with-kerberos=no,krb5"
PACKAGECONFIG[libgmp] = "--with-libgmp=yes,--with-libgmp=no,gmp"
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
index 008a83f46..b8167f5a7 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
@@ -4,15 +4,15 @@ HOMEPAGE = "https://www.imagemagick.org/"
DESCRIPTION = "ImageMagick is a collection of tools for displaying, converting, and \
editing raster and vector image files. It can read and write over 200 image file formats."
LICENSE = "ImageMagick"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=41b4fa9af60c88e61484b02c0561181a \
- file://NOTICE;md5=a2aa6e41f8a40700196a9ce301693e34"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b97c12a9213df1499565d69b92c73dd7 \
+ file://NOTICE;md5=d8b9d2ccf273687ad12ebd06e5d8478f"
# FIXME: There are many more checked libraries. All should be added or explicitly disabled to get consistent results.
DEPENDS = "lcms bzip2 jpeg libpng tiff zlib fftw freetype libtool"
BASE_PV := "${PV}"
-PV .= "_25"
+PV .= "-62"
SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=https"
-SRCREV = "8b4e00829eb84d4e7b4da11acf1f98f1e8166e5b"
+SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"
S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/libgpiod/libgpiod_1.6.3.bb b/meta-oe/recipes-support/libgpiod/libgpiod_1.6.3.bb
index 35e68b7e2..2cccf93bd 100644
--- a/meta-oe/recipes-support/libgpiod/libgpiod_1.6.3.bb
+++ b/meta-oe/recipes-support/libgpiod/libgpiod_1.6.3.bb
@@ -14,7 +14,7 @@ SRC_URI[sha256sum] = "841be9d788f00bab08ef22c4be5c39866f0e46cb100a3ae49ed816ac9c
inherit autotools pkgconfig python3native ptest
-PACKAGECONFIG[tests] = "--enable-tests,--disable-tests,kmod udev glib-2.0 catch2,bats python3-packaging"
+PACKAGECONFIG[tests] = "--enable-tests,--disable-tests,kmod udev glib-2.0 catch2"
PACKAGECONFIG[cxx] = "--enable-bindings-cxx,--disable-bindings-cxx"
PACKAGECONFIG[python3] = "--enable-bindings-python,--disable-bindings-python,python3"
@@ -54,6 +54,7 @@ RRECOMMENDS:${PN}-ptest += " \
coreutils \
${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3-unittest', '', d)} \
"
+RDEPENDS:${PN}-ptest += "bats python3-packaging"
PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'tests', '', d)}"
diff --git a/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb b/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb
index 14b1aaf01..3d8a45786 100644
--- a/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb
+++ b/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb
@@ -15,6 +15,11 @@ SRC_URI = "\
SRC_URI[sha256sum] = "19654ad276b149646371fbdac21bc7620742f2975f7399fed0ffc1a18fbaf603"
+CVE_CHECK_IGNORE += "\
+ CVE-2010-1624 \
+ CVE-2011-3594 \
+"
+
PACKAGECONFIG ??= "gnutls consoleui avahi dbus idn nss \
${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtk startup-notification', '', d)} \
"
diff --git a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd
index b63f46ddc..851bf252b 100644
--- a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd
+++ b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd
@@ -1,4 +1,4 @@
-@version: 3.31
+@version: 3.36
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation. Originally written by anonymous (I can't find his name)
diff --git a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit
index 07cd3b086..70afd0da8 100644
--- a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit
+++ b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit
@@ -1,4 +1,4 @@
-@version: 3.31
+@version: 3.36
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation. Originally written by anonymous (I can't find his name)
diff --git a/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch
new file mode 100644
index 000000000..5ec55dfd2
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch
@@ -0,0 +1,99 @@
+From 86368e9cf70a0ad23cccd5ee32de847149af0c6f Mon Sep 17 00:00:00 2001
+From: Stefan Behnel <stefan_ml@behnel.de>
+Date: Fri, 1 Jul 2022 21:06:10 +0200
+Subject: [PATCH] Fix a crash when incorrect parser input occurs together with
+ usages of iterwalk() on trees generated by the same parser.
+
+CVE: CVE-2022-2309
+
+Upstream-Status: Backport
+[https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f]
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ src/lxml/apihelpers.pxi | 7 ++++---
+ src/lxml/iterparse.pxi | 11 ++++++-----
+ src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi
+index c1662762..9fae9fb1 100644
+--- a/src/lxml/apihelpers.pxi
++++ b/src/lxml/apihelpers.pxi
+@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node):
+ while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE:
+ c_ns = c_node.nsDef
+ while c_ns is not NULL:
+- prefix = funicodeOrNone(c_ns.prefix)
+- if prefix not in nsmap:
+- nsmap[prefix] = funicodeOrNone(c_ns.href)
++ if c_ns.prefix or c_ns.href:
++ prefix = funicodeOrNone(c_ns.prefix)
++ if prefix not in nsmap:
++ nsmap[prefix] = funicodeOrNone(c_ns.href)
+ c_ns = c_ns.next
+ c_node = c_node.parent
+ return nsmap
+diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi
+index 138c23a6..a7299da6 100644
+--- a/src/lxml/iterparse.pxi
++++ b/src/lxml/iterparse.pxi
+@@ -420,7 +420,7 @@ cdef int _countNsDefs(xmlNode* c_node):
+ count = 0
+ c_ns = c_node.nsDef
+ while c_ns is not NULL:
+- count += 1
++ count += (c_ns.href is not NULL)
+ c_ns = c_ns.next
+ return count
+
+@@ -431,9 +431,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1:
+ count = 0
+ c_ns = c_node.nsDef
+ while c_ns is not NULL:
+- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '',
+- funicode(c_ns.href))
+- event_list.append( (u"start-ns", ns_tuple) )
+- count += 1
++ if c_ns.href:
++ ns_tuple = (funicodeOrEmpty(c_ns.prefix),
++ funicode(c_ns.href))
++ event_list.append( (u"start-ns", ns_tuple) )
++ count += 1
+ c_ns = c_ns.next
+ return count
+diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
+index e5f08469..285313f6 100644
+--- a/src/lxml/tests/test_etree.py
++++ b/src/lxml/tests/test_etree.py
+@@ -1460,6 +1460,26 @@ class ETreeOnlyTestCase(HelperTestCase):
+ [1,2,1,4],
+ counts)
+
++ def test_walk_after_parse_failure(self):
++ # This used to be an issue because libxml2 can leak empty namespaces
++ # between failed parser runs. iterwalk() failed to handle such a tree.
++ try:
++ etree.XML('''<anot xmlns="1">''')
++ except etree.XMLSyntaxError:
++ pass
++ else:
++ assert False, "invalid input did not fail to parse"
++
++ et = etree.XML('''<root> </root>''')
++ try:
++ ns = next(etree.iterwalk(et, events=('start-ns',)))
++ except StopIteration:
++ # This would be the expected result, because there was no namespace
++ pass
++ else:
++ # This is a bug in libxml2
++ assert not ns, repr(ns)
++
+ def test_itertext_comment_pi(self):
+ # https://bugs.launchpad.net/lxml/+bug/1844674
+ XML = self.etree.XML
+--
+2.17.1
+
diff --git a/meta-python/recipes-devtools/python/python3-lxml_4.8.0.bb b/meta-python/recipes-devtools/python/python3-lxml_4.8.0.bb
index c4d4df383..0c78d97ab 100644
--- a/meta-python/recipes-devtools/python/python3-lxml_4.8.0.bb
+++ b/meta-python/recipes-devtools/python/python3-lxml_4.8.0.bb
@@ -20,7 +20,8 @@ DEPENDS += "libxml2 libxslt"
SRC_URI[sha256sum] = "f63f62fc60e6228a4ca9abae28228f35e1bd3ce675013d1dfb828688d50c6e23"
-SRC_URI += "${PYPI_SRC_URI}"
+SRC_URI += "${PYPI_SRC_URI} \
+ file://CVE-2022-2309.patch "
inherit pkgconfig pypi setuptools3
# {standard input}: Assembler messages:
diff --git a/meta-python/recipes-devtools/python/python3-matplotlib_3.5.1.bb b/meta-python/recipes-devtools/python/python3-matplotlib_3.5.1.bb
index b9eab3c93..cd05b455d 100644
--- a/meta-python/recipes-devtools/python/python3-matplotlib_3.5.1.bb
+++ b/meta-python/recipes-devtools/python/python3-matplotlib_3.5.1.bb
@@ -50,6 +50,7 @@ RDEPENDS:${PN} = "\
${PYTHON_PN}-dateutil \
${PYTHON_PN}-kiwisolver \
${PYTHON_PN}-pytz \
+ ${PYTHON_PN}-pillow \
"
ENABLELTO:toolchain-clang:riscv64 = "echo enable_lto = False >> ${S}/mplsetup.cfg"
diff --git a/meta-python/recipes-devtools/python/python3-pybluez/0001-Use-Py_ssize_t-when-parsing-buffer-length-fix-426-42.patch b/meta-python/recipes-devtools/python/python3-pybluez/0001-Use-Py_ssize_t-when-parsing-buffer-length-fix-426-42.patch
new file mode 100644
index 000000000..9126aba8d
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pybluez/0001-Use-Py_ssize_t-when-parsing-buffer-length-fix-426-42.patch
@@ -0,0 +1,153 @@
+From aa8ee5e5e934908f0357364f6ec90a3ecda62880 Mon Sep 17 00:00:00 2001
+From: Nicolas Schodet <nico@ni.fr.eu.org>
+Date: Mon, 3 Jan 2022 02:37:01 +0100
+Subject: [PATCH] Use Py_ssize_t when parsing buffer length, fix #426 (#427)
+
+From python 3.9 documentation:
+
+> For all # variants of formats (s#, y#, etc.), the macro
+> PY_SSIZE_T_CLEAN must be defined before including Python.h. On Python
+> 3.9 and older, the type of the length argument is Py_ssize_t if the
+> PY_SSIZE_T_CLEAN macro is defined, or int otherwise.
+
+From python 3.8 changes:
+
+> Use of # variants of formats in parsing or building value (e.g.
+> PyArg_ParseTuple(), Py_BuildValue(), PyObject_CallFunction(), etc.)
+> without PY_SSIZE_T_CLEAN defined raises DeprecationWarning now. It
+> will be removed in 3.10 or 4.0. Read Parsing arguments and building
+> values for detail. (Contributed by Inada Naoki in bpo-36381.)
+
+Fixes https://github.com/pybluez/pybluez/issues/426
+---
+Upstream-Status: Accepted
+
+ bluez/btmodule.c | 23 ++++++++++++++---------
+ msbt/_msbt.c | 6 ++++--
+ 2 files changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/bluez/btmodule.c b/bluez/btmodule.c
+index 518b723..912a489 100644
+--- a/bluez/btmodule.c
++++ b/bluez/btmodule.c
+@@ -16,7 +16,8 @@ Local naming conventions:
+ - names starting with bt_ are module-level functions
+
+ */
+-
++#define PY_SSIZE_T_CLEAN 1
++#include "Python.h"
+ #include "btmodule.h"
+ #include "structmember.h"
+
+@@ -732,7 +733,7 @@ sock_setsockopt(PySocketSockObject *s, PyObject *args)
+ int optname;
+ int res;
+ void *buf;
+- int buflen;
++ Py_ssize_t buflen;
+ int flag;
+
+ if (PyArg_ParseTuple(args, "iii:setsockopt", &level, &optname, &flag)) {
+@@ -2001,7 +2002,8 @@ static PyObject *
+ bt_hci_send_cmd(PyObject *self, PyObject *args)
+ {
+ PySocketSockObject *socko = NULL;
+- int err, plen = 0;
++ int err;
++ Py_ssize_t plen = 0;
+ uint16_t ogf, ocf;
+ char *param = NULL;
+ int dd = 0;
+@@ -2036,6 +2038,7 @@ bt_hci_send_req(PyObject *self, PyObject *args, PyObject *kwds)
+ int err;
+ int to=0;
+ char rparam[256];
++ Py_ssize_t req_clen;
+ struct hci_request req = { 0 };
+ int dd = 0;
+
+@@ -2043,9 +2046,10 @@ bt_hci_send_req(PyObject *self, PyObject *args, PyObject *kwds)
+ "timeout", 0 };
+
+ if( !PyArg_ParseTupleAndKeywords(args, kwds, "OHHii|s#i", keywords,
+- &socko, &req.ogf, &req.ocf, &req.event, &req.rlen,
+- &req.cparam, &req.clen, &to) )
++ &socko, &req.ogf, &req.ocf, &req.event, &req.rlen,
++ &req.cparam, &req_clen, &to) )
+ return 0;
++ req.clen = req_clen;
+
+ req.rparam = rparam;
+ dd = socko->sock_fd;
+@@ -2274,7 +2278,8 @@ Returns the name of the device, or raises an error on failure");
+ static PyObject * bt_hci_filter_ ## name (PyObject *self, PyObject *args )\
+ { \
+ char *param; \
+- int len, arg; \
++ Py_ssize_t len; \
++ int arg; \
+ if( !PyArg_ParseTuple(args,"s#i", &param, &len, &arg) ) \
+ return 0; \
+ if( len != sizeof(struct hci_filter) ) { \
+@@ -2303,7 +2308,7 @@ DECL_HCI_FILTER_OP_1(test_opcode, "test opcode!")
+ static PyObject * bt_hci_filter_ ## name (PyObject *self, PyObject *args )\
+ { \
+ char *param; \
+- int len; \
++ Py_ssize_t len; \
+ if( !PyArg_ParseTuple(args,"s#", &param, &len) ) \
+ return 0; \
+ if( len != sizeof(struct hci_filter) ) { \
+@@ -2364,7 +2369,7 @@ static PyObject *
+ bt_ba2str(PyObject *self, PyObject *args)
+ {
+ char *data=NULL;
+- int len=0;
++ Py_ssize_t len=0;
+ char ba_str[19] = {0};
+ if (!PyArg_ParseTuple(args, "s#", &data, &len)) return 0;
+ ba2str((bdaddr_t*)data, ba_str);
+@@ -2579,7 +2584,7 @@ bt_sdp_advertise_service( PyObject *self, PyObject *args )
+ *provider = NULL,
+ *description = NULL;
+ PyObject *service_classes, *profiles, *protocols;
+- int namelen = 0, provlen = 0, desclen = 0;
++ Py_ssize_t namelen = 0, provlen = 0, desclen = 0;
+ uuid_t svc_uuid = { 0 };
+ int i;
+ char addrbuf[256] = { 0 };
+diff --git a/msbt/_msbt.c b/msbt/_msbt.c
+index b3d27ff..81f5ee9 100644
+--- a/msbt/_msbt.c
++++ b/msbt/_msbt.c
+@@ -2,6 +2,8 @@
+ #define UNICODE
+ #endif
+
++#define PY_SSIZE_T_CLEAN 1
++
+ #include <winsock2.h>
+ #include <ws2bth.h>
+ #include <BluetoothAPIs.h>
+@@ -155,7 +157,7 @@ static PyObject *
+ msbt_bind(PyObject *self, PyObject *args)
+ {
+ wchar_t *addrstr = NULL;
+- int addrstrlen = -1;
++ Py_ssize_t addrstrlen = -1;
+ int sockfd = -1;
+ int port = -1;
+ char buf[100] = { 0 };
+@@ -765,7 +767,7 @@ msbt_set_service_raw(PyObject *self, PyObject *args)
+ WSAESETSERVICEOP op;
+
+ char *record = NULL;
+- int reclen = -1;
++ Py_ssize_t reclen = -1;
+ BTH_SET_SERVICE *si = NULL;
+ int silen = -1;
+ ULONG sdpVersion = BTH_SDP_VERSION;
+--
+2.34.1
+
diff --git a/meta-python/recipes-devtools/python/python3-pybluez_0.23.bb b/meta-python/recipes-devtools/python/python3-pybluez_0.23.bb
index b32f3a362..6a1df273a 100644
--- a/meta-python/recipes-devtools/python/python3-pybluez_0.23.bb
+++ b/meta-python/recipes-devtools/python/python3-pybluez_0.23.bb
@@ -7,6 +7,7 @@ DEPENDS = "bluez5"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=8a71d0475d08eee76d8b6d0c6dbec543"
+SRC_URI += "file://0001-Use-Py_ssize_t-when-parsing-buffer-length-fix-426-42.patch"
SRC_URI[md5sum] = "afbe8429bb82d2c46a3d0f5f4f898f9d"
SRC_URI[sha256sum] = "c8f04d2e78951eaa9de486b4d49381704e8943d0a6e6e58f55fcd7b8582e90de"
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch
index 5d8291968..a652b7969 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch
+++ b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch
@@ -1,4 +1,4 @@
-From 37699e9be04d83c5923644e298f400e077f76e85 Mon Sep 17 00:00:00 2001
+From abd5b40c9b094e721e91a5d75132639149d7952f Mon Sep 17 00:00:00 2001
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Date: Tue, 17 Jul 2012 11:27:39 +0100
Subject: [PATCH] Log the SELinux context at startup.
@@ -14,7 +14,7 @@ Note: unlikely to be any interest in this upstream
2 files changed, 31 insertions(+)
diff --git a/configure.in b/configure.in
-index c799aec..76811e7 100644
+index ea6cec3..92b74b7 100644
--- a/configure.in
+++ b/configure.in
@@ -491,6 +491,11 @@ getloadavg
@@ -30,7 +30,7 @@ index c799aec..76811e7 100644
[AC_TRY_RUN(#define _GNU_SOURCE
#include <unistd.h>
diff --git a/server/core.c b/server/core.c
-index 3020090..8fef5fd 100644
+index 4da7209..d3ca25b 100644
--- a/server/core.c
+++ b/server/core.c
@@ -65,6 +65,10 @@
@@ -43,7 +43,7 @@ index 3020090..8fef5fd 100644
+
/* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
- #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
+ #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
@@ -5126,6 +5130,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
}
#endif
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.53.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.54.bb
index 8413f5379..4b0ed2f62 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.53.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.54.bb
@@ -26,7 +26,7 @@ SRC_URI:append:class-target = " \
"
LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"
-SRC_URI[sha256sum] = "d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63"
+SRC_URI[sha256sum] = "eb397feeefccaf254f8d45de3768d9d68e8e73851c49afd5b7176d1ecf80c340"
S = "${WORKDIR}/httpd-${PV}"
diff --git a/meta-xfce/recipes-apps/catfish/catfish_4.16.3.bb b/meta-xfce/recipes-apps/catfish/catfish_4.16.3.bb
index 98cd251d2..8fe879b81 100644
--- a/meta-xfce/recipes-apps/catfish/catfish_4.16.3.bb
+++ b/meta-xfce/recipes-apps/catfish/catfish_4.16.3.bb
@@ -12,3 +12,12 @@ SRC_URI[sha256sum] = "e9a99a62d10981391508dd43f3cbfa2d50a69bd6b7d1eeef7d30ba4c67
FILES:${PN} += "${datadir}/metainfo"
RDEPENDS:${PN} += "python3-pygobject python3-dbus"
+
+do_install:append() {
+ #
+ # Until catfish upstream figures out a way to overcome this buildpath issue, we need to do such adjustments here.
+ #
+ sed -i -e 's#${RECIPE_SYSROOT_NATIVE}##g' ${D}${datadir}/applications/org.xfce.Catfish.desktop
+ sed -i -e 's#${RECIPE_SYSROOT_NATIVE}##g' ${D}${PYTHON_SITEPACKAGES_DIR}/catfish_lib/catfishconfig.py
+ rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/catfish_lib/__pycache__/catfishconfig.*.pyc
+}
diff --git a/meta-xfce/recipes-xfce/exo/exo_4.16.3.bb b/meta-xfce/recipes-xfce/exo/exo_4.16.4.bb
index 2b164442f..b97d9943f 100644
--- a/meta-xfce/recipes-xfce/exo/exo_4.16.3.bb
+++ b/meta-xfce/recipes-xfce/exo/exo_4.16.4.bb
@@ -14,7 +14,7 @@ SRC_URI += " \
file://configure.patch \
"
-SRC_URI[sha256sum] = "722dff3c3fe23f0a65405e63889cf247c99d092d3f9fb16dec78d062cfb8fae6"
+SRC_URI[sha256sum] = "82a50c67e78f1e5c420b7615515bcca759b86eeab99224ab8eca4306b89d2eca"
# Note: python bindings did not work in oe-dev and are about to be moved to
# pyxfce see http://comments.gmane.org/gmane.comp.desktop.xfce.devel.version4/19560