aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb2
-rw-r--r--meta-networking/recipes-connectivity/civetweb/civetweb_git.bb2
-rw-r--r--meta-networking/recipes-connectivity/dibbler/dibbler_git.bb2
-rw-r--r--meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb2
-rw-r--r--meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb2
-rw-r--r--meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb2
-rw-r--r--meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb2
-rw-r--r--meta-networking/recipes-connectivity/netplan/netplan_0.98.bb2
-rw-r--r--meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb2
-rw-r--r--meta-networking/recipes-connectivity/relayd/relayd_git.bb2
-rw-r--r--meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb2
-rw-r--r--meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb2
-rw-r--r--meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb2
-rw-r--r--meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb2
-rw-r--r--meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb2
-rw-r--r--meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb2
-rw-r--r--meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch46
-rw-r--r--meta-networking/recipes-daemons/postfix/postfix_3.4.23.bb (renamed from meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb)5
-rw-r--r--meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb2
-rw-r--r--meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb2
-rw-r--r--meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb2
-rw-r--r--meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb2
-rw-r--r--meta-networking/recipes-irc/znc/znc_1.7.5.bb4
-rw-r--r--meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb2
-rw-r--r--meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb2
-rw-r--r--meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb2
-rw-r--r--meta-networking/recipes-protocols/openflow/openflow.inc2
-rw-r--r--meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb2
-rw-r--r--meta-networking/recipes-support/arptables/arptables_git.bb2
-rw-r--r--meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb2
-rw-r--r--meta-networking/recipes-support/cifs/cifs-utils_6.10.bb2
-rw-r--r--meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb2
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch1040
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb1
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch30
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch19
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch13
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch76
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch71
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch37
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch49
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch90
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch45
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch163
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch72
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch50
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch169
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch188
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch87
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch133
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch32
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch27
-rw-r--r--meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb16
-rw-r--r--meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb5
-rw-r--r--meta-networking/recipes-support/geoip/geoip-perl_1.51.bb2
-rw-r--r--meta-networking/recipes-support/geoip/geoip_1.6.12.bb2
-rw-r--r--meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb2
-rw-r--r--meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb2
-rw-r--r--meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb2
-rw-r--r--meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb2
-rw-r--r--meta-networking/recipes-support/mtr/mtr_0.93.bb2
-rw-r--r--meta-networking/recipes-support/nbdkit/nbdkit_git.bb2
-rw-r--r--meta-networking/recipes-support/ndisc6/ndisc6_git.bb2
-rw-r--r--meta-networking/recipes-support/netcf/netcf_0.2.8.bb2
-rw-r--r--meta-networking/recipes-support/netperf/netperf_git.bb2
-rw-r--r--meta-networking/recipes-support/nis/yp-tools_4.2.3.bb2
-rw-r--r--meta-networking/recipes-support/ntimed/ntimed_git.bb2
-rw-r--r--meta-networking/recipes-support/open-isns/open-isns_0.99.bb2
-rw-r--r--meta-networking/recipes-support/phytool/phytool.bb2
-rw-r--r--meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb2
-rw-r--r--meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb2
-rw-r--r--meta-networking/recipes-support/spice/spice-protocol_git.bb2
-rw-r--r--meta-networking/recipes-support/spice/spice_git.bb4
-rw-r--r--meta-networking/recipes-support/spice/usbredir_0.8.0.bb2
-rw-r--r--meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch1
-rw-r--r--meta-networking/recipes-support/unbound/unbound_1.9.4.bb2
-rw-r--r--meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb2
77 files changed, 2496 insertions, 77 deletions
diff --git a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb
index d4a62bd92..4cb85f815 100644
--- a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb
+++ b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb
@@ -2,7 +2,7 @@ SUMMARY = "a SocketCAN over Ethernet tunnel"
HOMEPAGE = "https://github.com/mguentner/cannelloni"
LICENSE = "GPLv2"
-SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https \
+SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https;branch=master \
file://0001-Use-GNUInstallDirs-instead-of-hard-coding-paths.patch \
file://0002-include-missing-stdexcept-for-runtime_error.patch \
"
diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb
index 2820f9fa6..e9c205618 100644
--- a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb
+++ b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=50bd1d7f135b50d7e218996ba28d0d88"
SRCREV = "4b440a339979852d5a51fb11a822952712231c23"
PV = "1.12+git${SRCPV}"
-SRC_URI = "git://github.com/civetweb/civetweb.git \
+SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \
file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \
"
diff --git a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb
index 90051a319..f85665590 100644
--- a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb
+++ b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=7236695bb6d4461c105d685a8b61c4e3"
SRCREV = "c4b0ed52e751da7823dd9a36e91f93a6310e5525"
-SRC_URI = "git://github.com/tomaszmrugalski/dibbler \
+SRC_URI = "git://github.com/tomaszmrugalski/dibbler;branch=master;protocol=https \
file://dibbler_fix_getSize_crash.patch \
file://0001-linux-port-Rename-pthread_mutex_t-variable-lock.patch \
"
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
index 2c39c4c44..1ea0cb16d 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb
@@ -13,7 +13,7 @@ LICENSE = "GPLv2 & LGPLv2+"
LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a"
DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc"
-SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0; \
+SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;protocol=https \
file://freeradius \
file://volatiles.58_radiusd \
file://freeradius-enble-user-in-conf.patch \
diff --git a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb
index 5b27cfe15..c1a814611 100644
--- a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb
+++ b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=0036c1b155f4e999f3e0a373490b5db9"
-SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1"
+SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1;protocol=https"
SRCREV = "12fca29a6d4e99d1b923d6820887fe7b24226904"
UPSTREAM_CHECK_GITTAGREGEX = "libdnet-(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb
index 8444f0b73..66a7aaa6b 100644
--- a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb
+++ b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=587b3fd7fd291e418ff4d2b8f3904755"
SECTION = "libs/networking"
-SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https"
+SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https;branch=master"
SRCREV = "1749fd7b039165a91b8d556b4df18e3e632ad830"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb
index 77be27ffa..6d035f403 100644
--- a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb
+++ b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb
@@ -8,7 +8,7 @@ SECTION = "libs/networking"
SRCREV = "53ae1a5ab37fdfc9ad5c236df3eaf4dd63f0fee9"
-SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x"
+SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb
index 9f123c70f..d91fc752e 100644
--- a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb
+++ b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb
@@ -15,7 +15,7 @@ SRCREV = "5d22e9d22c4a3724d27b80b0cd9b898ae8f59d2b"
PV = "0.98+git${SRCPV}"
SRC_URI = " \
- git://github.com/CanonicalLtd/netplan.git \
+ git://github.com/CanonicalLtd/netplan.git;branch=master;protocol=https \
"
DEPENDS = "glib-2.0 libyaml ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
diff --git a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb
index 597c1920c..144afb484 100644
--- a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb
+++ b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb
@@ -3,7 +3,7 @@ LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=243b725d71bb5df4a1e5920b344b86ad"
SRC_URI = " \
- git://git.infradead.org/users/dwmw2/openconnect.git \
+ git://git.infradead.org/users/dwmw2/openconnect.git;branch=master \
file://0001-trojans-tncc-wrapper.py-convert-to-python3.patch \
"
SRCREV = "ea73851969ae7a6ea54fdd2d2b8c94776af24b2a"
diff --git a/meta-networking/recipes-connectivity/relayd/relayd_git.bb b/meta-networking/recipes-connectivity/relayd/relayd_git.bb
index e3134e41f..a75b43e06 100644
--- a/meta-networking/recipes-connectivity/relayd/relayd_git.bb
+++ b/meta-networking/recipes-connectivity/relayd/relayd_git.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=17;md5=86aad799085683e0a2e1c2684a20bab
DEPENDS = "libubox"
-SRC_URI = "git://git.openwrt.org/project/relayd.git \
+SRC_URI = "git://git.openwrt.org/project/relayd.git;branch=master \
file://0001-rtnl_flush-Error-on-failed-write.patch \
"
diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
index 54e855a09..5d968f147 100644
--- a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
+++ b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
@@ -9,7 +9,7 @@ DEPENDS += "libgcrypt"
PV .= "r550-2jnpr1"
SRCREV = "b1243d29e0c00312ead038b04a2cf5e2fa31d740"
-SRC_URI = "git://github.com/ndpgroup/vpnc \
+SRC_URI = "git://github.com/ndpgroup/vpnc;branch=master;protocol=https \
file://long-help \
file://default.conf \
file://0001-search-for-log-help-in-build-dir.patch \
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb
index db7b0d486..b9c545e15 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
PROVIDES += "cyassl"
RPROVIDES_${PN} = "cyassl"
-SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https"
+SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master"
SRCREV = "e116c89a58af750421d82ece13f80516d2bde02e"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb
index ff9084dbf..ddddb1b07 100644
--- a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb
+++ b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=94d55d512a9ba36caa9b7df079bae19f"
SRCREV = "52b71f0831dcbde508bd3a961d84abb80a62480f"
-SRC_URI = "git://git.code.sf.net/p/atftp/code \
+SRC_URI = "git://git.code.sf.net/p/atftp/code;branch=master \
file://atftpd.init \
file://atftpd.service \
"
diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
index d3983eb1a..db5f94444 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3f55e0974e3d6db00ca6f57f2d206396"
SRCREV = "e41cfb986c1b1935770de554872247453fdbb079"
-SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \
+SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \
file://avoid-to-call-AC_TRY_RUN.patch \
file://Fix-hardcoded-libdir.patch \
file://debian_patches_0014_avoid_pic_overwrite.diff \
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb
index 4a9cf9db4..7cf8cfa94 100644
--- a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb
@@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRCREV ?= "34e3ffb194f6fa3028c0eb2ff57e7db2d1026771"
-SRC_URI = "git://github.com/open-iscsi/open-iscsi \
+SRC_URI = "git://github.com/open-iscsi/open-iscsi;branch=master;protocol=https \
file://0001-Makefile-Do-not-set-Werror.patch \
file://initd.debian \
file://99_iscsi-initiator-utils \
diff --git a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb
index 61d656b7c..d5296f6a9 100644
--- a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb
+++ b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb
@@ -13,7 +13,7 @@ RDEPENDS_${PN} = "python3-pygobject python3-dbus"
REQUIRED_DISTRO_FEATURES = "systemd"
SRCREV = "333ef1ed1d7c7c17264fcf7629e5c2f78ab4112c"
-SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https"
+SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch
new file mode 100644
index 000000000..b6ec8c70d
--- /dev/null
+++ b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch
@@ -0,0 +1,46 @@
+From 1f25dae3f38548bad32c5a3ebee4c07938d8c1b8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 30 Dec 2021 10:35:57 +0800
+Subject: [PATCH] fix build with glibc 2.34
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The closefrom() function which is introduced in glibc 2.34 conflicts
+with the one provided by postfix.
+
+Fixes:
+| In file included from attr_clnt.c:88:
+| /usr/include/unistd.h:363:13: error: conflicting types for ‘closefrom’; have ‘void(int)’
+| 363 | extern void closefrom (int __lowfd) __THROW;
+| | ^~~~~~~~~
+| In file included from attr_clnt.c:87:
+| ./sys_defs.h:1506:12: note: previous declaration of ‘closefrom’ with type ‘int(int)’
+| 1506 | extern int closefrom(int);
+| | ^~~~~~~~~
+
+Upstream-Status: Backport
+[https://github.com/vdukhovni/postfix/commit/3d966d3bd5f95b2c918aefb864549fa9f0442e24]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/util/sys_defs.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h
+index 39daa16..5de5855 100644
+--- a/src/util/sys_defs.h
++++ b/src/util/sys_defs.h
+@@ -827,6 +827,9 @@ extern int initgroups(const char *, int);
+ #define HAVE_POSIX_GETPW_R
+ #endif
+ #endif
++#if HAVE_GLIBC_API_VERSION_SUPPORT(2, 34)
++#define HAS_CLOSEFROM
++#endif
+
+ #endif
+
+--
+2.17.1
+
diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb b/meta-networking/recipes-daemons/postfix/postfix_3.4.23.bb
index db5b41bfb..bb6634580 100644
--- a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb
+++ b/meta-networking/recipes-daemons/postfix/postfix_3.4.23.bb
@@ -13,6 +13,7 @@ SRC_URI += "ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P
file://postfix-install.patch \
file://icu-config.patch \
file://0001-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \
+ file://0001-fix-build-with-glibc-2.34.patch \
"
-SRC_URI[sha256sum] = "18555183ae8b52a9e76067799279c86f9f2770cdef3836deb8462ee0a0855dec"
-UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.3(\.\d+)+).tar.gz"
+SRC_URI[sha256sum] = "1759e953bf7baccb533899845c17753bf57a99ebac9c21717626262966a122f9"
+UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.4(\.\d+)+).tar.gz"
diff --git a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb
index 115353fec..071002c5e 100644
--- a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb
+++ b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb
@@ -5,7 +5,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://gpl_license.txt;md5=11c7b65c4a4acb9d5175f7e9bf99c403"
SRCREV = "39276d14b659684c4c0612725ab83ea841c6ef99"
-SRC_URI = "git://github.com/arno-iptables-firewall/aif"
+SRC_URI = "git://github.com/arno-iptables-firewall/aif;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
index 2f627d458..994825cb7 100644
--- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
+++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb
@@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl"
SRCREV = "ba196a97e810746e5660fe3f57c87c0ed0f2b324"
PV .= "+git${SRCPV}"
-SRC_URI = "git://git.netfilter.org/libnetfilter_log"
+SRC_URI = "git://git.netfilter.org/libnetfilter_log;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb
index 896cfdfaa..1bbab6f3c 100644
--- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb
+++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb
@@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl"
SRCREV = "601abd1c71ccdf90753cf294c120ad43fb25dc54"
-SRC_URI = "git://git.netfilter.org/libnetfilter_queue \
+SRC_URI = "git://git.netfilter.org/libnetfilter_queue;branch=master \
file://0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch \
"
diff --git a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb
index 4ff00bf87..fee9967eb 100644
--- a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb
+++ b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb
@@ -5,7 +5,7 @@ SECTION = "libs"
DEPENDS = "libmnl"
SRCREV = "eedafeb6db330b8adff1b7cdd3dac325f9144195"
-SRC_URI = "git://git.netfilter.org/libnftnl \
+SRC_URI = "git://git.netfilter.org/libnftnl;branch=master \
file://0001-avoid-naming-local-function-as-one-of-printf-family.patch \
"
diff --git a/meta-networking/recipes-irc/znc/znc_1.7.5.bb b/meta-networking/recipes-irc/znc/znc_1.7.5.bb
index a3d4b7cc5..d7467ff4a 100644
--- a/meta-networking/recipes-irc/znc/znc_1.7.5.bb
+++ b/meta-networking/recipes-irc/znc/znc_1.7.5.bb
@@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
DEPENDS = "openssl zlib icu"
-SRC_URI = "git://github.com/znc/znc.git;name=znc \
- git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket \
+SRC_URI = "git://github.com/znc/znc.git;name=znc;branch=master;protocol=https \
+ git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket;branch=master;protocol=https \
"
SRCREV_znc = "c7f72f8bc800115ac985e7e13eace78031cb1b50"
SRCREV_Csocket = "e8d9e0bb248c521c2c7fa01e1c6a116d929c41b4"
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
index 6ed988baf..9215f4a6d 100644
--- a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
+++ b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
@@ -2,7 +2,7 @@ require wireguard.inc
SRCREV = "43f57dac7b8305024f83addc533c9eede6509129"
-SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat \
+SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat;branch=master \
file://0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch \
file://0001-compat-icmp_ndo_send-functions-were-backported-exten.patch "
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb
index f698b9a9a..9e486ecc3 100644
--- a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb
+++ b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb
@@ -1,7 +1,7 @@
require wireguard.inc
SRCREV = "a8063adc8ae9b4fc9848500e93f94bee8ad2e585"
-SRC_URI = "git://git.zx2c4.com/wireguard-tools"
+SRC_URI = "git://git.zx2c4.com/wireguard-tools;branch=master"
inherit bash-completion systemd pkgconfig
diff --git a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb
index 6dd15ad9f..fdcd90651 100644
--- a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb
+++ b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb
@@ -12,7 +12,7 @@ SECTION = "net"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENCE;md5=411a48ac3c2e9e0911b8dd9aed26f754"
-SRC_URI = "git://github.com/jech/babeld.git;protocol=git"
+SRC_URI = "git://github.com/jech/babeld.git;protocol=https;branch=master"
SRCREV = "0835d5d894ea016ab7b81562466cade2c51a12d4"
UPSTREAM_CHECK_GITTAGREGEX = "babeld-(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc
index cccbfa19a..ab538c620 100644
--- a/meta-networking/recipes-protocols/openflow/openflow.inc
+++ b/meta-networking/recipes-protocols/openflow/openflow.inc
@@ -11,7 +11,7 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2"
-SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git"
+SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master"
DEPENDS = "virtual/libc"
diff --git a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb
index b02e183db..181698d77 100644
--- a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb
+++ b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb
@@ -8,7 +8,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/xelerance/xl2tpd.git"
+SRC_URI = "git://github.com/xelerance/xl2tpd.git;branch=master;protocol=https"
SRCREV = "ba619c79c4790c78c033df0abde4a9a5de744a08"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/arptables/arptables_git.bb b/meta-networking/recipes-support/arptables/arptables_git.bb
index c02a19944..b59dc4ca1 100644
--- a/meta-networking/recipes-support/arptables/arptables_git.bb
+++ b/meta-networking/recipes-support/arptables/arptables_git.bb
@@ -6,7 +6,7 @@ SRCREV = "efae8949e31f8b2eb6290f377a28384cecaf105a"
PV = "0.0.5+git${SRCPV}"
SRC_URI = " \
- git://git.netfilter.org/arptables \
+ git://git.netfilter.org/arptables;branch=master \
file://0001-Use-ARPCFLAGS-for-package-specific-compiler-flags.patch \
file://arptables-arpt-get-target-fix.patch \
file://arptables.service \
diff --git a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb
index 1c87c48bf..d693ae9a9 100644
--- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb
+++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f9d20a453221a1b7e32ae84694da2c37"
SRCREV = "42c1aefc303fdf891fbb099ea51f00dca83ab606"
SRC_URI = "\
- git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git \
+ git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git;branch=master \
file://kernel-headers.patch \
file://0005-build-don-t-ignore-CFLAGS-from-environment.patch \
file://0006-libbridge-Modifying-the-AR-to-cross-toolchain.patch \
diff --git a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb
index 8d82ee454..e76481cc1 100644
--- a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb
+++ b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
PV = "6.10"
SRCREV = "5ff5fc2ecc10353fd39ad508db5c2828fd2d8d9a"
-SRC_URI = "git://git.samba.org/cifs-utils.git"
+SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master"
S = "${WORKDIR}/git"
DEPENDS += "libtalloc"
diff --git a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
index 799cf8611..3da651c47 100644
--- a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
+++ b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=fd0c9adf285a69aa3b4faf34384e1029"
DEPENDS = "curl"
DEPENDS_class-native = "curl-native"
-SRC_URI = "git://github.com/jpbarrette/curlpp.git"
+SRC_URI = "git://github.com/jpbarrette/curlpp.git;branch=master;protocol=https"
SRCREV = "592552a165cc569dac7674cb7fc9de3dc829906f"
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch
new file mode 100644
index 000000000..360931a83
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch
@@ -0,0 +1,1040 @@
+From 74d4fcd756a85bc1823232ea74334f7ccfb9d5d2 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 15 Mar 2021 21:59:51 +0000
+Subject: [PATCH] Use random source ports where possible if source
+ addresses/interfaces in use.
+
+CVE-2021-3448 applies.
+
+It's possible to specify the source address or interface to be
+used when contacting upstream nameservers: server=8.8.8.8@1.2.3.4
+or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
+these have, until now, used a single socket, bound to a fixed
+port. This was originally done to allow an error (non-existent
+interface, or non-local address) to be detected at start-up. This
+means that any upstream servers specified in such a way don't use
+random source ports, and are more susceptible to cache-poisoning
+attacks.
+
+We now use random ports where possible, even when the
+source is specified, so server=8.8.8.8@1.2.3.4 or
+server=8.8.8.8@eth0 will use random source
+ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
+use the explicitly configured port, and should only be done with
+understanding of the security implications.
+Note that this change changes non-existing interface, or non-local
+source address errors from fatal to run-time. The error will be
+logged and communiction with the server not possible.
+
+Upstream-Status: Backport
+CVE: CVE-2021-3448
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGELOG | 22 +++
+ man/dnsmasq.8 | 4 +-
+ src/dnsmasq.c | 31 ++--
+ src/dnsmasq.h | 26 ++--
+ src/forward.c | 392 ++++++++++++++++++++++++++++++--------------------
+ src/loop.c | 20 +--
+ src/network.c | 110 +++++---------
+ src/option.c | 3 +-
+ src/tftp.c | 6 +-
+ src/util.c | 2 +-
+ 10 files changed, 344 insertions(+), 272 deletions(-)
+
+Index: dnsmasq-2.81/man/dnsmasq.8
+===================================================================
+--- dnsmasq-2.81.orig/man/dnsmasq.8
++++ dnsmasq-2.81/man/dnsmasq.8
+@@ -489,7 +489,7 @@ source address specified but the port ma
+ part of the source address. Forcing queries to an interface is not
+ implemented on all platforms supported by dnsmasq.
+ .TP
+-.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]]
++.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<interface>][@<source-ip>[#<port>]]
+ This is functionally the same as
+ .B --server,
+ but provides some syntactic sugar to make specifying address-to-name queries easier. For example
+Index: dnsmasq-2.81/src/dnsmasq.c
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.c
++++ dnsmasq-2.81/src/dnsmasq.c
+@@ -1668,6 +1668,7 @@ static int set_dns_listeners(time_t now)
+ {
+ struct serverfd *serverfdp;
+ struct listener *listener;
++ struct randfd_list *rfl;
+ int wait = 0, i;
+
+ #ifdef HAVE_TFTP
+@@ -1688,11 +1689,14 @@ static int set_dns_listeners(time_t now)
+ for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
+ poll_listen(serverfdp->fd, POLLIN);
+
+- if (daemon->port != 0 && !daemon->osport)
+- for (i = 0; i < RANDOM_SOCKS; i++)
+- if (daemon->randomsocks[i].refcount != 0)
+- poll_listen(daemon->randomsocks[i].fd, POLLIN);
+-
++ for (i = 0; i < RANDOM_SOCKS; i++)
++ if (daemon->randomsocks[i].refcount != 0)
++ poll_listen(daemon->randomsocks[i].fd, POLLIN);
++
++ /* Check overflow random sockets too. */
++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next)
++ poll_listen(rfl->rfd->fd, POLLIN);
++
+ for (listener = daemon->listeners; listener; listener = listener->next)
+ {
+ /* only listen for queries if we have resources */
+@@ -1729,18 +1733,23 @@ static void check_dns_listeners(time_t n
+ {
+ struct serverfd *serverfdp;
+ struct listener *listener;
++ struct randfd_list *rfl;
+ int i;
+ int pipefd[2];
+
+ for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
+ if (poll_check(serverfdp->fd, POLLIN))
+- reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now);
++ reply_query(serverfdp->fd, now);
+
+- if (daemon->port != 0 && !daemon->osport)
+- for (i = 0; i < RANDOM_SOCKS; i++)
+- if (daemon->randomsocks[i].refcount != 0 &&
+- poll_check(daemon->randomsocks[i].fd, POLLIN))
+- reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now);
++ for (i = 0; i < RANDOM_SOCKS; i++)
++ if (daemon->randomsocks[i].refcount != 0 &&
++ poll_check(daemon->randomsocks[i].fd, POLLIN))
++ reply_query(daemon->randomsocks[i].fd, now);
++
++ /* Check overflow random sockets too. */
++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next)
++ if (poll_check(rfl->rfd->fd, POLLIN))
++ reply_query(rfl->rfd->fd, now);
+
+ /* Races. The child process can die before we read all of the data from the
+ pipe, or vice versa. Therefore send tcp_pids to zero when we wait() the
+Index: dnsmasq-2.81/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.h
++++ dnsmasq-2.81/src/dnsmasq.h
+@@ -542,13 +542,20 @@ struct serverfd {
+ };
+
+ struct randfd {
++ struct server *serv;
+ int fd;
+- unsigned short refcount, family;
++ unsigned short refcount; /* refcount == 0xffff means overflow record. */
+ };
+-
++
++struct randfd_list {
++ struct randfd *rfd;
++ struct randfd_list *next;
++};
++
+ struct server {
+ union mysockaddr addr, source_addr;
+ char interface[IF_NAMESIZE+1];
++ unsigned int ifindex; /* corresponding to interface, above */
+ struct serverfd *sfd;
+ char *domain; /* set if this server only handles a domain. */
+ int flags, tcpfd, edns_pktsz;
+@@ -669,8 +676,7 @@ struct frec {
+ struct frec_src *next;
+ } frec_src;
+ struct server *sentto; /* NULL means free */
+- struct randfd *rfd4;
+- struct randfd *rfd6;
++ struct randfd_list *rfds;
+ unsigned short new_id;
+ int fd, forwardall, flags;
+ time_t time;
+@@ -1100,11 +1106,12 @@ extern struct daemon {
+ int forwardcount;
+ struct server *srv_save; /* Used for resend on DoD */
+ size_t packet_len; /* " " */
+- struct randfd *rfd_save; /* " " */
++ int fd_save; /* " " */
+ pid_t tcp_pids[MAX_PROCS];
+ int tcp_pipes[MAX_PROCS];
+ int pipe_to_parent;
+ struct randfd randomsocks[RANDOM_SOCKS];
++ struct randfd_list *rfl_spare, *rfl_poll;
+ int v6pktinfo;
+ struct addrlist *interface_addrs; /* list of all addresses/prefix lengths associated with all local interfaces */
+ int log_id, log_display_id; /* ids of transactions for logging */
+@@ -1275,7 +1282,7 @@ void safe_strncpy(char *dest, const char
+ void safe_pipe(int *fd, int read_noblock);
+ void *whine_malloc(size_t size);
+ int sa_len(union mysockaddr *addr);
+-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2);
++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2);
+ int hostname_isequal(const char *a, const char *b);
+ int hostname_issubdomain(char *a, char *b);
+ time_t dnsmasq_time(void);
+@@ -1326,7 +1333,7 @@ char *parse_server(char *arg, union myso
+ int option_read_dynfile(char *file, int flags);
+
+ /* forward.c */
+-void reply_query(int fd, int family, time_t now);
++void reply_query(int fd, time_t now);
+ void receive_query(struct listener *listen, time_t now);
+ unsigned char *tcp_request(int confd, time_t now,
+ union mysockaddr *local_addr, struct in_addr netmask, int auth_dns);
+@@ -1336,13 +1343,12 @@ int send_from(int fd, int nowild, char *
+ union mysockaddr *to, union all_addr *source,
+ unsigned int iface);
+ void resend_query(void);
+-struct randfd *allocate_rfd(int family);
+-void free_rfd(struct randfd *rfd);
++int allocate_rfd(struct randfd_list **fdlp, struct server *serv);
++void free_rfds(struct randfd_list **fdlp);
+
+ /* network.c */
+ int indextoname(int fd, int index, char *name);
+ int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp);
+-int random_sock(int family);
+ void pre_allocate_sfds(void);
+ int reload_servers(char *fname);
+ void mark_servers(int flag);
+Index: dnsmasq-2.81/src/forward.c
+===================================================================
+--- dnsmasq-2.81.orig/src/forward.c
++++ dnsmasq-2.81/src/forward.c
+@@ -16,7 +16,7 @@
+
+ #include "dnsmasq.h"
+
+-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash);
++static struct frec *lookup_frec(unsigned short id, int fd, void *hash);
+ static struct frec *lookup_frec_by_sender(unsigned short id,
+ union mysockaddr *addr,
+ void *hash);
+@@ -307,26 +307,18 @@ static int forward_query(int udpfd, unio
+ if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign)
+ PUTSHORT(SAFE_PKTSZ, pheader);
+
+- if (forward->sentto->addr.sa.sa_family == AF_INET)
+- log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
+- else
+- log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
+-
+-
+- if (forward->sentto->sfd)
+- fd = forward->sentto->sfd->fd;
+- else
++ if ((fd = allocate_rfd(&forward->rfds, forward->sentto)) != -1)
+ {
+- if (forward->sentto->addr.sa.sa_family == AF_INET6)
+- fd = forward->rfd6->fd;
++ if (forward->sentto->addr.sa.sa_family == AF_INET)
++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
+ else
+- fd = forward->rfd4->fd;
++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
++
++ while (retry_send(sendto(fd, (char *)header, plen, 0,
++ &forward->sentto->addr.sa,
++ sa_len(&forward->sentto->addr))));
+ }
+
+- while (retry_send(sendto(fd, (char *)header, plen, 0,
+- &forward->sentto->addr.sa,
+- sa_len(&forward->sentto->addr))));
+-
+ return 1;
+ }
+ #endif
+@@ -501,49 +493,28 @@ static int forward_query(int udpfd, unio
+
+ while (1)
+ {
++ int fd;
++
+ /* only send to servers dealing with our domain.
+ domain may be NULL, in which case server->domain
+ must be NULL also. */
+
+ if (type == (start->flags & SERV_TYPE) &&
+ (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
+- !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
++ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) &&
++ ((fd = allocate_rfd(&forward->rfds, start)) != -1))
+ {
+- int fd;
+-
+- /* find server socket to use, may need to get random one. */
+- if (start->sfd)
+- fd = start->sfd->fd;
+- else
+- {
+- if (start->addr.sa.sa_family == AF_INET6)
+- {
+- if (!forward->rfd6 &&
+- !(forward->rfd6 = allocate_rfd(AF_INET6)))
+- break;
+- daemon->rfd_save = forward->rfd6;
+- fd = forward->rfd6->fd;
+- }
+- else
+- {
+- if (!forward->rfd4 &&
+- !(forward->rfd4 = allocate_rfd(AF_INET)))
+- break;
+- daemon->rfd_save = forward->rfd4;
+- fd = forward->rfd4->fd;
+- }
+
+ #ifdef HAVE_CONNTRACK
+- /* Copy connection mark of incoming query to outgoing connection. */
+- if (option_bool(OPT_CONNTRACK))
+- {
+- unsigned int mark;
+- if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
+- setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+- }
+-#endif
++ /* Copy connection mark of incoming query to outgoing connection. */
++ if (option_bool(OPT_CONNTRACK))
++ {
++ unsigned int mark;
++ if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark))
++ setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+ }
+-
++#endif
++
+ #ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER))
+ {
+@@ -574,6 +545,7 @@ static int forward_query(int udpfd, unio
+ /* Keep info in case we want to re-send this packet */
+ daemon->srv_save = start;
+ daemon->packet_len = plen;
++ daemon->fd_save = fd;
+
+ if (!gotname)
+ strcpy(daemon->namebuff, "query");
+@@ -590,7 +562,7 @@ static int forward_query(int udpfd, unio
+ break;
+ forward->forwardall++;
+ }
+- }
++ }
+
+ if (!(start = start->next))
+ start = daemon->servers;
+@@ -805,7 +777,7 @@ static size_t process_reply(struct dns_h
+ }
+
+ /* sets new last_server */
+-void reply_query(int fd, int family, time_t now)
++void reply_query(int fd, time_t now)
+ {
+ /* packet from peer server, extract data for cache, and send to
+ original requester */
+@@ -820,9 +792,9 @@ void reply_query(int fd, int family, tim
+
+ /* packet buffer overwritten */
+ daemon->srv_save = NULL;
+-
++
+ /* Determine the address of the server replying so that we can mark that as good */
+- if ((serveraddr.sa.sa_family = family) == AF_INET6)
++ if (serveraddr.sa.sa_family == AF_INET6)
+ serveraddr.in6.sin6_flowinfo = 0;
+
+ header = (struct dns_header *)daemon->packet;
+@@ -845,7 +817,7 @@ void reply_query(int fd, int family, tim
+
+ hash = hash_questions(header, n, daemon->namebuff);
+
+- if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash)))
++ if (!(forward = lookup_frec(ntohs(header->id), fd, hash)))
+ return;
+
+ #ifdef HAVE_DUMPFILE
+@@ -900,25 +872,8 @@ void reply_query(int fd, int family, tim
+ }
+
+
+- if (start->sfd)
+- fd = start->sfd->fd;
+- else
+- {
+- if (start->addr.sa.sa_family == AF_INET6)
+- {
+- /* may have changed family */
+- if (!forward->rfd6)
+- forward->rfd6 = allocate_rfd(AF_INET6);
+- fd = forward->rfd6->fd;
+- }
+- else
+- {
+- /* may have changed family */
+- if (!forward->rfd4)
+- forward->rfd4 = allocate_rfd(AF_INET);
+- fd = forward->rfd4->fd;
+- }
+- }
++ if ((fd = allocate_rfd(&forward->rfds, start)) == -1)
++ return;
+
+ #ifdef HAVE_DUMPFILE
+ dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)plen, NULL, &start->addr);
+@@ -1126,8 +1081,7 @@ void reply_query(int fd, int family, tim
+ }
+
+ new->sentto = server;
+- new->rfd4 = NULL;
+- new->rfd6 = NULL;
++ new->rfds = NULL;
+ new->frec_src.next = NULL;
+ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA);
+ new->forwardall = 0;
+@@ -1166,24 +1120,7 @@ void reply_query(int fd, int family, tim
+ /* Don't resend this. */
+ daemon->srv_save = NULL;
+
+- if (server->sfd)
+- fd = server->sfd->fd;
+- else
+- {
+- fd = -1;
+- if (server->addr.sa.sa_family == AF_INET6)
+- {
+- if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
+- fd = new->rfd6->fd;
+- }
+- else
+- {
+- if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
+- fd = new->rfd4->fd;
+- }
+- }
+-
+- if (fd != -1)
++ if ((fd = allocate_rfd(&new->rfds, server)) != -1)
+ {
+ #ifdef HAVE_CONNTRACK
+ /* Copy connection mark of incoming query to outgoing connection. */
+@@ -1344,7 +1281,7 @@ void receive_query(struct listener *list
+
+ /* packet buffer overwritten */
+ daemon->srv_save = NULL;
+-
++
+ dst_addr_4.s_addr = dst_addr.addr4.s_addr = 0;
+ netmask.s_addr = 0;
+
+@@ -2207,9 +2144,8 @@ static struct frec *allocate_frec(time_t
+ f->next = daemon->frec_list;
+ f->time = now;
+ f->sentto = NULL;
+- f->rfd4 = NULL;
++ f->rfds = NULL;
+ f->flags = 0;
+- f->rfd6 = NULL;
+ #ifdef HAVE_DNSSEC
+ f->dependent = NULL;
+ f->blocking_query = NULL;
+@@ -2221,46 +2157,192 @@ static struct frec *allocate_frec(time_t
+ return f;
+ }
+
+-struct randfd *allocate_rfd(int family)
++/* return a UDP socket bound to a random port, have to cope with straying into
++ occupied port nos and reserved ones. */
++static int random_sock(struct server *s)
++{
++ int fd;
++
++ if ((fd = socket(s->source_addr.sa.sa_family, SOCK_DGRAM, 0)) != -1)
++ {
++ if (local_bind(fd, &s->source_addr, s->interface, s->ifindex, 0))
++ return fd;
++
++ if (s->interface[0] == 0)
++ (void)prettyprint_addr(&s->source_addr, daemon->namebuff);
++ else
++ strcpy(daemon->namebuff, s->interface);
++
++ my_syslog(LOG_ERR, _("failed to bind server socket to %s: %s"),
++ daemon->namebuff, strerror(errno));
++ close(fd);
++ }
++
++ return -1;
++}
++
++/* compare source addresses and interface, serv2 can be null. */
++static int server_isequal(const struct server *serv1,
++ const struct server *serv2)
++{
++ return (serv2 &&
++ serv2->ifindex == serv1->ifindex &&
++ sockaddr_isequal(&serv2->source_addr, &serv1->source_addr) &&
++ strncmp(serv2->interface, serv1->interface, IF_NAMESIZE) == 0);
++}
++
++/* fdlp points to chain of randomfds already in use by transaction.
++ If there's already a suitable one, return it, else allocate a
++ new one and add it to the list.
++
++ Not leaking any resources in the face of allocation failures
++ is rather convoluted here.
++
++ Note that rfd->serv may be NULL, when a server goes away.
++*/
++int allocate_rfd(struct randfd_list **fdlp, struct server *serv)
+ {
+ static int finger = 0;
+- int i;
++ int i, j = 0;
++ struct randfd_list *rfl;
++ struct randfd *rfd = NULL;
++ int fd = 0;
++
++ /* If server has a pre-allocated fd, use that. */
++ if (serv->sfd)
++ return serv->sfd->fd;
++
++ /* existing suitable random port socket linked to this transaction? */
++ for (rfl = *fdlp; rfl; rfl = rfl->next)
++ if (server_isequal(serv, rfl->rfd->serv))
++ return rfl->rfd->fd;
++
++ /* No. need new link. */
++ if ((rfl = daemon->rfl_spare))
++ daemon->rfl_spare = rfl->next;
++ else if (!(rfl = whine_malloc(sizeof(struct randfd_list))))
++ return -1;
+
+ /* limit the number of sockets we have open to avoid starvation of
+ (eg) TFTP. Once we have a reasonable number, randomness should be OK */
+-
+ for (i = 0; i < RANDOM_SOCKS; i++)
+ if (daemon->randomsocks[i].refcount == 0)
+ {
+- if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
+- break;
+-
+- daemon->randomsocks[i].refcount = 1;
+- daemon->randomsocks[i].family = family;
+- return &daemon->randomsocks[i];
++ if ((fd = random_sock(serv)) != -1)
++ {
++ rfd = &daemon->randomsocks[i];
++ rfd->serv = serv;
++ rfd->fd = fd;
++ rfd->refcount = 1;
++ }
++ break;
+ }
+
+ /* No free ones or cannot get new socket, grab an existing one */
+- for (i = 0; i < RANDOM_SOCKS; i++)
++ if (!rfd)
++ for (j = 0; j < RANDOM_SOCKS; j++)
++ {
++ i = (j + finger) % RANDOM_SOCKS;
++ if (daemon->randomsocks[i].refcount != 0 &&
++ server_isequal(serv, daemon->randomsocks[i].serv) &&
++ daemon->randomsocks[i].refcount != 0xfffe)
++ {
++ finger = i + 1;
++ rfd = &daemon->randomsocks[i];
++ rfd->refcount++;
++ break;
++ }
++ }
++
++ if (j == RANDOM_SOCKS)
+ {
+- int j = (i+finger) % RANDOM_SOCKS;
+- if (daemon->randomsocks[j].refcount != 0 &&
+- daemon->randomsocks[j].family == family &&
+- daemon->randomsocks[j].refcount != 0xffff)
++ struct randfd_list *rfl_poll;
++
++ /* there are no free slots, and non with the same parameters we can piggy-back on.
++ We're going to have to allocate a new temporary record, distinguished by
++ refcount == 0xffff. This will exist in the frec randfd list, never be shared,
++ and be freed when no longer in use. It will also be held on
++ the daemon->rfl_poll list so the poll system can find it. */
++
++ if ((rfl_poll = daemon->rfl_spare))
++ daemon->rfl_spare = rfl_poll->next;
++ else
++ rfl_poll = whine_malloc(sizeof(struct randfd_list));
++
++ if (!rfl_poll ||
++ !(rfd = whine_malloc(sizeof(struct randfd))) ||
++ (fd = random_sock(serv)) == -1)
+ {
+- finger = j;
+- daemon->randomsocks[j].refcount++;
+- return &daemon->randomsocks[j];
++
++ /* Don't leak anything we may already have */
++ rfl->next = daemon->rfl_spare;
++ daemon->rfl_spare = rfl;
++
++ if (rfl_poll)
++ {
++ rfl_poll->next = daemon->rfl_spare;
++ daemon->rfl_spare = rfl_poll;
++ }
++
++ if (rfd)
++ free(rfd);
++
++ return -1; /* doom */
+ }
++
++ /* Note rfd->serv not set here, since it's not reused */
++ rfd->fd = fd;
++ rfd->refcount = 0xffff; /* marker for temp record */
++
++ rfl_poll->rfd = rfd;
++ rfl_poll->next = daemon->rfl_poll;
++ daemon->rfl_poll = rfl_poll;
+ }
+
+- return NULL; /* doom */
++ rfl->rfd = rfd;
++ rfl->next = *fdlp;
++ *fdlp = rfl;
++
++ return rfl->rfd->fd;
+ }
+
+-void free_rfd(struct randfd *rfd)
++void free_rfds(struct randfd_list **fdlp)
+ {
+- if (rfd && --(rfd->refcount) == 0)
+- close(rfd->fd);
++ struct randfd_list *tmp, *rfl, *poll, *next, **up;
++
++ for (rfl = *fdlp; rfl; rfl = tmp)
++ {
++ if (rfl->rfd->refcount == 0xffff || --(rfl->rfd->refcount) == 0)
++ close(rfl->rfd->fd);
++
++ /* temporary overflow record */
++ if (rfl->rfd->refcount == 0xffff)
++ {
++ free(rfl->rfd);
++
++ /* go through the link of all these by steam to delete.
++ This list is expected to be almost always empty. */
++ for (poll = daemon->rfl_poll, up = &daemon->rfl_poll; poll; poll = next)
++ {
++ next = poll->next;
++
++ if (poll->rfd == rfl->rfd)
++ {
++ *up = poll->next;
++ poll->next = daemon->rfl_spare;
++ daemon->rfl_spare = poll;
++ }
++ else
++ up = &poll->next;
++ }
++ }
++
++ tmp = rfl->next;
++ rfl->next = daemon->rfl_spare;
++ daemon->rfl_spare = rfl;
++ }
++
++ *fdlp = NULL;
+ }
+
+ static void free_frec(struct frec *f)
+@@ -2276,12 +2358,9 @@ static void free_frec(struct frec *f)
+ }
+
+ f->frec_src.next = NULL;
+- free_rfd(f->rfd4);
+- f->rfd4 = NULL;
++ free_rfds(&f->rfds);
+ f->sentto = NULL;
+ f->flags = 0;
+- free_rfd(f->rfd6);
+- f->rfd6 = NULL;
+
+ #ifdef HAVE_DNSSEC
+ if (f->stash)
+@@ -2389,26 +2468,39 @@ struct frec *get_new_frec(time_t now, in
+ }
+
+ /* crc is all-ones if not known. */
+-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash)
++static struct frec *lookup_frec(unsigned short id, int fd, void *hash)
+ {
+ struct frec *f;
++ struct server *s;
++ int type;
++ struct randfd_list *fdl;
+
+ for(f = daemon->frec_list; f; f = f->next)
+ if (f->sentto && f->new_id == id &&
+ (memcmp(hash, f->hash, HASH_SIZE) == 0))
+ {
+ /* sent from random port */
+- if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd)
++ for (fdl = f->rfds; fdl; fdl = fdl->next)
++ if (fdl->rfd->fd == fd)
+ return f;
++ }
+
+- if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd)
+- return f;
++ /* Sent to upstream from socket associated with a server.
++ Note we have to iterate over all the possible servers, since they may
++ have different bound sockets. */
++ type = f->sentto->flags & SERV_TYPE;
++ s = f->sentto;
++ do {
++ if ((type == (s->flags & SERV_TYPE)) &&
++ (type != SERV_HAS_DOMAIN ||
++ (s->domain && hostname_isequal(f->sentto->domain, s->domain))) &&
++ !(s->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) &&
++ s->sfd && s->sfd->fd == fd)
++ return f;
++
++ s = s->next ? s->next : daemon->servers;
++ } while (s != f->sentto);
+
+- /* sent to upstream from bound socket. */
+- if (f->sentto->sfd && f->sentto->sfd->fd == fd)
+- return f;
+- }
+-
+ return NULL;
+ }
+
+@@ -2454,30 +2546,26 @@ static struct frec *lookup_frec_by_query
+ void resend_query()
+ {
+ if (daemon->srv_save)
+- {
+- int fd;
+-
+- if (daemon->srv_save->sfd)
+- fd = daemon->srv_save->sfd->fd;
+- else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
+- fd = daemon->rfd_save->fd;
+- else
+- return;
+-
+- while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
+- &daemon->srv_save->addr.sa,
+- sa_len(&daemon->srv_save->addr))));
+- }
++ while(retry_send(sendto(daemon->fd_save, daemon->packet, daemon->packet_len, 0,
++ &daemon->srv_save->addr.sa,
++ sa_len(&daemon->srv_save->addr))));
+ }
+
+ /* A server record is going away, remove references to it */
+ void server_gone(struct server *server)
+ {
+ struct frec *f;
++ int i;
+
+ for (f = daemon->frec_list; f; f = f->next)
+ if (f->sentto && f->sentto == server)
+ free_frec(f);
++
++ /* If any random socket refers to this server, NULL the reference.
++ No more references to the socket will be created in the future. */
++ for (i = 0; i < RANDOM_SOCKS; i++)
++ if (daemon->randomsocks[i].refcount != 0 && daemon->randomsocks[i].serv == server)
++ daemon->randomsocks[i].serv = NULL;
+
+ if (daemon->last_server == server)
+ daemon->last_server = NULL;
+Index: dnsmasq-2.81/src/loop.c
+===================================================================
+--- dnsmasq-2.81.orig/src/loop.c
++++ dnsmasq-2.81/src/loop.c
+@@ -22,6 +22,7 @@ static ssize_t loop_make_probe(u32 uid);
+ void loop_send_probes()
+ {
+ struct server *serv;
++ struct randfd_list *rfds = NULL;
+
+ if (!option_bool(OPT_LOOP_DETECT))
+ return;
+@@ -34,22 +35,15 @@ void loop_send_probes()
+ {
+ ssize_t len = loop_make_probe(serv->uid);
+ int fd;
+- struct randfd *rfd = NULL;
+
+- if (serv->sfd)
+- fd = serv->sfd->fd;
+- else
+- {
+- if (!(rfd = allocate_rfd(serv->addr.sa.sa_family)))
+- continue;
+- fd = rfd->fd;
+- }
++ if ((fd = allocate_rfd(&rfds, serv)) == -1)
++ continue;
+
+ while (retry_send(sendto(fd, daemon->packet, len, 0,
+ &serv->addr.sa, sa_len(&serv->addr))));
+-
+- free_rfd(rfd);
+ }
++
++ free_rfds(&rfds);
+ }
+
+ static ssize_t loop_make_probe(u32 uid)
+Index: dnsmasq-2.81/src/network.c
+===================================================================
+--- dnsmasq-2.81.orig/src/network.c
++++ dnsmasq-2.81/src/network.c
+@@ -545,6 +545,7 @@ int enumerate_interfaces(int reset)
+ #ifdef HAVE_AUTH
+ struct auth_zone *zone;
+ #endif
++ struct server *serv;
+
+ /* Do this max once per select cycle - also inhibits netlink socket use
+ in TCP child processes. */
+@@ -562,7 +563,21 @@ int enumerate_interfaces(int reset)
+
+ if ((param.fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
+ return 0;
+-
++
++ /* iface indexes can change when interfaces are created/destroyed.
++ We use them in the main forwarding control path, when the path
++ to a server is specified by an interface, so cache them.
++ Update the cache here. */
++ for (serv = daemon->servers; serv; serv = serv->next)
++ if (strlen(serv->interface) != 0)
++ {
++ struct ifreq ifr;
++
++ safe_strncpy(ifr.ifr_name, serv->interface, IF_NAMESIZE);
++ if (ioctl(param.fd, SIOCGIFINDEX, &ifr) != -1)
++ serv->ifindex = ifr.ifr_ifindex;
++ }
++
+ /* Mark interfaces for garbage collection */
+ for (iface = daemon->interfaces; iface; iface = iface->next)
+ iface->found = 0;
+@@ -658,7 +673,7 @@ int enumerate_interfaces(int reset)
+
+ errno = errsave;
+ spare = param.spare;
+-
++
+ return ret;
+ }
+
+@@ -798,10 +813,10 @@ int tcp_interface(int fd, int af)
+ /* use mshdr so that the CMSDG_* macros are available */
+ msg.msg_control = daemon->packet;
+ msg.msg_controllen = len = daemon->packet_buff_sz;
+-
++
+ /* we overwrote the buffer... */
+ daemon->srv_save = NULL;
+-
++
+ if (af == AF_INET)
+ {
+ if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 &&
+@@ -1102,59 +1117,6 @@ void join_multicast(int dienow)
+ }
+ #endif
+
+-/* return a UDP socket bound to a random port, have to cope with straying into
+- occupied port nos and reserved ones. */
+-int random_sock(int family)
+-{
+- int fd;
+-
+- if ((fd = socket(family, SOCK_DGRAM, 0)) != -1)
+- {
+- union mysockaddr addr;
+- unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1;
+- int tries = ports_avail < 30 ? 3 * ports_avail : 100;
+-
+- memset(&addr, 0, sizeof(addr));
+- addr.sa.sa_family = family;
+-
+- /* don't loop forever if all ports in use. */
+-
+- if (fix_fd(fd))
+- while(tries--)
+- {
+- unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail)));
+-
+- if (family == AF_INET)
+- {
+- addr.in.sin_addr.s_addr = INADDR_ANY;
+- addr.in.sin_port = port;
+-#ifdef HAVE_SOCKADDR_SA_LEN
+- addr.in.sin_len = sizeof(struct sockaddr_in);
+-#endif
+- }
+- else
+- {
+- addr.in6.sin6_addr = in6addr_any;
+- addr.in6.sin6_port = port;
+-#ifdef HAVE_SOCKADDR_SA_LEN
+- addr.in6.sin6_len = sizeof(struct sockaddr_in6);
+-#endif
+- }
+-
+- if (bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == 0)
+- return fd;
+-
+- if (errno != EADDRINUSE && errno != EACCES)
+- break;
+- }
+-
+- close(fd);
+- }
+-
+- return -1;
+-}
+-
+-
+ int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp)
+ {
+ union mysockaddr addr_copy = *addr;
+@@ -1199,38 +1161,33 @@ int local_bind(int fd, union mysockaddr
+ return 1;
+ }
+
+-static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
++static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname, unsigned int ifindex)
+ {
+ struct serverfd *sfd;
+- unsigned int ifindex = 0;
+ int errsave;
+ int opt = 1;
+
+ /* when using random ports, servers which would otherwise use
+- the INADDR_ANY/port0 socket have sfd set to NULL */
+- if (!daemon->osport && intname[0] == 0)
++ the INADDR_ANY/port0 socket have sfd set to NULL, this is
++ anything without an explictly set source port. */
++ if (!daemon->osport)
+ {
+ errno = 0;
+
+ if (addr->sa.sa_family == AF_INET &&
+- addr->in.sin_addr.s_addr == INADDR_ANY &&
+ addr->in.sin_port == htons(0))
+ return NULL;
+
+ if (addr->sa.sa_family == AF_INET6 &&
+- memcmp(&addr->in6.sin6_addr, &in6addr_any, sizeof(in6addr_any)) == 0 &&
+ addr->in6.sin6_port == htons(0))
+ return NULL;
+ }
+
+- if (intname && strlen(intname) != 0)
+- ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */
+-
+ /* may have a suitable one already */
+ for (sfd = daemon->sfds; sfd; sfd = sfd->next )
+- if (sockaddr_isequal(&sfd->source_addr, addr) &&
+- strcmp(intname, sfd->interface) == 0 &&
+- ifindex == sfd->ifindex)
++ if (ifindex == sfd->ifindex &&
++ sockaddr_isequal(&sfd->source_addr, addr) &&
++ strcmp(intname, sfd->interface) == 0)
+ return sfd;
+
+ /* need to make a new one. */
+@@ -1281,7 +1238,7 @@ void pre_allocate_sfds(void)
+ #ifdef HAVE_SOCKADDR_SA_LEN
+ addr.in.sin_len = sizeof(struct sockaddr_in);
+ #endif
+- if ((sfd = allocate_sfd(&addr, "")))
++ if ((sfd = allocate_sfd(&addr, "", 0)))
+ sfd->preallocated = 1;
+
+ memset(&addr, 0, sizeof(addr));
+@@ -1291,13 +1248,13 @@ void pre_allocate_sfds(void)
+ #ifdef HAVE_SOCKADDR_SA_LEN
+ addr.in6.sin6_len = sizeof(struct sockaddr_in6);
+ #endif
+- if ((sfd = allocate_sfd(&addr, "")))
++ if ((sfd = allocate_sfd(&addr, "", 0)))
+ sfd->preallocated = 1;
+ }
+
+ for (srv = daemon->servers; srv; srv = srv->next)
+ if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)) &&
+- !allocate_sfd(&srv->source_addr, srv->interface) &&
++ !allocate_sfd(&srv->source_addr, srv->interface, srv->ifindex) &&
+ errno != 0 &&
+ option_bool(OPT_NOWILD))
+ {
+@@ -1506,7 +1463,7 @@ void check_servers(void)
+
+ /* Do we need a socket set? */
+ if (!serv->sfd &&
+- !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface)) &&
++ !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface, serv->ifindex)) &&
+ errno != 0)
+ {
+ my_syslog(LOG_WARNING,
+Index: dnsmasq-2.81/src/option.c
+===================================================================
+--- dnsmasq-2.81.orig/src/option.c
++++ dnsmasq-2.81/src/option.c
+@@ -810,7 +810,8 @@ char *parse_server(char *arg, union myso
+ if (interface_opt)
+ {
+ #if defined(SO_BINDTODEVICE)
+- safe_strncpy(interface, interface_opt, IF_NAMESIZE);
++ safe_strncpy(interface, source, IF_NAMESIZE);
++ source = interface_opt;
+ #else
+ return _("interface binding not supported");
+ #endif
+Index: dnsmasq-2.81/src/tftp.c
+===================================================================
+--- dnsmasq-2.81.orig/src/tftp.c
++++ dnsmasq-2.81/src/tftp.c
+@@ -601,7 +601,7 @@ void check_tftp_listeners(time_t now)
+
+ /* we overwrote the buffer... */
+ daemon->srv_save = NULL;
+-
++
+ if ((len = get_block(daemon->packet, transfer)) == -1)
+ {
+ len = tftp_err_oops(daemon->packet, transfer->file->filename);
+Index: dnsmasq-2.81/src/util.c
+===================================================================
+--- dnsmasq-2.81.orig/src/util.c
++++ dnsmasq-2.81/src/util.c
+@@ -316,7 +316,7 @@ void *whine_malloc(size_t size)
+ return ret;
+ }
+
+-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2)
++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2)
+ {
+ if (s1->sa.sa_family == s2->sa.sa_family)
+ {
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
index a1dc0f3a0..2fb389915 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb
@@ -10,4 +10,5 @@ SRC_URI += "\
file://CVE-2020-25685-2.patch \
file://CVE-2020-25686-1.patch \
file://CVE-2020-25686-2.patch \
+ file://CVE-2021-3448.patch \
"
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
new file mode 100644
index 000000000..5580cd409
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch
@@ -0,0 +1,30 @@
+From bd9d2fe7da833f0e4705a8280efc56930371806b Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Wed, 6 May 2020 13:40:36 +0300
+Subject: [PATCH 1/3] auth: mech-rpa - Fail on zero len buffer
+
+---
+ src/auth/mech-rpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12674
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
+index 08298ebdd6..2de8705b4f 100644
+--- a/src/auth/mech-rpa.c
++++ b/src/auth/mech-rpa.c
+@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
+ return 0;
+
+ len = *p++;
+- if (p + len > end)
++ if (p + len > end || len == 0)
+ return 0;
+
+ *buffer = p_malloc(pool, len);
+--
+2.11.0
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch
index f86235076..3f87714dc 100644
--- a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch
@@ -13,11 +13,11 @@ Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
configure.ac | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index 3b32614..94ec002 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -519,13 +519,10 @@ have_ioloop=no
+Index: dovecot-2.2.36.4/configure.ac
+===================================================================
+--- dovecot-2.2.36.4.orig/configure.ac
++++ dovecot-2.2.36.4/configure.ac
+@@ -490,13 +490,10 @@ have_ioloop=no
if test "$ioloop" = "best" || test "$ioloop" = "epoll"; then
AC_CACHE_CHECK([whether we can use epoll],i_cv_epoll_works,[
@@ -34,7 +34,7 @@ index 3b32614..94ec002 100644
], [
i_cv_epoll_works=yes
], [
-@@ -653,7 +650,7 @@ fi
+@@ -596,7 +593,7 @@ fi
dnl * Old glibcs have broken posix_fallocate(). Make sure not to use it.
dnl * It may also be broken in AIX.
AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[
@@ -43,7 +43,7 @@ index 3b32614..94ec002 100644
#define _XOPEN_SOURCE 600
#include <stdio.h>
#include <stdlib.h>
-@@ -662,7 +659,7 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[
+@@ -605,7 +602,7 @@ AC_CACHE_CHECK([whether posix_fallocate(
#if defined(__GLIBC__) && (__GLIBC__ < 2 || __GLIBC_MINOR__ < 7)
possibly broken posix_fallocate
#endif
@@ -52,7 +52,7 @@ index 3b32614..94ec002 100644
int fd = creat("conftest.temp", 0600);
int ret;
if (fd == -1) {
-@@ -671,8 +668,6 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[
+@@ -614,8 +611,6 @@ AC_CACHE_CHECK([whether posix_fallocate(
}
ret = posix_fallocate(fd, 1024, 1024) < 0 ? 1 : 0;
unlink("conftest.temp");
@@ -61,6 +61,3 @@ index 3b32614..94ec002 100644
], [
i_cv_posix_fallocate_works=yes
], [
---
-1.8.4.2
-
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch
index 65ae9bf91..3170ae865 100644
--- a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch
@@ -18,11 +18,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
src/doveadm/Makefile.am | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/src/doveadm/Makefile.am b/src/doveadm/Makefile.am
-index c644646..6ae9144 100644
---- a/src/doveadm/Makefile.am
-+++ b/src/doveadm/Makefile.am
-@@ -180,8 +180,8 @@ test_libs = \
+Index: dovecot-2.2.36.4/src/doveadm/Makefile.am
+===================================================================
+--- dovecot-2.2.36.4.orig/src/doveadm/Makefile.am
++++ dovecot-2.2.36.4/src/doveadm/Makefile.am
+@@ -182,8 +182,8 @@ test_libs = \
../lib/liblib.la
test_deps = $(noinst_LTLIBRARIES) $(test_libs)
@@ -33,6 +33,3 @@ index c644646..6ae9144 100644
test_doveadm_util_DEPENDENCIES = $(test_deps)
check: check-am check-test
---
-2.14.2
-
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
new file mode 100644
index 000000000..583f71ca5
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch
@@ -0,0 +1,76 @@
+From 667d353b0f217372e8cc43ea4fe13466689c7ed0 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 11:33:31 +0300
+Subject: [PATCH 01/13] lib-mail: message-parser - Add a message_part_finish()
+ helper function
+
+---
+ src/lib-mail/message-parser.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index b1de1950a..aaa8dd8b7 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -195,6 +195,13 @@ message_part_append(pool_t pool, struct message_part *parent)
+ return part;
+ }
+
++static void message_part_finish(struct message_parser_ctx *ctx)
++{
++ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
++ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size);
++ ctx->part = ctx->part->parent;
++}
++
+ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ {
+ struct message_boundary *b;
+@@ -312,19 +319,16 @@ static int parse_part_finish(struct message_parser_ctx *ctx,
+ struct message_boundary *boundary,
+ struct message_block *block_r, bool first_line)
+ {
+- struct message_part *part;
+ size_t line_size;
+
+ i_assert(ctx->last_boundary == NULL);
+
+ /* get back to parent MIME part, summing the child MIME part sizes
+ into parent's body sizes */
+- for (part = ctx->part; part != boundary->part; part = part->parent) {
+- message_size_add(&part->parent->body_size, &part->body_size);
+- message_size_add(&part->parent->body_size, &part->header_size);
++ while (ctx->part != boundary->part) {
++ message_part_finish(ctx);
++ i_assert(ctx->part != NULL);
+ }
+- i_assert(part != NULL);
+- ctx->part = part;
+
+ if (boundary->epilogue_found) {
+ /* this boundary isn't needed anymore */
+@@ -1132,13 +1136,8 @@ int message_parser_parse_next_block(struct message_parser_ctx *ctx,
+ i_assert(ctx->input->eof || ctx->input->closed ||
+ ctx->input->stream_errno != 0 ||
+ ctx->broken_reason != NULL);
+- while (ctx->part->parent != NULL) {
+- message_size_add(&ctx->part->parent->body_size,
+- &ctx->part->body_size);
+- message_size_add(&ctx->part->parent->body_size,
+- &ctx->part->header_size);
+- ctx->part = ctx->part->parent;
+- }
++ while (ctx->part->parent != NULL)
++ message_part_finish(ctx);
+ }
+
+ if (block_r->size == 0) {
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch
new file mode 100644
index 000000000..9f24320eb
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch
@@ -0,0 +1,71 @@
+From de0da7bc8df55521db8fa787f88e293618c96386 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 11:34:22 +0300
+Subject: [PATCH 02/13] lib-mail: message-parser - Change message_part_append()
+ to do all work internally
+
+---
+ src/lib-mail/message-parser.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index aaa8dd8b7..2edf3e7a6 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -167,16 +167,17 @@ static int message_parser_read_more(struct message_parser_ctx *ctx,
+ return 1;
+ }
+
+-static struct message_part *
+-message_part_append(pool_t pool, struct message_part *parent)
++static void
++message_part_append(struct message_parser_ctx *ctx)
+ {
++ struct message_part *parent = ctx->part;
+ struct message_part *p, *part, **list;
+
+ i_assert(parent != NULL);
+ i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+ MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0);
+
+- part = p_new(pool, struct message_part, 1);
++ part = p_new(ctx->part_pool, struct message_part, 1);
+ part->parent = parent;
+ for (p = parent; p != NULL; p = p->parent)
+ p->children_count++;
+@@ -192,7 +193,7 @@ message_part_append(pool_t pool, struct message_part *parent)
+ list = &(*list)->next;
+
+ *list = part;
+- return part;
++ ctx->part = part;
+ }
+
+ static void message_part_finish(struct message_parser_ctx *ctx)
+@@ -220,7 +221,7 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx,
+ struct message_block *block_r)
+ {
+- ctx->part = message_part_append(ctx->part_pool, ctx->part);
++ message_part_append(ctx);
+ return parse_next_header_init(ctx, block_r);
+ }
+
+@@ -270,7 +271,7 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ static int parse_next_mime_header_init(struct message_parser_ctx *ctx,
+ struct message_block *block_r)
+ {
+- ctx->part = message_part_append(ctx->part_pool, ctx->part);
++ message_part_append(ctx);
+ ctx->part->flags |= MESSAGE_PART_FLAG_IS_MIME;
+
+ return parse_next_header_init(ctx, block_r);
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
new file mode 100644
index 000000000..81aead8aa
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch
@@ -0,0 +1,37 @@
+Backport of:
+
+From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Mon, 18 May 2020 12:33:39 +0300
+Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses
+
+Add missing check for buffer length.
+
+If this is not checked, it is possible to send message which
+causes read past buffer bug.
+
+Broken in c7480644202e5451fbed448508ea29a25cffc99c
+---
+ src/lib-ntlm/ntlm-message.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12673
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/src/lib-ntlm/ntlm-message.c
++++ b/src/lib-ntlm/ntlm-message.c
+@@ -184,6 +184,11 @@ static int ntlmssp_check_buffer(const st
+ if (length == 0 && space == 0)
+ return 1;
+
++ if (length > data_size) {
++ *error = "buffer length out of bounds";
++ return 0;
++ }
++
+ if (offset >= data_size) {
+ *error = "buffer offset out of bounds";
+ return 0;
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch
new file mode 100644
index 000000000..e53090235
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch
@@ -0,0 +1,49 @@
+From a9800b436fcf1f9633c2b136a9c5cb7a486a8a52 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 11:36:48 +0300
+Subject: [PATCH 03/13] lib-mail: message-parser - Optimize updating
+ children_count
+
+---
+ src/lib-mail/message-parser.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 2edf3e7a6..05768a058 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -171,7 +171,7 @@ static void
+ message_part_append(struct message_parser_ctx *ctx)
+ {
+ struct message_part *parent = ctx->part;
+- struct message_part *p, *part, **list;
++ struct message_part *part, **list;
+
+ i_assert(parent != NULL);
+ i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+@@ -179,8 +179,6 @@ message_part_append(struct message_parser_ctx *ctx)
+
+ part = p_new(ctx->part_pool, struct message_part, 1);
+ part->parent = parent;
+- for (p = parent; p != NULL; p = p->parent)
+- p->children_count++;
+
+ /* set child position */
+ part->physical_pos =
+@@ -200,6 +198,7 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ {
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size);
++ ctx->part->parent->children_count += 1 + ctx->part->children_count;
+ ctx->part = ctx->part->parent;
+ }
+
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch
new file mode 100644
index 000000000..ba6667fa9
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch
@@ -0,0 +1,90 @@
+From 99ee7596712cf0ea0a288b712bc898ecb2b35f9b Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 12:00:38 +0300
+Subject: [PATCH 04/13] lib-mail: message-parser - Optimize appending new part
+ to linked list
+
+---
+ src/lib-mail/message-parser.c | 28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+Index: dovecot-2.2.36.4/src/lib-mail/message-parser.c
+===================================================================
+--- dovecot-2.2.36.4.orig/src/lib-mail/message-parser.c
++++ dovecot-2.2.36.4/src/lib-mail/message-parser.c
+@@ -1,7 +1,7 @@
+ /* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */
+
+ #include "lib.h"
+-#include "buffer.h"
++#include "array.h"
+ #include "str.h"
+ #include "istream.h"
+ #include "rfc822-parser.h"
+@@ -34,6 +34,9 @@ struct message_parser_ctx {
+ const char *last_boundary;
+ struct message_boundary *boundaries;
+
++ struct message_part **next_part;
++ ARRAY(struct message_part **) next_part_stack;
++
+ size_t skip;
+ char last_chr;
+ unsigned int want_count;
+@@ -171,7 +174,7 @@ static void
+ message_part_append(struct message_parser_ctx *ctx)
+ {
+ struct message_part *parent = ctx->part;
+- struct message_part *part, **list;
++ struct message_part *part;
+
+ i_assert(parent != NULL);
+ i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART |
+@@ -186,16 +189,27 @@ message_part_append(struct message_parse
+ parent->body_size.physical_size +
+ parent->header_size.physical_size;
+
+- list = &part->parent->children;
+- while (*list != NULL)
+- list = &(*list)->next;
++ /* add to parent's linked list */
++ *ctx->next_part = part;
++ /* update the parent's end-of-linked-list pointer */
++ struct message_part **next_part = &part->next;
++ array_append(&ctx->next_part_stack, &next_part, 1);
++ /* This part is now the new parent for the next message_part_append()
++ call. Its linked list begins with the children pointer. */
++ ctx->next_part = &part->children;
+
+- *list = part;
+ ctx->part = part;
+ }
+
+ static void message_part_finish(struct message_parser_ctx *ctx)
+ {
++ struct message_part **const *parent_next_partp;
++ unsigned int count = array_count(&ctx->next_part_stack);
++
++ parent_next_partp = array_idx(&ctx->next_part_stack, count-1);
++ array_delete(&ctx->next_part_stack, count-1, 1);
++ ctx->next_part = *parent_next_partp;
++
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size);
+ ctx->part->parent->children_count += 1 + ctx->part->children_count;
+@@ -1062,7 +1076,9 @@ message_parser_init(pool_t part_pool, st
+ ctx = message_parser_init_int(input, hdr_flags, flags);
+ ctx->part_pool = part_pool;
+ ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1);
++ ctx->next_part = &ctx->part->children;
+ ctx->parse_next_block = parse_next_header_init;
++ p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4);
+ return ctx;
+ }
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch
new file mode 100644
index 000000000..4e63509b4
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch
@@ -0,0 +1,45 @@
+From e39c95b248917eb2b596ca55a957f3cbc7fd406f Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 12:10:07 +0300
+Subject: [PATCH 05/13] lib-mail: message-parser - Minor code cleanup to
+ finding the end of boundary line
+
+---
+ src/lib-mail/message-parser.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index ff4e09e5a..6c6a680b5 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -260,17 +260,16 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ }
+
+ /* need to find the end of line */
+- if (memchr(data + 2, '\n', size - 2) == NULL &&
+- size < BOUNDARY_END_MAX_LEN &&
++ data += 2;
++ size -= 2;
++ if (memchr(data, '\n', size) == NULL &&
++ size+2 < BOUNDARY_END_MAX_LEN &&
+ !ctx->input->eof && !full) {
+ /* no LF found */
+ ctx->want_count = BOUNDARY_END_MAX_LEN;
+ return 0;
+ }
+
+- data += 2;
+- size -= 2;
+-
+ *boundary_r = boundary_find(ctx->boundaries, data, size);
+ if (*boundary_r == NULL)
+ return -1;
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
new file mode 100644
index 000000000..1012d7983
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
@@ -0,0 +1,163 @@
+From aed125484a346b4893c1a169088c39fe7ced01f3 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 12:53:12 +0300
+Subject: [PATCH 06/13] lib-mail: message-parser - Truncate excessively long
+ MIME boundaries
+
+RFC 2046 requires that the boundaries are a maximum of 70 characters
+(excluding the "--" prefix and suffix). We allow 80 characters for a bit of
+extra safety. Anything longer than that is truncated and treated the same
+as if it was just 80 characters.
+---
+ src/lib-mail/message-parser.c | 7 ++-
+ src/lib-mail/test-message-parser.c | 95 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 100 insertions(+), 2 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 6c6a680b5..92f541b02 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -10,7 +10,8 @@
+
+ /* RFC-2046 requires boundaries are max. 70 chars + "--" prefix + "--" suffix.
+ We'll add a bit more just in case. */
+-#define BOUNDARY_END_MAX_LEN (70 + 2 + 2 + 10)
++#define BOUNDARY_STRING_MAX_LEN (70 + 10)
++#define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2)
+
+ struct message_boundary {
+ struct message_boundary *next;
+@@ -526,8 +527,10 @@ static void parse_content_type(struct message_parser_ctx *ctx,
+ rfc2231_parse(&parser, &results);
+ for (; *results != NULL; results += 2) {
+ if (strcasecmp(results[0], "boundary") == 0) {
++ /* truncate excessively long boundaries */
+ ctx->last_boundary =
+- p_strdup(ctx->parser_pool, results[1]);
++ p_strndup(ctx->parser_pool, results[1],
++ BOUNDARY_STRING_MAX_LEN);
+ break;
+ }
+ }
+diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
+index 1f1aa1437..94aa3eb7c 100644
+--- a/src/lib-mail/test-message-parser.c
++++ b/src/lib-mail/test-message-parser.c
+@@ -642,6 +642,100 @@ static void test_message_parser_no_eoh(void)
+ test_end();
+ }
+
++static void test_message_parser_long_mime_boundary(void)
++{
++ /* Close the boundaries in wrong reverse order. But because all
++ boundaries are actually truncated to the same size (..890) it
++ works the same as if all of them were duplicate boundaries. */
++static const char input_msg[] =
++"Content-Type: multipart/mixed; boundary=\"1234567890123456789012345678901234567890123456789012345678901234567890123456789012\"\n"
++"\n"
++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n"
++"Content-Type: multipart/mixed; boundary=\"123456789012345678901234567890123456789012345678901234567890123456789012345678901\"\n"
++"\n"
++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n"
++"Content-Type: multipart/mixed; boundary=\"12345678901234567890123456789012345678901234567890123456789012345678901234567890\"\n"
++"\n"
++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n"
++"Content-Type: text/plain\n"
++"\n"
++"1\n"
++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n"
++"Content-Type: text/plain\n"
++"\n"
++"22\n"
++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n"
++"Content-Type: text/plain\n"
++"\n"
++"333\n"
++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n"
++"Content-Type: text/plain\n"
++"\n"
++"4444\n";
++ struct message_parser_ctx *parser;
++ struct istream *input;
++ struct message_part *parts, *part;
++ struct message_block block;
++ pool_t pool;
++ int ret;
++
++ test_begin("message parser long mime boundary");
++ pool = pool_alloconly_create("message parser", 10240);
++ input = test_istream_create(input_msg);
++
++ parser = message_parser_init(pool, input, 0, 0);
++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ;
++ test_assert(ret < 0);
++ message_parser_deinit(&parser, &parts);
++
++ part = parts;
++ test_assert(part->children_count == 6);
++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME));
++ test_assert(part->header_size.lines == 2);
++ test_assert(part->header_size.physical_size == 126);
++ test_assert(part->header_size.virtual_size == 126+2);
++ test_assert(part->body_size.lines == 22);
++ test_assert(part->body_size.physical_size == 871);
++ test_assert(part->body_size.virtual_size == 871+22);
++
++ part = parts->children;
++ test_assert(part->children_count == 5);
++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME));
++ test_assert(part->header_size.lines == 2);
++ test_assert(part->header_size.physical_size == 125);
++ test_assert(part->header_size.virtual_size == 125+2);
++ test_assert(part->body_size.lines == 19);
++ test_assert(part->body_size.physical_size == 661);
++ test_assert(part->body_size.virtual_size == 661+19);
++
++ part = parts->children->children;
++ test_assert(part->children_count == 4);
++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME));
++ test_assert(part->header_size.lines == 2);
++ test_assert(part->header_size.physical_size == 124);
++ test_assert(part->header_size.virtual_size == 124+2);
++ test_assert(part->body_size.lines == 16);
++ test_assert(part->body_size.physical_size == 453);
++ test_assert(part->body_size.virtual_size == 453+16);
++
++ part = parts->children->children->children;
++ for (unsigned int i = 1; i <= 3; i++, part = part->next) {
++ test_assert(part->children_count == 0);
++ test_assert(part->flags == (MESSAGE_PART_FLAG_TEXT | MESSAGE_PART_FLAG_IS_MIME));
++ test_assert(part->header_size.lines == 2);
++ test_assert(part->header_size.physical_size == 26);
++ test_assert(part->header_size.virtual_size == 26+2);
++ test_assert(part->body_size.lines == 0);
++ test_assert(part->body_size.physical_size == i);
++ test_assert(part->body_size.virtual_size == i);
++ }
++
++ test_parsed_parts(input, parts);
++ i_stream_unref(&input);
++ pool_unref(&pool);
++ test_end();
++}
++
+ int main(void)
+ {
+ static void (*test_functions[])(void) = {
+@@ -654,6 +748,7 @@ int main(void)
+ test_message_parser_garbage_suffix_mime_boundary,
+ test_message_parser_continuing_mime_boundary,
+ test_message_parser_continuing_truncated_mime_boundary,
++ test_message_parser_long_mime_boundary,
+ test_message_parser_no_eoh,
+ NULL
+ };
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch
new file mode 100644
index 000000000..eeb6c96f1
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch
@@ -0,0 +1,72 @@
+From 5f8de52fec3191a1aa68a399ee2068485737dc4f Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 13:06:02 +0300
+Subject: [PATCH 07/13] lib-mail: message-parser - Optimize boundary lookups
+ when exact boundary is found
+
+When an exact boundary is found, there's no need to continue looking for
+more boundaries.
+---
+ src/lib-mail/message-parser.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 92f541b02..c2934c761 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -80,8 +80,14 @@ boundary_find(struct message_boundary *boundaries,
+ while (boundaries != NULL) {
+ if (boundaries->len <= len &&
+ memcmp(boundaries->boundary, data, boundaries->len) == 0 &&
+- (best == NULL || best->len < boundaries->len))
++ (best == NULL || best->len < boundaries->len)) {
+ best = boundaries;
++ if (best->len == len) {
++ /* This is exactly the wanted boundary. There
++ can't be a better one. */
++ break;
++ }
++ }
+
+ boundaries = boundaries->next;
+ }
+@@ -263,15 +269,27 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ /* need to find the end of line */
+ data += 2;
+ size -= 2;
+- if (memchr(data, '\n', size) == NULL &&
++ const unsigned char *lf_pos = memchr(data, '\n', size);
++ if (lf_pos == NULL &&
+ size+2 < BOUNDARY_END_MAX_LEN &&
+ !ctx->input->eof && !full) {
+ /* no LF found */
+ ctx->want_count = BOUNDARY_END_MAX_LEN;
+ return 0;
+ }
+-
+- *boundary_r = boundary_find(ctx->boundaries, data, size);
++ size_t find_size = size;
++
++ if (lf_pos != NULL) {
++ find_size = lf_pos - data;
++ if (find_size > 0 && data[find_size-1] == '\r')
++ find_size--;
++ if (find_size > 2 && data[find_size-1] == '-' &&
++ data[find_size-2] == '-')
++ find_size -= 2;
++ } else if (find_size > BOUNDARY_END_MAX_LEN)
++ find_size = BOUNDARY_END_MAX_LEN;
++
++ *boundary_r = boundary_find(ctx->boundaries, data, find_size);
+ if (*boundary_r == NULL)
+ return -1;
+
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch
new file mode 100644
index 000000000..4af070a87
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch
@@ -0,0 +1,50 @@
+From 929396767d831bedbdec6392aaa835b045332fd3 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 14:53:27 +0300
+Subject: [PATCH 08/13] lib-mail: message-parser - Add boundary_remove_until()
+ helper function
+
+---
+ src/lib-mail/message-parser.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index c2934c761..028f74159 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -223,6 +223,13 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ ctx->part = ctx->part->parent;
+ }
+
++static void
++boundary_remove_until(struct message_parser_ctx *ctx,
++ struct message_boundary *boundary)
++{
++ ctx->boundaries = boundary;
++}
++
+ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ {
+ struct message_boundary *b;
+@@ -364,10 +371,10 @@ static int parse_part_finish(struct message_parser_ctx *ctx,
+
+ if (boundary->epilogue_found) {
+ /* this boundary isn't needed anymore */
+- ctx->boundaries = boundary->next;
++ boundary_remove_until(ctx, boundary->next);
+ } else {
+ /* forget about the boundaries we possibly skipped */
+- ctx->boundaries = boundary;
++ boundary_remove_until(ctx, boundary);
+ }
+
+ /* the boundary itself should already be in buffer. add that. */
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch
new file mode 100644
index 000000000..aade7dc2b
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch
@@ -0,0 +1,169 @@
+From d53d83214b1d635446a8cf8ff9438cc530133d62 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 15:00:57 +0300
+Subject: [PATCH 09/13] lib-mail: message-parser - Don't use memory pool for
+ parser
+
+This reduces memory usage when parsing many MIME parts where boundaries are
+being added and removed constantly.
+---
+ src/lib-mail/message-parser.c | 48 ++++++++++++++++++++++++++++---------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 028f74159..8970d8e0e 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -17,14 +17,14 @@ struct message_boundary {
+ struct message_boundary *next;
+
+ struct message_part *part;
+- const char *boundary;
++ char *boundary;
+ size_t len;
+
+ unsigned int epilogue_found:1;
+ };
+
+ struct message_parser_ctx {
+- pool_t parser_pool, part_pool;
++ pool_t part_pool;
+ struct istream *input;
+ struct message_part *parts, *part;
+ const char *broken_reason;
+@@ -32,7 +32,7 @@ struct message_parser_ctx {
+ enum message_header_parser_flags hdr_flags;
+ enum message_parser_flags flags;
+
+- const char *last_boundary;
++ char *last_boundary;
+ struct message_boundary *boundaries;
+
+ struct message_part **next_part;
+@@ -223,10 +223,24 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ ctx->part = ctx->part->parent;
+ }
+
++static void message_boundary_free(struct message_boundary *b)
++{
++ i_free(b->boundary);
++ i_free(b);
++}
++
+ static void
+ boundary_remove_until(struct message_parser_ctx *ctx,
+ struct message_boundary *boundary)
+ {
++ while (ctx->boundaries != boundary) {
++ struct message_boundary *cur = ctx->boundaries;
++
++ i_assert(cur != NULL);
++ ctx->boundaries = cur->next;
++ message_boundary_free(cur);
++
++ }
+ ctx->boundaries = boundary;
+ }
+
+@@ -234,15 +248,14 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ {
+ struct message_boundary *b;
+
+- b = p_new(ctx->parser_pool, struct message_boundary, 1);
++ b = i_new(struct message_boundary, 1);
+ b->part = ctx->part;
+ b->boundary = ctx->last_boundary;
++ ctx->last_boundary = NULL;
+ b->len = strlen(b->boundary);
+
+ b->next = ctx->boundaries;
+ ctx->boundaries = b;
+-
+- ctx->last_boundary = NULL;
+ }
+
+ static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx,
+@@ -359,6 +372,8 @@ static int parse_part_finish(struct message_parser_ctx *ctx,
+ struct message_block *block_r, bool first_line)
+ {
+ size_t line_size;
++ size_t boundary_len = boundary->len;
++ bool boundary_epilogue_found = boundary->epilogue_found;
+
+ i_assert(ctx->last_boundary == NULL);
+
+@@ -391,7 +406,7 @@ static int parse_part_finish(struct message_parser_ctx *ctx,
+ i_assert(block_r->data[0] == '\n');
+ line_size = 1;
+ }
+- line_size += 2 + boundary->len + (boundary->epilogue_found ? 2 : 0);
++ line_size += 2 + boundary_len + (boundary_epilogue_found ? 2 : 0);
+ i_assert(block_r->size >= ctx->skip + line_size);
+ block_r->size = line_size;
+ parse_body_add_block(ctx, block_r);
+@@ -553,9 +568,9 @@ static void parse_content_type(struct message_parser_ctx *ctx,
+ for (; *results != NULL; results += 2) {
+ if (strcasecmp(results[0], "boundary") == 0) {
+ /* truncate excessively long boundaries */
++ i_free(ctx->last_boundary);
+ ctx->last_boundary =
+- p_strndup(ctx->parser_pool, results[1],
+- BOUNDARY_STRING_MAX_LEN);
++ i_strndup(results[1], BOUNDARY_STRING_MAX_LEN);
+ break;
+ }
+ }
+@@ -678,7 +693,7 @@ static int parse_next_header(struct message_parser_ctx *ctx,
+ i_assert(!ctx->multipart);
+ part->flags = 0;
+ }
+- ctx->last_boundary = NULL;
++ i_free(ctx->last_boundary);
+
+ if (!ctx->part_seen_content_type ||
+ (part->flags & MESSAGE_PART_FLAG_IS_MIME) == 0) {
+@@ -1081,11 +1096,8 @@ message_parser_init_int(struct istream *input,
+ enum message_parser_flags flags)
+ {
+ struct message_parser_ctx *ctx;
+- pool_t pool;
+
+- pool = pool_alloconly_create("Message Parser", 1024);
+- ctx = p_new(pool, struct message_parser_ctx, 1);
+- ctx->parser_pool = pool;
++ ctx = i_new(struct message_parser_ctx, 1);
+ ctx->hdr_flags = hdr_flags;
+ ctx->flags = flags;
+ ctx->input = input;
+@@ -1105,7 +1117,7 @@ message_parser_init(pool_t part_pool, struct istream *input,
+ ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1);
+ ctx->next_part = &ctx->part->children;
+ ctx->parse_next_block = parse_next_header_init;
+- p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4);
++ i_array_init(&ctx->next_part_stack, 4);
+ return ctx;
+ }
+
+@@ -1146,8 +1158,12 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx,
+
+ if (ctx->hdr_parser_ctx != NULL)
+ message_parse_header_deinit(&ctx->hdr_parser_ctx);
++ boundary_remove_until(ctx, NULL);
+ i_stream_unref(&ctx->input);
+- pool_unref(&ctx->parser_pool);
++ if (array_is_created(&ctx->next_part_stack))
++ array_free(&ctx->next_part_stack);
++ i_free(ctx->last_boundary);
++ i_free(ctx);
+ i_assert(ret < 0 || *parts_r != NULL);
+ return ret;
+ }
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch
new file mode 100644
index 000000000..ae5254466
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch
@@ -0,0 +1,188 @@
+From df9e0d358ef86e3342525dcdefcf79dc2d749a30 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 16:59:40 +0300
+Subject: [PATCH 10/13] lib-mail: message-parser - Support limiting max number
+ of nested MIME parts
+
+The default is to allow 100 nested MIME parts. When the limit is reached,
+the innermost MIME part's body contains all the rest of the inner bodies
+until a parent MIME part is reached.
+---
+ src/lib-mail/message-parser.c | 43 +++++++++++++++++++++++++++++++-------
+ src/lib-mail/test-message-parser.c | 31 +++++++++++++++++++++++++++
+ 2 files changed, 67 insertions(+), 7 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 8970d8e0e..721615f76 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -13,6 +13,8 @@
+ #define BOUNDARY_STRING_MAX_LEN (70 + 10)
+ #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2)
+
++#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100
++
+ struct message_boundary {
+ struct message_boundary *next;
+
+@@ -28,9 +30,11 @@ struct message_parser_ctx {
+ struct istream *input;
+ struct message_part *parts, *part;
+ const char *broken_reason;
++ unsigned int nested_parts_count;
+
+ enum message_header_parser_flags hdr_flags;
+ enum message_parser_flags flags;
++ unsigned int max_nested_mime_parts;
+
+ char *last_boundary;
+ struct message_boundary *boundaries;
+@@ -206,6 +210,8 @@ message_part_append(struct message_parser_ctx *ctx)
+ ctx->next_part = &part->children;
+
+ ctx->part = part;
++ ctx->nested_parts_count++;
++ i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts);
+ }
+
+ static void message_part_finish(struct message_parser_ctx *ctx)
+@@ -213,8 +219,12 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ struct message_part **const *parent_next_partp;
+ unsigned int count = array_count(&ctx->next_part_stack);
+
++ i_assert(ctx->nested_parts_count > 0);
++ ctx->nested_parts_count--;
++
+ parent_next_partp = array_idx(&ctx->next_part_stack, count-1);
+ array_delete(&ctx->next_part_stack, count-1, 1);
++
+ ctx->next_part = *parent_next_partp;
+
+ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size);
+@@ -592,6 +602,11 @@ static bool block_is_at_eoh(const struct message_block *block)
+ return FALSE;
+ }
+
++static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx)
++{
++ return ctx->nested_parts_count > ctx->max_nested_mime_parts;
++}
++
+ #define MUTEX_FLAGS \
+ (MESSAGE_PART_FLAG_MESSAGE_RFC822 | MESSAGE_PART_FLAG_MULTIPART)
+
+@@ -616,8 +631,12 @@ static int parse_next_header(struct message_parser_ctx *ctx,
+ "\n--boundary" belongs to us or to a previous boundary.
+ this is a problem if the boundary prefixes are identical,
+ because MIME requires only the prefix to match. */
+- parse_next_body_multipart_init(ctx);
+- ctx->multipart = TRUE;
++ if (!parse_too_many_nested_mime_parts(ctx)) {
++ parse_next_body_multipart_init(ctx);
++ ctx->multipart = TRUE;
++ } else {
++ part->flags &= ~MESSAGE_PART_FLAG_MULTIPART;
++ }
+ }
+
+ /* before parsing the header see if we can find a --boundary from here.
+@@ -721,12 +740,16 @@ static int parse_next_header(struct message_parser_ctx *ctx,
+ i_assert(ctx->last_boundary == NULL);
+ ctx->multipart = FALSE;
+ ctx->parse_next_block = parse_next_body_to_boundary;
+- } else if (part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822)
++ } else if ((part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) != 0 &&
++ !parse_too_many_nested_mime_parts(ctx)) {
+ ctx->parse_next_block = parse_next_body_message_rfc822_init;
+- else if (ctx->boundaries != NULL)
+- ctx->parse_next_block = parse_next_body_to_boundary;
+- else
+- ctx->parse_next_block = parse_next_body_to_eof;
++ } else {
++ part->flags &= ~MESSAGE_PART_FLAG_MESSAGE_RFC822;
++ if (ctx->boundaries != NULL)
++ ctx->parse_next_block = parse_next_body_to_boundary;
++ else
++ ctx->parse_next_block = parse_next_body_to_eof;
++ }
+
+ ctx->want_count = 1;
+
+@@ -1100,6 +1123,8 @@ message_parser_init_int(struct istream *input,
+ ctx = i_new(struct message_parser_ctx, 1);
+ ctx->hdr_flags = hdr_flags;
+ ctx->flags = flags;
++ ctx->max_nested_mime_parts =
++ MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS;
+ ctx->input = input;
+ i_stream_ref(input);
+ return ctx;
+@@ -1159,6 +1184,10 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx,
+ if (ctx->hdr_parser_ctx != NULL)
+ message_parse_header_deinit(&ctx->hdr_parser_ctx);
+ boundary_remove_until(ctx, NULL);
++ /* caller might have stopped the parsing early */
++ i_assert(ctx->nested_parts_count == 0 ||
++ i_stream_have_bytes_left(ctx->input));
++
+ i_stream_unref(&ctx->input);
+ if (array_is_created(&ctx->next_part_stack))
+ array_free(&ctx->next_part_stack);
+diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
+index 94aa3eb7c..481d05942 100644
+--- a/src/lib-mail/test-message-parser.c
++++ b/src/lib-mail/test-message-parser.c
+@@ -166,6 +166,36 @@ static void test_message_parser_small_blocks(void)
+ test_end();
+ }
+
++static void test_message_parser_stop_early(void)
++{
++ struct message_parser_ctx *parser;
++ struct istream *input;
++ struct message_part *parts;
++ struct message_block block;
++ unsigned int i;
++ pool_t pool;
++ int ret;
++
++ test_begin("message parser stop early");
++ pool = pool_alloconly_create("message parser", 10240);
++ input = test_istream_create(test_msg);
++
++ test_istream_set_allow_eof(input, FALSE);
++ for (i = 1; i <= TEST_MSG_LEN+1; i++) {
++ i_stream_seek(input, 0);
++ test_istream_set_size(input, i);
++ parser = message_parser_init(pool, input, 0, 0);
++ while ((ret = message_parser_parse_next_block(parser,
++ &block)) > 0) ;
++ test_assert(ret == 0);
++ message_parser_deinit(&parser, &parts);
++ }
++
++ i_stream_unref(&input);
++ pool_unref(&pool);
++ test_end();
++}
++
+ static void test_message_parser_truncated_mime_headers(void)
+ {
+ static const char input_msg[] =
+@@ -740,6 +770,7 @@ int main(void)
+ {
+ static void (*test_functions[])(void) = {
+ test_message_parser_small_blocks,
++ test_message_parser_stop_early,
+ test_message_parser_truncated_mime_headers,
+ test_message_parser_truncated_mime_headers2,
+ test_message_parser_truncated_mime_headers3,
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch
new file mode 100644
index 000000000..52848bf3a
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch
@@ -0,0 +1,87 @@
+From d7bba401dd234802bcdb55ff27dfb99bffdab804 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 17:09:33 +0300
+Subject: [PATCH 11/13] lib-mail: message-parser - Support limiting max number
+ of MIME parts
+
+The default is to allow 10000 MIME parts. When it's reached, no more
+MIME boundary lines will be recognized, so the rest of the mail belongs
+to the last added MIME part.
+---
+ src/lib-mail/message-parser.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 721615f76..646307802 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -14,6 +14,7 @@
+ #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2)
+
+ #define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100
++#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000
+
+ struct message_boundary {
+ struct message_boundary *next;
+@@ -31,10 +32,12 @@ struct message_parser_ctx {
+ struct message_part *parts, *part;
+ const char *broken_reason;
+ unsigned int nested_parts_count;
++ unsigned int total_parts_count;
+
+ enum message_header_parser_flags hdr_flags;
+ enum message_parser_flags flags;
+ unsigned int max_nested_mime_parts;
++ unsigned int max_total_mime_parts;
+
+ char *last_boundary;
+ struct message_boundary *boundaries;
+@@ -211,7 +214,9 @@ message_part_append(struct message_parser_ctx *ctx)
+
+ ctx->part = part;
+ ctx->nested_parts_count++;
++ ctx->total_parts_count++;
+ i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts);
++ i_assert(ctx->total_parts_count <= ctx->max_total_mime_parts);
+ }
+
+ static void message_part_finish(struct message_parser_ctx *ctx)
+@@ -296,6 +301,12 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ return -1;
+ }
+
++ if (ctx->total_parts_count >= ctx->max_total_mime_parts) {
++ /* can't add any more MIME parts. just stop trying to find
++ more boundaries. */
++ return -1;
++ }
++
+ /* need to find the end of line */
+ data += 2;
+ size -= 2;
+@@ -1125,6 +1136,8 @@ message_parser_init_int(struct istream *input,
+ ctx->flags = flags;
+ ctx->max_nested_mime_parts =
+ MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS;
++ ctx->max_total_mime_parts =
++ MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS;
+ ctx->input = input;
+ i_stream_ref(input);
+ return ctx;
+@@ -1142,6 +1155,7 @@ message_parser_init(pool_t part_pool, struct istream *input,
+ ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1);
+ ctx->next_part = &ctx->part->children;
+ ctx->parse_next_block = parse_next_header_init;
++ ctx->total_parts_count = 1;
+ i_array_init(&ctx->next_part_stack, 4);
+ return ctx;
+ }
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
new file mode 100644
index 000000000..a81177d2b
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch
@@ -0,0 +1,133 @@
+From 0c9d56b41b992a868f299e05677a67c4d0495523 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 2 Jul 2020 17:31:19 +0300
+Subject: [PATCH 12/13] lib-mail: Fix handling trailing "--" in MIME boundaries
+
+Broken by 5b8ec27fae941d06516c30476dcf4820c6d200ab
+---
+ src/lib-mail/message-parser.c | 14 ++++++++----
+ src/lib-mail/test-message-parser.c | 46 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 56 insertions(+), 4 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 646307802..175d4b488 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -75,7 +75,7 @@ static int preparsed_parse_next_header_init(struct message_parser_ctx *ctx,
+
+ static struct message_boundary *
+ boundary_find(struct message_boundary *boundaries,
+- const unsigned char *data, size_t len)
++ const unsigned char *data, size_t len, bool trailing_dashes)
+ {
+ struct message_boundary *best = NULL;
+
+@@ -89,7 +89,11 @@ boundary_find(struct message_boundary *boundaries,
+ memcmp(boundaries->boundary, data, boundaries->len) == 0 &&
+ (best == NULL || best->len < boundaries->len)) {
+ best = boundaries;
+- if (best->len == len) {
++ /* If we see "foo--", it could either mean that there
++ is a boundary named "foo" that ends now or there's
++ a boundary "foo--" which continues. */
++ if (best->len == len ||
++ (best->len == len-2 && trailing_dashes)) {
+ /* This is exactly the wanted boundary. There
+ can't be a better one. */
+ break;
+@@ -319,6 +323,7 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ return 0;
+ }
+ size_t find_size = size;
++ bool trailing_dashes = FALSE;
+
+ if (lf_pos != NULL) {
+ find_size = lf_pos - data;
+@@ -326,11 +331,12 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ find_size--;
+ if (find_size > 2 && data[find_size-1] == '-' &&
+ data[find_size-2] == '-')
+- find_size -= 2;
++ trailing_dashes = TRUE;
+ } else if (find_size > BOUNDARY_END_MAX_LEN)
+ find_size = BOUNDARY_END_MAX_LEN;
+
+- *boundary_r = boundary_find(ctx->boundaries, data, find_size);
++ *boundary_r = boundary_find(ctx->boundaries, data, find_size,
++ trailing_dashes);
+ if (*boundary_r == NULL)
+ return -1;
+
+diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
+index 481d05942..113454ea0 100644
+--- a/src/lib-mail/test-message-parser.c
++++ b/src/lib-mail/test-message-parser.c
+@@ -510,6 +510,51 @@ static const char input_msg[] =
+ test_end();
+ }
+
++static void test_message_parser_trailing_dashes(void)
++{
++static const char input_msg[] =
++"Content-Type: multipart/mixed; boundary=\"a--\"\n"
++"\n"
++"--a--\n"
++"Content-Type: multipart/mixed; boundary=\"a----\"\n"
++"\n"
++"--a----\n"
++"Content-Type: text/plain\n"
++"\n"
++"body\n"
++"--a------\n"
++"Content-Type: text/html\n"
++"\n"
++"body2\n"
++"--a----";
++ struct message_parser_ctx *parser;
++ struct istream *input;
++ struct message_part *parts;
++ struct message_block block;
++ pool_t pool;
++ int ret;
++
++ test_begin("message parser trailing dashes");
++ pool = pool_alloconly_create("message parser", 10240);
++ input = test_istream_create(input_msg);
++
++ parser = message_parser_init(pool, input, 0, 0);
++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ;
++ test_assert(ret < 0);
++ message_parser_deinit(&parser, &parts);
++
++ test_assert(parts->children_count == 2);
++ test_assert(parts->children->next == NULL);
++ test_assert(parts->children->children_count == 1);
++ test_assert(parts->children->children->next == NULL);
++ test_assert(parts->children->children->children_count == 0);
++
++ test_parsed_parts(input, parts);
++ i_stream_unref(&input);
++ pool_unref(&pool);
++ test_end();
++}
++
+ static void test_message_parser_continuing_mime_boundary(void)
+ {
+ static const char input_msg[] =
+@@ -777,6 +822,7 @@ int main(void)
+ test_message_parser_empty_multipart,
+ test_message_parser_duplicate_mime_boundary,
+ test_message_parser_garbage_suffix_mime_boundary,
++ test_message_parser_trailing_dashes,
+ test_message_parser_continuing_mime_boundary,
+ test_message_parser_continuing_truncated_mime_boundary,
+ test_message_parser_long_mime_boundary,
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch
new file mode 100644
index 000000000..97068345f
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch
@@ -0,0 +1,32 @@
+From f77a2b6c3ffe2ea96f4a4b05ec38dc9d53266ecb Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Wed, 27 May 2020 11:35:55 +0300
+Subject: [PATCH 13/13] lib-mail: Fix parse_too_many_nested_mime_parts()
+
+This was originally correct, until it was "optimized" wrong and got merged.
+---
+ src/lib-mail/message-parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 175d4b488..5b11772ff 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -621,7 +621,7 @@ static bool block_is_at_eoh(const struct message_block *block)
+
+ static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx)
+ {
+- return ctx->nested_parts_count > ctx->max_nested_mime_parts;
++ return ctx->nested_parts_count+1 >= ctx->max_nested_mime_parts;
+ }
+
+ #define MUTEX_FLAGS \
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch
new file mode 100644
index 000000000..44f6564f8
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch
@@ -0,0 +1,27 @@
+From 1a6ff0beebf0ab0c71081eaff1d5d7fd26015a94 Mon Sep 17 00:00:00 2001
+From: Josef 'Jeff' Sipek <jeff.sipek@dovecot.fi>
+Date: Tue, 19 Sep 2017 13:26:57 +0300
+Subject: [PATCH] lib: buffer_free(NULL) should be a no-op
+
+---
+ src/lib/buffer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/src/lib/buffer.c
++++ b/src/lib/buffer.c
+@@ -148,6 +148,9 @@ void buffer_free(buffer_t **_buf)
+ {
+ struct real_buffer *buf = (struct real_buffer *)*_buf;
+
++ if (buf == NULL)
++ return;
++
+ *_buf = NULL;
+ if (buf->alloced)
+ p_free(buf->pool, buf->w_buffer);
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
index e21a94ad6..29905196b 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
@@ -10,6 +10,22 @@ SRC_URI = "http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \
file://dovecot.service \
file://dovecot.socket \
file://0001-doveadm-Fix-parallel-build.patch \
+ file://0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch \
+ file://0002-lib-mail-message-parser-Change-message_part_append-t.patch \
+ file://0003-lib-mail-message-parser-Optimize-updating-children_c.patch \
+ file://0004-lib-mail-message-parser-Optimize-appending-new-part-.patch \
+ file://0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch \
+ file://0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch \
+ file://0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch \
+ file://0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch \
+ file://0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch \
+ file://0010-lib-mail-message-parser-Support-limiting-max-number-.patch \
+ file://0011-lib-mail-message-parser-Support-limiting-max-number-.patch \
+ file://0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch \
+ file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \
+ file://buffer_free_fix.patch \
+ file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \
+ file://0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch \
"
SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2"
diff --git a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb
index 5dabdd51d..cad2fa7d7 100644
--- a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb
+++ b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb
@@ -8,13 +8,14 @@ SECTION = "admin"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=5574c6965ae5f583e55880e397fbb018"
-SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils \
- git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers \
+SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils;branch=master;protocol=https \
+ git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers;branch=master;protocol=https \
${@bb.utils.contains('DISTRO_FEATURES','usrmerge','file://0001-drbd-utils-support-usrmerge.patch','',d)} \
"
# v9.12.0
SRCREV_drbd-utils = "91629a4cce49ca0d4f917fe0bffa25cfe8db3052"
SRCREV_drbd-headers = "233006b4d26cf319638be0ef6d16ec7dee287b66"
+SRCREV_FORMAT = "drbd-utils_drbd-headers"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb
index ed5c3a979..8301c65bf 100644
--- a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb
+++ b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e4f3ea6e9b28af88dc0321190a1f8250"
S = "${WORKDIR}/git"
SRCREV = "4cdfdc38eca237c19c22a8b90490446ce6d970fa"
-SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https; \
+SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https;branch=master \
file://run-ptest \
"
diff --git a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb
index 4271c2e15..3be1313d3 100644
--- a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb
+++ b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb
@@ -10,7 +10,7 @@ SECTION = "libdevel"
GEOIP_DATABASE_VERSION = "20181205"
-SRC_URI = "git://github.com/maxmind/geoip-api-c.git \
+SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=master;protocol=https \
http://sources.openembedded.org/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \
http://sources.openembedded.org/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \
http://sources.openembedded.org/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \
diff --git a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb
index 125b59e76..9c15490dc 100644
--- a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb
+++ b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb
@@ -9,7 +9,7 @@ inherit manpages
MAN_PKG = "${PN}"
SRCREV = "42bfbb9beb924672ca86b86e9679ac3d6b87d992"
-SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https"
+SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=master"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb
index ad0ec2700..59e540a71 100644
--- a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb
+++ b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
S = "${WORKDIR}/git"
SRCREV = "c3ee70c878b9c5833a77a1f339f1ca4dc6f225c5"
SRC_URI = "\
- git://github.com/nmav/ipcalc.git;protocol=https; \
+ git://github.com/nmav/ipcalc.git;protocol=https;branch=master \
file://0001-Makefile-pass-extra-linker-flags.patch \
"
diff --git a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb
index 3cabc4ff8..7a229c7b1 100644
--- a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb
+++ b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb
@@ -14,7 +14,7 @@ PV .= "+git${SRCPV}"
LK_REL = "1.0.18"
SRC_URI = " \
- git://github.com/sctp/lksctp-tools.git \
+ git://github.com/sctp/lksctp-tools.git;branch=master;protocol=https \
file://0001-withsctp-use-PACKAGE_VERSION-in-withsctp.h.patch \
file://0001-configure.ac-add-CURRENT-REVISION-and-AGE-for-libsct.patch \
file://0001-build-fix-netinet-sctp.h-not-to-be-installed.patch \
diff --git a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb
index 5917cfb3e..e07356165 100644
--- a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb
+++ b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
DEPENDS = "flex-native bison-native libnl python"
PV = "0.3.1+git${SRCPV}"
-SRC_URI = "git://github.com/linux-wpan/lowpan-tools \
+SRC_URI = "git://github.com/linux-wpan/lowpan-tools;branch=master;protocol=https \
file://no-help2man.patch \
file://0001-Fix-build-errors-with-clang.patch \
file://0001-addrdb-coord-config-parse.y-add-missing-time.h-inclu.patch \
diff --git a/meta-networking/recipes-support/mtr/mtr_0.93.bb b/meta-networking/recipes-support/mtr/mtr_0.93.bb
index dd150700a..4db7f7bbf 100644
--- a/meta-networking/recipes-support/mtr/mtr_0.93.bb
+++ b/meta-networking/recipes-support/mtr/mtr_0.93.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://ui/mtr.c;beginline=5;endline=16;md5=00a894a39d53726a27386534d1c4e468"
SRCREV = "304349bad86229aedbc62c07d5e98a8292967991"
-SRC_URI = "git://github.com/traviscross/mtr"
+SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb
index a63e49ec5..0876c6f35 100644
--- a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb
+++ b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb
@@ -9,7 +9,7 @@ HOMEPAGE = "https://github.com/libguestfs/nbdkit"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=4332a97808994cf2133a65b6c6f33eaf"
-SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https \
+SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \
file://0001-server-Fix-build-when-printf-is-a-macro.patch \
"
diff --git a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
index 5f866052c..d359b620b 100644
--- a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
+++ b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
PV = "1.0.4+git${SRCPV}"
SRCREV = "4c794b5512d23c649def1f94a684225dcbb6ac3e"
-SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http \
+SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http;branch=master \
file://0001-replace-VLAIS-with-malloc-free-pair.patch \
file://0002-Do-not-undef-_GNU_SOURCE.patch \
file://0001-autogen-Do-not-symlink-gettext.h-from-build-host.patch \
diff --git a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb
index a180571f2..af617ce92 100644
--- a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb
+++ b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb919cc88dbe06ec0b0bd50e001ccf1f"
SRCREV = "2c5d4255857531bc09d91dcd02e86545f29004d4"
PV .= "+git${SRCPV}"
-SRC_URI = "git://pagure.io/netcf.git;protocol=https \
+SRC_URI = "git://pagure.io/netcf.git;protocol=https;branch=master \
"
UPSTREAM_CHECK_GITTAGREGEX = "release-(?P<pver>(\d+(\.\d+)+))"
diff --git a/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-networking/recipes-support/netperf/netperf_git.bb
index d48f3aeab..f6ea211f7 100644
--- a/meta-networking/recipes-support/netperf/netperf_git.bb
+++ b/meta-networking/recipes-support/netperf/netperf_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a0ab17253e7a3f318da85382c7d5d5d6"
PV = "2.7.0+git${SRCPV}"
-SRC_URI = "git://github.com/HewlettPackard/netperf.git \
+SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=https \
file://cpu_set.patch \
file://vfork.patch \
file://init \
diff --git a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb
index bb401666c..0c67f67d7 100644
--- a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb
+++ b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb
@@ -14,7 +14,7 @@ and ypdomainname. \
# v4.2.3
SRCREV = "1bfda29c342a81b97cb1995ffd9e8da5de63e7ab"
-SRC_URI = "git://github.com/thkukuk/yp-tools \
+SRC_URI = "git://github.com/thkukuk/yp-tools;branch=master;protocol=https \
file://domainname.service \
"
diff --git a/meta-networking/recipes-support/ntimed/ntimed_git.bb b/meta-networking/recipes-support/ntimed/ntimed_git.bb
index a749b1659..43ed1abe3 100644
--- a/meta-networking/recipes-support/ntimed/ntimed_git.bb
+++ b/meta-networking/recipes-support/ntimed/ntimed_git.bb
@@ -8,7 +8,7 @@ SECTION = "net"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://main.c;beginline=2;endline=24;md5=89db8e76f2951f3fad167e7aa9718a44"
-SRC_URI = "git://github.com/bsdphk/Ntimed \
+SRC_URI = "git://github.com/bsdphk/Ntimed;branch=master;protocol=https \
file://use-ldflags.patch"
PV = "0.0+git${SRCPV}"
diff --git a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb
index a03b92f5f..1bf7c48e0 100644
--- a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb
+++ b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb
@@ -13,7 +13,7 @@ SECTION = "net"
DEPENDS = "openssl"
-SRC_URI = "git://github.com/open-iscsi/open-isns"
+SRC_URI = "git://github.com/open-iscsi/open-isns;branch=master;protocol=https"
SRCREV = "cfdbcff867ee580a71bc9c18c3a38a6057df0150"
diff --git a/meta-networking/recipes-support/phytool/phytool.bb b/meta-networking/recipes-support/phytool/phytool.bb
index 29499d6d7..7fde88c44 100644
--- a/meta-networking/recipes-support/phytool/phytool.bb
+++ b/meta-networking/recipes-support/phytool/phytool.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0"
PV = "2+git${SRCPV}"
SRCREV = "8882328c08ba2efb13c049812098f1d0cb8adf0c"
-SRC_URI = "git://github.com/wkz/phytool.git"
+SRC_URI = "git://github.com/wkz/phytool.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb
index 15fd7ff66..5cb4e67c2 100644
--- a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb
+++ b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb
@@ -6,7 +6,7 @@ DEPENDS = "libnl"
RDEPENDS_${PN} = "bash perl"
BRANCH = "stable-v${@d.getVar('PV').split('.')[0]}"
-SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH} \
+SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH};protocol=https \
file://0001-Remove-man-files-which-cant-be-built.patch \
"
SRCREV = "f12c953f0864691eacc9fcc4cda489b92ffd5a85"
diff --git a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb
index 0b63f79ac..d8a1f6140 100644
--- a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb
+++ b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb
@@ -6,7 +6,7 @@ LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
SRCREV = "a8e5847e5f7e411be424f9b52a6cdf9d2ed4aeb5"
-SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=git"
+SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/spice/spice-protocol_git.bb b/meta-networking/recipes-support/spice/spice-protocol_git.bb
index 1d56bea17..ca683bf22 100644
--- a/meta-networking/recipes-support/spice/spice-protocol_git.bb
+++ b/meta-networking/recipes-support/spice/spice-protocol_git.bb
@@ -18,7 +18,7 @@ PV = "0.14.1+git${SRCPV}"
SRCREV = "e0ec178a72aa33e307ee5ac02b63bf336da921a5"
SRC_URI = " \
- git://anongit.freedesktop.org/spice/spice-protocol \
+ git://anongit.freedesktop.org/spice/spice-protocol;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb
index 9d3a0e6cb..3d47f5a54 100644
--- a/meta-networking/recipes-support/spice/spice_git.bb
+++ b/meta-networking/recipes-support/spice/spice_git.bb
@@ -21,8 +21,8 @@ SRCREV_spice-common = "4fc4c2db36c7f07b906e9a326a9d3dc0ae6a2671"
SRCREV_FORMAT = "spice_spice-common"
SRC_URI = " \
- git://anongit.freedesktop.org/spice/spice;name=spice \
- git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common \
+ git://anongit.freedesktop.org/spice/spice;name=spice;branch=master \
+ git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common;branch=master \
file://0001-Convert-pthread_t-to-be-numeric.patch \
file://0001-Fix-compile-errors-on-Linux-32bit-system.patch \
"
diff --git a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb
index 9ee43be1e..f07fb3b50 100644
--- a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb
+++ b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb
@@ -10,7 +10,7 @@ DEPENDS = "libusb1"
SRCREV = "07b98b8e71f620dfdd57e92ddef6b677b259a092"
SRC_URI = " \
- git://anongit.freedesktop.org/spice/usbredir \
+ git://anongit.freedesktop.org/spice/usbredir;branch=master \
"
S = "${WORKDIR}/git"
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
index 9b74e00c5..84d4716f3 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
@@ -9,6 +9,7 @@ if we haven't captured all of it.
(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+CVE: CVE-2020-8037
Upstream-Status: Backport
Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
diff --git a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb
index 6200214ac..f4b3c28ae 100644
--- a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb
+++ b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb
@@ -9,7 +9,7 @@ SECTION = "net"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5308494bc0590c0cb036afd781d78f06"
-SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master \
+SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master;protocol=https \
file://0001-contrib-add-yocto-compatible-startup-scripts.patch \
"
SRCREV="b60c4a472c856f0a98120b7259e991b3a6507eb5"
diff --git a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb
index bab75fee3..6b83cbd52 100644
--- a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb
+++ b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4cfd939b1d7e6aba9fcefb7f6e2fd45d"
DEPENDS = "libnl"
-SRC_URI = "git://github.com/linux-wpan/wpan-tools"
+SRC_URI = "git://github.com/linux-wpan/wpan-tools;branch=master;protocol=https"
SRCREV = "a316ca2caa746d60817400e5bf646c2820f09273"
S = "${WORKDIR}/git"