subtree updates

poky: 50d272863d..0b3e371116:
  Alistair Francis (1):
        recipes-bsp/opensbi: Fix the u-boot payload name

  Changqing Li (2):
        update-rc.d: update SRCREV and license checksum
        update-rc.d: support enable/disable options

  Chen Qi (2):
        context.py: avoid skipping tests by meaningless command argument
        oeqa: avoid class setup method to run when skipping the whole class

  Joe Slater (1):
        glib-2.0: Fix CVE-2019-12450

  Jonathan Rajotte (1):
        lttng-tools: update to 2.10.7

  Joseph Reynolds (1):
        dropbear: new feature: disable-weak-ciphers

  Joshua Watt (4):
        perl: Improve ptest package reproducibility
        python3: Reformat sysconfig
        perl: Reproducible build fixes
        bash: Remove .build files for reproducible builds

  Martin Jansa (1):
        gcc-runtime.inc: create the correct directory before creating the symlinks in it

  Ricardo Ribalda Delgado (1):
        go: avoid host contamination by GOCACHE

  Ross Burton (1):
        pigz: bump alternative priority

  Tim Orling (1):
        ptest-packagelists.inc: add libmodule-build-perl-ptest

meta-openembedded: 3b245e4fe8..64974b8779:
  Adrian Bunk (9):
        libauthen-radius-perl: Remove manual RDEPENDS from PN-ptest to PN package
        network-manager-applet: Remove obsolete dbus-glib and libnm-glib dependencies
        ndctl: Remove the unnecessary dependency on virtual/kernel
        tipcutils: Remove the unnecessary dependency on virtual/kernel
        xl2tpd: Remove the old 1.3.6 version
        gpsd: Force using python-scons-native for now
        efibootmgr: Remove, was moved to oe-core
        efivar: Remove, was moved to oe-core
        wireless-regdb: Remove, was moved to oe-core

  Andrey Zhizhikin (1):
        cpuburn-arm: add aarch64 machine and build configuration

  Ankit Navik (1):
        safec: Add Safe C license

  Bartosz Golaszewski (1):
        libgpiod: upgrade to v1.4

  Hongxu Jia (1):
        dracut: fix generated initramfs boot failure under bash 5

  Kai Kang (1):
        xfce4-screensaver: 0.1.4 -> 0.1.5

  Khem Raj (5):
        stressapptest: Fix build with libc++
        stressapptest: Implement reading sysfs and use it if sysconf is not there
        stressapptest: Use git SHA instead of git archive
        gmime: Add recipe
        pidgin-sipe: Depend on gmime

  Maciej Pijanowski (1):
        recipes-benchmark/stressapptest_1.0.9.bb: add recipe

  Mingli Yu (3):
        mariadb: Upgrade to 10.3.16
        mozjs: Fix do_patch error for mips64-n32
        python-lxml: replace -Og with -O for mips64-32

  Naveen Saini (1):
        pm-graph: fix multilib build failure

  Nicola Lunghi (1):
        libp11: No need to delete *.la anymore

  Oleksandr Kravchuk (1):
        openconnect: update to 8.03

  Pascal Bach (3):
        protobuf: 3.6.1 -> 3.8.0
        protobuf-c: add patch for protobuf 3 compatibility
        python3-protobuf, python-protobuf: 3.6.1 -> 3.8.0

  Persian Prince (1):
        blueman_%.bbappend: Avoid PAK archive (application/x-pak)

  Saikiran Madugula (1):
        gitver: Pass git directory argument to gitrev_run

  Tim Orling (1):
        libmodule-build-perl: drop, has moved to oe-core

  Yi Zhao (1):
        snort: upgrade 2.9.11.1 -> 2.9.13

  Zang Ruochen (3):
        python-twisted: upgrade 19.2.0 -> 19.2.1
        python-wrapt: upgrade 1.11.1 -> 1.11.2
        python-certifi: upgrade 2019.3.9 -> 2019.6.16

Change-Id: I0c3385628e0382c56c94fa27ba4d14e301c2e558
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

2 files changed, 48 insertions, 2 deletions

diff --git a/poky/meta/recipes-core/dropbear/dropbear.inc b/poky/meta/recipes-core/dropbear/dropbear.inc
index b74d186cd..dcbda741c 100644
--- a/poky/meta/recipes-core/dropbear/dropbear.inc
+++ b/poky/meta/recipes-core/dropbear/dropbear.inc
@@ -20,7 +20,8 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            file://dropbear@.service \
            file://dropbear.socket \
            file://dropbear.default \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} "
+           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
                file://0006-dropbear-configuration-file.patch \
@@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
 BINCOMMANDS = "dbclient ssh scp"
 EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
 
-PACKAGECONFIG ?= ""
+PACKAGECONFIG ?= "disable-weak-ciphers"
 PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
+PACKAGECONFIG[disable-weak-ciphers] = ""
 
 EXTRA_OECONF += "\
  ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
diff --git a/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
new file mode 100644
index 000000000..e48a34bac
--- /dev/null
+++ b/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
@@ -0,0 +1,44 @@
+This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers 
+in the dropbear ssh server and client since they're considered weak ciphers
+and we want to support the stong algorithms.
+
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
+
+Index: dropbear-2019.78/default_options.h
+===================================================================
+--- dropbear-2019.78.orig/default_options.h
++++ dropbear-2019.78/default_options.h
+@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE 1
++#define DROPBEAR_ENABLE_CBC_MODE 0
+ 
+ /* Enable "Counter Mode" for ciphers. This is more secure than
+  * CBC mode against certain attacks. It is recommended for security
+@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma
+ /* Message integrity. sha2-256 is recommended as a default, 
+    sha1 for compatibility */
+ #define DROPBEAR_SHA1_HMAC 1
+-#define DROPBEAR_SHA1_96_HMAC 1
++#define DROPBEAR_SHA1_96_HMAC 0
+ #define DROPBEAR_SHA2_256_HMAC 1
+ 
+ /* Hostkey/public key algorithms - at least one required, these are used
+@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma
+  * Small systems should generally include either curve25519 or ecdh for performance.
+  * curve25519 is less widely supported but is faster
+  */ 
+-#define DROPBEAR_DH_GROUP14_SHA1 1
++#define DROPBEAR_DH_GROUP14_SHA1 0
+ #define DROPBEAR_DH_GROUP14_SHA256 1
+ #define DROPBEAR_DH_GROUP16 0
+ #define DROPBEAR_CURVE25519 1
+ #define DROPBEAR_ECDH 1
+-#define DROPBEAR_DH_GROUP1 1
++#define DROPBEAR_DH_GROUP1 0
+ 
+ /* When group1 is enabled it will only be allowed by Dropbear client
+ not as a server, due to concerns over its strength. Set to 0 to allow