subtree updates july 21 2023 poky,openembedded

poky: 13b646c0e1..b398c7653e:
  Adrian Freihofer (2):
        runqemu-ifdown: catch up with ifup
        runqemu: drop uid parameter for ifdown

  Alejandro Hernandez Samaniego (3):
        baremetal-helloworld: Fix race condition
        runqemu: Stop using warn() since its been deprecated
        runqemu: Fix automated call to runqemu-ifup

  Alex Kiernan (3):
        rootfs: Add debugfs package db file copy and cleanup
        rpm: Pick debugfs package db files/dirs explicitly
        eudev: Add group sgx to eudev package

  Alexander Kanavin (27):
        insane.bbclass: enable 32 bit time API check (as a warning) on affected architectures
        libxcrypt: upgrade 4.4.34 -> 4.4.35
        libxml2: update 2.10.4 -> 2.11.4
        ovmf: update 202302 -> 202305
        lua: update 5.4.4 -> 5.4.6
        cargo.bbclass: set up cargo environment in common do_compile
        rust-common.bbclass: move musl-specific linking fix from rust-source.inc
        python3-cryptography: update 39.0.2 -> 41.0.1
        python3-cryptography-vectors: update 39.0.2 -> 41.0.1
        python3: update 3.11.3 -> 3.11.4
        diffutils: update 3.9 -> 3.10
        shadow: remove dependency on pam-plugin-lastlog
        libpam: update 1.5.2 -> 1.5.3
        librsvg: update 2.56.0 -> 2.56.1
        vulkan-validation-layers: update 1.3.243 -> 1.3.250
        xcb-util-cursor: add a recipe from meta-oe
        weston: update 11.0.1 -> 12.0.1
        libdmx: update 1.1.4 -> 1.1.5
        xtrans: update 1.4.0 -> 1.5.0
        libproxy: fetch from git
        libproxy: update 0.4.18 -> 0.5.2
        libssh2: update 1.10.0 -> 1.11.0
        gstreamer1.0-plugins-base: enable glx/opengl support
        webkitgtk: update 2.38.5 -> 2.40.2
        python3-cryptography: update a patch to upstream's better followup fix
        time64.inc: annotate and clean up recipe-specific Y2038 exceptions
        Revert "rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock"

  Andrej Valek (3):
        cve-check: add option to add additional patched CVEs
        oeqa/selftest/cve_check: rework test to new cve status handling
        cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

  Anuj Mittal (7):
        rpm: backport fix to prevent crashes with latest sqlite
        sqlite3: upgrade 3.41.2 -> 3.42.0
        vte: upgrade 0.72.1 -> 0.72.2
        libpng: upgrade 1.6.39 -> 1.6.40
        glib-networking: upgrade 2.76.0 -> 2.76.1
        bluez5: upgrade 5.66 -> 5.68
        selftest/cases/glibc.py: fix the override syntax

  BELOUARGA Mohamed (9):
        bitbake: fetch2/npmsw: Add support for the new format of the shrinkwrap file
        bitbake: fetch2/npmsw: Don't fetch dev dependencies when they are not demanded
        bitbake: fetch2/npm: Remove special caracters that causes recipe tool to fail
        recipetool: create: npm: Remove duplicate function to not have future conflicts
        classes: npm: Handle peer dependencies for npm packages
        recipetool: create: npm: Add support for the new format of the shrinkwrap file
        recipetool: create: npm: Add support to handle peer dependencies
        classes: npm: Add support for the new format of the shrinkwrap file
        classe-recipes: npm: Add support for dependencies and devDependencies

  Benjamin Bouvier (1):
        util-linux: add alternative links for ipcs,ipcrm

  Bruce Ashfield (19):
        perf: fix buildpaths QA warning in 6.4+
        linux-libc-headers: bump to 6.4
        kernel: fix localversion in v6.3+
        linux-yocto: introduce 6.4 reference kernel recipes
        linux-yocto/6.4: update to latest
        linux-yocto/6.4: aufs6 integration
        linux-yocto/6.4: refresh configuration
        linux-yocto-rt/6.4: integrate -rt6
        linux-yocto/6.4: update to v6.4.2
        linux-yocto-tiny/6.4: fix configuration warnings (HID)
        linux-yocto-tiny/arm: fix configuration warnings (HID)
        linux-yocto/ppc: add elfutils-native to DEPENDS
        linux-yocto/6.1: update to v6.1.36
        linux-yocto/6.1: update to v6.1.37
        linux-yocto/6.1: update to v6.1.38
        linux-yocto/6.x: cfg: update ima.cfg to match current meta-integrity
        linux-yocto/6.4: update to v6.4.3
        kernel: set HOSTPKG_CONFIG to use pkg-config-native
        linux-yocto/6.4: fix menuconfig

  Changqing Li (2):
        dnf: only write the log lock to root for native dnf
        rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock

  Denys Dmytriyenko (1):
        bitbake: runqueue: convert deferral messages from bb.note to bb.debug

  Enrico Scholz (1):
        shadow-sysroot: add license information

  Etienne Cordonnier (2):
        libxcrypt: fix hard-coded ".so" extension
        qemu: fix typo

  Fabio Estevam (3):
        u-boot: Update Upstream-Status
        u-boot: Upgrade to 2023.07
        u-boot: Upgrade to 2023.07.02

  Frederic Martinsons (1):
        ptest-cargo.bbclass: fix condition to detect test executable

  Joe Slater (1):
        ghostscript: advance to version 10.01.2

  Jose Quaresma (12):
        kernel: config modules directories are handled by kernel-module-split
        kernel-module-split: install config modules directories only when they are needed
        kernel-module-split: use context manager to open files
        kernel-module-split: make autoload and probeconf distribution specific
        kernel-module-split add systemd modulesloaddir and modprobedir config
        pybootchartgui: calcule elapsed_time when starting the loop
        pybootchartgui: concatenate the elapsed time with the process
        pybootchartgui: fix overlapping argument in render_processes_chart
        pybootchartgui: fix width max usage in draw_label_in_box
        openssl: add PERLEXTERNAL path to test its existence
        openssl: use a glob on the PERLEXTERNAL to track updates on the path
        go: update 1.20.5 -> 1.20.6

  Julien Stephan (1):
        automake: fix buildtest patch

  Khem Raj (9):
        ffmpeg: Fix build on riscv
        libpam: Fix examples build on musl
        webkitgtk: Enable JIT on RISCV64
        musl: Guard fallocate64 with _LARGEFILE64_SOURCE
        alsa-lib: Disable old API symbols
        mesa: Fix build with upcoming LLVM 17
        meson.bbclass: Point to llvm-config from native sysroot
        webkitgtk: Unbreak build on platforms using pvr graphics drivers
        python3-lxml: upgrade 4.9.2 -> 4.9.3

  Martin Jansa (4):
        selftest: multiconfig-image-packager: try to respect IMAGE_LINK_NAME
        kernel-devicetree: install dtb files without -${KERNEL_DTB_NAME} suffix
        image-artifact-names: include ${IMAGE_NAME_SUFFIX} directly in both ${IMAGE_NAME} and ${IMAGE_LINK_NAME}
        cpio: respect MLPREFIX for PACKAGE_WRITE_DEPS

  Michael Halstead (1):
        resulttool/resultutils: allow index generation despite corrupt json

  Mingli Yu (1):
        qemu: Add qemu-user-* and qemu-system-* to PACKAGES_DYNAMIC

  Natasha Bailey (1):
        tiff: backport a fix for CVE-2023-26965

  Ovidiu Panait (5):
        mdadm: fix util-linux ptest dependency
        mdadm: fix 07revert-inplace ptest
        mdadm: fix segfaults when running ptests
        mdadm: skip running known broken ptests
        mdadm: re-add mdadm-ptest to PTESTS_SLOW

  Peter Hoyes (5):
        bitbake: bitbake: tests/fetch: Mark TestTimeout as not a test suite
        bitbake: bitbake: tests/fetch: Rename assertRaisesRegexp to assertRaisesRegex
        bitbake: bitbake: tests/fetch: Set git config if not already set
        bitbake: bitbake: tests: Use assertLogs to test logging output
        bitbake: bitbake: Bootstrap pytest for self-tests

  Peter Marko (4):
        cve-update-nvd2-native: fix cvssV3 metrics
        gcsections: apply section removal also in C++, not only in C
        cve-update-nvd2-native: retry all errors and sleep between retries
        cve-update-nvd2-native: increase retry count

  Piotr Łobacz (1):
        bitbake.conf: Add acl distro native features support

  Quentin Schulz (1):
        uboot-extlinux-config.bbclass: fix old override syntax in comment

  Richard Purdie (14):
        defaultsetup: Enable largefile and 64bit time_t support systemwide for 32 bit platforms
        time64: Disable CFLAGS for strace
        bitbake: runqueue: Fix deferred task/multiconfig race issue
        strace: Update patches/tests with upstream fixes
        bitbake: fetch2/npmsw: Support old and new shrinkwrap formats
        ptest-runner: Pull in "runner: Remove threads and mutexes" fix
        bitbake: server/process: Show command in timeout message
        bitbake: cooker: Log when parsing starts in server log
        gcc-testsuite: Fix ppc cpu specification
        ptest-runner: Pull in parallel test fixes and output handling
        oeqa/selftest/rust: Various fixes to work correctly
        bitbake: runqueue: Add pressure change logging
        build-appliance-image: Update to master head revision
        glibc-testsuite: Fix network restrictions causing test failures

  Ross Burton (26):
        cve-update-db-native: remove
        cve-update-nvd2-native: handle all configuration nodes, not just first
        cve-update-nvd2-native: use exact times, don't truncate
        ghostscript: remove CVE_CHECK_IGNORE for CVE-2013-6629
        pkgconf: update SRC_URI
        libjpeg-turbo: upgrade to 3.0.0
        cups: upgrade to 2.4.6
        tiff: upgrade to 4.5.1
        linux-yocto/cve-exclusion: move entries from cve-extra-exclusions
        linux-yocto/cve-exclusion: ignore more backported CVEs
        python3: fix missing comma in get_module_deps3.py
        python3-jsonpointer: upgrade to 2.4
        oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case
        cml1: add showconfig task to easily find the generated .config file
        rootfs_rpm: don't depend on opkg-native for update-alternatives
        poky: add Debian 12 to supported distribution list
        cve-update-nvd2-native: log a little more
        cve-update-nvd2-native: actually use API keys
        gcc: don't pass --enable-standard-branch-protection
        machine/arch-arm64: add -mbranch-protection=standard
        qemuarm: pin kernel to 6.1
        libdmx: remove obsolete library
        linux-yocto_6.1: ignore backported CVEs
        python3: ignore CVE-2023-36632
        ltp: add RDEPENDS on findutils
        oeqa/ltp: rewrote LTP testcase and parser

  Siddharth Doshi (2):
        bind: Upgrade 9.18.15 -> 9.18.16
        flac: Upgrade 1.4.2 -> 1.4.3

  Soumya (1):
        perl: Fix CVE-2023-31486

  Staffan Rydén (1):
        kernel: Fix path comparison in kernel staging dir symlinking

  Stéphane Veyret (1):
        scripts/oe-setup-builddir: copy conf-notes.txt to build dir

  Sudip Mukherjee (1):
        libssh2: disable rpath to fix curl-native build

  Thomas Roos (1):
        testimage/oeqa: Drop testimage_dump_host functionality

  Tim Orling (10):
        python3-pytest-subtests: upgrade 0.10.0 -> 0.11.0
        python3-urllib3: upgrade 2.0.2 -> 2.0.3
        python3-typing-extensions: upgrade 4.6.3 -> 4.7.0
        python3-hypothesis: upgrade 6.79.2 -> 6.80.0
        python3-pygments: upgrade 2.14.0 -> 2.15.1
        python3-importlib-metadata: upgrade 6.7.0 -> 6.8.0
        python3-typing-extensions: upgrade 4.7.0 -> 4.7.1
        python3-cryptography{-vectors}: upgrade 41.0.1 -> 41.0.2
        python3-zipp: upgrade 3.15.0 -> 3.16.2
        python3-hypothesis: upgrade 6.80.0 -> 6.81.2

  Trevor Gamblin (15):
        python3: add cgitb, zipapp ptest dependencies
        qemu: upgrade 8.0.0 -> 8.0.3
        python3: parallelize ptests, add test_cppext dependencies
        python3-setuptools: upgrade 67.6.1 -> 68.0.0
        diffoscope: upgrade 242 -> 243
        p11-kit: upgrade 0.24.1 -> 0.25.0
        diffoscope: add missing RDEPENDS and alphabetize
        linux-firmware: upgrade 20230515 -> 20230625
        python3-trove-classifiers: upgrade 2023.5.24 -> 2023.7.6
        python3-cython: upgrade 0.29.35 -> 0.29.36
        icu: upgrade 72-1 -> 73-2
        python3-editables: add python3-io to RDEPENDS
        python3: ensure ptest regression capture
        diffoscope: upgrade 243 -> 244
        xeyes: upgrade 1.2.0 -> 1.3.0

  Wang Mingyu (51):
        freetype: upgrade 2.13.0 -> 2.13.1
        gstreamer1.0: upgrade 1.22.3 -> 1.22.4
        kbd: upgrade 2.5.1 -> 2.6.0
        libassuan: upgrade 2.5.5 -> 2.5.6
        libksba: upgrade 1.6.3 -> 1.6.4
        libmd: upgrade 1.0.4 -> 1.1.0
        libsdl2: upgrade 2.26.5 -> 2.28.0
        libtraceevent: upgrade 1.7.2 -> 1.7.3
        libx11: upgrade 1.8.5 -> 1.8.6
        lttng-ust: upgrade 2.13.5 -> 2.13.6
        nettle: upgrade 3.9 -> 3.9.1
        nghttp2: upgrade 1.53.0 -> 1.54.0
        ccache: upgrade 4.8.1 -> 4.8.2
        mesa: upgrade 23.1.1 -> 23.1.3
        python3-numpy: upgrade 1.24.3 -> 1.25.0
        python3-typing-extensions: upgrade 4.6.2 -> 4.6.3
        xorgproto: upgrade 2022.2 -> 2023.2
        python3-hatchling: upgrade 1.17.0 -> 1.18.0
        python3-hypothesis: upgrade 6.75.7 -> 6.79.2
        python3-importlib-metadata: upgrade 6.6.0 -> 6.7.0
        python3-iso8601: upgrade 1.1.0 -> 2.0.0
        python3-markupsafe: upgrade 2.1.2 -> 2.1.3
        python3-pluggy: upgrade 1.0.0 -> 1.2.0
        python3-pycairo: upgrade 1.23.0 -> 1.24.0
        python3-pyparsing: upgrade 3.0.9 -> 3.1.0
        python3-pytest: upgrade 7.3.1 -> 7.4.0
        python3-ruamel-yaml: upgrade 0.17.31 -> 0.17.32
        python3-sphinx-rtd-theme: upgrade 1.2.1 -> 1.2.2
        xkeyboard-config: upgrade 2.38 -> 2.39
        xwayland: upgrade 23.1.1 -> 23.1.2
        wayland-protocols: upgrade 1.31 -> 1.32
        taglib: upgrade 1.13 -> 1.13.1
        libxcrypt: upgrade 4.4.35 -> 4.4.36
        msmtp: upgrade 1.8.23 -> 1.8.24
        libwebp: upgrade 1.3.0 -> 1.3.1
        libuv: upgrade 1.45.0 -> 1.46.0
        acpica: upgrade 20230331 -> 20230628
        libnss-nis: upgrade 3.1 -> 3.2
        harfbuzz: upgrade 7.3.0 -> 8.0.1
        libproxy: upgrade 0.5.2 -> 0.5.3
        nghttp2: upgrade 1.54.0 -> 1.55.1
        debianutils: upgrade 5.7 -> 5.8
        glib-2.0: upgrade 2.76.3 -> 2.76.4
        python3-pip: upgrade 23.1.2 -> 23.2
        opkg: upgrade 0.6.1 -> 0.6.2
        opkg-utils: upgrade 0.5.0 -> 0.6.2
        python3-editables: upgrade 0.3 -> 0.4
        python3-git: upgrade 3.1.31 -> 3.1.32
        python3-numpy: upgrade 1.25.0 -> 1.25.1
        repo: upgrade 2.34.1 -> 2.35
        libva: upgrade to 2.19.0

  Yash Shinde (1):
        oeqa/selftest: Add rust selftests

  Yi Zhao (1):
        ifupdown: install missing directories

  Yoann Congal (2):
        recipetool: Fix inherit in created -native* recipes
        oeqa/selftest/devtool: add unit test for "devtool add -b"

  Yuta Hayama (1):
        systemd-systemctl: fix errors in instance name expansion

meta-openembedded: 2638d458a5..0e3f5e5201:
  Alex Kiernan (1):
        ostree: Upgrade 2023.4 -> 2023.5

  Archana Polampalli (1):
        tcpreplay: upgrade 4.4.3 -> 4.4.4

  Beniamin Sandu (1):
        mbedtls: fix builds with crypto extensions

  Bruce Ashfield (1):
        vboxguestdrivers: fix compilation against 6.4 kernel / headers

  Carlos Rafael Giani (3):
        pipewire: Disable libmysofa since it is not available in OE
        pipewire: Improve packageconfigs
        pipewire: Add dedicated aes67 package and fix rlimits.d package assignment

  Chee Yang Lee (1):
        rabbitmq-c: Fix CVE-2023-35789

  Jasper Orschulko (8):
        python3-pytest-cov: Add initial recipe 4.1.0
        python3-covdefaults: Add initial recipe 2.3.0
        python3-platformdirs: Fix recipe version 3.6.0
        python3-distlib: Add initial recipe 0.3.6
        python3-filelock: Add initial recipe 3.12.0
        python3-virtualenv: Add initial recipe 20.23.0
        python3-pyproject-api: Add initial recipe 1.5.1
        python3-tox: Add initial recipe 4.6.0

  Joe Slater (1):
        libgpiod: modify RDEPENDS for ptest

  Justin Bronder (2):
        python3-asyncinotify: upgrade 3.0.1 -> 4.0.2
        python3-pytest-asyncio: upgrade 0.16.0 -> 0.21.1

  Kai Kang (2):
        libtimezonemap: rename downloaded file name
        fltk-native: fix libdl link issue

  Khem Raj (33):
        gupnp-av: Fix build with libxml2-2.11 and newer
        xcb-util-cursor: Delete recipe
        pidgin-sipe: Add packageconfig to turn Werror on/off
        fbida: Fix build on musl
        pcp: Update to 6.0.5
        geos: Upgrade to 3.12.0
        ctags: Extend to build native package
        libcoap: Build linker symbol file explicitly
        geos: Use cmake directly
        pcp: Fix build race
        sblim-sfcc: Fix build with clang17
        minifi-cpp: Fix build with clang 17
        python3-grpcio-tools: Upgrade to 1.56.0
        python3-grpcio: Upgrade to 1.56.0
        python3-grpcio: Fix build on musl
        python3-grpcio-tools: Fix build with musl
        thin-provisioning-tools: Upgrade to 1.0.4
        thin-provisioning-tools: Fix build on musl.
        pcp: Disable parallel build
        crash: Fix build with glibc 2.38+
        breakpad: Update to latest trunk
        python3-requests-toolbelt: Fix ptest failures seen with urllib3 2.0
        ptest-packagelists-meta-oe: Limit mcelog to x86/x86_64
        graphviz: Upgrade to 8.1.0 release
        emlog: Update to latest to fix build with 6.4 kernel
        dlm: Upgrade to 4.2.0
        mdio-tools: Update to latest on trunk
        dlm: Fix build with linux kernel 6.4+
        dlm: Do not pass -fcf-protection=full via Makefile
        dlm: Do not use -fcf-protection=full on arm platforms
        zfs: Update to 2.2.0 rc1
        zfs: Disable builds on aarch64 for now
        dhcp-relay: Pass cross configure flags to bind build

  Luke Schaefer (1):
        nginx: Add stream Signed-off-by: Luke Schaefer <lukeschafer17@gmail.com>

  Marek Vasut (4):
        lvgl: Factor out and unify lv-drivers configuration
        lvgl: Add default input device configuration option
        linux-serial-test: Update to latest git revision
        libiio: enable c++ bindings

  Markus Volk (10):
        pipewire: upgrade 0.3.71 -> 0.3.72
        pipewire: upgrade 0.3.72 -> 0.3.73
        gnome-software: upgrade 44.2 -> 44.3
        eog: upgrade 44.2 -> 44.3
        spdlog: upgrade 1.11.0 -> 1.12.0
        flatpak: update dependencies
        gnome-control-center: upgrade 44.2 -> 44.3
        gnome-shell: upgrade 44.2 -> 44.3
        mutter: upgrade 44.2 -> 44.3
        gnome-settings-daemon: upgrade 44.0 -> 44.1

  Martin Jansa (4):
        nodejs: use PIE for host binaries
        gupnp: backport a fix not to use deprecated xmlReadMemory
        pidgin-sipe: allow to build with libxml2-2.11
        raptor2: backport a fix to build with libxml2-2.11

  Michael Haener (1):
        nginx: upgrade to 1.24.0 release

  Michael Weiß (1):
        pv: Show progress bar even if no terminal is set as in 1.6.6

  Mingli Yu (1):
        snort: Add systemd unit file

  Peter Kjellerstedt (1):
        cppzmq: Move the version to the recipe file name

  Petr Gotthard (2):
        python3-pyroute2: upgrade 0.5.19 -> 0.7.9
        networkmanager: upgrade 1.42.6 -> 1.42.8

  Ricardo Salveti (1):
        lshw: bump to b4e0673

  Ross Burton (5):
        poppler: fix missing include
        libpaper: remove redundant autoreconf --install
        liblbxutil: remove obsolete library
        xsetmode: remove obsolete utility
        libxkbui: remove obsolete recipe

  Tim Orling (1):
        python3-argh: upgrade 0.26.2 -> 0.28.1

  Trevor Gamblin (9):
        python3-alembic: upgrade 1.10.4 -> 1.11.1
        python3-sqlalchemy: upgrade 2.0.15 -> 2.0.19
        python3-argcomplete: upgrade 3.1.0 -> 3.1.1
        python3-arpeggio: upgrade 2.0.0 -> 2.0.2
        python3-astroid: upgrade 2.15.5 -> 2.15.6
        python3-autobahn: upgrade 23.6.1 -> 23.6.2
        python3-bandit: upgrade 1.7.4 -> 1.7.5
        python3-bandit: add python3-rich to RDEPENDS
        python3-bitarray: upgrade 2.7.3 -> 2.7.6

  Wang Mingyu (44):
        cppzmq: upgrade 4.9.0 -> 4.10.0
        iwd: upgrade 2.5 -> 2.6
        libburn: upgrade 1.5.4 -> 1.5.6
        libzip: upgrade 1.9.2 -> 1.10.0
        openfortivpn: upgrade 1.20.3 -> 1.20.5
        psqlodbc: upgrade 13.02.0000 -> 15.00.0000
        python3-aenum: upgrade 3.1.12 -> 3.1.14
        python3-can: upgrade 4.2.1 -> 4.2.2
        python3-google-api-python-client: upgrade 2.89.0 -> 2.90.0
        python3-h5py: upgrade 3.8.0 -> 3.9.0
        python3-natsort: upgrade 8.3.1 -> 8.4.0
        python3-pymodbus: upgrade 3.3.1 -> 3.3.2
        python3-pymongo: upgrade 4.3.3 -> 4.4.0
        python3-pyscaffold: upgrade 4.4.1 -> 4.5
        python3-pyzstd: upgrade 0.15.7 -> 0.15.9
        python3-requests-futures: upgrade 1.0.0 -> 1.0.1
        python3-sentry-sdk: upgrade 1.25.1 -> 1.26.0
        python3-zeroconf: upgrade 0.68.0 -> 0.69.0
        weechat: upgrade 3.8 -> 4.0.0
        python3-platformdirs: upgrade 3.6.0 -> 3.8.0
        renderdoc: upgrade 1.13 -> 1.27
        gegl: upgrade 0.4.44 -> 0.4.46
        gvfs: upgrade 1.50.4 -> 1.51.1
        weechat: upgrade 4.0.0 -> 4.0.1
        avro-c: upgrade 1.11.1 -> 1.11.2
        glfw: upgrade 3.3 -> 3.3.8
        hwloc: upgrade 2.9.1 -> 2.9.2
        minicoredumper: upgrade 2.0.3 -> 2.0.6
        thingsboard-gateway: upgrade 3.2 -> 3.3
        xterm: upgrade 382 -> 383
        passwdqc: upgrade 2.0.2 -> 2.0.3
        python3-aenum: upgrade 3.1.14 -> 3.1.15
        python3-configargparse : upgrade 1.5.3 -> 1.5.5
        python3-elementpath: upgrade 4.1.3 -> 4.1.4
        python3-google-api-python-client: upgrade 2.90.0 -> 2.92.0
        python3-google-auth: upgrade 2.20.0 -> 2.21.0
        python3-joblib: upgrade 1.2.0 -> 1.3.1
        python3-pillow: upgrade 9.5.0 -> 10.0.0
        python3-redis: upgrade 4.5.5 -> 4.6.0
        python3-tox: upgrade 4.6.0 -> 4.6.3
        python3-virtualenv: upgrade 20.23.0 -> 20.23.1
        python3-zeroconf: upgrade 0.69.0 -> 0.70.0
        libyang: Fix install conflict when enable multilib.
        php: Fix install conflict when enable multilib.

  Wolfgang Meyer (4):
        fbida: Switch to git fetcher
        fbida: build with meson
        fbida: SRC_REV bump ac9005b..eb769e3
        fbida: make fbpdf build optional

  Yi Zhao (6):
        conntrack-tools: add systemd unit file
        conntrack-tools: add required kernel modules to RRECOMMENDS
        frr: upgrade 8.4.2 -> 8.4.4
        mbedtls: upgrade 2.28.2 -> 2.28.3
        open-vm-tools: Security fix CVE-2023-20867
        samba: upgrade 4.18.3 -> 4.18.4

  Zoltán Böszörményi (1):
        opencv: 4.8.0

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I48c2ba4573ee81b637b1ba890c312f491004f666

1 files changed, 70 insertions, 15 deletions

diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index bd9e7e7445..c1f1ea0fd6 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -48,8 +48,8 @@ CVE_CHECK_LOG_JSON ?= "${T}/cve.json"
 CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
 CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}"
 CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json"
-CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
-CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.json"
+CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.cve"
+CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.json"
 CVE_CHECK_COPY_FILES ??= "1"
 CVE_CHECK_CREATE_MANIFEST ??= "1"
 
@@ -70,12 +70,28 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
 #
+# Settings the same status and reason for multiple CVEs is possible
+# via CVE_STATUS_GROUPS variable.
+#
+# CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
+#
+# CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0003"
+# CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS_PATCHED = "CVE-1234-0002 CVE-1234-0004"
+# CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally"
+#
+# All possible CVE statuses could be found in cve-check-map.conf
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
 # Layers to be excluded
@@ -88,6 +104,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+        for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+            d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        cve_group = d.getVar(cve_status_group)
+        if cve_group is not None:
+            for cve in cve_group.split():
+                d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+        else:
+            bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
@@ -260,7 +294,7 @@ def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
     """
-    from oe.cve_check import Version, convert_cve_version
+    from oe.cve_check import Version, convert_cve_version, decode_cve_status
 
     pn = d.getVar("PN")
     real_pv = d.getVar("PV")
@@ -282,7 +316,12 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Ignored":
+            cve_ignore.append(cve)
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
@@ -413,6 +452,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
     CVE manifest if enabled.
     """
 
+    from oe.cve_check import decode_cve_status
+
     cve_file = d.getVar("CVE_CHECK_LOG")
     fdir_name  = d.getVar("FILE_DIRNAME")
     layer = fdir_name.split("/")[-3]
@@ -441,20 +482,27 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         is_patched = cve in patched
         is_ignored = cve in ignored
 
+        status = "Unpatched"
         if (is_patched or is_ignored) and not report_all:
             continue
+        if is_ignored:
+            status = "Ignored"
+        elif is_patched:
+            status = "Patched"
+        else:
+            # default value of status is Unpatched
+            unpatched_cves.append(cve)
 
         write_string += "LAYER: %s\n" % layer
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
-        if is_ignored:
-            write_string += "CVE STATUS: Ignored\n"
-        elif is_patched:
-            write_string += "CVE STATUS: Patched\n"
-        else:
-            unpatched_cves.append(cve)
-            write_string += "CVE STATUS: Unpatched\n"
+        write_string += "CVE STATUS: %s\n" % status
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            write_string += "CVE DETAIL: %s\n" % detail
+        if description:
+            write_string += "CVE DESCRIPTION: %s\n" % description
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -516,6 +564,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
     Prepare CVE data for the JSON format, then write it.
     """
 
+    from oe.cve_check import decode_cve_status
+
     output = {"version":"1", "package": []}
     nvd_link = "https://nvd.nist.gov/vuln/detail/"
 
@@ -576,6 +626,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            cve_item["detail"] = detail
+        if description:
+            cve_item["description"] = description
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list