diff options
author | Patrick Williams <patrick@stwcx.xyz> | 2023-05-02 23:26:54 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2023-05-04 00:04:39 +0300 |
commit | 821a859c1d68e8cfeea8c50e86f15daa87e71d59 (patch) | |
tree | 58306112a24fe4a57c66e3d7a324460bbd52c28f /poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch | |
parent | ce7bef12b17859cef0615675e4ad5f6f4f611384 (diff) | |
download | openbmc-821a859c1d68e8cfeea8c50e86f15daa87e71d59.tar.xz |
subtree updates
meta-openembedded: 744a4b6eda..df452d9d98:
Alexander Stein (1):
dool: Add patch to fix rebuild
Alexander Thoma (1):
Fix tigervnc crash due to missing xkbcomp rdepends
Andrej Valek (2):
grpc: upgrade 1.45.2 -> 1.46.6
grpc: upgrade 1.46.6 -> 1.46.7
Archana Polampalli (2):
Nodejs - Upgrade to 16.18.1
Nodejs: Fixed python3 DeprecationWarning
BINDU (1):
flatbuffers: adapt for cross-compilation environments
Carsten Bäcker (1):
spdlog: Fix CMake flag
Changqing Li (12):
zabbix: fix CVE-2022-43515,CVE-2022-46768
redis: 6.2.7 -> 6.2.8
redis: upgrade 7.0.4 to 7.0.5
redis: 7.0.5 -> 7.0.7
liblockfile: fix do_install failure when ldconfig is not installed
postgresql: fix CVE-2022-41862
redis: upgrade 7.0.7 -> 7.0.9
redis: upgrade 6.2.8 -> 6.2.11
zabbix: fix CVE-2023-29451
redis: upgrade 6.2.11 -> 6.2.12
redis: upgrade 7.0.9 -> 7.0.10
redis: upgrade 7.0.10 -> 7.0.11
Chase Qi (1):
kernel-selftest: install kselftest runner
Chee Yang Lee (2):
zsh: Fix CVE-2021-45444
cifs-utils: fix CVE-2022-27239 CVE-2022-29869
Dmitry Baryshkov (1):
nss: fix cross-compilation error
Dragos-Marian Panait (1):
phpmyadmin: fix CVE-2023-25727
Gary Huband (1):
chrony: add pkgconfig class as pkg-config is explicitly searched for
Geoff Parker (1):
python3-pillow: add tk to RDEPENDS ptest pkg only if x11 in DISTRO_FEATURES
He Zhe (2):
protobuf: upgrade 3.19.4 -> 3.19.6
python3-protobuf: upgrade 3.20.0 -> 3.20.3
Hermes Zhang (1):
kernel_add_regdb: Change the task order
Hitendra Prajapati (5):
dhcp: Fix CVE-2022-2928 & CVE-2022-2929
strongswan: CVE-2022-40617 A possible DoS in Using Untrusted URIs for Revocation Checking
nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ngx_http_mp4_module
net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer Exception
krb5: CVE-2022-42898 integer overflow vulnerabilities in PAC parsing
Howard Cochran (1):
ufw: Fix "could not find required binary 'iptables'"
Joe Slater (1):
phoronix-test-suite: Fix CVE-2022-40704
Khem Raj (6):
mpd: Update to 0.23.8
mpd: Upgrade to 0.23.9
ncmpc: Upgrade to 0.47
mpd: Upgrade to 0.23.12 release
monkey: Fix build with musl
postfix: Fix build on systems with linux 6.x
Manoj Saun (1):
postgresql: fix ptest failure of sysviews test
Marta Rybczynska (1):
jansson: whitelist CVE-2020-36325
Martin Jansa (12):
re2: fix branch name from master to main
exiv2: fix SRC_URI
mdns: use git fetcher
monkey: use git fetcher
jack: fix compatibility with python-3.11
restinio: fix S variable in multilib builds
mongodb: fix chown user for multilib builds
pahole: respect libdir
lvgl,lv-lib-png,lv-drivers: fix installed-vs-shipped QA issue with multilib
lirc: fix do_install with multilib
dleyna-{server,renderer}: fix dev-so QA issue with multilib
zsh: fix installed-vs-shipped with multilib
Mingli Yu (6):
php: Upgrade to 8.1.12
mariadb: not use qemu to run cross-compiled binaries
mariadb: Upgrade to 10.7.7
php: Upgrade to 8.1.16
mariadb: Upgrade to 10.7.8
mariadb: Fix CVE-2022-47015
Narpat Mali (2):
python3-oauthlib: upgrade 3.2.0 -> 3.2.2
Fix collections.abc deprecation warning in downloadutils Warning appears as:
Neetika Singh (1):
libcroco: Add fix for CVE-2020-12825
Nikhil R (1):
duktape: Add ptest
Niko Mauno (2):
nftables: Fix missing leading whitespace with ':append'
Fix missing leading whitespace with ':append'
Peter Kjellerstedt (2):
chrony: Remove the readline PACKAGECONFIG
chrony: Remove the libcap and nss PACKAGECONFIGs
Peter Marko (3):
ntp: whitelist CVE-2019-11331
c-ares: fix CVE-2022-4904
dnsmasq: fix CVE-2023-28450
Philippe Coval (1):
pim435: Relocate sources to eclipse
Polampalli, Archana (2):
xfce4-settings: 4.16.2 -> 4.16.5
nodejs: Upgrade 16.19.0 -> 16.19.1
Preeti Sachan (1):
fluidsynth: update SRC_URI to remove non-existing 2.2.x branch
Randy MacLeod (2):
python3-pillow: add ptest support
python3-pillow: Add distutils, unixadmin for ptest
S. Lockwood-Childs (1):
multipath-tools: fix QA "dev-so" regression
Siddharth Doshi (1):
xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] CVE-2022-45063
Tim Orling (1):
nodejs: upgrade 16.18.1 -> 16.19.0
Tom Hochstein (1):
nlohmann-json: Allow empty main package for SDK
Urade, Yogita (3):
multipath-tools: fix CVE-2022-41974
poppler: fix CVE-2021-30860
dlt-daemon: fix CVE-2023-26257
Wang Mingyu (5):
python3-pillow: upgrade 9.2.0 -> 9.3.0
python3-pillow: upgrade 9.3.0 -> 9.4.0
apache2: upgrade 2.4.54 -> 2.4.55
apache2: upgrade 2.4.55 -> 2.4.56
openwsman: Change download branch from master to main.
Xu Huan (1):
python3-pillow: upgrade 9.0.1 -> 9.1.1
Yi Zhao (5):
postfix: upgrade 3.6.5 -> 3.6.7
freeradius: Security fixes for CVE-2022-41860 CVE-2022-41861
frr: Security fix for CVE-2022-42917
apache2: use /run instead of /var/run for systemd volatile config
mbedtls: upgrade 2.28.0 -> 2.28.2
Yogita Urade (2):
multipath-tools:fix CVE-2022-41973
syslog-ng: fix CVE-2022-38725
Zheng Qiu (1):
redis: build with USE_SYSTEMD=yes when systemd is enabled
wangmy (1):
libcrypt-openssl-rsa-perl: upgrade 0.32 -> 0.33
zhengruoqin (1):
python3-pillow: upgrade 9.1.1 -> 9.2.0
meta-raspberrypi: dacad9302a..2a06e4e84b:
Zachary T Welch (1):
machines: simplify MACHINEOVERRIDES definitions
meta-security: c79262a30b..cc20e2af2a:
Armin Kuster (2):
oeqa/tpm2: fix and cleanup tests
oeqa: meta-tpm shut swtpm down before and after testing
poky: eaf8ce9d39..4cc0e9438b:
Adrian Freihofer (1):
own-mirrors: add crate
Alejandro Hernandez Samaniego (2):
baremetal-image: Avoid overriding qemu variables from IMAGE_CLASSES
testimage: Fix error message to reflect new syntax
Alex Kiernan (3):
u-boot: Remove duplicate inherit of cml1
cargo_common.bbclass: Fix typos
classes: image: Set empty weak default IMAGE_LINGUAS
Alex Stewart (1):
lsof: add update-alternatives logic
Alexander Kanavin (49):
local.conf.sample: correct the location of public hashserv
lttng-modules: upgrade 2.13.4 -> 2.13.5
quilt: backport a patch to address grep 3.8 failures
lttng-tools: submit determinism.patch upstream
groff: submit patches upstream
tcl: correct patch status
kea: submit patch upstream
ovmf: correct patches status
libffi: submit patch upstream
linux-firmware: upgrade 20220913 -> 20221012
xwayland: upgrade 22.1.3 -> 22.1.4
libffi: upgrade 3.4.2 -> 3.4.4
libical: upgrade 3.0.15 -> 3.0.16
mtd-utils: upgrade 2.1.4 -> 2.1.5
gdk-pixbuf: upgrade 2.42.9 -> 2.42.10
gstreamer1.0: upgrade 1.20.3 -> 1.20.4
libepoxy: convert to git
libepoxy: update 1.5.9 -> 1.5.10
vala: install vapigen-wrapper into /usr/bin/crosscripts and stage only that
gnomebase.bbclass: return the whole version for tarball directory if it is a number
libnewt: update 0.52.21 -> 0.52.23
ruby: merge .inc into .bb
ruby: update 3.1.2 -> 3.1.3
tzdata: update 2022d -> 2022g
devtool/upgrade: correctly handle recipes where S is a subdir of upstream tree
libarchive: upgrade 3.6.1 -> 3.6.2
devtool: process local files only for the main branch
libksba: update 1.6.2 -> 1.6.3
linux-firmware: upgrade 20221109 -> 20221214
xwayland: upgrade 22.1.5 -> 22.1.7
xserver-xorg: upgrade 21.1.4 -> 21.1.6
selftest/virgl: use pkg-config from the host
vulkan-samples: branch rename master -> main
gdk-pixbuf: do not use tools from gdk-pixbuf-native when building tests
oeqa/qemurunner: do not use Popen.poll() when terminating runqemu with a signal
diffutils: update 3.8 -> 3.9
lttng-tools: update 2.13.8 -> 2.13.9
apr: update 1.7.0 -> 1.7.2
apr-util: update 1.6.1 -> 1.6.3
bind: upgrade 9.18.10 -> 9.18.11
libjpeg-turbo: upgrade 2.1.4 -> 2.1.5
linux-firmware: upgrade 20221214 -> 20230117
sudo: upgrade 1.9.12p1 -> 1.9.12p2
vim: update 9.0.1211 -> 9.0.1293 to resolve open CVEs
dbus: upgrade 1.14.4 -> 1.14.6
linux-firmware: upgrade 20230117 -> 20230210
wireless-regdb: upgrade 2022.08.12 -> 2023.02.13
devtool/upgrade: do not delete the workspace/recipes directory
patchelf: replace a rejected patch with an equivalent uninative.bbclass tweak
Alexandre Belloni (1):
oeqa/selftest/bbtests: Update message lookup for test_git_unpack_nonetwork_fail
Alexey Smirnov (1):
classes: make TOOLCHAIN more permissive for kernel
Alexis Lothoré (1):
oeqa/selftest/resulttooltests: fix minor typo
Antonin Godard (2):
busybox: always start do_compile with orig config files
busybox: rm temporary files if do_compile was interrupted
Armin Kuster (1):
lttng-modules: Fix for 5.10.163 kernel version
Arnout Vandecappelle (1):
python3-pytest: depend on python3-tomli instead of python3-toml
Bartosz Golaszewski (1):
bluez5: add dbus to RDEPENDS
Benoît Mauduit (1):
lib/oe/reproducible: Use git log without gpg signature
Bernhard Rosenkränzer (1):
cmake-native: Fix host tool contamination (Bug: 14951)
Bhabu Bindu (5):
qemu: Fix CVE-2021-3611
curl: Fix CVE-2022-32221
curl: Fix CVE-2022-42916
curl: Fix CVE-2022-42915
qemu: Fix CVE-2022-4144
Bruce Ashfield (34):
linux-yocto/5.10: update to v5.10.147
linux-yocto/5.10: update to v5.10.149
linux-yocto/5.15: update to v5.15.72
kern-tools: fix relative path processing
linux-yocto/5.15: update to v5.15.74
linux-yocto/5.15: update to v5.15.76
linux-yocto/5.15: update to v5.15.78
linux-yocto/5.15: fix CONFIG_CRYPTO_CCM mismatch warnings
kern-tools: integrate ZFS speedup patch
linux-yocto/5.10: update to v5.10.152
linux-yocto/5.10: update to v5.10.154
linux-yocto/5.10: update to v5.10.160
linux-yocto/5.15: ltp and squashfs fixes
linux-yocto/5.15: fix perf build with clang
linux-yocto/5.15: libbpf: Fix build warning on ref_ctr_off
linux-yocto/5.15: update to v5.15.84
linux-yocto/5.15: powerpc: Fix reschedule bug in KUAP-unlocked user copy
linux-yocto/5.15: update to v5.15.87
linux-yocto/5.15: update to v5.15.89
linux-yocto/5.15: update to v5.15.91
lttng-modules: fix for kernel 6.2+
linux-yocto/5.15: update to v5.15.94
linux-yocto/5.15: update to v5.15.96
linux-yocto-rt/5.15: update to -rt59
linux-yocto/5.10: update to v5.10.162
linux-yocto/5.10: update to v5.10.164
linux-yocto/5.10: update to v5.10.166
linux-yocto/5.10: update to v5.10.168
linux-yocto/5.10: update to v5.10.170
linux-yocto/5.10: update to v5.10.172
linux-yocto/5.10: update to v5.10.175
lttng-modules: update to v2.13.9
linux-yocto/5.15: update to v5.15.98
linux-yocto/5.15: update to v5.15.103
Carlos Alberto Lopez Perez (1):
xwayland: libxshmfence is needed when dri3 is enabled
Changqing Li (3):
base.bbclass: Fix way to check ccache path
apt: fix do_package_qa failure
libsdl2: fix CVE-2022-4743
Chee Yang Lee (4):
dropbear: fix CVE-2021-36369
git: upgrade to 2.35.6
tiff: fix multiple CVEs
git: ignore CVE-2023-22743
Chen Qi (10):
image_types_wic.bbclass: fix cross binutils dependency
openssl: export necessary env vars in SDK
kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild
resolvconf: make it work
dhcpcd: fix to work with systemd
psplash: consider the situation of psplash not exist for systemd
bc: extend to nativesdk
rm_work: adjust dependency to make do_rm_work_all depend on do_rm_work
dhcpcd: backport two patches to fix runtime error
libseccomp: fix typo in DESCRIPTION
Christian Eggers (1):
linux-firmware: split rtl8761 firmware
Claus Stovgaard (1):
gstreamer1.0-libav: fix errors with ffmpeg 5.x
Daniel Gomez (1):
gtk-icon-cache: Fix GTKIC_CMD if-else condition
Diego Sueiro (1):
kernel.bbclass: Include randstruct seed assets in STAGING_KERNEL_BUILDDIR
Dmitry Baryshkov (4):
linux-firmware: upgrade 20221012 -> 20221109
linux-firmware: add new fw file to ${PN}-qcom-adreno-a530
linux-firmware: properly set license for all Qualcomm firmware
linux-firmware: add yamato fw files to qcom-adreno-a2xx package
Ed Tanous (1):
openssl: Upgrade 3.0.5 -> 3.0.7
Enrico Jörns (1):
sstatesig: emit more helpful error message when not finding sstate manifest
Etienne Cordonnier (2):
mirrors.bbclass: use shallow tarball for binutils-native
bitbake: siggen: Fix inefficient string concatenation
Federico Pellegrin (1):
curl: fix dependencies when building with ldap/ldaps
Florin Diaconescu (1):
python3: upgrade 3.10.8 -> 3.10.9
Frank de Brabander (2):
cve-update-db-native: add timeout to urlopen() calls
bitbake: bin/utils: Ensure locale en_US.UTF-8 is available on the system
Geoffrey GIRY (1):
cve-check: Fix false negative version issue
Harald Seiler (2):
opkg: Set correct info_dir and status_file in opkg.conf
bootchart2: Fix usrmerge support
He Zhe (3):
lttng-tools: Upgrade 2.13.4 -> 2.13.8
lttng-modules: Fix crash on powerpc64
lttng-modules: update 2.13.7 -> 2.13.8
Hitendra Prajapati (14):
openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption
QEMU: CVE-2022-3165 VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion
systemd: CVE-2022-3821 Fix buffer overrun
libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c
golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps
libxml2: Fix CVE-2022-40303 && CVE-2022-40304
libX11: CVE-2022-3554 & CVE-2022-3555 Fix memory leak
systemd: CVE-2022-45873 deadlock in systemd-coredump via a crash with a long backtrace
go: fix CVE-2022-41717 Excessive memory use in got server
less: backport the fix for CVE-2022-46663
curl: CVE-2023-27533 TELNET option IAC injection
curl: CVE-2023-27534 SFTP path resolving discrepancy
ruby: CVE-2023-28756 ReDoS vulnerability in Time
screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs
Hongxu Jia (1):
pkgconf: fix CVE-2023-24056
Jagadeesh Krishnanjanappa (1):
qemuboot.bbclass: make sure runqemu boots bundled initramfs kernel image
Jan Kircher (1):
toolchain-scripts: compatibility with unbound variable protection
Jan-Simon Moeller (1):
buildtools-tarball: export certificates to python and curl
Jeremy Puhlman (1):
qemu-native: Add PACKAGECONFIG option for jack
Jermain Horsman (1):
cve-check: write the cve manifest to IMGDEPLOYDIR
Joe Slater (4):
python3: advance to version 3.10.8
nghttp2: never build python bindings
python3: fix CVE-2023-24329
go: fix CVE-2022-41724, 41725
John Edward Broadbent (1):
externalsrc: git submodule--helper list unsupported
Jose Quaresma (7):
kernel-yocto: improve fatal error messages of symbol_why.py
archiver: avoid using machine variable as it breaks multiconfig
sstatesig: skip the rm_work task signature
rm_work: exclude the SSTATETASKS from the rm_work tasks sinature
sstate: Allow optimisation of do_deploy_archives task dependencies
Revert "gstreamer1.0: disable flaky gstbin:test_watch_for_state_change test"
gstreamer1.0: Fix race conditions in gstbin tests
Joshua Watt (6):
runqemu: Do not perturb script environment
runqemu: Fix gl-es argument from causing other arguments to be ignored
qemu-helper-native: Re-write bridge helper as C program
qemu-helper-native: Correctly pass program name as argv[0]
scripts: convert-overrides: Allow command-line customizations
classes/create-spdx: Add SPDX_PRETTY option
KARN JYE LAU (1):
freetype:update mirror site.
Kai Kang (5):
libuv: fixup SRC_URI
webkitgtk: 2.36.7 -> 2.36.8
qemu: fix compile error
xserver-xorg: 21.1.6 -> 21.1.7
python3-git: fix indent error
Keiya Nobuta (2):
gnutls: Unified package names to lower-case
create-spdx: Remove ";name=..." for downloadLocation
Kenfe-Mickael Laventure (3):
buildtools-tarball: Handle spaces within user $PATH
toolchain-scripts: Handle spaces within user $PATH
populate_sdk_ext: Handle spaces within user $PATH
Khem Raj (10):
perf: Depend on native setuptools3
tiff: Add packageconfig knob for webp
libtirpc: Check if file exists before operating on it
libusb1: Link with latomic only if compiler has no atomic builtins
libusb1: Strip trailing whitespaces
scons: Pass MAXLINELENGTH to scons invocation
scons.bbclass: Make MAXLINELENGTH overridable
systemd.bbclass: Add /usr/lib/systemd to searchpaths as well
rsync: Add missing prototypes to function declarations
rsync: Turn on -pedantic-errors at the end of 'configure'
Konrad Weihmann (1):
create-spdx: default share_src for shared sources
Lee Chee Yang (2):
migration-guides: add release-notes for 4.0.7
migration-guides: add release-notes for 4.0.9
Leon Anavi (1):
get_module_deps3.py: Check attribute '__file__'
Liam Beguin (1):
meson: make wrapper options sub-command specific
Louis Rannou (1):
oeqa/selftest/locales: Add selftest for locale generation/presence
Luis (1):
rm_work.bbclass: use HOSTTOOLS 'rm' binary exclusively
Marek Vasut (3):
bluez5: Point hciattach bcm43xx firmware search path to /lib/firmware
bitbake: fetch2/git: Prevent git fetcher from fetching gitlab repository metadata
bitbake: fetch2/git: Clarify the meaning of namespace
Marius Kriegerowski (1):
bitbake: bitbake-diffsigs: Make PEP8 compliant
Mark Hatle (3):
insane.bbclass: Allow hashlib version that only accepts on parameter
bitbake: utils/ply: Update md5 to better report errors with hashlib
openssl: Move microblaze to linux-latomic config
Marta Rybczynska (2):
efibootmgr: update compilation with musl
cve-update-db-native: avoid incomplete updates
Martin Jansa (15):
vulkan-samples: add lfs=0 to SRC_URI to avoid git smudge errors in do_unpack
externalsrc.bbclass: fix git repo detection
libsndfile1: Backport fix for CVE-2021-4156
tiff: refresh with devtool
tiff: add CVE tag to b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch
libxml2: fix test data checksums
systemd: backport another change from v252 to fix build with CVE-2022-45873.patch
ffmpeg: refresh patches to apply cleanly
meta: remove True option to getVar and getVarFlag calls (again)
bitbake: fetch2/git: show SRCREV and git repo in error message about fixed SRCREV
timezone: use 'tz' subdir instead of ${WORKDIR} directly
tzdata: use separate B instead of WORKDIR for zic output
tzcode-native: fix build with gcc-13 on host
selftest: devtool: set BB_HASHSERVE_UPSTREAM when setting SSTATE_MIRROR
bmap-tools: switch to main branch
Mateusz Marciniec (1):
sstatesig: Improve output hash calculation
Mathieu Dubois-Briand (1):
dbus: Add missing CVE product name
Mauro Queiros (1):
image.bbclass: print all QA functions exceptions
Michael Halstead (4):
uninative: Upgrade to 3.7 to work with glibc 2.36
selftest/runtime_test/virgl: Disable for all Rocky Linux
uninative: Upgrade to 3.8.1 to include libgcc
uninative: Upgrade to 3.9 to include glibc 2.37
Michael Opdenacker (11):
create-spdx.bbclass: remove unused SPDX_INCLUDE_PACKAGED
SPDX and CVE documentation updates
manuals: add 4.0.5 and 4.0.6 release notes
manuals: document SPDX_PRETTY variable
dev-manual: fix old override syntax
ref-manual: document SSTATE_EXCLUDEDEPS_SYSROOT
profile-manual: update WireShark hyperlinks
bsp-guide: fix broken git URLs and missing word
manuals: update patchwork instance URL
dev-manual: common-tasks.rst: add link to FOSDEM 2023 video
migration-guides: add 4.0.8 release notes
Mikko Rapeli (11):
common-tasks.rst: fix oeqa runtime test path
oeqa context.py: fix --target-ip comment to include ssh port number
oeqa ssh.py: move output prints to new line
oeqa ssh.py: add connection keep alive options to ssh client
oeqa dump.py: add error counter and stop after 5 failures
oeqa qemurunner: read more data at a time from serial
oeqa qemurunner.py: add timeout to QMP calls
oeqa qemurunner.py: try to avoid reading one character at a time
oeqa ssh.py: fix hangs in run()
runqemu: kill qemu if it hangs
oeqa rtc.py: skip if read-only-rootfs
Ming Liu (1):
linux: inherit pkgconfig in kernel.bbclass
Mingli Yu (4):
glslang: branch rename master -> main
mdadm: Fix testcase 06wrmostly
mdadm: fix tests/02lineargrow
mdadm: Fix raid0 tests
Narpat Mali (12):
wayland: fix CVE-2021-3782
python3-mako: backport fix for CVE-2022-40023
ffmpeg: fix for CVE-2022-3964
ffmpeg: fix for CVE-2022-3965
ffmpeg: fix for CVE-2022-3109
python3-setuptools: fix for CVE-2022-40897
python3-wheel: fix for CVE-2022-40898
python3-git: fix for CVE-2022-24439
ffmpeg: fix for CVE-2022-3341
python3-certifi: fix for CVE-2022-23491
libseccomp: fix for the ptest result format
libmicrohttpd: upgrade 0.9.75 -> 0.9.76
Nathan Rossi (4):
oeqa/selftest/lic_checksum: Cleanup changes to emptytest include
oeqa/selftest/minidebuginfo: Create selftest for minidebuginfo
glibc-locale: Do not INHIBIT_DEFAULT_DEPS
package: Fix handling of minidebuginfo with newer binutils
Niko Mauno (2):
systemd: Consider PACKAGECONFIG in RRECOMMENDS
Fix missing leading whitespace with ':append'
Ovidiu Panait (1):
kernel.bbclass: remove empty module directories to prevent QA issues
Pavel Zhukov (4):
bitbake: gitsm: Fix regression in gitsm submodule path parsing
oeqa/rpm.py: Increase timeout and add debug output
gcc: Refactor linker patches and fix linker on arm with usrmerge
wic: Fix usage of fstype=none in wic
Pawan Badganchi (2):
curl: Add fix for CVE-2023-23914, CVE-2023-23915
tiff: Add fix for CVE-2022-4645
Pawel Zalewski (1):
classes/fs-uuid: Fix command output decoding issue
Peter Kjellerstedt (2):
externalsrc.bbclass: Remove a trailing slash from ${B}
devshell: Do not add scripts/git-intercept to PATH
Peter Marko (9):
systemd: add group render to udev package
meta-selftest/staticids: add render group for systemd
externalsrc: fix lookup for .gitmodules
oeqa/selftest/externalsrc: add test for srctree_hash_files
systemd: add group sgx to udev package
systemd: fix CVE-2022-4415
gcc-shared-source: do not use ${S}/.. in deploy_source_date_epoch
package.bbclass: correct check for /build in copydebugsources()
go: ignore CVE-2022-41716
Petr Kubizňák (1):
harfbuzz: remove bindir only if it exists
Piotr Łobacz (1):
systemd: fix wrong nobody-group assignment
Polampalli, Archana (1):
libpam: fix CVE-2022-28321
Poonam (1):
python3-setuptools-rust-native: Add direct dependency of native python3 modules
Qiu, Zheng (3):
tiff: Security fix for CVE-2022-3970
vim: upgrade 9.0.0820 -> 9.0.0947
valgrind: remove most hidden tests for arm64
Quentin Schulz (4):
cairo: update patch for CVE-2019-6461 with upstream solution
docs: migration-4.0: specify variable name change for kernel inclusion in image recipe
docs: kernel-dev: faq: update tip on how to not include kernel in image
cairo: fix CVE patches assigned wrong CVE number
Randy MacLeod (3):
valgrind: skip the boost_thread test on arm
vim: upgrade 9.0.0947 -> 9.0.1211
vim: upgrade 9.0.1403 -> 9.0.1429
Ranjitsinh Rathod (3):
curl: Correct LICENSE from MIT-open-group to curl
curl: Add patch to fix CVE-2022-43551
curl: Add patch to fix CVE-2022-43552
Ravula Adhitya Siddartha (2):
linux-yocto/5.10: update genericx86* machines to v5.10.149
linux-yocto/5.15: update genericx86* machines to v5.15.72
Richard Purdie (35):
bitbake: tests/fetch: Allow handling of a file:// url within a submodule
build-appliance-image: Update to kirkstone head revision
openssl: Fix SSL_CERT_FILE to match ca-certs location
numactl: upgrade 2.0.14 -> 2.0.15
bitbake: runqueue: Fix race issues around hash equivalence and sstate reuse
lttng-modules: upgrade 2.13.5 -> 2.13.7
bitbake.conf: Drop export of SOURCE_DATE_EPOCH_FALLBACK
gcc-shared-source: Fix source date epoch handling
gcc-source: Fix gengtypes race
gcc-source: Drop gengtype manipulation
gcc-source: Ensure deploy_source_date_epoch sstate hash doesn't change
sanity: Drop data finalize call
oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file()
build-appliance-image: Update to kirkstone head revision
yocto-check-layer: Allow OE-Core to be tested
oeqa/concurrencytest: Add number of failures to summary output
build-appliance-image: Update to kirkstone head revision
native: Drop special variable handling
kernel/linux-kernel-base: Fix kernel build artefact determinism issues
make-mod-scripts: Ensure kernel build output is deterministic
libc-locale: Fix on target locale generation
build-appliance-image: Update to kirkstone head revision
libssh2: Clean up ptest patch/coverage
bitbake: utils: Allow to_boolean to support int values
bitbake: cookerdata: Remove incorrect SystemExit usage
bitbake: cookerdata: Improve early exception handling
bitbake: cookerdata: Drop dubious exception handling code
binutils: Fix nativesdk ld.so search
oeqa/selftest/prservice: Improve debug output for failure
staging: Separate out different multiconfig manifests
staging/multilib: Fix manifest corruption
glibc: Add missing binutils dependency
selftest/recipetool: Stop test corrupting tinfoil class
base-files: Drop localhost.localdomain from hosts file
pybootchartui: Fix python syntax issue
Robert Andersson (1):
go-crosssdk: avoid host contamination by GOCACHE
Robert Yang (1):
bitbake: fetch/git: Fix local clone url to make it work with repo
Rodolfo Quesada Zumbado (1):
tar: CVE-2022-48303
Romuald Jeanne (1):
image_types: fix multiubi var init
Ross Burton (37):
qemu: fix CVE-2022-2962
lighttpd: fix CVE-2022-41556
expat: backport the fix for CVE-2022-43680
scripts/oe-check-sstate: cleanup
scripts/oe-check-sstate: force build to run for all targets, specifically populate_sysroot
opkg-utils: use a git clone, not a dynamic snapshot
oe/packagemanager/rpm: don't leak file objects
glib-2.0: fix rare GFileInfo test case failure
pixman: backport fix for CVE-2022-44638
sanity: check for GNU tar specifically
qemu: add io_uring PACKAGECONFIG
expat: upgrade to 2.5.0
linux-firmware: don't put the firmware into the sysroot
tiff: fix a number of CVEs
xserver-xorg: backport fixes for CVE-2022-3550 and CVE-2022-3551
lib/buildstats: fix parsing of trees with reduced_proc_pressure directories
combo-layer: remove unused import
combo-layer: dont use bb.utils.rename
combo-layer: add sync-revs command
libepoxy: remove upstreamed patch
cve-update-db-native: show IP on failure
bitbake: bb/utils: include SSL certificate paths in export_proxies
ppp: backport fix for CVE-2022-4603
quilt: fix intermittent failure in faildiff.test
spirv-headers: set correct branch name
quilt: use upstreamed faildiff.test fix
git: ignore CVE-2022-41953
buildtools-tarball: set pkg-config search path
sdkext/cases/devtool: pass a logger to HTTPService
httpserver: add error handler that write to the logger
lib/buildstats: handle tasks that never finished
shadow: ignore CVE-2016-15024
vim: add missing pkgconfig inherit
vim: upgrade to 9.0.1403
vim: set modified-by to the recipe MAINTAINER
lib/resulttool: fix typo breaking resulttool log --ptest
scripts/lib/buildstats: handle top-level build_stats not being complete
Sakib Sajal (3):
go: fix CVE-2022-2880
git: upgrade 2.35.6 -> 2.35.7
go: fix CVE-2022-2879 and CVE-2022-41720
Sandeep Gundlupet Raju (2):
kernel-fitimage: Adjust order of dtb/dtbo files
kernel-fitimage: Allow user to select dtb when multiple dtb exists
Saul Wold (3):
at: Change when files are copied
package.bbclase: Add check for /build in copydebugsources()
busybox: Fix depmod patch
Schmidt, Adriaan (1):
bitbake: bitbake-diffsigs: break on first dependent task difference
Sean Anderson (2):
kernel: Clear SYSROOT_DIRS instead of replacing sysroot_stage_all
uboot-sign: Fix using wrong KEY_REQ_ARGS
Sergei Zhmylev (2):
wic: honor the SOURCE_DATE_EPOCH in case of updated fstab
wic: make ext2/3/4 images reproducible
Shubham Kulkarni (3):
glibc: Security fix for CVE-2023-0687
go-runtime: Security fix for CVE-2022-41723
go-runtime: Security fix for CVE-2022-41722
Siddharth Doshi (5):
openssl: Upgrade 3.0.7 -> 3.0.8
epiphany: Security fix for CVE-2023-26081
harfbuzz: Security fix for CVE-2023-25193
openssl: Security fix for CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538
Simone Weiss (1):
json-c: Add ptest for json-c
Steve Sakoman (12):
Revert "lttng-tools: Upgrade 2.13.4 -> 2.13.8"
poky.conf: bump version for 4.0.5
Revert "expat: backport the fix for CVE-2022-43680"
poky.conf: bump version for 4.0.6
Revert "libksba: fix CVE-2022-47629"
poky.conf: bump version for 4.0.7
poky.conf: Update SANITY_TESTED_DISTROS to match autobuilder
system-requirements.rst: add Fedora 36 and AlmaLinux 8.7 to list of supported distros
libgit2: uprade 1.4.3 -> 1.4.4
libgit2: upgrade 1.4.4 -> 1.4.5
poky.conf: bump version for 4.0.8
poky.conf: bump version for 4.0.9
Sundeep KOKKONDA (1):
cargo : non vulnerable cve-2022-46176 added to excluded list
Teoh Jay Shen (2):
tiff: Security fixes CVE-2022-2867,CVE-2022-2868 and CVE-2022-2869
vim: Upgrade 9.0.0598 -> 9.0.0614
Thomas Perrot (2):
psplash: add psplash-default in rdepends
xserver-xorg: move some recommended dependencies in required
Thomas Roos (1):
devtool: fix devtool finish when gitmodules file is empty
Tim Orling (5):
python3: upgrade 3.10.4 -> 3.10.7
git: upgrade 2.35.4 -> 2.35.5
vim: upgrade 9.0.0614 -> 9.0.0820
mirrors.bbclass: update CPAN_MIRROR
cracklib: update github branch to 'main'
Tom Hochstein (2):
meson: Fix wrapper handling of implicit setup command
oeqa/sdk: Improve Meson test
Trevor Woerner (3):
cups: use BUILDROOT instead of DESTDIR
cups: check PACKAGECONFIG for pam feature
cups: add/fix web interface packaging
Ulrich Ölmann (4):
recipe_sanity: fix old override syntax
lsof: fix old override syntax
update-alternatives: fix typos
kernel-yocto: fix kernel-meta data detection
Vincent Davis Jr (1):
linux-firmware: package amdgpu firmware
Virendra Thakur (1):
qemu: Fix CVE-2021-3750 for qemu
Vivek Kumbhar (5):
python3: fix CVE-2022-42919 local privilege escalation via the multiprocessing forkserver start method
sqlite: fix CVE-2022-46908 safe mode authorizer callback allows disallowed UDFs.
openssl: fix CVE-2022-3996 double locking leads to denial of service
gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key exchange code
go: fix CVE-2023-24537 Infinite loop in parsing
Vyacheslav Yurkov (3):
files: overlayfs-etc: refactor preinit template
classes: files: Extend overlayfs-etc class
overlayfs: Allow not used mount points
Wang Mingyu (19):
bind: upgrade 9.18.7 -> 9.18.8
socat: upgrade 1.7.4.3 -> 1.7.4.4
libxcrypt: upgrade 4.4.28 -> 4.4.30
xwayland: upgrade 22.1.4 -> 22.1.5
mobile-broadband-provider-info: upgrade 20220725 -> 20221107
babeltrace: upgrade 1.5.8 -> 1.5.11
iso-codes: upgrade 4.11.0 -> 4.12.0
bind: upgrade 9.18.8 -> 9.18.9
mpfr: upgrade 4.1.0 -> 4.1.1
libxcrypt-compat: upgrade 4.4.30 -> 4.4.33
libpng: upgrade 1.6.38 -> 1.6.39
gstreamer1.0: upgrade 1.20.4 -> 1.20.5
bind: upgrade 9.18.9 -> 9.18.10
libjpeg-turbo: upgrade 2.1.5 -> 2.1.5.1
xwayland: upgrade 22.1.7 -> 22.1.8
iso-codes: upgrade 4.12.0 -> 4.13.0
lua: Fix install conflict when enable multilib.
vala: Fix install conflict when enable multilib.
dhcpcd: Fix install conflict when enable multilib.
Xiangyu Chen (18):
qemu: Backport patches from upstream to support float128 on qemu-ppc64
linux-yocto-dev: add qemuarm64
ltp: backport clock_gettime04 fix from upstream
dbus: fix CVE-2022-42010 Check brackets in signature nest correctly
dbus: fix CVE-2022-42011 dbus-daemon can be crashed by messages with array length inconsistent with element type
dbus: fix CVE-2022-42012 dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
lttng-tools: Upgrade 2.13.4 -> 2.13.8
sudo: upgrade 1.9.10 -> sudo 1.9.12p1
bash: backport patch to fix CVE-2022-3715
grub2: backport patch to fix CVE-2022-2601 CVE-2022-3775
dbus: upgrade 1.14.0 -> 1.14.4
sysstat: fix CVE-2022-39377
grub: backport patches to fix CVE-2022-28736
openssh: remove RRECOMMENDS to rng-tools for sshd package
numactl: skip test case when target platform doesn't have 2 CPU node
dhcpcd: fix dhcpcd start failure on qemuppc64
sudo: update 1.9.12p2 -> 1.9.13p3
shadow: backport patch to fix CVE-2023-29383
Yash Shinde (5):
binutils: stable 2.38 branch updates
glibc: stable 2.35 branch updates.
glibc: stable 2.35 branch updates.
binutils : Fix CVE-2023-22608
binutils : Fix CVE-2023-1579
Yash.Shinde@windriver.com (1):
binutils : Fix CVE-2022-4285
Yogita Urade (1):
libksba: fix CVE-2022-47629
Zheng Qiu (1):
tiff: fix CVE-2022-2953
ciarancourtney (1):
wic: swap partitions are not added to fstab
pawan (2):
Revert "qemu: fix CVE-2021-3507"
curl: Add fix for CVE-2023-23916
pgowda (1):
binutils : Fix CVE-2022-38128
wangmy (9):
ifupdown: upgrade 0.8.37 -> 0.8.39
libcap: upgrade 2.65 -> 2.66
libical: upgrade 3.0.14 -> 3.0.15
numactl: upgrade 2.0.15 -> 2.0.16
wpebackend-fdo: upgrade 1.12.1 -> 1.14.0
libksba: upgrade 1.6.0 -> 1.6.2
lttng-ust: upgrade 2.13.3 -> 2.13.4
lttng-ust: upgrade 2.13.4 -> 2.13.5
lighttpd: upgrade 1.4.66 -> 1.4.67
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I80cf3cd933dea72160ce87efb2a42fe4d0e5d7d5
Diffstat (limited to 'poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch')
-rw-r--r-- | poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch | 225 |
1 files changed, 225 insertions, 0 deletions
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 0000000000..3b94c48e8d --- /dev/null +++ b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch @@ -0,0 +1,225 @@ +From 959c59c7a0164117e7f8366466a32bb1f8d77ff1 Mon Sep 17 00:00:00 2001 +From: Pauli <pauli@openssl.org> +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz <tomas@openssl.org> +Reviewed-by: Shane Lontis <shane.lontis@oracle.com> +(Merged from https://github.com/openssl/openssl/pull/20568) + +Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] +CVE: CVE-2023-0464 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + crypto/x509/pcy_local.h | 8 +++++++- + crypto/x509/pcy_node.c | 12 +++++++++--- + crypto/x509/pcy_tree.c | 36 ++++++++++++++++++++++++++---------- + 3 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc..cba107c 100644 +--- a/crypto/x509/pcy_local.h ++++ b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++ /* The number of nodes in the tree */ ++ size_t node_count; ++ /* The maximum number of nodes in the tree */ ++ size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea..450f95a 100644 +--- a/crypto/x509/pcy_node.c ++++ b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++ return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +- if (level) { ++ if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +- if (tree) { ++ if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++ tree->node_count++; + if (parent) + parent->nchild++; + +diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c +index fa45da5..f953a05 100644 +--- a/crypto/x509/pcy_tree.c ++++ b/crypto/x509/pcy_tree.c +@@ -14,6 +14,17 @@ + + #include "pcy_local.h" + ++/* ++ * If the maximum number of nodes in the policy tree isn't defined, set it to ++ * a generous default of 1000 nodes. ++ * ++ * Defining this to be zero means unlimited policy tree growth which opens the ++ * door on CVE-2023-0464. ++ */ ++#ifndef OPENSSL_POLICY_TREE_NODES_MAX ++# define OPENSSL_POLICY_TREE_NODES_MAX 1000 ++#endif ++ + static void expected_print(BIO *channel, + X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, + int indent) +@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + return X509_PCY_TREE_INTERNAL; + } + ++ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ ++ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; ++ + /* + * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. + * +@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + if ((data = ossl_policy_data_new(NULL, + OBJ_nid2obj(NID_any_policy), 0)) == NULL) + goto bad_tree; +- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { ++ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { + ossl_policy_data_free(data); + goto bad_tree; + } +@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + * Return value: 1 on success, 0 otherwise + */ + static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, +- X509_POLICY_DATA *data) ++ X509_POLICY_DATA *data, ++ X509_POLICY_TREE *tree) + { + X509_POLICY_LEVEL *last = curr - 1; + int i, matched = 0; +@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); + + if (ossl_policy_node_match(last, node, data->valid_policy)) { +- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) + return 0; + matched = 1; + } + } + if (!matched && last->anyPolicy) { +- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) + return 0; + } + return 1; +@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + * Return value: 1 on success, 0 otherwise. + */ + static int tree_link_nodes(X509_POLICY_LEVEL *curr, +- const X509_POLICY_CACHE *cache) ++ const X509_POLICY_CACHE *cache, ++ X509_POLICY_TREE *tree) + { + int i; + +@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); + + /* Look for matching nodes in previous level */ +- if (!tree_link_matching_nodes(curr, data)) ++ if (!tree_link_matching_nodes(curr, data, tree)) + return 0; + } + return 1; +@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, + /* Curr may not have anyPolicy */ + data->qualifier_set = cache->anyPolicy->qualifier_set; + data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; +- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { ++ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { + ossl_policy_data_free(data); + return 0; + } +@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, + /* Finally add link to anyPolicy */ + if (last->anyPolicy && + ossl_policy_level_add_node(curr, cache->anyPolicy, +- last->anyPolicy, NULL) == NULL) ++ last->anyPolicy, tree, 0) == NULL) + return 0; + return 1; + } +@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, + extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS + | POLICY_DATA_FLAG_EXTRA_NODE; + node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, +- tree); ++ tree, 1); + } + if (!tree->user_policies) { + tree->user_policies = sk_X509_POLICY_NODE_new_null(); +@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) + + for (i = 1; i < tree->nlevel; i++, curr++) { + cache = ossl_policy_cache_set(curr->cert); +- if (!tree_link_nodes(curr, cache)) ++ if (!tree_link_nodes(curr, cache, tree)) + return X509_PCY_TREE_INTERNAL; + + if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) +-- +2.35.7 + |