subtree updates: openembedded poky

poky: fb1853c66c..0907793d5e: Alexander Kanavin (30): sudo: update 1.9.12p2 -> 1.9.13p2 procps: update 3.3.17 -> 4.0.3 selftest/overlayfs: enable systemd via INIT_MANAGER systemd: update 252.5 -> 253.1 dpkg: update 1.21.20 -> 1.21.21 libdnf: update 0.69.0 -> 0.70.0 ethtool: update 6.1 -> 6.2 iptables: update 1.8.8 -> 1.8.9 util-macros: do not probe into host triplet when checking manpage section names encodings: update 1.0.6 -> 1.0.7 font-alias: update 1.0.4 -> 1.0.5 sqlite3: update 3.40.1 -> 3.41.0 enchant2: upgrade 2.3.3 -> 2.3.4 make: upgrade 4.4 -> 4.4.1 vte: upgrade 0.70.2 -> 0.70.3 pango: upgrade 1.50.12 -> 1.50.13 libnotify: upgrade 0.8.1 -> 0.8.2 puzzles: upgrade to latest revision iproute2: upgrade 6.1.0 -> 6.2.0 bind: upgrade 9.18.11 -> 9.18.12 stress-ng: remove obsolete patch piglit: upgrade to latest revision apt: re-enable version check devtool/upgrade: do not delete the workspace/recipes directory runqemu: direct mesa to use its own drivers, rather than ones provided by host distro mesa: allow mesa-native/nativesdk only subject to opengl/vulkan DISTRO_FEATURE mesa: enable a rich set of drivers for native builds llvm: allow building libllvm in native builds, subject to PACKAGECONFIG mesa: do not strip rpaths from dri drivers mesa: update 22.3.5 -> 23.0.0 Alexandre Belloni (2): pseudo: Update to pull in fd leak fix stress-ng: upgrade 0.15.04 -> 0.15.06 Alexis Lothoré (8): scripts/resulttool: call fixup_ptest_names in regression_common oeqa/selftest/resulttool: fix ptest filtering tests oeqa/selftest/resulttool: fix fake data used for testing scripts/resulttool: fix ptests results containing a non reproducible path oeqa/selftest/resulttool: add test for error propagation in test name filtering scripts/resulttool: do not count newly passing tests as regressions scripts/yocto_testresults_query.py: set proper branches when using resulttool scripts/yocto_testresults_query.py: fix regression reports for branches with slashes Andrew Geissler (1): filemap.py: enforce maximum of 4kb block size Arturo Buzarra (1): run-postinsts: Set dependency for ldconfig to avoid boot issues Bruce Ashfield (12): perf: fix buildpaths QA warning lttng-modules: update to v2.13.9 lttng-modules: fix for v6.3+ kernels linux-yocto/6.1: update to v6.1.15 linux-yocto/5.15: update to v5.15.98 linux-yocto/6.1: update to v6.1.20 linux-yocto/5.15: update to v5.15.103 kernel-devsrc: fix mismatched compiler warning linux-yocto-dev: bump to v6.3 kernel/kernel-devsrc: powerpc: add elfutils dependency yocto-bsp/6.1: update reference boards to v6.1.20 yocto-bsp/5.15: update to v5.15.103 Carlos Alberto Lopez Perez (1): mesa-demos: packageconfig weston should have a dependency on wayland-protocols Changqing Li (1): cpio: fix ptest failure Chen Qi (4): Revert "systemd-systemctl: Create machine-id with "uninitialized" text in it" rpm: fix RPM_ETCCONFIGDIR value in SDK debugedit: add recipe rpm: add back find-debuginfo support Clément Péron (2): qemu: split out qemu-guest-agent, add startup scripts runqemu: add an option to enable guest-agent virtio device Daniel Ammann (1): bitbake: fetch2/sftp: Fix fetching URIs with spaces Dmitry Baryshkov (1): mesa: import patch from upstream to fix tools build on musl Fawzi KHABER (4): bitbake: doc: ref-variables: add LAYERSERIES_COMPAT to term glossary bitbake: bitbake-user-manual: update Hello World example package.bbclass: check packages name conflict in do_package oeqa/selftest/cases/package.py: adding unittest for package rename conflicts Frederic Martinsons (7): cargo.bbclass: use offline mode for building bitbake: crate.py: authorize crate url with parameters cargo-update-recipe-crates: generate checksum for each crates python3-bcrypt: add crates checksums python3-cryptography: add crates checksums bitbake: fetch2: Add checksum capability for crate fetcher bitbake: crate.py: make checksum verification mandatory Geoffrey GIRY (1): cve-check: Fix false negative version issue James R T (1): bitbake: ConfHandler: Allow the '@' character in variable flag names Jialing Zhang (5): class-recipe: add support for loongarch64 Do not remove the -m option for loongarch64 image-uefi: add support for loongarch64 add support for loongarch64 recipes: add support for loongarch64 Jose Quaresma (5): go: fix some linkshared regression introduced in go 1.20 buildstats-summary: add an option to disable bold oeqs/selftest: OESelftestTestContext: replace the os.environ after subprocess.check_output oeqa/selftest: OESelftestTestContext: convert relative to full path when newbuilddir is provided oeqa/selftest/reproducible: Split different packages from missing packages output Joshua Watt (1): runqemu: Fix TypeError when command fails Kai Kang (1): grub2: support metadata_csum_seed feature Kenfe-Mickael Laventure (3): buildtools-tarball: Handle spaces within user $PATH toolchain-scripts: Handle spaces within user $PATH populate_sdk_ext: Handle spaces within user $PATH Khem Raj (9): libcomps: Fix callback function prototype for PyCOMPS_hash rpm: Fix hdr_hash function prototype binutils: Enable --enable-new-dtags systemd: Fix musl fix patch systemd.bbclass: Add /usr/lib/systemd to searchpaths as well systemtap: Disable dangling-pointer warning glibc: Disable warnings as errors vte: Upgrade to 0.72.0 Revert "runqemu: Add workaround for APIC hang on pre 4.15 kernels on qemux86" Lee Chee Yang (2): migration-guides: add release-notes for 4.0.8 migration-guides: add release-notes for 4.1.3 Maanya Goenka (1): create-spdx: fix config build by adding dependency to enable reruns Mark Asselstine (1): bitbake: build: Make python output print to stdout when running with -v (verbose) Mark Hatle (3): bitbake: wget.py: Add catch TimeoutError exception bitbake: wget.py: Combine urlopener exceptions tcf-agent: Update to current version Markus Volk (1): gtk4: update 4.8.3 -> 4.10.0 Martin Jansa (22): file: add few more PACKAGECONFIGs to avoid autodetected deps from host npm.bbclass: avoid DeprecationWarning with new python timezone: use 'tz' subdir instead of ${WORKDIR} directly tzdata: use separate B instead of WORKDIR for zic output git-submodule-test: disable upstream version check tzcode-native: fix build with gcc-13 on host selftest: devtool: set BB_HASHSERVE_UPSTREAM when setting SSTATE_MIRROR selftest: wic: respect IMAGE_LINK_NAME selftest: wic: respect IMAGE_LINK_NAME also in test_rawcopy_plugin_qemu selftest: runqemu: respect IMAGE_LINK_NAME image-artifact-names.bbclass: add INITRAMFS_IMAGE_NAME from kernel.bbclass selftest: fitimage.py: respect INITRAMFS_IMAGE_NAME and KERNEL_FIT_LINK_NAME image-artifact-names: add IMAGE_MACHINE_SUFFIX variable selftest: gdbserver.py: respect IMAGE_LINK_NAME selftest: minidebuginfo.py respect IMAGE_LINK_NAME runqemu: get_first_file() rename cmd* to glob* selftest: imagefeatures.py: respect IMAGE_LINK_NAME for debugfs and manifest as well oeqa: loader.py: show warning when skipping selected module and abort if all are skipped bmap-tools: switch to main branch python3-scons: upgrade to v4.5.2 selftest: systemd_boot.py: respect IMAGE_LINK_NAME selftest: eSDK rename to esdk Martin Larsson (1): libpam: Remove flex dependency Michael Halstead (1): selftest/runtime_test/virgl: Disable for all Rocky Linux Michael Opdenacker (7): ref-manual: clarify explanations about feature backfilling overview-manual: add missing link to BitBake User Manual manuals: simplify references to the BitBake User Manual poky.yaml.in, system-requirements.rst: update system requirements ref-manual: system-requirements.rst: simplify supported distro requirements ref-manual: variables.rst: update LAYERSERIES_COMPAT bitbake: bitbake-user-manual: fix links to supported release manuals Mikko Rapeli (1): oeqa rtc.py: skip if read-only-rootfs Ming Liu (1): linux: inherit pkgconfig in kernel.bbclass Mingli Yu (4): mdadm: Fix testcase 06wrmostly mdadm: fix tests/02lineargrow mdadm: Fix raid0 tests mdadm: fix tests/00raid0 Ovidiu Panait (1): gobject-introspection: inherit python3targetconfig Peter Marko (2): go: use go as CVE product for all golang recipe veriants gcc-shared-source: do not use ${S}/.. in deploy_source_date_epoch Piotr Łobacz (1): systemd: fix wrong nobody-group assignment Randy MacLeod (3): valgrind: Disable drd/tests/bar_bad ptest openssl: update from 3.0.8 to 3.1.0 vim: upgrade 9.0.1403 -> 9.0.1429 Richard Purdie (52): gdb: Fix occasional build failure staging: Separate out different multiconfig manifests bitbake: server/xmlrpc: Fix after currentAsyncCommand locking changes gdb: Mark patch as backport glibc: Add missing binutils dependency glibc: Update sstate/equiv versions to clean cache staging/multilib: Fix manifest corruption m4/opkg/ethtool/attr/libgpg-error: Add missing bash ptest dependency openssl: Add missing ptest dependency on openssl-bin valgrind: Add missing utf-32 gconv dependency for ptests perl: Add missing procps-ps dependency for ptests acl/attr: ptest fixes and improvements m4: Add missing ptest dependency libmodule-build-perl: Fix ptest dependencies bc: Fix ptest test output naming findutils: Fix ptest dependency issue gawk: Fix ptest dependency libconvert-asn1-perl: Fix ptest dependencies libxml-sax-perl: Fix ptest dependencies babeltrace2: Fix ptest execution in minimal images and add debug info babeltrace: Fix ptest dependency lttng-tools: Improve ptest debugging and fix dependencies gettext: Add missing bash ptest dependency glibc-tests: Add missing bash ptest dependency opkg: Add missing python module ptest dependencies libxml-perl: Add missing perl module ptest dependencies gstreamer1.0: Add missing gconv ptest dependency gnutls: Add missing python ptest dependency busybox: Fix ptest dependencies selftest/recipetool: Stop test corrupting tinfoil class oeqa/selftest/sstate: Merge sstate test class with tests themselves oeqa/selftest/sstate: Move common code to base class oeqa/selftest/sstate: Split classes to allow more parallelism base-files: Drop localhost.localdomain from hosts file core-image-ptest: Switch to BBCLASSEXTEND parallel execution ptest-packagelists: Simplify ptest list/code scripts/combo-layer: Fix python deprecation warning pybootchartui: Fix python syntax issue pybootchart: Fix extents handling to account for cpu/io/mem pressure changes matchbox-wm: Update 1.2.2 -> 1.2.3 matchbox-panel-2: Update 2.11 -> 2.12 matchbox-desktop-2: Update 2.2 -> 2.3 matchbox-terminal: Update to latest SRCREV matchbox-config-gtk: Update to latest SRCREV matchbox-terminal: Fix PV to match standard format openssl: Fix reproducibility issue resulttool: Improve overlapping ptest result reporting poky-bleeding: Update and rework bitbake: fetch2: Rename __BBSEENSRCREV -> __BBSRCREV_SEEN bitbake: fetch2: Add autorev warning when it is set too late abi_version/sstate: Handle pkgconfig output changes and bump output versions bitbake: fetch2/local: Mention the value of localpath in failure message Robert Joslyn (1): curl: Update from 7.88.1 to 8.0.1 Robert Yang (3): bitbake: fetch/git: Fix local clone url to make it work with repo bitbake: cache: Make EXCLUDE_FROM_WORLD boolean bitbake: bitbake: bitbake-user-manual: Update EXCLUDE_FROM_WORLD Romuald JEANNE (1): image_types: fix vname var init in multiubi_mkfs() function Romuald Jeanne (2): image_types: fix multiubi var init oeqa/selftest/imagefeatures: set a test for mutliubi in test_image_fstypes Ross Burton (35): vim: add missing pkgconfig inherit shadow: ignore CVE-2016-15024 epiphany: upgrade to 43.1 manpages: use an intercept to run mandb oeqa/selftest/imagefeatures: add test for man-db systemd: add ignore for CVE-2022-4415 meson: remove obsolete RPATH stripping patch poky: set MAINTAINER clearly vim: set modified-by to the recipe MAINTAINER vim: upgrade to 9.0.1403 lib/resulttool: fix typo breaking resulttool log --ptest resulttool: add log --list-ptest python3-numpy: add missing dependency for the tests python3: missing ptest dependencies python3: add missing -modules dependencies python3-unittest-automake-output: add new recipe for ptest integration python3-atomicwrites: use python3-unittest-automake-output python3-bcrypt: use python3-unittest-automake-output python3-cryptography: use python3-unittest-automake-output python3-hypothesis: use python3-unittest-automake-output python3-jinja2: use python3-unittest-automake-output python3-markupsafe: use python3-unittest-automake-output python3-more-itertools: use python3-unittest-automake-output python3-pluggy: use python3-unittest-automake-output python3-pyasn1: : use python3-unittest-automake-output python3-pytz: use python3-unittest-automake-output python3-wcwidth: use python3-unittest-automake-output python3-webcolors: use python3-unittest-automake-output python3-jsonpointer: rewrite testing scripts: add buildstats-summary quilt: fix non-deterministic ownership in ptest package scripts/lib/buildstats: handle top-level build_stats not being complete go: fix CVE-2023-2453 libunwind: fix compile failures on 32-bit arm with Clang 16 tzdata: upgrade to 2023c Siddharth Doshi (2): OpenSSL: Security fix for CVE-2023-0464 openssh: upgrade 9.2p1 -> 9.3p1 Sudip Mukherjee (3): libgit2: update license information libgit2: upgrade to v1.6.3 cracklib: upgrade to v2.9.10 Sundeep KOKKONDA (1): rust: added missing runtime dependencies to run rust on target Thomas Roos (1): qemuboot-x86.inc: allow overwrite of QB_CPU Tim Orling (4): cracklib: update github branch to 'main' python3-wheel: upgrade 0.38.4 -> 0.40.0 bitbake: toaster: update gen_fixtures.py for mickledore bitbake: toaster: update fixtures for mickledore Tom Hochstein (2): meson: Fix wrapper handling of implicit setup command oeqa/sdk: Improve Meson test Trevor Woerner (3): cups: use BUILDROOT instead of DESTDIR cups: check PACKAGECONFIG for pam feature cups: add/fix web interface packaging Ulrich Ölmann (1): base: fix typos Wang Mingyu (24): autoconf-archive: upgrade 2022.09.03 -> 2023.02.20 font-util: upgrade 1.3.3 -> 1.4.0 harfbuzz: upgrade 7.0.1 -> 7.1.0 iso-codes: upgrade 4.12.0 -> 4.13.0 libmicrohttpd: upgrade 0.9.75 -> 0.9.76 meson: upgrade 1.0.0 -> 1.0.1 glib-2.0: upgrade 2.74.5 -> 2.74.6 python3-cryptography(-vectors): upgrade 39.0.1 -> 39.0.2 python3-setuptools: upgrade 67.3.3 -> 67.4.0 python3-git: upgrade 3.1.30 -> 3.1.31 repo: upgrade 2.31 -> 2.32 strace: upgrade 6.1 -> 6.2 stress-ng: upgrade 0.15.03 -> 0.15.04 lua: Fix install conflict when enable multilib. vala: Fix install conflict when enable multilib. dhcpcd: Fix install conflict when enable multilib. grep: upgrade 3.8 -> 3.9 python3-setuptools: upgrade 67.4.0 -> 67.6.0 python3-poetry-core: upgrade 1.5.1 -> 1.5.2 python3-pytest: upgrade 7.2.1 -> 7.2.2 python3-scons: upgrade 4.4.0 -> 4.5.1 python3-testtools: upgrade 2.5.0 -> 2.6.0 python3-urllib3: upgrade 1.26.14 -> 1.26.15 xcb-proto: Fix install conflict when enable multilib. Xiangyu Chen (3): sudo: update 1.9.12p2 -> 1.9.13p3 rng-tools: splitting the rng-tools systemd/sysvinit serivce as a package package: moving field data process before variable process in process_pkgconfig Yash Shinde (1): binutils: Fix CVE-2023-25586 Yoann Congal (1): ref-manual: Add info on "mixin" layers Yureka Lilian (1): systemd: rebase musl patches Zang Ruochen (1): maintainers.inc: Modify email address Zoltan Boszormenyi (2): piglit: Fix build time dependency pypi.bbclass: Set SRC_URI downloadfilename with an optional prefix meta-openembedded: a9b2d1303b..17243e70c8: AYP (1): packagegroup-meta-networking: remove ntpdate Andreas Helbech Kleist (1): cli11: enable native/nativesdk builds Archana Polampalli (1): Nodejs: add missing run_ptest script Bartosz Golaszewski (3): libgpiod: update to v2.0 python3-gpiod: update to v2.0 reboot-mode: new package Changqing Li (5): rabbitmq-c: upgrade 0.11.0 -> 0.13.0 sg3-utils: upgrade 1.45 -> 1.47 liblockfile: upgrade 1.14 -> 1.17 syslog-ng: upgrade 3.38.1 -> 4.0.1 redis: upgrade 7.0.9 -> 7.0.10 Chen Pei (1): meta-perl-base:fix SUMMARY Christophe Vu-Brugier (2): exfatprogs: add new recipe exfat-utils: remove recipe Clément Péron (1): python3-click-repl: add mising prompt-toolkit runtime dependency Etienne Cordonnier (8): android-tools 10: import version from meta-clang android-tools 10: remove dead code android-tools 10: move adbd to its own package android-tools 10: Add flag to enable adbd service android-tools 10: various fixes android-tools 10: port some patches from version 5 android-tools: fix TMPDIR android-tools: update to 29.0.6.r14 Fabio Estevam (2): iperf3: Update to 3.13 ettercap: Update Upstream-Status Frederic Martinsons (2): uutils-coreutils: Add crates checksum and use cargo-update-recipes-crates python3-pyruvate: Add crates checksum and use cargo-update-recipes-crates Jan Feemers (1): nodejs: package-split between nodejs and nodejs-npm Joe Slater (3): libidn: update to 1.41 re2: move to version 2023-03-01 libreport: update to version 2.17.8 Justin Bronder (1): tk: inherit pkgconfig Khem Raj (41): gnome-commander: Upgrade to 1.16.0 release python3-lru-dict: Fix function pointer mismatch hdf5: Upgrade to 1.14.0 python3-h5py: Upgrade to 3.8.0 pkcs11-helper: Update to latest tip of trunk glm: Update to tip of trunk libsdl2-ttf: Upgrade to 2.20.2 libsdl-image: Fix build with clang16 gphoto2: Fix build with clang16 + musl pmdk: Upgrade to 1.12.1 pndk: Add missing dependency on native cmake libx86-1: Fix build with clang16 mongodb: Upgrade to 4.4.19 glog: Disable 64bit atomics on rv32 mongodb: Fix type mitmatch found with clang16 gegl: Remove openmp dep for rv32 and ppc32 gnome-desktop: Make seccomp dependency optional for rv32 nodejs: Upgrade to 18.14.2 libx86-1: Fix build on 32bit x86 vlc: Upgrade to 3.0.18 redis: Upgrade 6.x recipe to 6.2.11 redis: Upgrade 7.x to 7.0.9 packagegroup-meta-multimedia: mycroft needs pulseaudio pahole: Upgrade to tip of trunk sg3-utils: Fix build with musl gsoap: Upgrade to 2.8.126 waylandpp: Just enforce opengl for target recipe freeglut: Drop -fcommon and add -Wno-implicit-function-declaration nodejs: Depend on file-native lirc: Fix build with usrmerge feature building on ubuntu hosts rp-pppoe: Define _GNU_SOURCE libssh: Fix build with clang16 packagegroup-meta-multimedia: Remove library only packages from rdeps packagegroup-meta-oe: Remove mongodb from rdep list of packagegroup packagegroup-meta-networking: Set PACKAGE_ARCH = "${MACHINE_ARCH}" cmocka: Check for previous declaration of uintptr_t ettercap: Fix build with libcurl >= 8 fluentbit: Disable upstart scripts xfstests: Fix build with musl nautilus: Fix build with clang and drop unused patch gimp: Update to 2.10.34 Lei Maohui (2): libiodbc: Install *.h files to /usr/include/iodbc to fix conflicts error with unixodbc reference to ubuntu: pgpool2: Added a new recipe. Manoj Saun (1): postgresql: fix ptest failure of sysviews test Markus Volk (13): dav1d: add recipe libavif: add recipe xdg-dbus-proxy: add recipe libnice: upgrade 0.1.18 -> 0.1.21 pipewire: update 0.3.66 -> 0.3.67 nv-codec-headers: update 11.1.5.2 -> 12.0.16.0 wireplumber: update 0.4.13 -> 0.4.14 libcamera: update 0.0.1 -> 0.0.4 xdg-desktop-portal: fix bwrap path gvfs: add more PACKAGECONFIGS evolution-data-server: update 3.46.3 -> 3.48.0 gtksourceview5: update 5.6.1 -> 5.7.1 libgtop: update 2.40.0 -> 2.41.1 Mingli Yu (4): php: Upgrade to 8.1.16 opencv: Upgrade to 4.7.0 crash: Upgrade to 8.0.2 mcelog: Upgrade to v191 Peter Johennecken (1): fluentbit: change of download name Peter Marko (1): dnsmasq: fix CVE-2023-28450 Petr Gotthard (4): openvpn: upgrade 2.6.0 -> 2.6.1 libqmi: upgrade 1.32.2 -> 1.32.4 libmbim: upgrade 1.28.2 -> 1.28.4 modemmanager: upgrade 1.20.4 -> 1.20.6 Randy MacLeod (4): rsyslog: update from 8.2212.0 to 8.2302.0 rsyslog: add disabled PACKAGECONFIG to drop capabilities librelp: make inline errors be warnings in debug build cmocka: update from 1.1.5+ to 1.1.7 Sakib Sajal (1): libuser: upgrade v0.63 -> v0.64 Stefan Ghinea (1): redis: fix service redis-server restart not working under sysvinit Trevor Woerner (3): cups-filters: remove duplicate configure option cups-filters: fix ghostscript handling hplip: add runtime dependency on ghostscript Wang Mingyu (136): logcheck: upgrade 1.4.0 -> 1.4.2 byacc: upgrade 20230201 -> 20230219 bubblewrap: upgrade 0.7.0 -> 0.8.0 bats: upgrade 1.8.2 -> 1.9.0 cryptsetup: upgrade 2.6.0 -> 2.6.1 c-ares: upgrade 1.18.1 -> 1.19.0 cukinia: upgrade 0.6.0 -> 0.6.1 python3-coverage: upgrade 7.2.0 -> 7.2.1 python3-decouple: upgrade 3.7 -> 3.8 python3-aiohue: upgrade 4.6.1 -> 4.6.2 python3-fastnumbers: upgrade 4.0.1 -> 5.0.1 python3-haversine: upgrade 2.7.0 -> 2.8.0 python3-google-auth: upgrade 2.16.1 -> 2.16.2 python3-google-api-python-client: upgrade 2.79.0 -> 2.80.0 python3-imageio: upgrade 2.25.1 -> 2.26.0 python3-ipython: upgrade 8.10.0 -> 8.11.0 python3-nocasedict: upgrade 1.1.0 -> 2.0.0 python3-natsort: upgrade 8.2.0 -> 8.3.1 python3-nocaselist: Upgrade 1.1.0 -> 1.1.1 python3-protobuf: upgrade 4.21.12 -> 4.22.0 python3-pydicti: upgrade 1.2.0 -> 1.2.1 python3-watchdog: upgrade 2.3.0-> 2.3.1 python3-pymisp: upgrade 2.4.168 -> 2.4.168.1 python3-wrapt: upgrade 1.14.1 -> 1.15.0 apache2: upgrade 2.4.55 -> 2.4.56 logwatch: upgrade 7.7 -> 7.8 libvpx: upgrade 1.12.0 -> 1.13.0 libjcat: upgrade 0.1.12 -> 0.1.13 librsync: upgrade 2.3.2 -> 2.3.4 lcms: upgrade 2.14 -> 2.15 gsoap: upgrade 2.0.106 -> 2.0.124 hwdata: upgrade 0.367 -> 0.368 ctags: upgrade 6.0.20230212.0 -> 6.0.20230305.0 freerdp: upgrade 2.9.0 -> 2.10.0 python3-mpmath: upgrade 1.2.1 -> 1.3.0 python3-alembic: upgrade 1.9.4 -> 1.10.2 python3-astroid: upgrade 2.14.2 -> 2.15.0 python3-charset-normalizer: upgrade 3.0.1 -> 3.1.0 python3-argcomplete upgrade 2.0.0 -> 2.1.1 python3-fastjsonschema: upgrade 2.16.2 -> 2.16.3 python3-protobuf: upgrade 4.22.0 -> 4.22.1 python3-xmlschema: upgrade 2.2.1 -> 2.2.2 python3-tqdm: upgrade 4.64.1 -> 4.65.0 python3-pyexpect: upgrade 1.0.21 -> 1.0.22 python3-pywbem: upgrade 1.6.0 -> 1.6.1 stunnel: upgrade 5.67 -> 5.69 rp-pppoe: upgrade 3.14 -> 3.15 nbdkit: upgrade 1.33.7 -> 1.33.10 php: update 8.1.16 -> 8.2.3 tcsh: upgrade 6.22.04 -> 6.24.07 monit: upgrade 5.32.0 -> 5.33.0 poppler: upgrade 23.02.0 -> 23.03.0 satyr: upgrade 0.40 -> 0.42 nginx: upgrade 1.20.1 -> 1.23.3 raptor2: upgrade 2.0.15 -> 2.0.16 spawn-fcgi: upgrade 1.6.4 -> 1.6.5 unixodbc: Fix install conflict when enable multilib. xdebug: upgrade 3.1.1 -> 3.2.0 postgresql: Fix install conflict when enable multilib. networkmanager: upgrade 1.42.0 -> 1.42.4 rdma-core: upgrade 44.0 -> 45.0 python3-gcovr: upgrade 5.2 -> 6.0 makeself: upgrade 2.4.5 -> 2.5.0 ctags: upgrade 6.0.20230305.0 -> 6.0.20230312.0 python3-gmqtt: upgrade 0.6.11 -> 0.6.12 python3-google-api-python-client: upgrade 2.80.0 -> 2.81.0 python3-msgpack: upgrade 1.0.4 -> 1.0.5 python3-portion: upgrade 2.3.1 -> 2.4.0 python3-paramiko: upgrade 3.0.0 -> 3.1.0 python3-openpyxl: upgrade 3.1.1 -> 3.1.2 python3-pymisp: upgrade 2.4.168.1 -> 2.4.169 python3-pydantic: upgrade 1.10.5 -> 1.10.6 python3-pytest-xdist: upgrade 3.2.0 -> 3.2.1 python3-pymodbus: upgrade 3.1.3 -> 3.2.0 python3-smpplib: upgrade 2.2.1 -> 2.2.2 python3-twitter: upgrade 4.12.1 -> 4.13.0 python3-unidiff: upgrade 0.7.4 -> 0.7.5 python3-xlsxwriter: upgrade 3.0.8 -> 3.0.9 python3-pykickstart: upgrade 3.44 -> 3.45 python3-web3: upgrade 5.31.3 -> 5.31.4 python3-pymodbus: upgrade 3.2.0 -> 3.2.1 python3-geojson: upgrade 2.5.0 -> 3.0.1 python3-sentry-sdk: upgrade 1.15.0 -> 1.17.0 python3-apt: upgrade 2.5.2 -> 2.5.3 python3-argcomplete: upgrade 2.1.1 -> 3.0.0 python3-cmake: upgrade 3.25.2 -> 3.26.0 python3-coverage: upgrade 7.2.1 -> 7.2.2 python3-eth-typing: upgrade 3.2.0 -> 3.3.0 python3-daemon: upgrade 2.3.2 -> 3.0.1 python3-engineio: upgrade 4.3.4 -> 4.4.0 python3-flask-socketio: upgrade 5.3.2 -> 5.3.3 python3-pykickstart: upgrade 3.45 -> 3.47 python3-pymisp: upgrade 2.4.169 -> 2.4.169.2 python3-simplejson: upgrade 3.18.3 -> 3.18.4 python3-rapidjson: upgrade 1.9 -> 1.10 python3-socketio: upgrade 5.7.2 -> 5.8.0 python3-sqlalchemy: upgrade 2.0.4 -> 2.0.7 python3-tzlocal: upgrade 4.2 -> 4.3 python3-typeguard: upgrade 2.13.3 -> 3.0.1 python3-web3: upgrade 5.31.4 -> 6.0.0 python3-zeroconf: upgrade 0.47.3 -> 0.47.4 tracker: upgrade 3.4.2 -> 3.5.0 xterm: upgrade 378 -> 379 python3-zopeinterface: upgrade 5.5.2 -> 6.0 xf86-video-amdgpu: upgrade 22.0.0 -> 23.0.0 libclass-method-modifiers-perl: upgrade 2.13 -> 2.15 libcompress-raw-bzip2-perl: upgrade 2.201 -> 2.204 libcompress-raw-lzma-perl: upgrade 2.201 -> 2.204 libcompress-raw-zlib-perl: upgrade 2.202 -> 2.204 libio-compress-lzma-perl: upgrade 2.201 -> 2.204 libio-compress-perl: upgrade 2.201 -> 2.204 libtest-deep-perl: upgrade 1.130 -> 1.204 opencl-headers: upgrade 2022.09.30 -> 2023.02.06 php: upgrade 8.2.3 -> 8.2.4 googletest: upgrade 1.12.1 -> 1.13.0 consolation: upgrade 0.0.8 -> 0.0.9 can-utils: upgrade 2021.08.0 -> 2023.03 nbdkit: upgrade 1.33.10 -> 1.33.11 adcli: upgrade 0.9.0 -> 0.9.2 gnome-chess: upgrade 43.1 -> 43.2 xfstests: upgrade 2023.01.01 -> 2023.03.05 gnome-backgrounds: upgrade 43 -> 44.0 libwacom: upgrade 2.5.0 -> 2.6.0 libass: upgrade 0.17.0 -> 0.17.1 libnet-dns-perl: upgrade 1.36 -> 1.37 libadwaita: upgrade 1.2.1 -> 1.3.1 libcgi-perl: upgrade 4.55 -> 4.56 libpeas: upgrade 1.34.0 -> 1.36.0 gvfs: upgrade 1.50.3 -> 1.50.4 gnome-system-monitor: upgrade 42.0 -> 44.0 nautilus: upgrade 43.2 -> 44.0 babl: upgrade 0.1.98 -> 0.1.102 ctags: upgrade 6.0.20230312.0 -> 6.0.20230319.0 folks: upgrade 0.15.5 -> 0.15.6 gegl: upgrade 0.4.40 -> 0.4.42 gnome-autoar: upgrade 0.4.3 -> 0.4.4 Xiangyu Chen (2): libbpf: upgrade 0.8.0 -> 1.1.0 abseil-cpp: upgrade 20221014.0 -> 20230125.1 Yi Zhao (25): audit: upgrade 3.0.9 -> 3.1 audit: drop version 2.8.5 frr: add UPSTREAM_CHECK_GITTAGREGEX quagga: drop recipe libssh: upgrade 0.8.9 -> 0.10.4 strongswan: 5.9.9 -> 5.9.10 libnfnetlink: upgrade 1.0.1 -> 1.0.2 libnetfilter-cthelper: upgrade 1.0.0 -> 1.0.1 libnetfilter-cttimeout: upgrade 1.0.0 -> 1.0.1 traceroute: upgrade 2.1.1 -> 2.1.2 freeradius: add UPSTREAM_CHECK_GITTAGREGEX libyang: fix ptest libyang: upgrade 2.0.194 -> 2.1.30 frr: support more arches netplan: add missing runtime dependencies python3-rich: add recipe packagegroup-meta-networking: add frr packagegroup-meta-oe: enable build libyang on riscv32/64 libnftnl: upgrade 1.2.4 -> 1.2.5 libldb: upgrade 2.6.1 -> 2.7.1 samba: upgrade 4.17.5 -> 4.18.0 libssh: add ptest mbedtls: add ptest libyang: upgrade 2.1.30 -> 2.1.55 tcpreplay: 4.4.2 -> 4.4.3 Yoann Congal (4): libusb-compat: Revert "libusb-compat: move libraries to base_libdir" libusb-compat: upgrade sources to fix -native build libusb-compat: add simple ptest (example programs) libusb-compat: RDEPENDS on libusb1 Yue Tao (1): Introduce python3-trustme to fix ptest error of python3-requests-toolbelt Zhixiong Chi (2): ntp: drop the deprecated ntpdate python3-betamax: fix ptest failture of fixture and record modes Zoltán Böszörményi (13): opencl-icd-loader: Add RPROVIDES:${PN} = "virtual/opencl-icd" ocl-icd: Add PROVIDES and RPROVIDES for virtual/opencl-icd meta-oe/conf/layer.conf: Add PREFERRED_[R]PROVIDER_virtual/opencl-icd python3-ninja: New recipe python3-cmake: New recipe python3-scikit-build: New recipe python3-pyproject-metadata: New recipe opencv: Support OpenVINO python3-executing: New recipe python3-pure-eval: New recipe python3-stack-data: New recipe python3-ipython: Add missing dependency opencv: Fix PACKAGECONFIG[openvino] Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: Idbfcd5f4c03ed5bd9c72558714edbe0200495aad
author: Andrew Geissler <geissonator@yahoo.com> 2023-03-31 17:59:46 +0300
committer: Andrew Geissler <geissonator@yahoo.com> 2023-03-31 18:07:26 +0300
commit: fc113eade321128fc43b0b299e81ad07fc1edf3d (patch)
tree: b3b676c59ea53afe2ab04ec32d919ea11e8269d1 /poky/meta/recipes-connectivity
parent: 2daf84b2d486da0b21344da999553c8fa1228195 (diff)
download: openbmc-fc113eade321128fc43b0b299e81ad07fc1edf3d.tar.xz
18 files changed, 303 insertions, 38 deletions
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.11/0001-avoid-start-failure-with-bind-user.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.12/0001-avoid-start-failure-with-bind-user.patch
index ec1bc7b567..ec1bc7b567 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.18.11/0001-avoid-start-failure-with-bind-user.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.18.12/0001-avoid-start-failure-with-bind-user.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch
index 4c10f33f04..4c10f33f04 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.18.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.18.12/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.11/bind-ensure-searching-for-json-headers-searches-sysr.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.12/bind-ensure-searching-for-json-headers-searches-sysr.patch
index f1abd179e8..f1abd179e8 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.18.11/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.18.12/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.11/bind9 b/poky/meta/recipes-connectivity/bind/bind-9.18.12/bind9
index 968679ff7f..968679ff7f 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.18.11/bind9
+++ b/poky/meta/recipes-connectivity/bind/bind-9.18.12/bind9
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.11/conf.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.12/conf.patch
index aa3642acec..aa3642acec 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.18.11/conf.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.18.12/conf.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.11/generate-rndc-key.sh b/poky/meta/recipes-connectivity/bind/bind-9.18.12/generate-rndc-key.sh
index 633e29c0e6..633e29c0e6 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.18.11/generate-rndc-key.sh
+++ b/poky/meta/recipes-connectivity/bind/bind-9.18.12/generate-rndc-key.sh
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.11/init.d-add-support-for-read-only-rootfs.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.12/init.d-add-support-for-read-only-rootfs.patch
index 11db95ede1..11db95ede1 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.18.11/init.d-add-support-for-read-only-rootfs.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.18.12/init.d-add-support-for-read-only-rootfs.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.11/make-etc-initd-bind-stop-work.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.12/make-etc-initd-bind-stop-work.patch
index 146f3e35db..146f3e35db 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.18.11/make-etc-initd-bind-stop-work.patch
+++ b/poky/meta/recipes-connectivity/bind/bind-9.18.12/make-etc-initd-bind-stop-work.patch
diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.11/named.service b/poky/meta/recipes-connectivity/bind/bind-9.18.12/named.service
index cda56ef015..cda56ef015 100644
--- a/poky/meta/recipes-connectivity/bind/bind-9.18.11/named.service
+++ b/poky/meta/recipes-connectivity/bind/bind-9.18.12/named.service
diff --git a/poky/meta/recipes-connectivity/bind/bind_9.18.11.bb b/poky/meta/recipes-connectivity/bind/bind_9.18.12.bb
index 55a06eae5f..abce1c0f45 100644
--- a/poky/meta/recipes-connectivity/bind/bind_9.18.11.bb
+++ b/poky/meta/recipes-connectivity/bind/bind_9.18.12.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "8ff3352812230cbcbda42df87cad961f94163d3da457c5e4bef8057fd5df2158"
+SRC_URI[sha256sum] = "47766bb7b063aabbad054386b190aa7f6c14524427afd427c30ec426512027e7"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2
diff --git a/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb b/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb
index 39e689d2f6..579fa95df7 100644
--- a/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb
+++ b/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://roy.marples.name/downloads/${BPN}/${BPN}-${PV}.tar.xz \
            file://0001-privsep-linux-fix-SECCOMP_AUDIT_ARCH-missing-ppc64le.patch \
            file://dhcpcd.service \
            file://dhcpcd@.service \
+           file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
            "
 
 SRC_URI[sha256sum] = "819357634efed1ea5cf44ec01b24d3d3f8852fec8b4249925dcc5667c54e376c"
diff --git a/poky/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch b/poky/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
new file mode 100644
index 0000000000..12998aada4
--- /dev/null
+++ b/poky/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
@@ -0,0 +1,46 @@
+From 4915a7e52fcea8fe283a842890a1e726b1e26b10 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Fri, 10 Mar 2023 03:48:46 +0000
+Subject: [PATCH] dhcpcd.8: Fix conflict error when enable multilib.
+
+Error: Transaction test error:
+ file /usr/share/man/man8/dhcpcd.8 conflicts between attempted
+ installs of dhcpcd-doc-9.4.1-r0.cortexa57 and
+ lib32-dhcpcd-doc-9.4.1-r0.armv7ahf_neon
+
+The differences between the two files are as follows:
+@@ -821,7 +821,7 @@
+ If you always use the same options, put them here.
+ .It Pa /usr/libexec/dhcpcd-run-hooks
+ Bourne shell script that is run to configure or de-configure an interface.
+-.It Pa /usr/lib64/dhcpcd/dev
++.It Pa /usr/lib/dhcpcd/dev
+ Linux
+ .Pa /dev
+ management modules.
+
+It is just a man file, there is no necessary to manage multiple
+versions.
+
+Upstream-Status: Inappropriate [oe specific]
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ src/dhcpcd.8.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dhcpcd.8.in b/src/dhcpcd.8.in
+index bc6b3b5..791f2ba 100644
+--- a/src/dhcpcd.8.in
++++ b/src/dhcpcd.8.in
+@@ -821,7 +821,7 @@ Configuration file for dhcpcd.
+ If you always use the same options, put them here.
+ .It Pa @SCRIPT@
+ Bourne shell script that is run to configure or de-configure an interface.
+-.It Pa @LIBDIR@/dhcpcd/dev
++.It Pa /usr/<libdir>/dhcpcd/dev
+ Linux
+ .Pa /dev
+ management modules.
+-- 
+2.34.1
+
diff --git a/poky/meta/recipes-connectivity/iproute2/iproute2_6.1.0.bb b/poky/meta/recipes-connectivity/iproute2/iproute2_6.2.0.bb
index 7272e8f147..65ddfa8223 100644
--- a/poky/meta/recipes-connectivity/iproute2/iproute2_6.1.0.bb
+++ b/poky/meta/recipes-connectivity/iproute2/iproute2_6.2.0.bb
@@ -7,7 +7,7 @@ HOMEPAGE = "http://www.linuxfoundation.org/collaborate/workgroups/networking/ipr
 SECTION = "base"
 LICENSE = "GPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
-                    file://ip/ip.c;beginline=3;endline=8;md5=689d691d0410a4b64d3899f8d6e31817"
+                    "
 
 DEPENDS = "flex-native bison-native iptables libcap"
 
@@ -15,7 +15,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
            file://0001-libc-compat.h-add-musl-workaround.patch \
            "
 
-SRC_URI[sha256sum] = "5ce12a0fec6b212725ef218735941b2dab76244db7e72646a76021b0537b43ab"
+SRC_URI[sha256sum] = "4d72730200ec5b2aabaa1a2f20553c6748292f065d9a154c7d5e22559df9fd62"
 
 inherit update-alternatives bash-completion pkgconfig
 
diff --git a/poky/meta/recipes-connectivity/openssh/openssh_9.2p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index e6cf2ff2d6..d3dedd1a5a 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh_9.2p1.bb
+++ b/poky/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -25,7 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://sshd_check_keys \
            file://add-test-support-for-busybox.patch \
            "
-SRC_URI[sha256sum] = "3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46"
+SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
 
 # This CVE is specific to OpenSSH with the pam opie which we don't build/use here
 CVE_CHECK_IGNORE += "CVE-2007-2768"
@@ -158,7 +158,7 @@ FILES:${PN}-keygen = "${bindir}/ssh-keygen"
 RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
 RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
 # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
-RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
+RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils openssl-bin"
 
 RPROVIDES:${PN}-ssh = "ssh"
 RPROVIDES:${PN}-sshd = "sshd"
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
new file mode 100644
index 0000000000..33b0bb6c79
--- /dev/null
+++ b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
@@ -0,0 +1,226 @@
+From 2017771e2db3e2b96f89bbe8766c3209f6a99545 Mon Sep 17 00:00:00 2001
+From: Pauli <pauli@openssl.org>
+Date: Wed, 8 Mar 2023 15:28:20 +1100
+Subject: [PATCH] x509: excessive resource use verifying policy constraints
+
+A security vulnerability has been identified in all supported versions
+of OpenSSL related to the verification of X.509 certificate chains
+that include policy constraints.  Attackers may be able to exploit this
+vulnerability by creating a malicious certificate chain that triggers
+exponential use of computational resources, leading to a denial-of-service
+(DoS) attack on affected systems.
+
+Fixes CVE-2023-0464
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/20570)
+
+Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545]
+CVE: CVE-2023-0464
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+
+---
+ crypto/x509/pcy_local.h |  8 +++++++-
+ crypto/x509/pcy_node.c  | 12 +++++++++---
+ crypto/x509/pcy_tree.c  | 36 ++++++++++++++++++++++++++----------
+ 3 files changed, 42 insertions(+), 14 deletions(-)
+
+diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
+index 18b53cc..cba107c 100644
+--- a/crypto/x509/pcy_local.h
++++ b/crypto/x509/pcy_local.h
+@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+ 
+ struct X509_POLICY_TREE_st {
++    /* The number of nodes in the tree */
++    size_t node_count;
++    /* The maximum number of nodes in the tree */
++    size_t node_maximum;
++
+     /* This is the tree 'level' data */
+     X509_POLICY_LEVEL *levels;
+     int nlevel;
+@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+                                              X509_POLICY_DATA *data,
+                                              X509_POLICY_NODE *parent,
+-                                             X509_POLICY_TREE *tree);
++                                             X509_POLICY_TREE *tree,
++                                             int extra_data);
+ void ossl_policy_node_free(X509_POLICY_NODE *node);
+ int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
+                            const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
+index 9d9a7ea..450f95a 100644
+--- a/crypto/x509/pcy_node.c
++++ b/crypto/x509/pcy_node.c
+@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+                                              X509_POLICY_DATA *data,
+                                              X509_POLICY_NODE *parent,
+-                                             X509_POLICY_TREE *tree)
++                                             X509_POLICY_TREE *tree,
++                                             int extra_data)
+ {
+     X509_POLICY_NODE *node;
+ 
++    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
++    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
++        return NULL;
++
+     node = OPENSSL_zalloc(sizeof(*node));
+     if (node == NULL) {
+         ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
+@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+     }
+     node->data = data;
+     node->parent = parent;
+-    if (level) {
++    if (level != NULL) {
+         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+             if (level->anyPolicy)
+                 goto node_error;
+@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
+-    if (tree) {
++    if (extra_data) {
+         if (tree->extra_data == NULL)
+             tree->extra_data = sk_X509_POLICY_DATA_new_null();
+         if (tree->extra_data == NULL){
+@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
++    tree->node_count++;
+     if (parent)
+         parent->nchild++;
+ 
+diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
+index fa45da5..f953a05 100644
+--- a/crypto/x509/pcy_tree.c
++++ b/crypto/x509/pcy_tree.c
+@@ -14,6 +14,17 @@
+ 
+ #include "pcy_local.h"
+ 
++/*
++ * If the maximum number of nodes in the policy tree isn't defined, set it to
++ * a generous default of 1000 nodes.
++ *
++ * Defining this to be zero means unlimited policy tree growth which opens the
++ * door on CVE-2023-0464.
++ */
++#ifndef OPENSSL_POLICY_TREE_NODES_MAX
++# define OPENSSL_POLICY_TREE_NODES_MAX 1000
++#endif
++
+ static void expected_print(BIO *channel,
+                            X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
+                            int indent)
+@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+         return X509_PCY_TREE_INTERNAL;
+     }
+ 
++    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
++    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
++
+     /*
+      * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
+      *
+@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+     if ((data = ossl_policy_data_new(NULL,
+                                      OBJ_nid2obj(NID_any_policy), 0)) == NULL)
+         goto bad_tree;
+-    if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
++    if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
+         ossl_policy_data_free(data);
+         goto bad_tree;
+     }
+@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+  * Return value: 1 on success, 0 otherwise
+  */
+ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+-                                    X509_POLICY_DATA *data)
++                                    X509_POLICY_DATA *data,
++                                    X509_POLICY_TREE *tree)
+ {
+     X509_POLICY_LEVEL *last = curr - 1;
+     int i, matched = 0;
+@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+         X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
+ 
+         if (ossl_policy_node_match(last, node, data->valid_policy)) {
+-            if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
++            if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
+                 return 0;
+             matched = 1;
+         }
+     }
+     if (!matched && last->anyPolicy) {
+-        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
++        if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
+             return 0;
+     }
+     return 1;
+@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+  * Return value: 1 on success, 0 otherwise.
+  */
+ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+-                           const X509_POLICY_CACHE *cache)
++                           const X509_POLICY_CACHE *cache,
++                           X509_POLICY_TREE *tree)
+ {
+     int i;
+ 
+@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+         X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
+ 
+         /* Look for matching nodes in previous level */
+-        if (!tree_link_matching_nodes(curr, data))
++        if (!tree_link_matching_nodes(curr, data, tree))
+             return 0;
+     }
+     return 1;
+@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
+     /* Curr may not have anyPolicy */
+     data->qualifier_set = cache->anyPolicy->qualifier_set;
+     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+-    if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
++    if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
+         ossl_policy_data_free(data);
+         return 0;
+     }
+@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+     /* Finally add link to anyPolicy */
+     if (last->anyPolicy &&
+             ossl_policy_level_add_node(curr, cache->anyPolicy,
+-                                       last->anyPolicy, NULL) == NULL)
++                                       last->anyPolicy, tree, 0) == NULL)
+         return 0;
+     return 1;
+ }
+@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+                 | POLICY_DATA_FLAG_EXTRA_NODE;
+             node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
+-                                              tree);
++                                              tree, 1);
+         }
+         if (!tree->user_policies) {
+             tree->user_policies = sk_X509_POLICY_NODE_new_null();
+@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
+ 
+     for (i = 1; i < tree->nlevel; i++, curr++) {
+         cache = ossl_policy_cache_set(curr->cert);
+-        if (!tree_link_nodes(curr, cache))
++        if (!tree_link_nodes(curr, cache, tree))
+             return X509_PCY_TREE_INTERNAL;
+ 
+         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
+-- 
+2.25.1
+
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch b/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch
deleted file mode 100644
index cf77e873a2..0000000000
--- a/poky/meta/recipes-connectivity/openssl/openssl/afalg.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Don't refuse to build afalgeng if cross-compiling or the host kernel is too old.
-
-Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-Index: openssl-3.0.4/Configure
-===================================================================
---- openssl-3.0.4.orig/Configure
-+++ openssl-3.0.4/Configure
-@@ -1681,20 +1681,7 @@ $config{CFLAGS} = [ map { $_ eq '--ossl-
- unless ($disabled{afalgeng}) {
-     $config{afalgeng}="";
-     if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
--        my $minver = 4*10000 + 1*100 + 0;
--        if ($config{CROSS_COMPILE} eq "") {
--            my $verstr = `uname -r`;
--            my ($ma, $mi1, $mi2) = split("\\.", $verstr);
--            ($mi2) = $mi2 =~ /(\d+)/;
--            my $ver = $ma*10000 + $mi1*100 + $mi2;
--            if ($ver < $minver) {
--                disable('too-old-kernel', 'afalgeng');
--            } else {
--                push @{$config{engdirs}}, "afalg";
--            }
--        } else {
--            disable('cross-compiling', 'afalgeng');
--        }
-+        push @{$config{engdirs}}, "afalg";
-     } else {
-         disable('not-linux', 'afalgeng');
-     }
diff --git a/poky/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch b/poky/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
new file mode 100644
index 0000000000..78dcd81685
--- /dev/null
+++ b/poky/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
@@ -0,0 +1,22 @@
+The perl script adds random suffixes to the local function names to ensure
+it doesn't clash with other parts of openssl. Set the random number seed
+to something predictable so the assembler files are generated consistently
+and our own reproducible builds tests pass.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
+===================================================================
+--- openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl
++++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
+@@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable    = (16 * 6);
+ # ;;; Helper functions
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ 
++# Ensure the local labels are reproduicble
++srand(10000);
++
+ # ; Generates "random" local labels
+ sub random_string() {
+   my @chars  = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
diff --git a/poky/meta/recipes-connectivity/openssl/openssl_3.0.8.bb b/poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
index 8771884dda..b319c66044 100644
--- a/poky/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
+++ b/poky/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
@@ -10,15 +10,16 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
-           file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://fix_random_labels.patch \
+           file://CVE-2023-0464.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e"
+SRC_URI[sha256sum] = "aaa925ad9828745c4cad9d9efeb273deca820f2cdcf2c3ac7d7c1212b7c497b4"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
author	Andrew Geissler <geissonator@yahoo.com>	2023-03-31 17:59:46 +0300
committer	Andrew Geissler <geissonator@yahoo.com>	2023-03-31 18:07:26 +0300
commit	fc113eade321128fc43b0b299e81ad07fc1edf3d (patch)
tree	b3b676c59ea53afe2ab04ec32d919ea11e8269d1 /poky/meta/recipes-connectivity
parent	2daf84b2d486da0b21344da999553c8fa1228195 (diff)
download	openbmc-fc113eade321128fc43b0b299e81ad07fc1edf3d.tar.xz