Diffstat (limited to 'poky/meta/recipes-connectivity')
-rw-r--r--poky/meta/recipes-connectivity/avahi/avahi_0.8.bb1
-rw-r--r--poky/meta/recipes-connectivity/avahi/files/invalid-service.patch29
-rw-r--r--poky/meta/recipes-connectivity/bind/bind_9.18.18.bb (renamed from poky/meta/recipes-connectivity/bind/bind_9.18.17.bb)2
-rw-r--r--poky/meta/recipes-connectivity/bluez5/bluez5.inc1
-rw-r--r--poky/meta/recipes-connectivity/bluez5/bluez5/fix-check-ell-path.patch39
-rw-r--r--poky/meta/recipes-connectivity/bluez5/bluez5_5.69.bb (renamed from poky/meta/recipes-connectivity/bluez5/bluez5_5.68.bb)2
-rw-r--r--poky/meta/recipes-connectivity/connman/connman-conf/main.conf2
-rw-r--r--poky/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch63
-rw-r--r--poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch128
-rw-r--r--poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch8
-rw-r--r--poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch37
-rw-r--r--poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch141
-rw-r--r--poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch174
-rw-r--r--poky/meta/recipes-connectivity/connman/connman_1.42.bb (renamed from poky/meta/recipes-connectivity/connman/connman_1.41.bb)6
-rw-r--r--poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.2.bb (renamed from poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.1.bb)3
-rw-r--r--poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-fix-strlcpy-overflow-in-psp_ifname-239.patch33
-rw-r--r--poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch279
-rw-r--r--poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch253
-rw-r--r--poky/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch85
-rw-r--r--poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch27
-rw-r--r--poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch25
-rw-r--r--poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch37
-rw-r--r--poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch49
-rw-r--r--poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb36
-rw-r--r--poky/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch62
-rw-r--r--poky/meta/recipes-connectivity/kea/kea_2.4.0.bb (renamed from poky/meta/recipes-connectivity/kea/kea_2.2.0.bb)5
-rw-r--r--poky/meta/recipes-connectivity/neard/neard_0.19.bb (renamed from poky/meta/recipes-connectivity/neard/neard_0.18.bb)2
-rw-r--r--poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb1
-rw-r--r--poky/meta/recipes-connectivity/openssh/openssh/0001-openssh-regress-Makefile-print-logs-if-test-fails.patch34
-rw-r--r--poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch994
-rw-r--r--poky/meta/recipes-connectivity/openssh/openssh_9.4p1.bb (renamed from poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb)4
-rw-r--r--poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb (renamed from poky/meta/recipes-connectivity/openssl/openssl_3.1.1.bb)7
32 files changed, 733 insertions, 1836 deletions
diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 7b0f490768..4c830cc058 100644
--- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
file://0001-Fix-opening-etc-resolv.conf-error.patch \
file://handle-hup.patch \
file://local-ping.patch \
+ file://invalid-service.patch \
"
GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/poky/meta/recipes-connectivity/avahi/files/invalid-service.patch b/poky/meta/recipes-connectivity/avahi/files/invalid-service.patch
new file mode 100644
index 0000000000..8f188aff2c
--- /dev/null
+++ b/poky/meta/recipes-connectivity/avahi/files/invalid-service.patch
@@ -0,0 +1,29 @@
+From 46490e95151d415cd22f02565e530eb5efcef680 Mon Sep 17 00:00:00 2001
+From: Asger Hautop Drewsen <asger@princh.com>
+Date: Mon, 9 Aug 2021 14:25:08 +0200
+Subject: [PATCH] Fix avahi-browse: Invalid service type
+
+Invalid service types will stop the browse from completing, or
+in simple terms "my washing machine stops me from printing".
+
+Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/472]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ avahi-core/browse-service.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 63e0275a..ac3d2ecb 100644
+--- a/avahi-core/browse-service.c
++++ b/avahi-core/browse-service.c
+@@ -103,7 +103,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_prepare(
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(server, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_FLAGS_VALID(flags, AVAHI_LOOKUP_USE_WIDE_AREA|AVAHI_LOOKUP_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+- AVAHI_CHECK_VALIDITY_RETURN_NULL(server, avahi_is_valid_service_type_generic(service_type), AVAHI_ERR_INVALID_SERVICE_TYPE);
++
++ if (!avahi_is_valid_service_type_generic(service_type))
++ service_type = "_invalid._tcp";
+
+ if (!domain)
+ domain = server->domain_name;
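Review bot: In the embedded `avahi_s_service_browser_prepare` hunk, an invalid `service_type` is now silently replaced with `"_invalid._tcp"` instead of being rejected, so callers of this function no longer receive `AVAHI_ERR_INVALID_SERVICE_TYPE` and get a browser for a type they never asked for. That changes the contract of an avahi-core entry point, presumably for every caller and not only avahi-browse, and the header still marks the patch `Upstream-Status: Submitted` rather than a backport of merged code. The substitution should at least carry a comment, for example `/* Browse a placeholder type so one malformed service type on the network does not abort the whole browse */`, and a log line naming the rejected type would make misbehaving devices diagnosable. The function body continues outside the hunk.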
diff --git a/poky/meta/recipes-connectivity/bind/bind_9.18.17.bb b/poky/meta/recipes-connectivity/bind/bind_9.18.18.bb
index 9e7973ecbf..e74e685fe8 100644
--- a/poky/meta/recipes-connectivity/bind/bind_9.18.17.bb
+++ b/poky/meta/recipes-connectivity/bind/bind_9.18.18.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
-SRC_URI[sha256sum] = "bde1c5017b81d1d79c69eb8f537f2e5032fd3623acdd5ee830d4f74bc2483458"
+SRC_URI[sha256sum] = "d735cdc127a6c5709bde475b5bf16fa2133f36fdba202f7c3c37d134e5192160"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# follow the ESV versions divisible by 2
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5.inc b/poky/meta/recipes-connectivity/bluez5/bluez5.inc
index d2ee2b4f12..e10158a6e5 100644
--- a/poky/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/poky/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -55,7 +55,6 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
file://0004-src-shared-util.c-include-linux-limits.h.patch \
- file://fix-check-ell-path.patch \
"
S = "${WORKDIR}/bluez-${PV}"
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5/fix-check-ell-path.patch b/poky/meta/recipes-connectivity/bluez5/bluez5/fix-check-ell-path.patch
deleted file mode 100644
index 7afa63962d..0000000000
--- a/poky/meta/recipes-connectivity/bluez5/bluez5/fix-check-ell-path.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Upstream-Status: Submitted [https://marc.info/?l=linux-bluetooth&m=168818474411163&w=2]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-
-From linux-bluetooth Sat Jul 01 04:12:52 2023
-From: Rudi Heitbaum <rudi () heitbaum ! com>
-Date: Sat, 01 Jul 2023 04:12:52 +0000
-To: linux-bluetooth
-Subject: [PATCH] configure: Fix check ell path for cross compiling
-Message-Id: <20230701041252.139338-1-rudi () heitbaum ! com>
-X-MARC-Message: https://marc.info/?l=linux-bluetooth&m=168818474411163
-
-Use of AC_CHECK_FILE prevents cross compilation.
-Instead use test to support cross compiling.
-
-Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
----
- configure.ac | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index eff297960..bc7edfcd3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -298,9 +298,10 @@ if (test "${enable_external_ell}" = "yes"); then
- AC_SUBST(ELL_LIBS)
- fi
- if (test "${enable_external_ell}" != "yes"); then
-- AC_CHECK_FILE(${srcdir}/ell/ell.h, dummy=yes,
-- AC_CHECK_FILE(${srcdir}/../ell/ell/ell.h, dummy=yes,
-- AC_MSG_ERROR(ELL source is required or use --enable-external-ell)))
-+ if (test ! -f ${srcdir}/ell/ell.h) &&
-+ (test ! -f ${srcdir}/../ell/ell/ell.h); then
-+ AC_MSG_ERROR(ELL source is required or use --enable-external-ell)
-+ fi
- fi
- AM_CONDITIONAL(EXTERNAL_ELL, test "${enable_external_ell}" = "yes" ||
- (test "${enable_btpclient}" != "yes" &&
---
-2.34.1
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5_5.68.bb b/poky/meta/recipes-connectivity/bluez5/bluez5_5.69.bb
index 7c7ad75ed8..4673000f60 100644
--- a/poky/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
+++ b/poky/meta/recipes-connectivity/bluez5/bluez5_5.69.bb
@@ -1,6 +1,6 @@
require bluez5.inc
-SRC_URI[sha256sum] = "fc505e6445cb579a55cacee6821fe70d633921522043d322b696de0a175ff933"
+SRC_URI[sha256sum] = "bc5a35ddc7c72d0d3999a0d7b2175c8b7d57ab670774f8b5b4900ff38a2627fc"
CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes"
diff --git a/poky/meta/recipes-connectivity/connman/connman-conf/main.conf b/poky/meta/recipes-connectivity/connman/connman-conf/main.conf
index a394e8f25b..3c9dd396f6 100644
--- a/poky/meta/recipes-connectivity/connman/connman-conf/main.conf
+++ b/poky/meta/recipes-connectivity/connman/connman-conf/main.conf
@@ -1,2 +1,2 @@
[General]
-NetworkInterfaceBlacklist = eth0
+NetworkInterfaceBlacklist = eth,en
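Review bot: The new value `eth,en` carries no comment explaining that, as I understand connman's matching, entries are compared against the start of the interface name. This line therefore takes every `eth*` and `en*` interface out of connman's control, rather than the single `eth0` excluded before. On an image where connman is the only network manager, wired interfaces presumably then have to be configured by something else, which is worth stating in the file. I would add a line above the key such as `# Prefix match: keep connman off all wired interfaces (eth*, en*)`.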
diff --git a/poky/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch b/poky/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch
deleted file mode 100644
index 8e2f47a1d5..0000000000
--- a/poky/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
-From: Daniel Wagner <wagi@monom.org>
-Date: Tue, 11 Apr 2023 08:12:56 +0200
-Subject: [PATCH] gdhcp: Verify and sanitize packet length first
-
-Avoid overwriting the read packet length after the initial test. Thus
-move all the length checks which depends on the total length first
-and do not use the total lenght from the IP packet afterwards.
-
-Fixes CVE-2023-28488
-
-Reported by Polina Smirnova <moe.hwr@gmail.com>
-
-CVE: CVE-2023-28488
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
----
- gdhcp/client.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/gdhcp/client.c b/gdhcp/client.c
-index 7efa7e45..82017692 100644
---- a/gdhcp/client.c
-+++ b/gdhcp/client.c
-@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
- static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
- struct sockaddr_in *dst_addr)
- {
-- int bytes;
- struct ip_udp_dhcp_packet packet;
- uint16_t check;
-+ int bytes, tot_len;
-
- memset(&packet, 0, sizeof(packet));
-
-@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
- if (bytes < 0)
- return -1;
-
-- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
-- return -1;
--
-- if (bytes < ntohs(packet.ip.tot_len))
-+ tot_len = ntohs(packet.ip.tot_len);
-+ if (bytes > tot_len) {
-+ /* ignore any extra garbage bytes */
-+ bytes = tot_len;
-+ } else if (bytes < tot_len) {
- /* packet is bigger than sizeof(packet), we did partial read */
- return -1;
-+ }
-
-- /* ignore any extra garbage bytes */
-- bytes = ntohs(packet.ip.tot_len);
-+ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
-+ return -1;
-
- if (!sanity_check(&packet, bytes))
- return -1;
---
-2.34.1
-
diff --git a/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch b/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
index 83343fdda5..9e5ac8da15 100644
--- a/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
+++ b/poky/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
@@ -1,4 +1,4 @@
-From 5f373f373f5baccc282dce257b7b16c8bb4a82c4 Mon Sep 17 00:00:00 2001
+From af55a6a414d32c12f9ef3cab778385a361e1ad6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eivind=20N=C3=A6ss?= <eivnaes@yahoo.com>
Date: Sat, 25 Mar 2023 20:51:52 +0000
Subject: [PATCH] vpn: Adding support for latest pppd 2.5.0 release
@@ -11,82 +11,12 @@ Adding a libppp-compat.h file to mask for any differences in the version.
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a48864a2e5d2a725dfc6eef567108bc13b43857f]
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+
---
- configure.ac | 42 ++++++++-----
scripts/libppp-compat.h | 127 ++++++++++++++++++++++++++++++++++++++++
- scripts/libppp-plugin.c | 15 +++--
- 3 files changed, 161 insertions(+), 23 deletions(-)
+ 1 file changed, 127 insertions(+)
create mode 100644 scripts/libppp-compat.h
-diff --git a/configure.ac b/configure.ac
-index a573cef..f34bb38 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -135,14 +135,6 @@ AC_ARG_ENABLE(l2tp,
- AC_HELP_STRING([--enable-l2tp], [enable l2tp support]),
- [enable_l2tp=${enableval}], [enable_l2tp="no"])
- if (test "${enable_l2tp}" != "no"); then
-- if (test -z "${path_pppd}"); then
-- AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin)
-- else
-- PPPD="${path_pppd}"
-- AC_SUBST(PPPD)
-- fi
-- AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes,
-- AC_MSG_ERROR(ppp header files are required))
- if (test -z "${path_l2tp}"); then
- AC_PATH_PROG(L2TP, [xl2tpd], [/usr/sbin/xl2tpd], $PATH:/sbin:/usr/sbin)
- else
-@@ -160,6 +152,18 @@ AC_ARG_ENABLE(pptp,
- AC_HELP_STRING([--enable-pptp], [enable pptp support]),
- [enable_pptp=${enableval}], [enable_pptp="no"])
- if (test "${enable_pptp}" != "no"); then
-+ if (test -z "${path_pptp}"); then
-+ AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin)
-+ else
-+ PPTP="${path_pptp}"
-+ AC_SUBST(PPTP)
-+ fi
-+fi
-+AM_CONDITIONAL(PPTP, test "${enable_pptp}" != "no")
-+AM_CONDITIONAL(PPTP_BUILTIN, test "${enable_pptp}" = "builtin")
-+
-+if (test "${enable_pptp}" != "no" || test "${enable_l2tp}" != "no"); then
-+
- if (test -z "${path_pppd}"); then
- AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin)
- else
-@@ -168,15 +172,23 @@ if (test "${enable_pptp}" != "no"); then
- fi
- AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes,
- AC_MSG_ERROR(ppp header files are required))
-- if (test -z "${path_pptp}"); then
-- AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin)
-- else
-- PPTP="${path_pptp}"
-- AC_SUBST(PPTP)
-+ AC_CHECK_HEADERS([pppd/chap.h pppd/chap-new.h pppd/chap_ms.h])
-+
-+ PKG_CHECK_EXISTS([pppd],
-+ [AS_VAR_SET([pppd_pkgconfig_support],[yes])])
-+
-+ PPPD_VERSION=2.4.9
-+ if test x"$pppd_pkgconfig_support" = xyes; then
-+ PPPD_VERSION=`$PKG_CONFIG --modversion pppd`
- fi
-+
-+ AC_DEFINE_UNQUOTED([PPP_VERSION(x,y,z)],
-+ [((x & 0xFF) << 16 | (y & 0xFF) << 8 | (z & 0xFF) << 0)],
-+ [Macro to help determine the particular version of pppd])
-+ PPP_VERSION=$(echo $PPPD_VERSION | sed -e "s/\./\,/g")
-+ AC_DEFINE_UNQUOTED(WITH_PPP_VERSION, PPP_VERSION($PPP_VERSION),
-+ [The real version of pppd represented as an int])
- fi
--AM_CONDITIONAL(PPTP, test "${enable_pptp}" != "no")
--AM_CONDITIONAL(PPTP_BUILTIN, test "${enable_pptp}" = "builtin")
-
- AC_CHECK_HEADERS(resolv.h, dummy=yes,
- AC_MSG_ERROR(resolver header files are required))
diff --git a/scripts/libppp-compat.h b/scripts/libppp-compat.h
new file mode 100644
index 0000000..eee1d09
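Review bot: The header kept in this carried patch still describes the whole upstream commit (`Upstream-Status: Backport [...]` plus the original subject), but after this trim the patch only creates `scripts/libppp-compat.h`; the configure.ac and scripts/libppp-plugin.c parts are gone. The remaining header tests `WITH_PPP_VERSION < PPP_VERSION(2,5,0)`, and both macros were defined by the configure.ac section removed here, so the patch is only correct if the 1.42 tarball already provides them. A reader cannot tell that from the patch itself. I would add a header line such as `Only scripts/libppp-compat.h is carried; the configure.ac and libppp-plugin.c changes are expected to be in the 1.42 release tarball` once that has been checked.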
@@ -220,55 +150,3 @@ index 0000000..eee1d09
+
+#endif /* #if WITH_PPP_VERSION < PPP_VERSION(2,5,0) */
+#endif /* #if__LIBPPP_COMPAT_H__ */
-diff --git a/scripts/libppp-plugin.c b/scripts/libppp-plugin.c
-index 0dd8b47..61641b5 100644
---- a/scripts/libppp-plugin.c
-+++ b/scripts/libppp-plugin.c
-@@ -29,14 +29,13 @@
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <fcntl.h>
--#include <pppd/pppd.h>
--#include <pppd/fsm.h>
--#include <pppd/ipcp.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
-
- #include <dbus/dbus.h>
-
-+#include "libppp-compat.h"
-+
- #define INET_ADDRES_LEN (INET_ADDRSTRLEN + 5)
- #define INET_DNS_LEN (2*INET_ADDRSTRLEN + 9)
-
-@@ -47,7 +46,7 @@ static char *path;
- static DBusConnection *connection;
- static int prev_phase;
-
--char pppd_version[] = VERSION;
-+char pppd_version[] = PPPD_VERSION;
-
- int plugin_init(void);
-
-@@ -170,7 +169,7 @@ static void ppp_up(void *data, int arg)
- DBUS_TYPE_STRING_AS_STRING DBUS_TYPE_STRING_AS_STRING
- DBUS_DICT_ENTRY_END_CHAR_AS_STRING, &dict);
-
-- append(&dict, "INTERNAL_IFNAME", ifname);
-+ append(&dict, "INTERNAL_IFNAME", ppp_ifname());
-
- inet_ntop(AF_INET, &ipcp_gotoptions[0].ouraddr, buf, INET_ADDRSTRLEN);
- append(&dict, "INTERNAL_IP4_ADDRESS", buf);
-@@ -309,9 +308,9 @@ int plugin_init(void)
- chap_check_hook = ppp_have_secret;
- pap_check_hook = ppp_have_secret;
-
-- add_notifier(&ip_up_notifier, ppp_up, NULL);
-- add_notifier(&phasechange, ppp_phase_change, NULL);
-- add_notifier(&exitnotify, ppp_exit, connection);
-+ ppp_add_notify(NF_IP_UP, ppp_up, NULL);
-+ ppp_add_notify(NF_PHASE_CHANGE, ppp_phase_change, NULL);
-+ ppp_add_notify(NF_EXIT, ppp_exit, connection);
-
- return 0;
- }
diff --git a/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
index 9dca21a02f..aefdd3aa06 100644
--- a/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
+++ b/poky/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
@@ -18,14 +18,6 @@ diff --git a/gweb/gresolv.c b/gweb/gresolv.c
index 954e7cf..2a9bc51 100644
--- a/gweb/gresolv.c
+++ b/gweb/gresolv.c
-@@ -36,6 +36,7 @@
- #include <arpa/inet.h>
- #include <arpa/nameser.h>
- #include <net/if.h>
-+#include <ctype.h>
-
- #include "gresolv.h"
-
@@ -878,8 +879,6 @@ GResolv *g_resolv_new(int index)
resolv->index = index;
resolv->nameserver_list = NULL;
diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
deleted file mode 100644
index 182c5ca29c..0000000000
--- a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
-From: Nathan Crandall <ncrandall@tesla.com>
-Date: Tue, 12 Jul 2022 08:56:34 +0200
-Subject: gweb: Fix OOB write in received_data()
-
-There is a mismatch of handling binary vs. C-string data with memchr
-and strlen, resulting in pos, count, and bytes_read to become out of
-sync and result in a heap overflow. Instead, do not treat the buffer
-as an ASCII C-string. We calculate the count based on the return value
-of memchr, instead of strlen.
-
-Fixes: CVE-2022-32292
-
-CVE: CVE-2022-32292
-
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- gweb/gweb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/gweb/gweb.c b/gweb/gweb.c
-index 12fcb1d8..13c6c5f2 100644
---- a/gweb/gweb.c
-+++ b/gweb/gweb.c
-@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
- }
-
- *pos = '\0';
-- count = strlen((char *) ptr);
-+ count = pos - ptr;
- if (count > 0 && ptr[count - 1] == '\r') {
- ptr[--count] = '\0';
- bytes_read--;
---
-cgit
-
diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch
deleted file mode 100644
index b280203594..0000000000
--- a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001
-From: Daniel Wagner <wagi@monom.org>
-Date: Tue, 5 Jul 2022 08:32:12 +0200
-Subject: wispr: Add reference counter to portal context
-
-Track the connman_wispr_portal_context live time via a
-refcounter. This only adds the infrastructure to do proper reference
-counting.
-
-Fixes: CVE-2022-32293
-CVE: CVE-2022-32293
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 42 insertions(+), 10 deletions(-)
-
-diff --git a/src/wispr.c b/src/wispr.c
-index a07896ca..bde7e63b 100644
---- a/src/wispr.c
-+++ b/src/wispr.c
-@@ -56,6 +56,7 @@ struct wispr_route {
- };
-
- struct connman_wispr_portal_context {
-+ int refcount;
- struct connman_service *service;
- enum connman_ipconfig_type type;
- struct connman_wispr_portal *wispr_portal;
-@@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL;
- static char *online_check_ipv6_url = NULL;
- static bool enable_online_to_ready_transition = false;
-
-+#define wispr_portal_context_ref(wp_context) \
-+ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__)
-+#define wispr_portal_context_unref(wp_context) \
-+ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)
-+
- static void connman_wispr_message_init(struct connman_wispr_message *msg)
- {
- DBG("");
-@@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context(
- {
- DBG("context %p", wp_context);
-
-- if (!wp_context)
-- return;
--
- if (wp_context->wispr_portal) {
- if (wp_context->wispr_portal->ipv4_context == wp_context)
- wp_context->wispr_portal->ipv4_context = NULL;
-@@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context(
- g_free(wp_context);
- }
-
-+static struct connman_wispr_portal_context *
-+wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,
-+ const char *file, int line, const char *caller)
-+{
-+ DBG("%p ref %d by %s:%d:%s()", wp_context,
-+ wp_context->refcount + 1, file, line, caller);
-+
-+ __sync_fetch_and_add(&wp_context->refcount, 1);
-+
-+ return wp_context;
-+}
-+
-+static void wispr_portal_context_unref_debug(
-+ struct connman_wispr_portal_context *wp_context,
-+ const char *file, int line, const char *caller)
-+{
-+ if (!wp_context)
-+ return;
-+
-+ DBG("%p ref %d by %s:%d:%s()", wp_context,
-+ wp_context->refcount - 1, file, line, caller);
-+
-+ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
-+ return;
-+
-+ free_connman_wispr_portal_context(wp_context);
-+}
-+
- static struct connman_wispr_portal_context *create_wispr_portal_context(void)
- {
-- return g_try_new0(struct connman_wispr_portal_context, 1);
-+ return wispr_portal_context_ref(
-+ g_new0(struct connman_wispr_portal_context, 1));
- }
-
- static void free_connman_wispr_portal(gpointer data)
-@@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data)
- if (!wispr_portal)
- return;
-
-- free_connman_wispr_portal_context(wispr_portal->ipv4_context);
-- free_connman_wispr_portal_context(wispr_portal->ipv6_context);
-+ wispr_portal_context_unref(wispr_portal->ipv4_context);
-+ wispr_portal_context_unref(wispr_portal->ipv6_context);
-
- g_free(wispr_portal);
- }
-@@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result,
- connman_info("Client-Timezone: %s", str);
-
- if (!enable_online_to_ready_transition)
-- free_connman_wispr_portal_context(wp_context);
-+ wispr_portal_context_unref(wp_context);
-
- __connman_service_ipconfig_indicate_state(service,
- CONNMAN_SERVICE_STATE_ONLINE, type);
-@@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service,
- return;
- }
-
-- free_connman_wispr_portal_context(wp_context);
-+ wispr_portal_context_unref(wp_context);
- return;
- }
-
-@@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)
-
- if (wp_context->token == 0) {
- err = -EINVAL;
-- free_connman_wispr_portal_context(wp_context);
-+ wispr_portal_context_unref(wp_context);
- }
- } else if (wp_context->timeout == 0) {
- wp_context->timeout = g_idle_add(no_proxy_callback, wp_context);
-@@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service,
-
- /* If there is already an existing context, we wipe it */
- if (wp_context)
-- free_connman_wispr_portal_context(wp_context);
-+ wispr_portal_context_unref(wp_context);
-
- wp_context = create_wispr_portal_context();
- if (!wp_context)
---
-cgit
-
diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch
deleted file mode 100644
index 56f8fc82de..0000000000
--- a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001
-From: Daniel Wagner <wagi@monom.org>
-Date: Tue, 5 Jul 2022 09:11:09 +0200
-Subject: wispr: Update portal context references
-
-Maintain proper portal context references to avoid UAF.
-
-Fixes: CVE-2022-32293
-CVE: CVE-2022-32293
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- src/wispr.c | 34 ++++++++++++++++++++++------------
- 1 file changed, 22 insertions(+), 12 deletions(-)
-
-diff --git a/src/wispr.c b/src/wispr.c
-index bde7e63b..84bed33f 100644
---- a/src/wispr.c
-+++ b/src/wispr.c
-@@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false;
-
- static void connman_wispr_message_init(struct connman_wispr_message *msg)
- {
-- DBG("");
--
- msg->has_error = false;
- msg->current_element = NULL;
-
-@@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
- static void free_connman_wispr_portal_context(
- struct connman_wispr_portal_context *wp_context)
- {
-- DBG("context %p", wp_context);
--
- if (wp_context->wispr_portal) {
- if (wp_context->wispr_portal->ipv4_context == wp_context)
- wp_context->wispr_portal->ipv4_context = NULL;
-@@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result,
- &str))
- connman_info("Client-Timezone: %s", str);
-
-- if (!enable_online_to_ready_transition)
-- wispr_portal_context_unref(wp_context);
--
- __connman_service_ipconfig_indicate_state(service,
- CONNMAN_SERVICE_STATE_ONLINE, type);
-
-@@ -546,14 +539,17 @@ static void wispr_portal_request_portal(
- {
- DBG("");
-
-+ wispr_portal_context_ref(wp_context);
- wp_context->request_id = g_web_request_get(wp_context->web,
- wp_context->status_url,
- wispr_portal_web_result,
- wispr_route_request,
- wp_context);
-
-- if (wp_context->request_id == 0)
-+ if (wp_context->request_id == 0) {
- wispr_portal_error(wp_context);
-+ wispr_portal_context_unref(wp_context);
-+ }
- }
-
- static bool wispr_input(const guint8 **data, gsize *length,
-@@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
- return;
-
- if (!authentication_done) {
-- wispr_portal_error(wp_context);
- free_wispr_routes(wp_context);
-+ wispr_portal_error(wp_context);
-+ wispr_portal_context_unref(wp_context);
- return;
- }
-
- /* Restarting the test */
- __connman_service_wispr_start(service, wp_context->type);
-+ wispr_portal_context_unref(wp_context);
- }
-
- static void wispr_portal_request_wispr_login(struct connman_service *service,
-@@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result,
-
- wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;
-
-+ wispr_portal_context_ref(wp_context);
- if (__connman_agent_request_login_input(wp_context->service,
- wispr_portal_request_wispr_login,
-- wp_context) != -EINPROGRESS)
-+ wp_context) != -EINPROGRESS) {
- wispr_portal_error(wp_context);
-- else
-+ wispr_portal_context_unref(wp_context);
-+ } else
- return true;
-
- break;
-@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- if (length > 0) {
- g_web_parser_feed_data(wp_context->wispr_parser,
- chunk, length);
-+ wispr_portal_context_unref(wp_context);
- return true;
- }
-
-@@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
-
- switch (status) {
- case 000:
-+ wispr_portal_context_ref(wp_context);
- __connman_agent_request_browser(wp_context->service,
- wispr_portal_browser_reply_cb,
- wp_context->status_url, wp_context);
-@@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- if (g_web_result_get_header(result, "X-ConnMan-Status",
- &str)) {
- portal_manage_status(result, wp_context);
-+ wispr_portal_context_unref(wp_context);
- return false;
-- } else
-+ } else {
-+ wispr_portal_context_ref(wp_context);
- __connman_agent_request_browser(wp_context->service,
- wispr_portal_browser_reply_cb,
- wp_context->redirect_url, wp_context);
-+ }
-
- break;
- case 300:
-@@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- !g_web_result_get_header(result, "Location",
- &redirect)) {
-
-+ wispr_portal_context_ref(wp_context);
- __connman_agent_request_browser(wp_context->service,
- wispr_portal_browser_reply_cb,
- wp_context->status_url, wp_context);
-@@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
-
- wp_context->redirect_url = g_strdup(redirect);
-
-+ wispr_portal_context_ref(wp_context);
- wp_context->request_id = g_web_request_get(wp_context->web,
- redirect, wispr_portal_web_result,
- wispr_route_request, wp_context);
-@@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
-
- break;
- case 505:
-+ wispr_portal_context_ref(wp_context);
- __connman_agent_request_browser(wp_context->service,
- wispr_portal_browser_reply_cb,
- wp_context->status_url, wp_context);
-@@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
- wp_context->request_id = 0;
- done:
- wp_context->wispr_msg.message_type = -1;
-+ wispr_portal_context_unref(wp_context);
- return false;
- }
-
-@@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data)
- xml_wispr_parser_callback, wp_context);
-
- wispr_portal_request_portal(wp_context);
-+ wispr_portal_context_unref(wp_context);
- }
-
- static gboolean no_proxy_callback(gpointer user_data)
---
-cgit
-
diff --git a/poky/meta/recipes-connectivity/connman/connman_1.41.bb b/poky/meta/recipes-connectivity/connman/connman_1.42.bb
index d8ac1f5cde..c2fcd617ae 100644
--- a/poky/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/poky/meta/recipes-connectivity/connman/connman_1.42.bb
@@ -5,16 +5,12 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \
file://connman \
file://no-version-scripts.patch \
- file://CVE-2022-32293_p1.patch \
- file://CVE-2022-32293_p2.patch \
- file://CVE-2022-32292.patch \
- file://0001-gdhcp-Verify-and-sanitize-packet-length-first.patch \
file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \
"
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
-SRC_URI[sha256sum] = "79fb40f4fdd5530c45aa8e592fb16ba23d3674f3a98cf10b89a6576f198de589"
+SRC_URI[sha256sum] = "a3e6bae46fc081ef2e9dae3caa4f7649de892c3de622c20283ac0ca81423c2aa"
RRECOMMENDS:${PN} = "connman-conf"
RCONFLICTS:${PN} = "networkmanager"
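Review bot: This hunk drops the CVE-2022-32292, CVE-2022-32293 (p1/p2) and CVE-2023-28488 (`0001-gdhcp-Verify-and-sanitize-packet-length-first.patch`) backports in the same step as the switch to the 1.42 tarball, and nothing visible in the recipe records that 1.42 contains those fixes. The deleted patches were all marked `Upstream-Status: Backport`, so they are presumably in the release. That should still be confirmed against the 1.42 source (`received_data` in gweb/gweb.c, the portal-context refcounting in src/wispr.c, `dhcp_recv_l2_packet` in gdhcp/client.c) and stated in the commit message. If the CVE checker's version data does not cover 1.42, an entry in the style this layer already uses, e.g. `CVE_STATUS[CVE-2023-28488] = "fixed-version: fixed in 1.42"`, would keep each fix traceable.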
diff --git a/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.1.bb b/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.2.bb
index de007a6e6c..0966edd1b8 100644
--- a/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.1.bb
+++ b/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.2.bb
@@ -15,9 +15,10 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://dhcpcd.service \
file://dhcpcd@.service \
file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
+ file://0001-privsep-fix-strlcpy-overflow-in-psp_ifname-239.patch \
"
-SRCREV = "5d9bf80c26b4b7dc9d8aa175d96d5a24e75b4d48"
+SRCREV = "d2fbde99cf2d0072016af9dfe6a77032a5a9fc30"
S = "${WORKDIR}/git"
inherit pkgconfig autotools-brokensep systemd useradd
diff --git a/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-fix-strlcpy-overflow-in-psp_ifname-239.patch b/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-fix-strlcpy-overflow-in-psp_ifname-239.patch
new file mode 100644
index 0000000000..d4fb1737a6
--- /dev/null
+++ b/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-fix-strlcpy-overflow-in-psp_ifname-239.patch
@@ -0,0 +1,33 @@
+From 1bd8fc7d4b34f752a32709d277a897e5ad202d97 Mon Sep 17 00:00:00 2001
+From: Tobias Heider <tobhe@users.noreply.github.com>
+Date: Tue, 15 Aug 2023 18:06:48 +0200
+Subject: [PATCH] privsep: fix strlcpy overflow in psp_ifname (#239)
+
+When running our Ubuntu tests with libc6 and strlcpy overflow checks
+enabled we found that the wrong size is passed to strlcpy resulting
+in a crash because of an overflow.
+
+Upstream-Status: Backport
+[https://github.com/NetworkConfiguration/dhcpcd/commit/1bd8fc7d4b34f752a32709d277a897e5ad202d97]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/privsep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/privsep.c b/src/privsep.c
+index b11c0351..cfe54742 100644
+--- a/src/privsep.c
++++ b/src/privsep.c
+@@ -1200,7 +1200,7 @@ ps_newprocess(struct dhcpcd_ctx *ctx, struct ps_id *psid)
+ #endif
+
+ if (!(ctx->options & DHCPCD_MANAGER))
+- strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_name));
++ strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_ifname));
+ TAILQ_INSERT_TAIL(&ctx->ps_processes, psp, next);
+ return psp;
+ }
+--
+2.25.1
+
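Review bot: The corrected `strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_ifname))` line still discards the return value, so an interface name that does not fit `psp_ifname` would be truncated silently and the process record would carry a different name than the interface it serves. Sizing the copy by the destination field is the right fix for the overflow; a follow-up could compare the result with the buffer size, `if (strlcpy(psp->psp_ifname, ctx->ifv[0], sizeof(psp->psp_ifname)) >= sizeof(psp->psp_ifname)) { /* report truncation */ }`. Whether `ctx->ifv[0]` can exceed the field is not visible here, and ps_newprocess starts outside the hunk, so this is a point for upstream rather than a change to the backport.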
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
new file mode 100644
index 0000000000..70bd98897d
--- /dev/null
+++ b/poky/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,279 @@
+From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Date: Fri, 30 Jun 2023 19:02:45 +0200
+Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
+ set*id() return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ ftpd/ftpd.c | 10 +++++++---
+ src/rcp.c | 39 +++++++++++++++++++++++++++++++++------
+ src/rlogin.c | 11 +++++++++--
+ src/rsh.c | 25 +++++++++++++++++++++----
+ src/rshd.c | 20 +++++++++++++++++---
+ src/uucpd.c | 15 +++++++++++++--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 92b2cca5..28dd523f 100644
+--- a/ftpd/ftpd.c
++++ b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+ char *remotehost = pcred->remotehost;
+ int atype = pcred->auth_type;
+
+- seteuid ((uid_t) 0);
++ if (seteuid ((uid_t) 0) == -1)
++ _exit (EXIT_FAILURE);
++
+ if (pcred->logged_in)
+ {
+ logwtmp_keep_open (ttyline, "", "");
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+
+ if (data >= 0)
+ return fdopen (data, mode);
+- seteuid ((uid_t) 0);
++ if (seteuid ((uid_t) 0) == -1)
++ _exit (EXIT_FAILURE);
+ s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+ if (s < 0)
+ goto bad;
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+ else /* !AF_INET6 */
+ ((struct sockaddr_in *) &pasv_addr)->sin_port = 0;
+
+- seteuid ((uid_t) 0);
++ if (seteuid ((uid_t) 0) == -1)
++ _exit (EXIT_FAILURE);
+ if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0)
+ {
+ if (seteuid ((uid_t) cred.uid))
+diff --git a/src/rcp.c b/src/rcp.c
+index 75adb253..cdcf8500 100644
+--- a/src/rcp.c
++++ b/src/rcp.c
+@@ -345,14 +345,23 @@ main (int argc, char *argv[])
+ if (from_option)
+ { /* Follow "protocol", send data. */
+ response ();
+- setuid (userid);
++
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
++
+ source (argc, argv);
+ exit (errs);
+ }
+
+ if (to_option)
+ { /* Receive data. */
+- setuid (userid);
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
++
+ sink (argc, argv);
+ exit (errs);
+ }
+@@ -537,7 +546,11 @@ toremote (char *targ, int argc, char *argv[])
+ if (response () < 0)
+ exit (EXIT_FAILURE);
+ free (bp);
+- setuid (userid);
++
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
+ }
+ source (1, argv + i);
+ close (rem);
+@@ -630,7 +643,12 @@ tolocal (int argc, char *argv[])
+ ++errs;
+ continue;
+ }
+- seteuid (userid);
++
++ if (seteuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
++
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+ sslen = sizeof (ss);
+ (void) getpeername (rem, (struct sockaddr *) &ss, &sslen);
+@@ -643,7 +661,12 @@ tolocal (int argc, char *argv[])
+ #endif
+ vect[0] = target;
+ sink (1, vect);
+- seteuid (effuid);
++
++ if (seteuid (effuid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
++
+ close (rem);
+ rem = -1;
+ #ifdef SHISHI
+@@ -1441,7 +1464,11 @@ susystem (char *s, int userid)
+ return (127);
+
+ case 0:
+- setuid (userid);
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
++
+ execl (PATH_BSHELL, "sh", "-c", s, NULL);
+ _exit (127);
+ }
+diff --git a/src/rlogin.c b/src/rlogin.c
+index aa6426fb..c543de0c 100644
+--- a/src/rlogin.c
++++ b/src/rlogin.c
+@@ -647,8 +647,15 @@ try_connect:
+ /* Now change to the real user ID. We have to be set-user-ID root
+ to get the privileged port that rcmd () uses. We now want, however,
+ to run as the real user who invoked us. */
+- seteuid (uid);
+- setuid (uid);
++ if (seteuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
++
++ if (setuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
+
+ doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */
+
+diff --git a/src/rsh.c b/src/rsh.c
+index 2d622ca4..6f60667d 100644
+--- a/src/rsh.c
++++ b/src/rsh.c
+@@ -276,8 +276,17 @@ main (int argc, char **argv)
+ {
+ if (asrsh)
+ *argv = (char *) "rlogin";
+- seteuid (getuid ());
+- setuid (getuid ());
++
++ if (seteuid (getuid ()) == -1)
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
++
++ if (setuid (getuid ()) == -1)
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
++
+ execv (PATH_RLOGIN, argv);
+ error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+ }
+@@ -541,8 +550,16 @@ try_connect:
+ error (0, errno, "setsockopt DEBUG (ignored)");
+ }
+
+- seteuid (uid);
+- setuid (uid);
++ if (seteuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
++
++ if (setuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
++
+ #ifdef HAVE_SIGACTION
+ sigemptyset (&sigs);
+ sigaddset (&sigs, SIGINT);
+diff --git a/src/rshd.c b/src/rshd.c
+index d1c0d0cd..707790e7 100644
+--- a/src/rshd.c
++++ b/src/rshd.c
+@@ -1847,8 +1847,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ pwd->pw_shell = PATH_BSHELL;
+
+ /* Set the gid, then uid to become the user specified by "locuser" */
+- setegid ((gid_t) pwd->pw_gid);
+- setgid ((gid_t) pwd->pw_gid);
++ if (setegid ((gid_t) pwd->pw_gid) == -1)
++ {
++ rshd_error ("Cannot drop privileges (setegid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
++
++ if (setgid ((gid_t) pwd->pw_gid) == -1)
++ {
++ rshd_error ("Cannot drop privileges (setgid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
++
+ #ifdef HAVE_INITGROUPS
+ initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */
+ #endif
+@@ -1870,7 +1880,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ }
+ #endif /* WITH_PAM */
+
+- setuid ((uid_t) pwd->pw_uid);
++ if (setuid ((uid_t) pwd->pw_uid) == -1)
++ {
++ rshd_error ("Cannot drop privileges (setuid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ /* We'll execute the client's command in the home directory
+ * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 107589e1..29cfce35 100644
+--- a/src/uucpd.c
++++ b/src/uucpd.c
+@@ -252,7 +252,12 @@ doit (struct sockaddr *sap, socklen_t salen)
+ snprintf (Username, sizeof (Username), "USER=%s", user);
+ snprintf (Logname, sizeof (Logname), "LOGNAME=%s", user);
+ dologin (pw, sap, salen);
+- setgid (pw->pw_gid);
++
++ if (setgid (pw->pw_gid) == -1)
++ {
++ fprintf (stderr, "setgid() failed");
++ return;
++ }
+ #ifdef HAVE_INITGROUPS
+ initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -261,7 +266,13 @@ doit (struct sockaddr *sap, socklen_t salen)
+ fprintf (stderr, "Login incorrect.");
+ return;
+ }
+- setuid (pw->pw_uid);
++
++ if (setuid (pw->pw_uid) == -1)
++ {
++ fprintf (stderr, "setuid() failed");
++ return;
++ }
++
+ execl (uucico_location, "uucico", NULL);
+ perror ("uucico server: execl");
+ }
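Review bot: `initgroups()` is still called unchecked in the rshd.c and uucpd.c `doit` hunks, directly after the newly checked `setgid()`; if it fails, the process goes on to `setuid()` and exec with whatever supplementary groups it had before, presumably those of the privileged parent. In uucpd.c the line would become `if (initgroups (pw->pw_name, pw->pw_gid) == -1) { fprintf (stderr, "initgroups() failed"); return; }`, with the matching `rshd_error`/`exit` form in rshd.c. This matters for the recipe because uucpd is in the default PACKAGECONFIG, while rshd is disabled. In the rcp.c `susystem` hunk the failure path runs in the forked child and leaves through `error (EXIT_FAILURE, ...)`, i.e. `exit()`, whereas the following line uses `_exit (127)`; `_exit` would be the consistent choice there. All of these functions begin and end outside the inner hunks, and the changes belong upstream rather than in the backport.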
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
new file mode 100644
index 0000000000..1b972aac29
--- /dev/null
+++ b/poky/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
@@ -0,0 +1,253 @@
+From 70fe022f9dac760eaece0228cad17e3d29a57fb8 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Mon, 31 Jul 2023 13:59:05 +0200
+Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/rcp.c | 42 ++++++++++++++++++++++++------------------
+ src/rlogin.c | 12 ++++++------
+ src/rsh.c | 24 ++++++++++++------------
+ src/rshd.c | 24 ++++++++++++------------
+ src/uucpd.c | 16 ++++++++--------
+ 5 files changed, 62 insertions(+), 56 deletions(-)
+
+diff --git a/src/rcp.c b/src/rcp.c
+index cdcf8500..652f22e6 100644
+--- a/src/rcp.c
++++ b/src/rcp.c
+@@ -347,9 +347,10 @@ main (int argc, char *argv[])
+ response ();
+
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+
+ source (argc, argv);
+ exit (errs);
+@@ -358,9 +359,10 @@ main (int argc, char *argv[])
+ if (to_option)
+ { /* Receive data. */
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+
+ sink (argc, argv);
+ exit (errs);
+@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[])
+ free (bp);
+
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+ }
+ source (1, argv + i);
+ close (rem);
+@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[])
+ }
+
+ if (seteuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (seteuid() failed)");
++ }
+
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+ sslen = sizeof (ss);
+@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[])
+ sink (1, vect);
+
+ if (seteuid (effuid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (seteuid() failed)");
++ }
+
+ close (rem);
+ rem = -1;
+@@ -1465,9 +1470,10 @@ susystem (char *s, int userid)
+
+ case 0:
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+
+ execl (PATH_BSHELL, "sh", "-c", s, NULL);
+ _exit (127);
+diff --git a/src/rlogin.c b/src/rlogin.c
+index c543de0c..4360202f 100644
+--- a/src/rlogin.c
++++ b/src/rlogin.c
+@@ -648,14 +648,14 @@ try_connect:
+ to get the privileged port that rcmd () uses. We now want, however,
+ to run as the real user who invoked us. */
+ if (seteuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
+
+ if (setuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
+
+ doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */
+
+diff --git a/src/rsh.c b/src/rsh.c
+index 6f60667d..179b47cd 100644
+--- a/src/rsh.c
++++ b/src/rsh.c
+@@ -278,14 +278,14 @@ main (int argc, char **argv)
+ *argv = (char *) "rlogin";
+
+ if (seteuid (getuid ()) == -1)
+- {
+- error (EXIT_FAILURE, errno, "seteuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
+
+ if (setuid (getuid ()) == -1)
+- {
+- error (EXIT_FAILURE, errno, "setuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
+
+ execv (PATH_RLOGIN, argv);
+ error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+@@ -551,14 +551,14 @@ try_connect:
+ }
+
+ if (seteuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, errno, "seteuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
+
+ if (setuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, errno, "setuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
+
+ #ifdef HAVE_SIGACTION
+ sigemptyset (&sigs);
+diff --git a/src/rshd.c b/src/rshd.c
+index 707790e7..3a153a18 100644
+--- a/src/rshd.c
++++ b/src/rshd.c
+@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+
+ /* Set the gid, then uid to become the user specified by "locuser" */
+ if (setegid ((gid_t) pwd->pw_gid) == -1)
+- {
+- rshd_error ("Cannot drop privileges (setegid() failed)\n");
+- exit (EXIT_FAILURE);
+- }
++ {
++ rshd_error ("Cannot drop privileges (setegid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ if (setgid ((gid_t) pwd->pw_gid) == -1)
+- {
+- rshd_error ("Cannot drop privileges (setgid() failed)\n");
+- exit (EXIT_FAILURE);
+- }
++ {
++ rshd_error ("Cannot drop privileges (setgid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ #ifdef HAVE_INITGROUPS
+ initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */
+@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ #endif /* WITH_PAM */
+
+ if (setuid ((uid_t) pwd->pw_uid) == -1)
+- {
+- rshd_error ("Cannot drop privileges (setuid() failed)\n");
+- exit (EXIT_FAILURE);
+- }
++ {
++ rshd_error ("Cannot drop privileges (setuid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ /* We'll execute the client's command in the home directory
+ * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 29cfce35..fde7b9c9 100644
+--- a/src/uucpd.c
++++ b/src/uucpd.c
+@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+ dologin (pw, sap, salen);
+
+ if (setgid (pw->pw_gid) == -1)
+- {
+- fprintf (stderr, "setgid() failed");
+- return;
+- }
++ {
++ fprintf (stderr, "setgid() failed");
++ return;
++ }
+ #ifdef HAVE_INITGROUPS
+ initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+ }
+
+ if (setuid (pw->pw_uid) == -1)
+- {
+- fprintf (stderr, "setuid() failed");
+- return;
+- }
++ {
++ fprintf (stderr, "setuid() failed");
++ return;
++ }
+
+ execl (uucico_location, "uucico", NULL);
+ perror ("uucico server: execl");
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch
deleted file mode 100644
index 603d2baf9d..0000000000
--- a/poky/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From c7c27ba763c613f83c1561e56448b49315c271c5 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Wed, 6 Mar 2019 09:36:11 -0500
-Subject: [PATCH] Upstream:
- http://www.mail-archive.com/bug-inetutils@gnu.org/msg02103.html
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
----
- ping/ping_common.h | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/ping/ping_common.h b/ping/ping_common.h
-index 65e3e60..3e84db0 100644
---- a/ping/ping_common.h
-+++ b/ping/ping_common.h
-@@ -18,10 +18,14 @@
- You should have received a copy of the GNU General Public License
- along with this program. If not, see `http://www.gnu.org/licenses/'. */
-
-+#include <config.h>
-+
- #include <netinet/in_systm.h>
- #include <netinet/in.h>
- #include <netinet/ip.h>
-+#ifdef HAVE_IPV6
- #include <netinet/icmp6.h>
-+#endif
- #include <icmp.h>
- #include <error.h>
- #include <progname.h>
-@@ -63,7 +67,12 @@ struct ping_stat
- want to follow the traditional behaviour of ping. */
- #define DEFAULT_PING_COUNT 0
-
-+#ifdef HAVE_IPV6
- #define PING_HEADER_LEN (USE_IPV6 ? sizeof (struct icmp6_hdr) : ICMP_MINLEN)
-+#else
-+#define PING_HEADER_LEN (ICMP_MINLEN)
-+#endif
-+
- #define PING_TIMING(s) ((s) >= sizeof (struct timeval))
- #define PING_DATALEN (64 - PING_HEADER_LEN) /* default data length */
-
-@@ -78,13 +87,20 @@ struct ping_stat
-
- #define PING_MIN_USER_INTERVAL (200000/PING_PRECISION)
-
-+#ifdef HAVE_IPV6
- /* FIXME: Adjust IPv6 case for options and their consumption. */
- #define _PING_BUFLEN(p, u) ((u)? ((p)->ping_datalen + sizeof (struct icmp6_hdr)) : \
- (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN))
-
-+#else
-+#define _PING_BUFLEN(p, u) (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN)
-+#endif
-+
-+#ifdef HAVE_IPV6
- typedef int (*ping_efp6) (int code, void *closure, struct sockaddr_in6 * dest,
- struct sockaddr_in6 * from, struct icmp6_hdr * icmp,
- int datalen);
-+#endif
-
- typedef int (*ping_efp) (int code,
- void *closure,
-@@ -93,13 +109,17 @@ typedef int (*ping_efp) (int code,
- struct ip * ip, icmphdr_t * icmp, int datalen);
-
- union event {
-+#ifdef HAVE_IPV6
- ping_efp6 handler6;
-+#endif
- ping_efp handler;
- };
-
- union ping_address {
- struct sockaddr_in ping_sockaddr;
-+#ifdef HAVE_IPV6
- struct sockaddr_in6 ping_sockaddr6;
-+#endif
- };
-
- typedef struct ping_data PING;
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch
deleted file mode 100644
index 2974bd4f94..0000000000
--- a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From f7f785c21306010b2367572250b2822df5bc7728 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier at gentoo.org>
-Date: Thu, 18 Nov 2010 16:59:14 -0500
-Subject: [PATCH] printf-parse: pull in features.h for __GLIBC__
-
-Upstream-Status: Pending
-
-Signed-off-by: Mike Frysinger <vapier at gentoo.org>
-
----
- lib/printf-parse.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/lib/printf-parse.h b/lib/printf-parse.h
-index e7d0f82..d7b4534 100644
---- a/lib/printf-parse.h
-+++ b/lib/printf-parse.h
-@@ -28,6 +28,9 @@
-
- #include "printf-args.h"
-
-+#ifdef HAVE_FEATURES_H
-+# include <features.h> /* for __GLIBC__ */
-+#endif
-
- /* Flags */
- #define FLAG_GROUP 1 /* ' flag */
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch
deleted file mode 100644
index 1ef7e21073..0000000000
--- a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 9089c6eafbf5903174dce87b68476e35db80beb9 Mon Sep 17 00:00:00 2001
-From: Martin Jansa <martin.jansa@gmail.com>
-Date: Wed, 6 Mar 2019 09:36:11 -0500
-Subject: [PATCH] inetutils: Import version 1.9.4
-
-Upstream-Status: Pending
-
----
- lib/wchar.in.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/lib/wchar.in.h b/lib/wchar.in.h
-index cdda680..043866a 100644
---- a/lib/wchar.in.h
-+++ b/lib/wchar.in.h
-@@ -77,6 +77,9 @@
- /* The include_next requires a split double-inclusion guard. */
- #if @HAVE_WCHAR_H@
- # @INCLUDE_NEXT@ @NEXT_WCHAR_H@
-+#else
-+# include <stddef.h>
-+# define MB_CUR_MAX 1
- #endif
-
- #undef _GL_ALREADY_INCLUDING_WCHAR_H
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch
deleted file mode 100644
index 460ddf9830..0000000000
--- a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 101130f422dd5c01a1459645d7b2a5b8d19720ab Mon Sep 17 00:00:00 2001
-From: Martin Jansa <martin.jansa@gmail.com>
-Date: Wed, 6 Mar 2019 09:36:11 -0500
-Subject: [PATCH] inetutils: define PATH_PROCNET_DEV if not already defined
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-this prevents the following compilation error :
-system/linux.c:401:15: error: 'PATH_PROCNET_DEV' undeclared (first use in this function)
-
-this patch comes from :
- http://repository.timesys.com/buildsources/i/inetutils/inetutils-1.9/
-
-Upstream-Status: Inappropriate [not author]
-
-Signed-of-by: Eric Bénard <eric@eukrea.com>
-
----
- ifconfig/system/linux.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/ifconfig/system/linux.c b/ifconfig/system/linux.c
-index e453b46..4268ca9 100644
---- a/ifconfig/system/linux.c
-+++ b/ifconfig/system/linux.c
-@@ -53,6 +53,10 @@
- #include "../ifconfig.h"
-
-
-+#ifndef PATH_PROCNET_DEV
-+ #define PATH_PROCNET_DEV "/proc/net/dev"
-+#endif
-+
- /* ARPHRD stuff. */
-
- static void
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch
deleted file mode 100644
index 2343c03cb4..0000000000
--- a/poky/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From cc66e842e037fba9f06761f942abe5c4856492b8 Mon Sep 17 00:00:00 2001
-From: Kai Kang <kai.kang@windriver.com>
-Date: Wed, 6 Mar 2019 09:36:11 -0500
-Subject: [PATCH] inetutils: Import version 1.9.4
-
-Only check security/pam_appl.h which is provided by package libpam when pam is
-enabled.
-
-Upstream-Status: Pending
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
----
- configure.ac | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 5e16c3a..18510a8 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -182,6 +182,19 @@ AC_SUBST(LIBUTIL)
-
- # See if we have libpam.a. Investigate PAM versus Linux-PAM.
- if test "$with_pam" = yes ; then
-+ AC_CHECK_HEADERS([security/pam_appl.h], [], [], [
-+#include <sys/types.h>
-+#ifdef HAVE_NETINET_IN_SYSTM_H
-+# include <netinet/in_systm.h>
-+#endif
-+#include <netinet/in.h>
-+#ifdef HAVE_NETINET_IP_H
-+# include <netinet/ip.h>
-+#endif
-+#ifdef HAVE_SYS_PARAM_H
-+# include <sys/param.h>
-+#endif
-+])
- AC_CHECK_LIB(dl, dlopen, LIBDL=-ldl)
- AC_CHECK_LIB(pam, pam_authenticate, LIBPAM=-lpam)
- if test "$ac_cv_lib_pam_pam_authenticate" = yes ; then
-@@ -617,7 +630,7 @@ AC_HEADER_DIRENT
- AC_CHECK_HEADERS([arpa/nameser.h arpa/tftp.h fcntl.h features.h \
- glob.h memory.h netinet/ether.h netinet/in_systm.h \
- netinet/ip.h netinet/ip_icmp.h netinet/ip_var.h \
-- security/pam_appl.h shadow.h \
-+ shadow.h \
- stropts.h sys/tty.h \
- sys/utsname.h sys/ptyvar.h sys/msgbuf.h sys/filio.h \
- sys/ioctl_compat.h sys/cdefs.h sys/stream.h sys/mkdev.h \
diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb b/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb
index bcc3a0258e..957f1feac6 100644
--- a/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb
+++ b/poky/meta/recipes-connectivity/inetutils/inetutils_2.4.bb
@@ -13,23 +13,19 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7"
SRC_URI[sha256sum] = "1789d6b1b1a57dfe2a7ab7b533ee9f5dfd9cbf5b59bb1bb3c2612ed08d0f68b2"
SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
- file://inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch \
- file://inetutils-1.8-0003-wchar.patch \
- file://rexec.xinetd.inetutils \
+ file://rexec.xinetd.inetutils \
file://rlogin.xinetd.inetutils \
file://rsh.xinetd.inetutils \
file://telnet.xinetd.inetutils \
file://tftpd.xinetd.inetutils \
- file://inetutils-1.9-PATH_PROCNET_DEV.patch \
- file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
-"
+ file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \
+ file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \
+ "
inherit autotools gettext update-alternatives texinfo
acpaths = "-I ./m4"
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', '', 'file://fix-disable-ipv6.patch', d)}"
-
PACKAGECONFIG ??= "ftp uucpd \
${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6 ping6', '', d)} \
@@ -41,21 +37,33 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6 gl_cv_socket_ipv6=no,"
PACKAGECONFIG[ping6] = "--enable-ping6,--disable-ping6,"
EXTRA_OECONF = "--with-ncurses-include-dir=${STAGING_INCDIR} \
- inetutils_cv_path_login=${base_bindir}/login \
--with-libreadline-prefix=${STAGING_LIBDIR} \
--enable-rpath=no \
-"
+ --with-path-login=${base_bindir}/login \
+ --with-path-cp=${base_bindir}/cp \
+ --with-path-uucico=${libexecdir}/uuico \
+ --with-path-procnet-dev=/proc/net/dev \
+ "
+
+EXTRA_OECONF:append:libc-musl = " --with-path-utmpx=/dev/null/utmpx --with-path-wtmpx=/dev/null/wtmpx"
# These are horrible for security, disable them
EXTRA_OECONF:append = " --disable-rsh --disable-rshd --disable-rcp \
--disable-rlogin --disable-rlogind --disable-rexec --disable-rexecd"
+# The configure script guesses many paths in cross builds, check for this happening
+do_configure_cross_check() {
+ if grep "may be incorrect because of cross-compilation" ${B}/config.log; then
+ bberror Default path values used, these must be set explicitly
+ fi
+}
+do_configure[postfuncs] += "do_configure_cross_check"
+
+# The --with-path options are not actually options, so this check needs to be silenced
+ERROR_QA:remove = "unknown-configure-option"
+
do_configure:prepend () {
export HELP2MAN='true'
- cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${S}/build-aux/config.rpath
- install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.guess ${S}
- install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.sub ${S}
- rm -f ${S}/glob/configure*
}
do_install:append () {
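Review bot: The value in `--with-path-uucico=${libexecdir}/uuico` looks like a misspelling of `uucico`. uucpd execs `uucico_location` as the program "uucico", and that location is presumably taken from this path, so the exec would fail unless a binary is really installed under the shorter name. The line should probably read `--with-path-uucico=${libexecdir}/uucico \`. The same hunk removes `unknown-configure-option` from ERROR_QA for the whole recipe, so a misspelled configure switch is no longer reported either. A comment naming the `--with-path-*` options that are expected to trip the check would help the next editor.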
diff --git a/poky/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch b/poky/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch
new file mode 100644
index 0000000000..8a5bd00302
--- /dev/null
+++ b/poky/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch
@@ -0,0 +1,62 @@
+From f9bcfed5a1d44d9211c5f6eba403a9898c8c9057 Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Tue, 8 Aug 2023 19:03:13 +0100
+Subject: [PATCH] kea: fix reproducible build failure
+
+New version of Kea has started using path of build-dir instead of
+src-dir which results in reproducible builds failure.
+Use src-dir as is used in v2.2.0
+
+Upstream-Status: Pending
+https://gitlab.isc.org/isc-projects/kea/-/issues/3007
+
+Upstream has confirmed the patch will not be accepted but discussions
+with upstream is still going on, we might have a proper solution later.
+
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+---
+ src/bin/admin/kea-admin.in | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/bin/admin/kea-admin.in b/src/bin/admin/kea-admin.in
+index 034a0ee..8ab11ab 100644
+--- a/src/bin/admin/kea-admin.in
++++ b/src/bin/admin/kea-admin.in
+@@ -51,14 +51,14 @@ dump_qry=""
+ if test -f "@datarootdir@/@PACKAGE_NAME@/scripts/admin-utils.sh"; then
+ . "@datarootdir@/@PACKAGE_NAME@/scripts/admin-utils.sh"
+ else
+- . "@abs_top_builddir@/src/bin/admin/admin-utils.sh"
++ . "@abs_top_srcdir@/src/bin/admin/admin-utils.sh"
+ fi
+
+ # Find the installed kea-lfc if available. Fallback to sources otherwise.
+ if test -x "@sbindir@/kea-lfc"; then
+ kea_lfc="@sbindir@/kea-lfc"
+ else
+- kea_lfc="@abs_top_builddir@/src/bin/lfc/kea-lfc"
++ kea_lfc="@abs_top_srcdir@/src/bin/lfc/kea-lfc"
+ fi
+
+ # Prints out usage version.
+@@ -355,7 +355,7 @@ mysql_upgrade() {
+ # Check if there are any files in it
+ num_files=$(find "${upgrade_scripts_dir}" -name 'upgrade*.sh' -type f | wc -l)
+ if [ "$num_files" -eq 0 ]; then
+- upgrade_scripts_dir=@abs_top_builddir@/src/share/database/scripts/mysql
++ upgrade_scripts_dir=@abs_top_srcdir@/src/share/database/scripts/mysql
+
+ # Check if the scripts directory exists at all.
+ if [ ! -d ${upgrade_scripts_dir} ]; then
+@@ -405,7 +405,7 @@ pgsql_upgrade() {
+ # Check if there are any files in it
+ num_files=$(find "${upgrade_scripts_dir}" -name 'upgrade*.sh' -type f | wc -l)
+ if [ "$num_files" -eq 0 ]; then
+- upgrade_scripts_dir=@abs_top_builddir@/src/share/database/scripts/pgsql
++ upgrade_scripts_dir=@abs_top_srcdir@/src/share/database/scripts/pgsql
+
+ # Check if the scripts directory exists at all.
+ if [ ! -d ${upgrade_scripts_dir} ]; then
+--
+2.39.2
+
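Review bot: Replacing `@abs_top_builddir@` with `@abs_top_srcdir@` still bakes an absolute build-machine path into the installed kea-admin, and the first fallback sources `admin-utils.sh` from that path with `.` when the copy under `@datarootdir@` is missing. On a target image that directory is not owned by the package, so an administrative script should not fall back to it. Unless the recipe rewrites these paths elsewhere, a packaged build could fail instead, e.g. `else echo "admin-utils.sh not found" >&2; exit 1`. The header also says `Upstream-Status: Pending` while the text states upstream will not accept the patch, so the tag and the explanation disagree. mysql_upgrade and pgsql_upgrade start and end outside the inner hunks.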
diff --git a/poky/meta/recipes-connectivity/kea/kea_2.2.0.bb b/poky/meta/recipes-connectivity/kea/kea_2.4.0.bb
index 2c2e5a74dd..316468754e 100644
--- a/poky/meta/recipes-connectivity/kea/kea_2.2.0.bb
+++ b/poky/meta/recipes-connectivity/kea/kea_2.4.0.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "Kea is the next generation of DHCP software developed by ISC. It
HOMEPAGE = "http://kea.isc.org"
SECTION = "connectivity"
LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=97ce14bdd2733f5b84ab5e29380d057d"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ea061fa0188838072c4248c1318ec131"
DEPENDS = "boost log4cplus openssl"
@@ -17,8 +17,9 @@ SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \
file://fix-multilib-conflict.patch \
file://fix_pid_keactrl.patch \
file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \
+ file://0001-kea-fix-reproducible-build-failure.patch \
"
-SRC_URI[sha256sum] = "da7d90ca62a772602dac6e77e507319038422895ad68eeb142f1487d67d531d2"
+SRC_URI[sha256sum] = "3a33cd08dc3319ff544e6bbf2c0429042106f4051ebe115dc1bb2625c95003f7"
inherit autotools systemd update-rc.d upstream-version-is-even
diff --git a/poky/meta/recipes-connectivity/neard/neard_0.18.bb b/poky/meta/recipes-connectivity/neard/neard_0.19.bb
index 362a7615b6..a98f436b98 100644
--- a/poky/meta/recipes-connectivity/neard/neard_0.18.bb
+++ b/poky/meta/recipes-connectivity/neard/neard_0.19.bb
@@ -15,7 +15,7 @@ SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;bra
file://0001-Add-header-dependency-to-nciattach.o.patch \
"
-SRCREV = "c781008d3786e03173f0a0f5dfcc0545c787d7fc"
+SRCREV = "a1dc8a75cba999728e154a0f811ab9dd50c809f7"
S = "${WORKDIR}/git"
diff --git a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb
index e703395cc4..35cf6af6d4 100644
--- a/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb
+++ b/poky/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.3.bb
@@ -84,6 +84,7 @@ CONFFILES:${PN}-client += "${localstatedir}/lib/nfs/etab \
${sysconfdir}/nfsmount.conf"
FILES:${PN}-client = "${sbindir}/*statd \
+ ${libdir}/libnfsidmap.so.* \
${sbindir}/rpc.idmapd ${sbindir}/sm-notify \
${sbindir}/showmount ${sbindir}/nfsstat \
${localstatedir}/lib/nfs \
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/0001-openssh-regress-Makefile-print-logs-if-test-fails.patch b/poky/meta/recipes-connectivity/openssh/openssh/0001-openssh-regress-Makefile-print-logs-if-test-fails.patch
new file mode 100644
index 0000000000..baa68dc6ff
--- /dev/null
+++ b/poky/meta/recipes-connectivity/openssh/openssh/0001-openssh-regress-Makefile-print-logs-if-test-fails.patch
@@ -0,0 +1,34 @@
+From 554f7baed050f89ffc2a7192d3071e8c5420f6d3 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Fri, 25 Aug 2023 10:35:28 +0000
+Subject: [PATCH] openssh regress/Makefile: print logs if test fails
+
+Some tests are failing in CI runs and reproduction has failed. Print
+the captured sshd and ssh client logs if test fails. This should
+help to fix the root causes.
+
+Reference: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+---
+ regress/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/437]
+
+diff --git a/regress/Makefile b/regress/Makefile
+index d80bf59..a972dff 100644
+--- a/regress/Makefile
++++ b/regress/Makefile
+@@ -229,7 +229,7 @@ t-exec: ${LTESTS:=.sh}
+ done; \
+ if [ "x$${skip}" = "xno" ]; then \
+ echo "run test $${TEST}" ... 1>&2; \
+- (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
++ (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || (echo return value: $$?; echo capturing logs; cat *.log; exit 1); \
+ else \
+ echo skip test $${TEST} 1>&2; \
+ fi; \
+--
+2.34.1
+
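Review bot: The failure branch in the rewritten `t-exec` line puts `exit 1` inside parentheses, so it ends only that subshell and the enclosing `for` loop moves on to the next test, whereas the old `|| exit $$?` stopped the recipe with the test's own status. If make runs this recipe without `sh -e` (the GNU make default), a failed test may no longer fail the target unless it is the last one, which goes beyond the stated aim of printing logs. A brace group keeps the old behaviour and the real status: `... || { rc=$$?; echo return value: $$rc; echo capturing logs; cat *.log; exit $$rc; }; \`. Separately, `cat *.log` prints every log in the directory rather than the failing test's, so sshd and ssh debug output from unrelated tests ends up in shared CI logs; limiting it to the files written for the current test would keep that output smaller. The `t-exec` recipe starts and ends outside the hunk.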
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch b/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch
deleted file mode 100644
index 4c8aa085f3..0000000000
--- a/poky/meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch
+++ /dev/null
@@ -1,994 +0,0 @@
-From 7280401bdd77ca54be6867a154cc01e0d72612e0 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Fri, 24 Mar 2023 13:56:25 +1100
-Subject: [PATCH] remove support for old libcrypto
-
-OpenSSH now requires LibreSSL 3.1.0 or greater or
-OpenSSL 1.1.1 or greater
-
-with/ok dtucker@
-
-Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7280401bdd77ca54be6867a154cc01e0d72612e0]
-Comment: Hunks are refreshed.
-Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
-
----
- .github/workflows/c-cpp.yml | 7 -
- INSTALL | 8 +-
- cipher-aes.c | 2 +-
- configure.ac | 96 ++---
- openbsd-compat/libressl-api-compat.c | 556 +--------------------------
- openbsd-compat/openssl-compat.h | 151 +-------
- 6 files changed, 40 insertions(+), 780 deletions(-)
-
-diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
-index 3d9aa22dba5..d299a32468d 100644
---- a/.github/workflows/c-cpp.yml
-+++ b/.github/workflows/c-cpp.yml
-@@ -47,9 +47,6 @@ jobs:
- - { target: ubuntu-20.04, config: tcmalloc }
- - { target: ubuntu-20.04, config: musl }
- - { target: ubuntu-latest, config: libressl-master }
-- - { target: ubuntu-latest, config: libressl-2.2.9 }
-- - { target: ubuntu-latest, config: libressl-2.8.3 }
-- - { target: ubuntu-latest, config: libressl-3.0.2 }
- - { target: ubuntu-latest, config: libressl-3.2.6 }
- - { target: ubuntu-latest, config: libressl-3.3.6 }
- - { target: ubuntu-latest, config: libressl-3.4.3 }
-@@ -58,10 +55,6 @@ jobs:
- - { target: ubuntu-latest, config: libressl-3.7.0 }
- - { target: ubuntu-latest, config: openssl-master }
- - { target: ubuntu-latest, config: openssl-noec }
-- - { target: ubuntu-latest, config: openssl-1.0.1 }
-- - { target: ubuntu-latest, config: openssl-1.0.1u }
-- - { target: ubuntu-latest, config: openssl-1.0.2u }
-- - { target: ubuntu-latest, config: openssl-1.1.0h }
- - { target: ubuntu-latest, config: openssl-1.1.1 }
- - { target: ubuntu-latest, config: openssl-1.1.1k }
- - { target: ubuntu-latest, config: openssl-1.1.1n }
-diff --git a/INSTALL b/INSTALL
-index 68b15e13190..f99d1e2a809 100644
---- a/INSTALL
-+++ b/INSTALL
-@@ -21,12 +21,8 @@ https://zlib.net/
-
- libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto
- is supported but severely restricts the available ciphers and algorithms.
-- - LibreSSL (https://www.libressl.org/)
-- - OpenSSL (https://www.openssl.org) with any of the following versions:
-- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
--
--Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
--1.1.0g can't be used.
-+ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater
-+ - OpenSSL (https://www.openssl.org) 1.1.1 or greater
-
- LibreSSL/OpenSSL should be compiled as a position-independent library
- (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
-diff --git a/cipher-aes.c b/cipher-aes.c
-index 8b101727284..87c763353d8 100644
---- a/cipher-aes.c
-+++ b/cipher-aes.c
-@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-
- static int
- ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-- LIBCRYPTO_EVP_INL_TYPE len)
-+ size_t len)
- {
- struct ssh_rijndael_ctx *c;
- u_char buf[RIJNDAEL_BLOCKSIZE];
-diff --git a/configure.ac b/configure.ac
-index 22fee70f604..1c0ccdf19c5 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then
- #include <openssl/crypto.h>
- #define DATA "conftest.ssllibver"
- ]], [[
-- FILE *fd;
-- int rc;
-+ FILE *f;
-
-- fd = fopen(DATA,"w");
-- if(fd == NULL)
-+ if ((f = fopen(DATA, "w")) == NULL)
- exit(1);
--#ifndef OPENSSL_VERSION
--# define OPENSSL_VERSION SSLEAY_VERSION
--#endif
--#ifndef HAVE_OPENSSL_VERSION
--# define OpenSSL_version SSLeay_version
--#endif
--#ifndef HAVE_OPENSSL_VERSION_NUM
--# define OpenSSL_version_num SSLeay
--#endif
-- if ((rc = fprintf(fd, "%08lx (%s)\n",
-+ if (fprintf(f, "%08lx (%s)",
- (unsigned long)OpenSSL_version_num(),
-- OpenSSL_version(OPENSSL_VERSION))) < 0)
-+ OpenSSL_version(OPENSSL_VERSION)) < 0)
-+ exit(1);
-+#ifdef LIBRESSL_VERSION_NUMBER
-+ if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0)
-+ exit(1);
-+#endif
-+ if (fputc('\n', f) == EOF || fclose(f) == EOF)
- exit(1);
--
- exit(0);
- ]])],
- [
-- ssl_library_ver=`cat conftest.ssllibver`
-+ sslver=`cat conftest.ssllibver`
-+ ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'`
- # Check version is supported.
-- case "$ssl_library_ver" in
-- 10000*|0*)
-- AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
-- ;;
-- 100*) ;; # 1.0.x
-- 101000[[0123456]]*)
-- # https://github.com/openssl/openssl/pull/4613
-- AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
-+ case "$sslver" in
-+ 100*|10100*) # 1.0.x, 1.1.0x
-+ AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")])
- ;;
- 101*) ;; # 1.1.x
-- 200*) ;; # LibreSSL
-+ 200*) # LibreSSL
-+ lver=`echo "$sslver" | sed 's/.*libressl-//'`
-+ case "$lver" in
-+ 2*|300*) # 2.x, 3.0.0
-+ AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")])
-+ ;;
-+ *) ;; # Assume all other versions are good.
-+ esac
-+ ;;
- 300*)
- # OpenSSL 3; we use the 1.1x API
- CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
-@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then
- CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
- ;;
- *)
-- AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
-+ AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")])
- ;;
- esac
-- AC_MSG_RESULT([$ssl_library_ver])
-+ AC_MSG_RESULT([$ssl_showver])
- ],
- [
- AC_MSG_RESULT([not found])
-@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then
-
- case "$host" in
- x86_64-*)
-- case "$ssl_library_ver" in
-+ case "$sslver" in
- 3000004*)
- AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
- ;;
-@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then
- #include <openssl/opensslv.h>
- #include <openssl/crypto.h>
- ]], [[
--#ifndef HAVE_OPENSSL_VERSION_NUM
--# define OpenSSL_version_num SSLeay
--#endif
- exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
- ]])],
- [
-@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then
- )
- )
-
-- # LibreSSL/OpenSSL 1.1x API
-+ # LibreSSL/OpenSSL API differences
- AC_CHECK_FUNCS([ \
-- OPENSSL_init_crypto \
-- DH_get0_key \
-- DH_get0_pqg \
-- DH_set0_key \
-- DH_set_length \
-- DH_set0_pqg \
-- DSA_get0_key \
-- DSA_get0_pqg \
-- DSA_set0_key \
-- DSA_set0_pqg \
-- DSA_SIG_get0 \
-- DSA_SIG_set0 \
-- ECDSA_SIG_get0 \
-- ECDSA_SIG_set0 \
- EVP_CIPHER_CTX_iv \
- EVP_CIPHER_CTX_iv_noconst \
- EVP_CIPHER_CTX_get_iv \
- EVP_CIPHER_CTX_get_updated_iv \
- EVP_CIPHER_CTX_set_iv \
-- RSA_get0_crt_params \
-- RSA_get0_factors \
-- RSA_get0_key \
-- RSA_set0_crt_params \
-- RSA_set0_factors \
-- RSA_set0_key \
-- RSA_meth_free \
-- RSA_meth_dup \
-- RSA_meth_set1_name \
-- RSA_meth_get_finish \
-- RSA_meth_set_priv_enc \
-- RSA_meth_set_priv_dec \
-- RSA_meth_set_finish \
-- EVP_PKEY_get0_RSA \
-- EVP_MD_CTX_new \
-- EVP_MD_CTX_free \
-- EVP_chacha20 \
- ])
-
- if test "x$openssl_engine" = "xyes" ; then
-@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then
- ]
- )
-
-- # Check for SHA256, SHA384 and SHA512 support in OpenSSL
-- AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
-+ # Check for various EVP support in OpenSSL
-+ AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20])
-
- # Check complete ECC support in OpenSSL
- AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
-diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c
-index 498180dc894..59be17397c5 100644
---- a/openbsd-compat/libressl-api-compat.c
-+++ b/openbsd-compat/libressl-api-compat.c
-@@ -1,129 +1,5 @@
--/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */
--/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */
--/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */
--/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */
--/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */
--/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
--/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-- * All rights reserved.
-- *
-- * This package is an SSL implementation written
-- * by Eric Young (eay@cryptsoft.com).
-- * The implementation was written so as to conform with Netscapes SSL.
-- *
-- * This library is free for commercial and non-commercial use as long as
-- * the following conditions are aheared to. The following conditions
-- * apply to all code found in this distribution, be it the RC4, RSA,
-- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-- * included with this distribution is covered by the same copyright terms
-- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-- *
-- * Copyright remains Eric Young's, and as such any Copyright notices in
-- * the code are not to be removed.
-- * If this package is used in a product, Eric Young should be given attribution
-- * as the author of the parts of the library used.
-- * This can be in the form of a textual message at program startup or
-- * in documentation (online or textual) provided with the package.
-- *
-- * Redistribution and use in source and binary forms, with or without
-- * modification, are permitted provided that the following conditions
-- * are met:
-- * 1. Redistributions of source code must retain the copyright
-- * notice, this list of conditions and the following disclaimer.
-- * 2. Redistributions in binary form must reproduce the above copyright
-- * notice, this list of conditions and the following disclaimer in the
-- * documentation and/or other materials provided with the distribution.
-- * 3. All advertising materials mentioning features or use of this software
-- * must display the following acknowledgement:
-- * "This product includes cryptographic software written by
-- * Eric Young (eay@cryptsoft.com)"
-- * The word 'cryptographic' can be left out if the rouines from the library
-- * being used are not cryptographic related :-).
-- * 4. If you include any Windows specific code (or a derivative thereof) from
-- * the apps directory (application code) you must include an acknowledgement:
-- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-- *
-- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-- * SUCH DAMAGE.
-- *
-- * The licence and distribution terms for any publically available version or
-- * derivative of this code cannot be changed. i.e. this code cannot simply be
-- * copied and put under another distribution licence
-- * [including the GNU Public Licence.]
-- */
--
--/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */
--/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */
--/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
--/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-- * project 2000.
-- */
--/* ====================================================================
-- * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
-- *
-- * Redistribution and use in source and binary forms, with or without
-- * modification, are permitted provided that the following conditions
-- * are met:
-- *
-- * 1. Redistributions of source code must retain the above copyright
-- * notice, this list of conditions and the following disclaimer.
-- *
-- * 2. Redistributions in binary form must reproduce the above copyright
-- * notice, this list of conditions and the following disclaimer in
-- * the documentation and/or other materials provided with the
-- * distribution.
-- *
-- * 3. All advertising materials mentioning features or use of this
-- * software must display the following acknowledgment:
-- * "This product includes software developed by the OpenSSL Project
-- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-- *
-- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-- * endorse or promote products derived from this software without
-- * prior written permission. For written permission, please contact
-- * licensing@OpenSSL.org.
-- *
-- * 5. Products derived from this software may not be called "OpenSSL"
-- * nor may "OpenSSL" appear in their names without prior written
-- * permission of the OpenSSL Project.
-- *
-- * 6. Redistributions of any form whatsoever must retain the following
-- * acknowledgment:
-- * "This product includes software developed by the OpenSSL Project
-- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-- *
-- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-- * OF THE POSSIBILITY OF SUCH DAMAGE.
-- * ====================================================================
-- *
-- * This product includes cryptographic software written by Eric Young
-- * (eay@cryptsoft.com). This product includes software written by Tim
-- * Hudson (tjh@cryptsoft.com).
-- *
-- */
--
--/* $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $ */
- /*
-- * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
-+ * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -147,192 +23,7 @@
- #include <stdlib.h>
- #include <string.h>
-
--#include <openssl/err.h>
--#include <openssl/bn.h>
--#include <openssl/dsa.h>
--#include <openssl/rsa.h>
- #include <openssl/evp.h>
--#ifdef OPENSSL_HAS_ECC
--#include <openssl/ecdsa.h>
--#endif
--#include <openssl/dh.h>
--
--#ifndef HAVE_DSA_GET0_PQG
--void
--DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
--{
-- if (p != NULL)
-- *p = d->p;
-- if (q != NULL)
-- *q = d->q;
-- if (g != NULL)
-- *g = d->g;
--}
--#endif /* HAVE_DSA_GET0_PQG */
--
--#ifndef HAVE_DSA_SET0_PQG
--int
--DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
--{
-- if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) ||
-- (d->g == NULL && g == NULL))
-- return 0;
--
-- if (p != NULL) {
-- BN_free(d->p);
-- d->p = p;
-- }
-- if (q != NULL) {
-- BN_free(d->q);
-- d->q = q;
-- }
-- if (g != NULL) {
-- BN_free(d->g);
-- d->g = g;
-- }
--
-- return 1;
--}
--#endif /* HAVE_DSA_SET0_PQG */
--
--#ifndef HAVE_DSA_GET0_KEY
--void
--DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key)
--{
-- if (pub_key != NULL)
-- *pub_key = d->pub_key;
-- if (priv_key != NULL)
-- *priv_key = d->priv_key;
--}
--#endif /* HAVE_DSA_GET0_KEY */
--
--#ifndef HAVE_DSA_SET0_KEY
--int
--DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
--{
-- if (d->pub_key == NULL && pub_key == NULL)
-- return 0;
--
-- if (pub_key != NULL) {
-- BN_free(d->pub_key);
-- d->pub_key = pub_key;
-- }
-- if (priv_key != NULL) {
-- BN_free(d->priv_key);
-- d->priv_key = priv_key;
-- }
--
-- return 1;
--}
--#endif /* HAVE_DSA_SET0_KEY */
--
--#ifndef HAVE_RSA_GET0_KEY
--void
--RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
--{
-- if (n != NULL)
-- *n = r->n;
-- if (e != NULL)
-- *e = r->e;
-- if (d != NULL)
-- *d = r->d;
--}
--#endif /* HAVE_RSA_GET0_KEY */
--
--#ifndef HAVE_RSA_SET0_KEY
--int
--RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
--{
-- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
-- return 0;
--
-- if (n != NULL) {
-- BN_free(r->n);
-- r->n = n;
-- }
-- if (e != NULL) {
-- BN_free(r->e);
-- r->e = e;
-- }
-- if (d != NULL) {
-- BN_free(r->d);
-- r->d = d;
-- }
--
-- return 1;
--}
--#endif /* HAVE_RSA_SET0_KEY */
--
--#ifndef HAVE_RSA_GET0_CRT_PARAMS
--void
--RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-- const BIGNUM **iqmp)
--{
-- if (dmp1 != NULL)
-- *dmp1 = r->dmp1;
-- if (dmq1 != NULL)
-- *dmq1 = r->dmq1;
-- if (iqmp != NULL)
-- *iqmp = r->iqmp;
--}
--#endif /* HAVE_RSA_GET0_CRT_PARAMS */
--
--#ifndef HAVE_RSA_SET0_CRT_PARAMS
--int
--RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
--{
-- if ((r->dmp1 == NULL && dmp1 == NULL) ||
-- (r->dmq1 == NULL && dmq1 == NULL) ||
-- (r->iqmp == NULL && iqmp == NULL))
-- return 0;
--
-- if (dmp1 != NULL) {
-- BN_free(r->dmp1);
-- r->dmp1 = dmp1;
-- }
-- if (dmq1 != NULL) {
-- BN_free(r->dmq1);
-- r->dmq1 = dmq1;
-- }
-- if (iqmp != NULL) {
-- BN_free(r->iqmp);
-- r->iqmp = iqmp;
-- }
--
-- return 1;
--}
--#endif /* HAVE_RSA_SET0_CRT_PARAMS */
--
--#ifndef HAVE_RSA_GET0_FACTORS
--void
--RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
--{
-- if (p != NULL)
-- *p = r->p;
-- if (q != NULL)
-- *q = r->q;
--}
--#endif /* HAVE_RSA_GET0_FACTORS */
--
--#ifndef HAVE_RSA_SET0_FACTORS
--int
--RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
--{
-- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))
-- return 0;
--
-- if (p != NULL) {
-- BN_free(r->p);
-- r->p = p;
-- }
-- if (q != NULL) {
-- BN_free(r->q);
-- r->q = q;
-- }
--
-- return 1;
--}
--#endif /* HAVE_RSA_SET0_FACTORS */
-
- #ifndef HAVE_EVP_CIPHER_CTX_GET_IV
- int
-@@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len)
- }
- #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
-
--#ifndef HAVE_DSA_SIG_GET0
--void
--DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
--{
-- if (pr != NULL)
-- *pr = sig->r;
-- if (ps != NULL)
-- *ps = sig->s;
--}
--#endif /* HAVE_DSA_SIG_GET0 */
--
--#ifndef HAVE_DSA_SIG_SET0
--int
--DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
--{
-- if (r == NULL || s == NULL)
-- return 0;
--
-- BN_clear_free(sig->r);
-- sig->r = r;
-- BN_clear_free(sig->s);
-- sig->s = s;
--
-- return 1;
--}
--#endif /* HAVE_DSA_SIG_SET0 */
--
--#ifdef OPENSSL_HAS_ECC
--#ifndef HAVE_ECDSA_SIG_GET0
--void
--ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
--{
-- if (pr != NULL)
-- *pr = sig->r;
-- if (ps != NULL)
-- *ps = sig->s;
--}
--#endif /* HAVE_ECDSA_SIG_GET0 */
--
--#ifndef HAVE_ECDSA_SIG_SET0
--int
--ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
--{
-- if (r == NULL || s == NULL)
-- return 0;
--
-- BN_clear_free(sig->r);
-- BN_clear_free(sig->s);
-- sig->r = r;
-- sig->s = s;
-- return 1;
--}
--#endif /* HAVE_ECDSA_SIG_SET0 */
--#endif /* OPENSSL_HAS_ECC */
--
--#ifndef HAVE_DH_GET0_PQG
--void
--DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
--{
-- if (p != NULL)
-- *p = dh->p;
-- if (q != NULL)
-- *q = dh->q;
-- if (g != NULL)
-- *g = dh->g;
--}
--#endif /* HAVE_DH_GET0_PQG */
--
--#ifndef HAVE_DH_SET0_PQG
--int
--DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
--{
-- if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
-- return 0;
--
-- if (p != NULL) {
-- BN_free(dh->p);
-- dh->p = p;
-- }
-- if (q != NULL) {
-- BN_free(dh->q);
-- dh->q = q;
-- }
-- if (g != NULL) {
-- BN_free(dh->g);
-- dh->g = g;
-- }
--
-- return 1;
--}
--#endif /* HAVE_DH_SET0_PQG */
--
--#ifndef HAVE_DH_GET0_KEY
--void
--DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
--{
-- if (pub_key != NULL)
-- *pub_key = dh->pub_key;
-- if (priv_key != NULL)
-- *priv_key = dh->priv_key;
--}
--#endif /* HAVE_DH_GET0_KEY */
--
--#ifndef HAVE_DH_SET0_KEY
--int
--DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
--{
-- if (pub_key != NULL) {
-- BN_free(dh->pub_key);
-- dh->pub_key = pub_key;
-- }
-- if (priv_key != NULL) {
-- BN_free(dh->priv_key);
-- dh->priv_key = priv_key;
-- }
--
-- return 1;
--}
--#endif /* HAVE_DH_SET0_KEY */
--
--#ifndef HAVE_DH_SET_LENGTH
--int
--DH_set_length(DH *dh, long length)
--{
-- if (length < 0 || length > INT_MAX)
-- return 0;
--
-- dh->length = length;
-- return 1;
--}
--#endif /* HAVE_DH_SET_LENGTH */
--
--#ifndef HAVE_RSA_METH_FREE
--void
--RSA_meth_free(RSA_METHOD *meth)
--{
-- if (meth != NULL) {
-- free((char *)meth->name);
-- free(meth);
-- }
--}
--#endif /* HAVE_RSA_METH_FREE */
--
--#ifndef HAVE_RSA_METH_DUP
--RSA_METHOD *
--RSA_meth_dup(const RSA_METHOD *meth)
--{
-- RSA_METHOD *copy;
--
-- if ((copy = calloc(1, sizeof(*copy))) == NULL)
-- return NULL;
-- memcpy(copy, meth, sizeof(*copy));
-- if ((copy->name = strdup(meth->name)) == NULL) {
-- free(copy);
-- return NULL;
-- }
--
-- return copy;
--}
--#endif /* HAVE_RSA_METH_DUP */
--
--#ifndef HAVE_RSA_METH_SET1_NAME
--int
--RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
--{
-- char *copy;
--
-- if ((copy = strdup(name)) == NULL)
-- return 0;
-- free((char *)meth->name);
-- meth->name = copy;
-- return 1;
--}
--#endif /* HAVE_RSA_METH_SET1_NAME */
--
--#ifndef HAVE_RSA_METH_GET_FINISH
--int
--(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa)
--{
-- return meth->finish;
--}
--#endif /* HAVE_RSA_METH_GET_FINISH */
--
--#ifndef HAVE_RSA_METH_SET_PRIV_ENC
--int
--RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
-- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
--{
-- meth->rsa_priv_enc = priv_enc;
-- return 1;
--}
--#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
--
--#ifndef HAVE_RSA_METH_SET_PRIV_DEC
--int
--RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
-- const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
--{
-- meth->rsa_priv_dec = priv_dec;
-- return 1;
--}
--#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
--
--#ifndef HAVE_RSA_METH_SET_FINISH
--int
--RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
--{
-- meth->finish = finish;
-- return 1;
--}
--#endif /* HAVE_RSA_METH_SET_FINISH */
--
--#ifndef HAVE_EVP_PKEY_GET0_RSA
--RSA *
--EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
--{
-- if (pkey->type != EVP_PKEY_RSA) {
-- /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */
-- return NULL;
-- }
-- return pkey->pkey.rsa;
--}
--#endif /* HAVE_EVP_PKEY_GET0_RSA */
--
--#ifndef HAVE_EVP_MD_CTX_NEW
--EVP_MD_CTX *
--EVP_MD_CTX_new(void)
--{
-- return calloc(1, sizeof(EVP_MD_CTX));
--}
--#endif /* HAVE_EVP_MD_CTX_NEW */
--
--#ifndef HAVE_EVP_MD_CTX_FREE
--void
--EVP_MD_CTX_free(EVP_MD_CTX *ctx)
--{
-- if (ctx == NULL)
-- return;
--
-- EVP_MD_CTX_cleanup(ctx);
--
-- free(ctx);
--}
--#endif /* HAVE_EVP_MD_CTX_FREE */
--
- #endif /* WITH_OPENSSL */
-diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
-index 61a69dd56eb..d0dd2c3450d 100644
---- a/openbsd-compat/openssl-compat.h
-+++ b/openbsd-compat/openssl-compat.h
-@@ -33,26 +33,13 @@
- int ssh_compatible_openssl(long, long);
- void ssh_libcrypto_init(void);
-
--#if (OPENSSL_VERSION_NUMBER < 0x1000100fL)
--# error OpenSSL 1.0.1 or greater is required
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-+# error OpenSSL 1.1.0 or greater is required
- #endif
--
--#ifndef OPENSSL_VERSION
--# define OPENSSL_VERSION SSLEAY_VERSION
--#endif
--
--#ifndef HAVE_OPENSSL_VERSION
--# define OpenSSL_version(x) SSLeay_version(x)
--#endif
--
--#ifndef HAVE_OPENSSL_VERSION_NUM
--# define OpenSSL_version_num SSLeay
--#endif
--
--#if OPENSSL_VERSION_NUMBER < 0x10000001L
--# define LIBCRYPTO_EVP_INL_TYPE unsigned int
--#else
--# define LIBCRYPTO_EVP_INL_TYPE size_t
-+#ifdef LIBRESSL_VERSION_NUMBER
-+# if LIBRESSL_VERSION_NUMBER < 0x3010000fL
-+# error LibreSSL 3.1.0 or greater is required
-+# endif
- #endif
-
- #ifndef OPENSSL_RSA_MAX_MODULUS_BITS
-@@ -68,25 +55,6 @@ void ssh_libcrypto_init(void);
- # endif
- #endif
-
--/* LibreSSL/OpenSSL 1.1x API compat */
--#ifndef HAVE_DSA_GET0_PQG
--void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
-- const BIGNUM **g);
--#endif /* HAVE_DSA_GET0_PQG */
--
--#ifndef HAVE_DSA_SET0_PQG
--int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
--#endif /* HAVE_DSA_SET0_PQG */
--
--#ifndef HAVE_DSA_GET0_KEY
--void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
-- const BIGNUM **priv_key);
--#endif /* HAVE_DSA_GET0_KEY */
--
--#ifndef HAVE_DSA_SET0_KEY
--int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
--#endif /* HAVE_DSA_SET0_KEY */
--
- #ifndef HAVE_EVP_CIPHER_CTX_GET_IV
- # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV
- # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv
-@@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx,
- const unsigned char *iv, size_t len);
- #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
-
--#ifndef HAVE_RSA_GET0_KEY
--void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
-- const BIGNUM **d);
--#endif /* HAVE_RSA_GET0_KEY */
--
--#ifndef HAVE_RSA_SET0_KEY
--int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
--#endif /* HAVE_RSA_SET0_KEY */
--
--#ifndef HAVE_RSA_GET0_CRT_PARAMS
--void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-- const BIGNUM **iqmp);
--#endif /* HAVE_RSA_GET0_CRT_PARAMS */
--
--#ifndef HAVE_RSA_SET0_CRT_PARAMS
--int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
--#endif /* HAVE_RSA_SET0_CRT_PARAMS */
--
--#ifndef HAVE_RSA_GET0_FACTORS
--void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
--#endif /* HAVE_RSA_GET0_FACTORS */
--
--#ifndef HAVE_RSA_SET0_FACTORS
--int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
--#endif /* HAVE_RSA_SET0_FACTORS */
--
--#ifndef DSA_SIG_GET0
--void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
--#endif /* DSA_SIG_GET0 */
--
--#ifndef DSA_SIG_SET0
--int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
--#endif /* DSA_SIG_SET0 */
--
--#ifdef OPENSSL_HAS_ECC
--#ifndef HAVE_ECDSA_SIG_GET0
--void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
--#endif /* HAVE_ECDSA_SIG_GET0 */
--
--#ifndef HAVE_ECDSA_SIG_SET0
--int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
--#endif /* HAVE_ECDSA_SIG_SET0 */
--#endif /* OPENSSL_HAS_ECC */
--
--#ifndef HAVE_DH_GET0_PQG
--void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
-- const BIGNUM **g);
--#endif /* HAVE_DH_GET0_PQG */
--
--#ifndef HAVE_DH_SET0_PQG
--int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
--#endif /* HAVE_DH_SET0_PQG */
--
--#ifndef HAVE_DH_GET0_KEY
--void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
--#endif /* HAVE_DH_GET0_KEY */
--
--#ifndef HAVE_DH_SET0_KEY
--int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
--#endif /* HAVE_DH_SET0_KEY */
--
--#ifndef HAVE_DH_SET_LENGTH
--int DH_set_length(DH *dh, long length);
--#endif /* HAVE_DH_SET_LENGTH */
--
--#ifndef HAVE_RSA_METH_FREE
--void RSA_meth_free(RSA_METHOD *meth);
--#endif /* HAVE_RSA_METH_FREE */
--
--#ifndef HAVE_RSA_METH_DUP
--RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
--#endif /* HAVE_RSA_METH_DUP */
--
--#ifndef HAVE_RSA_METH_SET1_NAME
--int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
--#endif /* HAVE_RSA_METH_SET1_NAME */
--
--#ifndef HAVE_RSA_METH_GET_FINISH
--int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa);
--#endif /* HAVE_RSA_METH_GET_FINISH */
--
--#ifndef HAVE_RSA_METH_SET_PRIV_ENC
--int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
-- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
--#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
--
--#ifndef HAVE_RSA_METH_SET_PRIV_DEC
--int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
-- const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
--#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
--
--#ifndef HAVE_RSA_METH_SET_FINISH
--int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa));
--#endif /* HAVE_RSA_METH_SET_FINISH */
--
--#ifndef HAVE_EVP_PKEY_GET0_RSA
--RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
--#endif /* HAVE_EVP_PKEY_GET0_RSA */
--
--#ifndef HAVE_EVP_MD_CTX_new
--EVP_MD_CTX *EVP_MD_CTX_new(void);
--#endif /* HAVE_EVP_MD_CTX_new */
--
--#ifndef HAVE_EVP_MD_CTX_free
--void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
--#endif /* HAVE_EVP_MD_CTX_free */
--
- #endif /* WITH_OPENSSL */
- #endif /* _OPENSSL_COMPAT_H */
diff --git a/poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb b/poky/meta/recipes-connectivity/openssh/openssh_9.4p1.bb
index 5fb2dccdfc..2c85780e4d 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh_9.3p2.bb
+++ b/poky/meta/recipes-connectivity/openssh/openssh_9.4p1.bb
@@ -24,9 +24,9 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
- file://7280401bdd77ca54be6867a154cc01e0d72612e0.patch \
+ file://0001-openssh-regress-Makefile-print-logs-if-test-fails.patch \
"
-SRC_URI[sha256sum] = "200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8"
+SRC_URI[sha256sum] = "3608fd9088db2163ceb3e600c85ab79d0de3d221e59192ea1923e23263866a85"
CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
diff --git a/poky/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb
index c2a7173c84..3f77c218c8 100644
--- a/poky/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/poky/meta/recipes-connectivity/openssl/openssl_3.1.2.bb
@@ -18,9 +18,9 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
+SRC_URI[sha256sum] = "a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539"
-inherit lib_package multilib_header multilib_script ptest perlnative
+inherit lib_package multilib_header multilib_script ptest perlnative manpages
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
PACKAGECONFIG ?= ""
@@ -30,6 +30,7 @@ PACKAGECONFIG:class-nativesdk = ""
PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
PACKAGECONFIG[no-tls1] = "no-tls1"
PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+PACKAGECONFIG[manpages] = ""
B = "${WORKDIR}/build"
do_configure[cleandirs] = "${B}"
@@ -145,7 +146,7 @@ do_configure () {
}
do_install () {
- oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
+ oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
oe_multilib_header openssl/opensslconf.h
oe_multilib_header openssl/configuration.h
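Review bot: Nothing in the recipe explains that the empty `PACKAGECONFIG[manpages] = ""` flag added in the previous hunk has no configure switch and exists only to gate the `install_docs` target in the rewritten `oe_runmake` line of do_install. A comment above the flag, such as `# manpages: no configure option; only selects 'install_docs' in do_install`, would make that coupling visible to the next maintainer. As far as I know, OpenSSL's `install_docs` target also installs the HTML documentation, so `install_man_docs` may be the narrower choice if only man pages are intended; confirm this against the 3.1.2 Makefile. The body of do_install continues outside this hunk, so later steps that may depend on files the old `install` target created could not be checked here.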