subtree updates
meta-arm: 1dff3300fb..0b61cc659a:
Ross Burton (1):
meta-arm/selftest: add test that PAC/BTI instructions are used
meta-openembedded: 991e6852a5..5ad7203f68:
Alexander Kanavin (1):
fio: revert "fio: upgrade 3.32 -> 2022"
BELOUARGA Mohamed (1):
monocypher: add crypto library recipe
Dylan Turner (1):
apache2: v2.4.57 to v2.4.58 to fix CVE-2023-43622
Hongxu Jia (1):
freeradius: make sub packages to runtime depends on freeradius
Kai Kang (1):
libnma: remove conflict xml file
Khem Raj (12):
nlohmann-json: Fix SRCREV_FORMAT and do not package git metadata into ptests
ptest-packagelists-meta-oe.inc: Move poco to slow tests
sdbus-c++-libsystemd: Upgrade to 254
sdbus-c++-tools: Upgrade to 1.4.0
gstd: Fix systemd user unit packaging
basu: Update to latest master
sdbus-c++: Install ptests into PTEST_PATH
liblognorm:Add asprintf to autoconf function check macro
gnome-console,gnome-terminal: Depend on vte from core layer
Revert "gnome-terminal: Remove recommendation on vte-prompt"
vte9: Drop recipe
basu: Update the SRCREV to get lld fix
Luca Fancellu (1):
linuxptp: Update downstream patches
Markus Volk (9):
libcacard: fix version string in libcacard.pc
cups-filters: fix Makefile race condition
system-config-printer: Add packageconfig for polkit
pipewire: upgrade 0.3.85 > 1.0.0
libcacard: set meson version based on PV
spice: Set meson version based on PV
spice-gtk: Set meson version based on PV
libdecor: update 0.2.0 -> 0.2.1
xdg-desktop-portal-gnome: upgrade 45.0 -> 45.1
Naveen Saini (2):
tbb: upgrade 2021.9.0 -> 2021.11.0
tbb: enable NUMA/Hybrid CPU support
Patrick Wicki (6):
squid: update from v5.7 to v6.5
squid: add nm dispatcher reload hook
squid: add auth packageconfig
squid: move configs to sub package
squid: add url-rewrite-helpers packageconfig
squid: add systemd service
Patrick Williams (1):
glog: Disable 64bit atomics on armv{5,6}
Peter Kjellerstedt (1):
redis: Inherit pkgconfig
Ross Burton (1):
python3-validators: add new recipe
Wang Mingyu (26):
ctags: upgrade 6.0.20231119.0 -> 6.0.20231126.0
dnfdragora: upgrade 2.1.4 -> 2.1.5
gensio: upgrade 2.7.7 -> 2.8.0
frr: upgrade 9.0.1 -> 9.1
capnproto: upgrade 1.0.1 -> 1.0.1.1
libbpf: upgrade 1.2.2 -> 1.3.0
paho-mqtt-cpp: upgrade 1.2.0 -> 1.3.1
tomoyo-tools: upgrade 2.5.0 -> 2.6.1
python3-aiohttp: upgrade 3.9.0 -> 3.9.1
python3-bitstring: upgrade 4.1.2 -> 4.1.3
python3-dbus-fast: upgrade 2.14.0 -> 2.15.0
python3-humanize: upgrade 4.8.0 -> 4.9.0
python3-ipython: upgrade 8.17.2 -> 8.18.0
python3-mypy: upgrade 1.7.0 -> 1.7.1
python3-pdm: upgrade 2.10.3 -> 2.10.4
python3-pexpect: upgrade 4.8.0 -> 4.9.0
python3-pychromecast: upgrade 13.0.7 -> 13.0.8
python3-pydantic: upgrade 2.5.1 -> 2.5.2
python3-pymisp: upgrade 2.4.178 -> 2.4.179
python3-pytest-xdist: upgrade 3.4.0 -> 3.5.0
python3-sentry-sdk: upgrade 1.35.0 -> 1.37.1
python3-types-setuptools: upgrade 68.2.0.1 -> 68.2.0.2
python3-virtualenv: upgrade 20.24.6 -> 20.24.7
redis: upgrade 7.2.2 -> 7.2.3
ser2net: upgrade 4.5.1 -> 4.6.0
thingsboard-gateway: upgrade 3.4.2 -> 3.4.3.1
alperak (12):
squashfs-tools-ng: upgrade 1.1.4 -> 1.2.0
tmate: Fix finding msgpack 6+
msgpack-c: upgrade 4.0.0 -> 6.0.0
msgpack-cpp: upgrade 4.1.1 -> 6.1.0
brotli: upgrade 1.0.9 -> 1.1.0
icewm: upgrade 2.9.9 -> 3.4.4
iotop: upgrade 1.21 -> 1.25
liblognorm: upgrade 1.0.1 -> 2.0.6
libmodbus: upgrade 3.1.7 -> 3.1.10
libpwquality: upgrade 1.4.4 -> 1.4.5
libspiro: upgrade 20200505 -> 20221101
gtkwave: upgrade 3.3.111 -> 3.3.117
poky: 2696bf8cf3..028b6f6226:
Adrian Freihofer (1):
cmake-qemu.bbclass: support qemu for cmake
Alassane Yattara (9):
bitbake: toaster/tests: Update methods wait_until_~ to skip using time.sleep
bitbake: toaster/tests: Override table edit columns TestCase from image recipe page
bitbake: toaster/tests: Test software recipe page
bitbake: toaster/tests: Added Machine page TestCase
bitbake: toaster/tests: Added Layers page TestCase
bitbake: toaster/tests: Added distro page TestCase
bitbake: toaster/tests: Bug-fix on tests/functional/test_project_page
bitbake: toaster/tests: Test single layer page
bitbake: toaster/tests: Test single recipe page
Alex Kiernan (4):
rust: Delete python2 configparser code path
rust: Drop TARGET_VENDOR export
eudev: Upgrade 3.2.12 -> 3.2.14
rust: Drop targets and hosts override magic
Alexander Kanavin (15):
python3-pyproject-hooks: fix upstream version check
cmake: upgrade 3.27.5 -> 3.27.7
desktop-file-utils: upgrade 0.26 -> 0.27
erofs-utils: upgrade 1.6 -> 1.7.1
webkitgtk: update 2.40.5 -> 2.42.2
epiphany: upgrade 44.6 -> 45.1
virglrenderer: upgrade 0.10.4 -> 1.0.0
libxkbcommon: upgrade 1.5.0 -> 1.6.0
mpg123: upgrade 1.31.3 -> 1.32.3
icu: upgrade 73-2 -> 74-1
p11-kit: upgrade 0.25.0 -> 0.25.2
glib-2.0: install gio-querymodules into bindir as well as libexecdir for native
meson: update 1.2.2 -> 1.3.0
repo: update 2.37 -> 2.39
rt-tests: update 2.5 -> 2.6
Bruce Ashfield (1):
lttng-modules: fix build for v6.7+
Changhyeok Bae (1):
iptables: upgrade 1.8.9 -> 1.8.10
Charlie Johnston (2):
bitbake.conf: Add gsutil as hosttool for gcp fetcher.
bitbake: fetch2: Ensure GCP fetcher checks if file exists before download.
Jan Vermaete (1):
systemd: fixed typo
Joao Marcos Costa (1):
documentation.conf: fix do_menuconfig description
Joshua Watt (2):
bitbake: bitbake-hashclient: Add commands to get hashes
bitbake: hashserv: sqlite: Ensure sync propagates to database connections
Julien Stephan (6):
devtool: fix update-recipe dry-run mode
lib/oe/recipeutils.py: remove trailing white-spaces
devtool: finish/update-recipe: restrict mode srcrev to recipes fetched from SCM
devtool: tag all submodules
devtool: add support for git submodules
oeqa/selftest/devtool: add test for git submodules
Justin Bronder (1):
contributor-guide: add License-Update tag
Kareem Zarka (2):
wic: bootimg-efi: Make kernel image installation configurable
oeqa/selftest/wic: Add tests for kernel image installation
Khem Raj (8):
shared-mime-info: Fix build with clang-17+
libsoup-2.4: Fix build with clang-17 and libxml2-2.12
busybox: Enable utmp support on musl systems
virglrenderer: Fix build with clang
llvm: Upgrade to 17.0.6
rust-common.bbclass: Define rust arch for x32 platforms
vte: Upgrade to 0.74.1
vte: Separate out gtk4 pieces of vte into individual packages
Lee Chee Yang (3):
wic: add test for partition hidden attributes
migration-guides: add release notes for 4.3.1
openssl: upgrade to 3.2.0
Malte Schmidt (1):
wic: rawcopy: add support for zstd decompression
Marco Felsch (1):
json-c: fix icecc compilation
Markus Volk (3):
bluez5: fix connection for ps5/dualshock controllers
cups: Add root,sys,wheel to system groups
vte: upgrade 0.72.2 -> 0.74.0
Martin Hundebøll (1):
libpam: split /etc/environment into pam-plugin-env package
Matsunaga-Shinji (1):
cve-check: Modify judgment processing using "=" in version comparison
Michael Opdenacker (4):
systemd-compat-units.bb: fix postinstall script
dev-manual: layers: update link to YP Compatible form
contributor-guide: fix command option
migration-guides: release 3.5 is actually 4.0
Niko Mauno (1):
rust-llvm: Allow overriding LLVM target archs
Patrick Williams (1):
shared-mime-info-native: handle old GCC for AlmaLinux8
Peter Marko (2):
cve-update-nvd2-native: remove unused variable CVE_SOCKET_TIMEOUT
cve-update-nvd2-native: make number of fetch attemtps configurable
Richard Haar (1):
bitbake: bitbake: tests: Fix duplicate test_underscore_override test
Richard Purdie (2):
bitbake: ui/ncurses: Add missing function call to avoid traceback
bitbake: cooker: Avoid eventlog variable listing lockups
Robert Yang (2):
gnu-config: Update to latest revision
gettext: Upgrade 0.22 -> 0.22.3
Ross Burton (3):
core-image-minimal-initramfs: don't install a kernel into the initramfs
autoconf: upgrade to 2.72d
Revert "cve-check: Modify judgment processing using "=" in version comparison"
Sundeep KOKKONDA (3):
rust: Split rustdoc into a separate package
glibc: stable 2.38 branch updates
binutils: stable 2.41 branch updates
Tim Orling (8):
python3-sphinxcontrib-applehelp: 1.0.4 -> 1.0.7
python3-sphinxcontrib-devhelp: 1.0.2 -> 1.0.5
python3-sphinxcontrib-htmlhelp: 2.0.1 -> 2.0.4
python3-sphinxcontrib-qthelp: 1.0.3 -> 1.0.6
python3-sphinxcontrib-serializinghtml: 1.1.5 -> 1.1.9
vim: upgrade 9.0.2068 -> 9.0.2130
python3-cryptography-vectors: add RECIPE_NO_UPDATE_REASON
python3-cryptography{-vectors}: 41.0.5 -> 41.0.7
Trevor Gamblin (2):
python3-ptest: skip test_storlines
patchtest: shorten patch signed-off-by test output
Viswanath Kraleti (1):
systemd-boot: Fix build issues on armv7a-linux
Wang Mingyu (27):
bind: upgrade 9.18.19 -> 9.18.20
diffoscope: upgrade 251 -> 252
ell: upgrade 0.59 -> 0.60
git: upgrade 2.42.1 -> 2.43.0
gnutls: upgrade 3.8.1 -> 3.8.2
libdrm: upgrade 2.4.117 -> 2.4.118
libgcrypt: upgrade 1.10.2 -> 1.10.3
libksba: upgrade 1.6.4 -> 1.6.5
libxslt: upgrade 1.1.38 -> 1.1.39
log4cplus: upgrade 2.1.0 -> 2.1.1
python3-certifi: upgrade 2023.7.22 -> 2023.11.17
python3-setuptools: upgrade 68.2.2 -> 69.0.2
python3-wcwidth: upgrade 0.2.9 -> 0.2.11
python3-hypothesis: upgrade 6.89.0 -> 6.90.0
python3-pyasn1: upgrade 0.5.0 -> 0.5.1
python3-scons: upgrade 4.5.2 -> 4.6.0
python3-urllib3: upgrade 2.0.7 -> 2.1.0
ethtool: upgrade 6.5 -> 6.6
gi-docgen: upgrade 2023.1 -> 2023.3
init-system-helpers: upgrade 1.65.2 -> 1.66
libsolv: upgrade 0.7.26 -> 0.7.27
python3-idna: upgrade 3.4 -> 3.6
ofono: upgrade 2.1 -> 2.2
python3-sphinx-rtd-theme: upgrade 1.3.0 -> 2.0.0
python3-trove-classifiers: upgrade 2023.11.14 -> 2023.11.22
python3-wheel: upgrade 0.41.3 -> 0.42.0
resolvconf: upgrade 1.91 -> 1.92
Xiangyu Chen (2):
shadow: Fix for CVE-2023-4641
bash: changes to SIGINT handler while waiting for a child
Zahir Hussain (1):
cmake: Unset CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES
meta-raspberrypi: 8231f97534..fde68b24f0:
Lorenzo Arena (1):
docs: fix syntax for overriding fs type for initramfs image
Change-Id: Idc6f6b1e913442bae03dfec9f207924c56f31056
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
diff --git a/poky/meta/recipes-extended/bash/bash/0001-changes-to-SIGINT-handler-while-waiting-for-a-child-.patch b/poky/meta/recipes-extended/bash/bash/0001-changes-to-SIGINT-handler-while-waiting-for-a-child-.patch
new file mode 100644
index 0000000..df92c24
--- /dev/null
+++ b/poky/meta/recipes-extended/bash/bash/0001-changes-to-SIGINT-handler-while-waiting-for-a-child-.patch
@@ -0,0 +1,226 @@
+From 721d5be99eb37d31e48bd66d61808a66a4c5ab84 Mon Sep 17 00:00:00 2001
+From: Chet Ramey <chet.ramey@case.edu>
+Date: Mon, 30 Oct 2023 12:16:07 -0400
+Subject: [PATCH] changes to SIGINT handler while waiting for a child; skip
+ vertical whitespace after translating an integer
+
+Upstream-Status: Backport from
+[https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=fe24a6a55e8850298b496c5b9d82f1866eba190e]
+
+[Adjust and drop some codes to be applicable the tree]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ general.c | 5 +++--
+ jobs.c | 24 ++++++++++++++++--------
+ tests/redir.right | 4 ++--
+ tests/redir11.sub | 2 ++
+ tests/type.right | 16 ++++++++--------
+ tests/type.tests | 24 ++++++++++++------------
+ 6 files changed, 43 insertions(+), 32 deletions(-)
+
+diff --git a/general.c b/general.c
+index 85c5a8b6..65e2ee06 100644
+--- a/general.c
++++ b/general.c
+@@ -262,8 +262,9 @@ legal_number (string, result)
+ if (errno || ep == string)
+ return 0; /* errno is set on overflow or underflow */
+
+- /* Skip any trailing whitespace, since strtoimax does not. */
+- while (whitespace (*ep))
++ /* Skip any trailing whitespace, since strtoimax does not, using the same
++ test that strtoimax uses for leading whitespace. */
++ while (isspace ((unsigned char) *ep))
+ ep++;
+
+ /* If *string is not '\0' but *ep is '\0' on return, the entire string
+diff --git a/jobs.c b/jobs.c
+index 6b986ed7..262d78de 100644
+--- a/jobs.c
++++ b/jobs.c
+@@ -2718,6 +2718,10 @@ wait_for_background_pids (ps)
+ #define INVALID_SIGNAL_HANDLER (SigHandler *)wait_for_background_pids
+ static SigHandler *old_sigint_handler = INVALID_SIGNAL_HANDLER;
+
++/* The current SIGINT handler as set by restore_sigint_handler. Only valid
++ immediately after restore_sigint_handler, used for continuations. */
++static SigHandler *cur_sigint_handler = INVALID_SIGNAL_HANDLER;
++
+ static int wait_sigint_received;
+ static int child_caught_sigint;
+
+@@ -2735,6 +2739,7 @@ wait_sigint_cleanup ()
+ static void
+ restore_sigint_handler ()
+ {
++ cur_sigint_handler = old_sigint_handler;
+ if (old_sigint_handler != INVALID_SIGNAL_HANDLER)
+ {
+ set_signal_handler (SIGINT, old_sigint_handler);
+@@ -2758,8 +2763,7 @@ wait_sigint_handler (sig)
+ restore_sigint_handler ();
+ /* If we got a SIGINT while in `wait', and SIGINT is trapped, do
+ what POSIX.2 says (see builtins/wait.def for more info). */
+- if (this_shell_builtin && this_shell_builtin == wait_builtin &&
+- signal_is_trapped (SIGINT) &&
++ if (signal_is_trapped (SIGINT) &&
+ ((sigint_handler = trap_to_sighandler (SIGINT)) == trap_handler))
+ {
+ trap_handler (SIGINT); /* set pending_traps[SIGINT] */
+@@ -2782,6 +2786,8 @@ wait_sigint_handler (sig)
+ {
+ set_exit_status (128+SIGINT);
+ restore_sigint_handler ();
++ if (cur_sigint_handler == INVALID_SIGNAL_HANDLER)
++ set_sigint_handler (); /* XXX - only do this in one place */
+ kill (getpid (), SIGINT);
+ }
+
+@@ -2926,11 +2932,13 @@ wait_for (pid, flags)
+ {
+ SigHandler *temp_sigint_handler;
+
+- temp_sigint_handler = set_signal_handler (SIGINT, wait_sigint_handler);
+- if (temp_sigint_handler == wait_sigint_handler)
+- internal_debug ("wait_for: recursively setting old_sigint_handler to wait_sigint_handler: running_trap = %d", running_trap);
+- else
+- old_sigint_handler = temp_sigint_handler;
++ temp_sigint_handler = old_sigint_handler;
++ old_sigint_handler = set_signal_handler (SIGINT, wait_sigint_handler);
++ if (old_sigint_handler == wait_sigint_handler)
++ {
++ internal_debug ("wait_for: recursively setting old_sigint_handler to wait_sigint_handler: running_trap = %d", running_trap);
++ old_sigint_handler = temp_sigint_handler;
++ }
+ waiting_for_child = 0;
+ if (old_sigint_handler == SIG_IGN)
+ set_signal_handler (SIGINT, old_sigint_handler);
+@@ -4136,7 +4144,7 @@ set_job_status_and_cleanup (job)
+ SIGINT (if we reset the sighandler to the default).
+ In this case, we have to fix things up. What a crock. */
+ if (temp_handler == trap_handler && signal_is_trapped (SIGINT) == 0)
+- temp_handler = trap_to_sighandler (SIGINT);
++ temp_handler = trap_to_sighandler (SIGINT);
+ restore_sigint_handler ();
+ if (temp_handler == SIG_DFL)
+ termsig_handler (SIGINT); /* XXX */
+diff --git a/tests/redir.right b/tests/redir.right
+index 8db10414..9e1403c8 100644
+--- a/tests/redir.right
++++ b/tests/redir.right
+@@ -154,10 +154,10 @@ foo
+ 1
+ 7
+ after: 42
+-./redir11.sub: line 53: $(ss= declare -i ss): ambiguous redirect
++./redir11.sub: line 55: $(ss= declare -i ss): ambiguous redirect
+ after: 42
+ a+=3
+ foo
+ foo
+-./redir11.sub: line 75: 42: No such file or directory
++./redir11.sub: line 77: 42: No such file or directory
+ 42
+diff --git a/tests/redir11.sub b/tests/redir11.sub
+index d417cdb6..ca9854cd 100644
+--- a/tests/redir11.sub
++++ b/tests/redir11.sub
+@@ -34,6 +34,8 @@ a=4 b=7 ss=4 declare -i ss
+ a=4 b=7 foo
+ echo after: $a
+
++exec 7>&- 4>&-
++
+ unset a
+ a=4 echo foo 2>&1 >&$(foo) | { grep -q 'Bad file' || echo 'redir11 bad 3'; }
+ a=1 echo foo 2>&1 >&$(foo) | { grep -q 'Bad file' || echo 'redir11 bad 4'; }
+diff --git a/tests/type.right b/tests/type.right
+index bbc228e8..e0a66745 100644
+--- a/tests/type.right
++++ b/tests/type.right
+@@ -24,15 +24,15 @@ func ()
+ }
+ while
+ while is a shell keyword
+-./type.tests: line 56: type: m: not found
+-alias m='more'
+-alias m='more'
+-m is aliased to `more'
++./type.tests: line 59: type: morealias: not found
++alias morealias='more'
++alias morealias='more'
++morealias is aliased to `more'
+ alias
+-alias m='more'
+-alias m='more'
+-alias m='more'
+-m is aliased to `more'
++alias morealias='more'
++alias morealias='more'
++alias morealias='more'
++morealias is aliased to `more'
+ builtin
+ builtin is a shell builtin
+ /bin/sh
+diff --git a/tests/type.tests b/tests/type.tests
+index fd39c18a..ddc15407 100644
+--- a/tests/type.tests
++++ b/tests/type.tests
+@@ -25,8 +25,6 @@ type -r ${THIS_SH}
+ type notthere
+ command -v notthere
+
+-alias m=more
+-
+ unset -f func 2>/dev/null
+ func() { echo this is func; }
+
+@@ -49,24 +47,26 @@ command -V func
+ command -v while
+ command -V while
+
++alias morealias=more
++
+ # the following two lines should produce the same output
+ # post-3.0 patch makes command -v silent, as posix specifies
+ # first test with alias expansion off (should all fail or produce no output)
+-type -t m
+-type m
+-command -v m
++type -t morealias
++type morealias
++command -v morealias
+ alias -p
+-alias m
++alias morealias
+
+ # then test with alias expansion on
+ shopt -s expand_aliases
+-type m
+-type -t m
+-command -v m
++type morealias
++type -t morealias
++command -v morealias
+ alias -p
+-alias m
++alias morealias
+
+-command -V m
++command -V morealias
+ shopt -u expand_aliases
+
+ command -v builtin
+@@ -76,7 +76,7 @@ command -V /bin/sh
+
+ unset -f func
+ type func
+-unalias m
++unalias morealias
+ type m
+
+ hash -r
+--
+2.35.5
+
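Review bot: The patch header's "[Adjust and drop some codes to be applicable the tree]" does not say which parts of the upstream commit were dropped, so the backport cannot be compared with upstream from this file alone; please list the omitted files or hunks in the header. The Upstream-Status tag is also split into "Backport from" and a bracketed URL on the next line, where the usual form is "Upstream-Status: Backport [URL]" on a single line. Two points in the body deserve a second look. In general.c, replacing "whitespace (*ep)" with "isspace ((unsigned char) *ep)" makes legal_number skip trailing newlines and other vertical whitespace after an integer, which changes which strings are accepted as numbers and is not mentioned in the recipe change's subject (SIGINT handler only). In tests/type.tests, the context line "type m" after "unalias morealias" still uses the old alias name, so that step no longer checks that the alias was actually removed.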
diff --git a/poky/meta/recipes-extended/bash/bash_5.2.21.bb b/poky/meta/recipes-extended/bash/bash_5.2.21.bb
index 6df73b6..46d921b 100644
--- a/poky/meta/recipes-extended/bash/bash_5.2.21.bb
+++ b/poky/meta/recipes-extended/bash/bash_5.2.21.bb
@@ -12,6 +12,7 @@
file://run-bash-ptests \
file://fix-run-builtins.patch \
file://use_aclocal.patch \
+ file://0001-changes-to-SIGINT-handler-while-waiting-for-a-child-.patch \
"
SRC_URI[tarball.sha256sum] = "c8e31bdc59b69aaffc5b36509905ba3e5cbb12747091d27b4b977f078560d5b8"
diff --git a/poky/meta/recipes-extended/cups/cups.inc b/poky/meta/recipes-extended/cups/cups.inc
index ff5f55e..31f686c 100644
--- a/poky/meta/recipes-extended/cups/cups.inc
+++ b/poky/meta/recipes-extended/cups/cups.inc
@@ -57,7 +57,7 @@
--enable-debug \
--disable-relro \
--enable-libusb \
- --with-system-groups=lpadmin \
+ --with-system-groups=lpadmin,root,sys,wheel \
--with-cups-group=lp \
--with-domainsocket=/run/cups/cups.sock \
--with-pkgconfpath=${libdir}/pkgconfig \
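Review bot: The new "--with-system-groups=lpadmin,root,sys,wheel" value widens the set of groups CUPS treats as administrators from lpadmin alone to three more groups, and nothing in the change says why. Please state the use case in the commit message and confirm that sys and wheel exist on the target images with only administrative members; if the goal is only to let root administer CUPS, adding root alone would keep the privilege grant narrower.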
diff --git a/poky/meta/recipes-extended/ethtool/ethtool_6.5.bb b/poky/meta/recipes-extended/ethtool/ethtool_6.6.bb
similarity index 93%
rename from poky/meta/recipes-extended/ethtool/ethtool_6.5.bb
rename to poky/meta/recipes-extended/ethtool/ethtool_6.6.bb
index ef925e1..ab82435 100644
--- a/poky/meta/recipes-extended/ethtool/ethtool_6.5.bb
+++ b/poky/meta/recipes-extended/ethtool/ethtool_6.6.bb
@@ -11,7 +11,7 @@
file://avoid_parallel_tests.patch \
"
-SRC_URI[sha256sum] = "aed41ca58b3129126f18429172064d214191d7e7ef52c6e3f6b2ff7503706c03"
+SRC_URI[sha256sum] = "d4cdb4f7498781fb516e2b3d0eadab28691da3fd3e3445954e82d745de95fb96"
UPSTREAM_CHECK_URI = "https://www.kernel.org/pub/software/network/ethtool/"
diff --git a/poky/meta/recipes-extended/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch b/poky/meta/recipes-extended/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
index 0c2c97c..8824bf2 100644
--- a/poky/meta/recipes-extended/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
+++ b/poky/meta/recipes-extended/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
@@ -1,7 +1,7 @@
-From 698ed332e2c592235d2b737c545ac25ad0970e15 Mon Sep 17 00:00:00 2001
+From 0096c854d5015918ed154dccb3ad472fd06c1010 Mon Sep 17 00:00:00 2001
From: "Maxin B. John" <maxin.john@intel.com>
Date: Tue, 21 Feb 2017 11:16:31 +0200
-Subject: [PATCH 1/4] configure: Add option to enable/disable libnfnetlink
+Subject: [PATCH] configure: Add option to enable/disable libnfnetlink
This changes the configure behaviour from autodetecting
for libnfnetlink to having an option to disable it explicitly
@@ -10,12 +10,13 @@
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Maxin B. John <maxin.john@intel.com>
+
---
configure.ac | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
-index bc2ed47b..e27745e5 100644
+index d99fa3b..d607772 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,6 +63,9 @@ AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH],
@@ -28,9 +29,9 @@
AC_ARG_ENABLE([connlabel],
AS_HELP_STRING([--disable-connlabel],
[Do not build libnetfilter_conntrack]),
-@@ -117,9 +120,10 @@ if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
- AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
- fi
+@@ -113,9 +116,10 @@ AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
+ AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
+ AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"])
-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
- [nfnetlink=1], [nfnetlink=0])
@@ -40,8 +41,5 @@
+ ])
+AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "x$enable_libnfnetlink" = "xyes"])
- if test "x$enable_nftables" = "xyes"; then
- PKG_CHECK_MODULES([libmnl], [libmnl >= 1.0], [mnl=1], [mnl=0])
---
-2.30.2
-
+ if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
+ PKG_CHECK_MODULES([libpcap], [libpcap], [], [
diff --git a/poky/meta/recipes-extended/iptables/iptables/0002-iptables-xshared.h-add-missing-sys.types.h-include.patch b/poky/meta/recipes-extended/iptables/iptables/0002-iptables-xshared.h-add-missing-sys.types.h-include.patch
index 9621d46..a190c7e 100644
--- a/poky/meta/recipes-extended/iptables/iptables/0002-iptables-xshared.h-add-missing-sys.types.h-include.patch
+++ b/poky/meta/recipes-extended/iptables/iptables/0002-iptables-xshared.h-add-missing-sys.types.h-include.patch
@@ -1,7 +1,7 @@
-From d4699d2169fe2d91d0f1f4369d40d2e5f42b8877 Mon Sep 17 00:00:00 2001
+From 465e3ef77f1763d225adc76220e43ee9bd73b178 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex@linutronix.de>
Date: Tue, 17 May 2022 10:56:59 +0200
-Subject: [PATCH 2/4] iptables/xshared.h: add missing sys.types.h include
+Subject: [PATCH] iptables/xshared.h: add missing sys.types.h include
This resolves the build error under musl:
@@ -12,12 +12,13 @@
Upstream-Status: Submitted [via email to phil@nwl.cc]
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+
---
iptables/xshared.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/iptables/xshared.h b/iptables/xshared.h
-index 0ed9f3c2..b1413834 100644
+index a200e0d..f543dbf 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -6,6 +6,7 @@
@@ -28,6 +29,3 @@
#include <linux/netfilter_arp/arp_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
---
-2.30.2
-
diff --git a/poky/meta/recipes-extended/iptables/iptables/0003-Makefile.am-do-not-install-etc-ethertypes.patch b/poky/meta/recipes-extended/iptables/iptables/0003-Makefile.am-do-not-install-etc-ethertypes.patch
deleted file mode 100644
index cbc9757..0000000
--- a/poky/meta/recipes-extended/iptables/iptables/0003-Makefile.am-do-not-install-etc-ethertypes.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 28291b41bc3717f51e8d9d465f0100f1ca99dc26 Mon Sep 17 00:00:00 2001
-From: Trevor Gamblin <trevor.gamblin@windriver.com>
-Date: Wed, 9 Mar 2022 12:50:39 -0500
-Subject: [PATCH 3/4] Makefile.am: do not install /etc/ethertypes
-
-The /etc/ethertypes is provided by netbase since 6.0[1].
-Do not instal the file in ebtables, otherwise there would be a conflict:
-Error: Transaction test error:
- file /etc/ethertypes conflicts between attempted installs of
-netbase-1:6.2-r0.corei7_64 and iptables-1.8.7-r0.corei7_64
-
-[1]
-https://salsa.debian.org/md/netbase/-/commit/316680c6a2c3641b6abc76b3eebf88781f609d35)
-
-This patch is based off of the same change made for the ebtables recipe:
-
-http://cgit.openembedded.org/meta-openembedded/tree/meta-networking/recipes-filter/ebtables/ebtables-2.0.11/0001-Makefile.am-do-not-install-etc-ethertypes.patch?h=master
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
----
- Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 451c3cb2..5125238c 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -20,7 +20,7 @@ EXTRA_DIST = autogen.sh iptables-test.py xlate-test.py
-
- if ENABLE_NFTABLES
- confdir = $(sysconfdir)
--dist_conf_DATA = etc/ethertypes etc/xtables.conf
-+dist_conf_DATA = etc/xtables.conf
- endif
-
- .PHONY: tarball
---
-2.30.2
-
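Review bot: Removing this patch needs a stated reason, because its header marks it "Upstream-Status: Inappropriate [embedded specific]" rather than a backport, so the version bump alone does not make it obsolete. Please confirm that Makefile.am in 1.8.10 no longer lists etc/ethertypes in dist_conf_DATA (or that the file is removed some other way in the recipe); otherwise the /etc/ethertypes install conflict with netbase quoted in the header will come back.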
diff --git a/poky/meta/recipes-extended/iptables/iptables/0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch b/poky/meta/recipes-extended/iptables/iptables/0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch
index 20c40c4..5a022eb 100644
--- a/poky/meta/recipes-extended/iptables/iptables/0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch
+++ b/poky/meta/recipes-extended/iptables/iptables/0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch
@@ -1,7 +1,7 @@
-From e7aa1dd2831f9bb5d0603c5e5027387ad7721b00 Mon Sep 17 00:00:00 2001
+From 6832501bbb90a3dab977a4625d0391804c0e795c Mon Sep 17 00:00:00 2001
From: "Maxin B. John" <maxin.john@intel.com>
Date: Tue, 21 Feb 2017 11:49:07 +0200
-Subject: [PATCH 4/4] configure.ac:
+Subject: [PATCH] configure.ac:
only-check-conntrack-when-libnfnetlink-enabled.patch
Package libnetfilter-conntrack depends on package libnfnetlink. iptables
@@ -23,15 +23,16 @@
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Maxin B. John <maxin.john@intel.com>
+
---
configure.ac | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
-index e27745e5..528f1bb5 100644
+index d607772..25a8e75 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -158,10 +158,12 @@ if test "$nftables" != 1; then
+@@ -159,10 +159,12 @@ if test "$nftables" != 1; then
fi
if test "x$enable_connlabel" = "xyes"; then
@@ -46,6 +47,3 @@
if test "$nfconntrack" -ne 1; then
blacklist_modules="$blacklist_modules connlabel";
echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
---
-2.30.2
-
diff --git a/poky/meta/recipes-extended/iptables/iptables/format-security.patch b/poky/meta/recipes-extended/iptables/iptables/format-security.patch
deleted file mode 100644
index fae920f..0000000
--- a/poky/meta/recipes-extended/iptables/iptables/format-security.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Thu, 12 Jan 2023 14:38:44 +0100
-Subject: extensions: NAT: Fix for -Werror=format-security
-
-Have to pass either a string literal or format string to xt_xlate_add().
-
-Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Upstream-Status: Backport [https://git.netfilter.org/iptables/commit/?id=ed4082a7405a5838c205a34c1559e289949200cc]
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
----
- extensions/libxt_NAT.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c
-index da9f2201..2a634398 100644
---- a/extensions/libxt_NAT.c
-+++ b/extensions/libxt_NAT.c
-@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r,
- if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
- return 0;
-
-- xt_xlate_add(xl, tgt);
-+ xt_xlate_add(xl, "%s", tgt);
- if (strlen(range_str))
- xt_xlate_add(xl, " to %s", range_str);
- if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
---
-cgit v1.2.3
-
diff --git a/poky/meta/recipes-extended/iptables/iptables_1.8.9.bb b/poky/meta/recipes-extended/iptables/iptables_1.8.10.bb
similarity index 95%
rename from poky/meta/recipes-extended/iptables/iptables_1.8.9.bb
rename to poky/meta/recipes-extended/iptables/iptables_1.8.10.bb
index dc91973..cd2f3bc 100644
--- a/poky/meta/recipes-extended/iptables/iptables_1.8.9.bb
+++ b/poky/meta/recipes-extended/iptables/iptables_1.8.10.bb
@@ -15,11 +15,9 @@
file://ip6tables.rules \
file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
file://0002-iptables-xshared.h-add-missing-sys.types.h-include.patch \
- file://0003-Makefile.am-do-not-install-etc-ethertypes.patch \
file://0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch \
- file://format-security.patch \
"
-SRC_URI[sha256sum] = "ef6639a43be8325a4f8ea68123ffac236cb696e8c78501b64e8106afb008c87f"
+SRC_URI[sha256sum] = "5cc255c189356e317d070755ce9371eb63a1b783c34498fb8c30264f3cc59c9c"
SYSTEMD_SERVICE:${PN} = "\
iptables.service \
diff --git a/poky/meta/recipes-extended/libsolv/libsolv_0.7.26.bb b/poky/meta/recipes-extended/libsolv/libsolv_0.7.27.bb
similarity index 95%
rename from poky/meta/recipes-extended/libsolv/libsolv_0.7.26.bb
rename to poky/meta/recipes-extended/libsolv/libsolv_0.7.27.bb
index bae7960..2ea80c6 100644
--- a/poky/meta/recipes-extended/libsolv/libsolv_0.7.26.bb
+++ b/poky/meta/recipes-extended/libsolv/libsolv_0.7.27.bb
@@ -12,7 +12,7 @@
file://0001-utils-Conside-musl-when-wrapping-qsort_r.patch \
"
-SRCREV = "48c985375134d2443eee551613161cadc278af2f"
+SRCREV = "0caa2edb94ba228003bf18960e4574256e92f8fb"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
diff --git a/poky/meta/recipes-extended/pam/libpam_1.5.3.bb b/poky/meta/recipes-extended/pam/libpam_1.5.3.bb
index 7af3ea9..809d927 100644
--- a/poky/meta/recipes-extended/pam/libpam_1.5.3.bb
+++ b/poky/meta/recipes-extended/pam/libpam_1.5.3.bb
@@ -57,6 +57,11 @@
FILES:${PN}-runtime = "${sysconfdir} ${sbindir} ${systemd_system_unitdir}"
FILES:${PN}-xtests = "${datadir}/Linux-PAM/xtests"
+# libpam installs /etc/environment for use with the pam_env plugin. Make sure it is
+# packaged with the pam-plugin-env package to avoid breaking installations which
+# install that file via other packages
+FILES:pam-plugin-env = "${sysconfdir}/environment"
+
PACKAGES_DYNAMIC += "^${MLPREFIX}pam-plugin-.*"
def get_multilib_bit(d):
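Review bot: The added "FILES:pam-plugin-env" assignment uses a fixed package name, while the plugin packages are created dynamically as mlprefix + 'pam-plugin%s' and PACKAGES_DYNAMIC matches "^${MLPREFIX}pam-plugin-.*". In a multilib build the package would be named with the prefix, so it is worth checking that ${sysconfdir}/environment still lands in the prefixed pam-plugin-env package and not back in the main package; writing the name with ${MLPREFIX}, or setting FILES from pam_plugin_hook, would make that explicit. The comment could also note that the packaging depends on the prepend=True added to do_split_packages further down, since the two changes only work together.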
@@ -113,7 +118,7 @@
pam_pkgname = mlprefix + 'pam-plugin%s'
do_split_packages(d, pam_libdir, r'^pam(.*)\.so$', pam_pkgname,
- 'PAM plugin for %s', hook=pam_plugin_hook, extra_depends='')
+ 'PAM plugin for %s', hook=pam_plugin_hook, extra_depends='', prepend=True)
do_split_packages(d, pam_filterdir, r'^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='')
}
diff --git a/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
new file mode 100644
index 0000000..1fabfe9
--- /dev/null
+++ b/poky/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
@@ -0,0 +1,147 @@
+From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password). Each of those 2 password prompts
+uses agetpass() to get the password. If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+- malloc(3) or readpassphrase(3) failure.
+
+ These are going to be difficult to trigger. Maybe getting the system
+ to the limits of memory utilization at that exact point, so that the
+ next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+ About readpassphrase(3), ENFILE and EINTR seem the only plausible
+ ones, and EINTR probably requires privilege or being the same user;
+ but I wouldn't discard ENFILE so easily, if a process starts opening
+ files.
+
+- The password is longer than PASS_MAX.
+
+ The is plausible with physical access. However, at that point, a
+ keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable. Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> - brk / sbrk
+> - mmap MAP_ANONYMOUS
+> - mmap /dev/zero
+> - mmap some other file
+> - shm_open
+> - shmget
+>
+> Most of these return only pages of zeros to a process. Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process. It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> - ptrace (requires ptrace privileges, mediated by YAMA)
+> - causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack. Those copies won't get zeroed
+by explicit_bzero(3). However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3). But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible. Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit. Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All. Bug introduced in shadow 19990709. That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+
+CVE: CVE-2023-4641
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904]
+
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index 5983f787..2d8869ef 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr)
+ strzero (cp);
+ cp = getpass (_("Re-enter new password: "));
+ if (NULL == cp) {
++ memzero (pass, sizeof pass);
+ exit (1);
+ }
+
+--
+2.34.1
+
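Review bot: The embedded hunk in change_passwd() shows `cp = getpass (_("Re-enter new password: "));` and `strzero (cp);` as context, while the commit message analyses failures of agetpass() throughout, so the listed failure modes (malloc(3)/readpassphrase(3) errors, PASS_MAX) may not match the code in this shadow version. Since the header says `Upstream-Status: Backport`, add a line to the patch header noting that the context was adapted for this version. Also confirm that `pass` is declared as an array in this tree, because `memzero (pass, sizeof pass)` would clear only a pointer's worth of bytes otherwise, and check whether any other exit path after the STRFCPY() into `pass` needs the same clearing; only the `NULL == cp` branch is visible here.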
diff --git a/poky/meta/recipes-extended/shadow/shadow.inc b/poky/meta/recipes-extended/shadow/shadow.inc
index 83e1a84..ce3ce62 100644
--- a/poky/meta/recipes-extended/shadow/shadow.inc
+++ b/poky/meta/recipes-extended/shadow/shadow.inc
@@ -17,6 +17,7 @@
file://0001-Fix-can-not-print-full-login.patch \
file://CVE-2023-29383.patch \
file://0001-Overhaul-valid_field.patch \
+ file://CVE-2023-4641.patch \
"
SRC_URI:append:class-target = " \