subtree updates
meta-openembedded: 4dbbef7a39..9953ca1ac0:
Andreas Cord-Landwehr (1):
freerdp: provide cmake integration
BELOUARGA Mohamed (1):
Monocypher: Correct source URI and license
Clément Péron (2):
abseil-cpp: rename recipe to follow the version
protobuf: upgrade 4.23.4 -> 4.25.2
Fabio Estevam (1):
v4l-utils: Remove unneeded musl patch
Gassner, Tobias.ext (1):
softhsm_2.6.1.bb fixing p11-kit module path, adding softhsm2.module to FILES
Gianfranco Costamagna (1):
vbxguestdrivers: upgrade 7.0.12 -> 7.0.14
Khem Raj (4):
Revert "rng-tools: move from oe-core to meta-oe"
python3-pillow: Correct branch parameter in SRC_URI
python3-multidict: Make it work with python 3.12
python3-multidict: Fix running ptests
Markus Volk (6):
eog: update 45.1 -> 45.2
file-roller: update 43.0 -> 43.1
gvfs: update 1.52.1 -> 1.52.2
gjs: update 1.78.1 -> 1.78.2
mozjs: update 115.2.0 -> 115.6.0
pipewire: update 1.0.0 -> 1.0.1
Michael Haener (1):
nginx: add http sub module feature
Pablo Saavedra (1):
libbacktrace: fix sdk installation
Peter Marko (2):
protobuf-c: change branch to master
srecord: fix malformed patch upstream status
Ross Burton (1):
mozjs-115: fix the build on ARMv5
Yi Zhao (1):
samba: upgrade 4.19.3 -> 4.19.4
Yoann Congal (3):
packagegroup-meta-oe: remove mongodb
python3-coverage: add native and nativesdk BBCLASSEXTEND
python3-pytest-cov: Add missing python3-pytest RDEPENDS
alperak (8):
fmt: upgrade 10.1.1 -> 10.2.1
gerbera: upgrade 1.12.1 -> 2.0.0
spdlog: upgrade 1.12 -> 1.13
libebml: upgrade 1.4.4 -> 1.4.5
lcms: upgrade 2.15 -> 2.16
libkcapi: upgrade 1.4.0 -> 1.5.0
icewm: upgrade 3.4.4 -> 3.4.5
libreport: upgrade 2.17.8 -> 2.17.11
meta-raspberrypi: b859bc3eca..9c901bf170:
Damiano Ferrari (2):
rpi-config: Add CAN0_INTERRUPT_PIN and CAN1_INTERRUPT_PIN variable
docs: add info on how to set different CAN interrupt pins
Florin Sarbu (1):
Add Raspberry Pi 5
Leon Anavi (7):
rpi-base.inc: Add vc4-kms-v3d-pi5.dtbo
u-boot_%.bbappend: Skip for Raspberry Pi 5
rpi-config: Reduce config.txt size
linux-raspberrypi.inc: bcm2712_defconfig for rpi5
conf/machine/raspberrypi5.conf: kernel_2712.img
conf/machine/raspberrypi5.conf: ttyAMA10
conf/machine/raspberrypi5.conf: Use "Image"
poky: 7af374c90c..348d9aba33:
Alejandro Hernandez Samaniego (1):
newlib: Upgrade 4.3.0 -> 4.4.0
Alexander Kanavin (1):
shadow: replace static linking with dynamic libraries in a custom location and bundled with shadow
Anuj Mittal (4):
bluez5: upgrade 5.71 -> 5.72
cronie: upgrade 1.7.0 -> 1.7.1
libpsl: upgrade 0.21.2 -> 0.21.5
grub2: upgrade 2.06 -> 2.12
Bruce Ashfield (12):
linux-yocto/6.6: update to v6.6.11
linux-yocto/6.6: update CVE exclusions
linux-yocto/6.1: update to v6.1.72
linux-yocto/6.1: update CVE exclusions
linux-yocto/6.6: cfg: arm: introduce page size fragments
linux-yocto/6.6: security/cfg: add configs to harden protection
linux-yocto/6.1: security/cfg: add configs to harden protection
linux-yocto/6.6: update to v6.6.12
linux-yocto/6.6: update CVE exclusions
linux-yocto/6.1: update to v6.1.73
linux-yocto/6.1: update CVE exclusions
linux-yocto/6.1: drop recipes
Chen Qi (5):
oeqa/selftest: add test case to cover 'devtool modify -n' for a git recipe
systemd: refresh musl patches for v255.1
systemd: upgrade to 255.1
systemd-boot: upgrade to 255.1
rootfs-postcommands.bbclass: ignore comment mismatch in systemd_user_check
Etienne Cordonnier (1):
cmake.bbclass: add Darwin support
Fabio Estevam (2):
weston: Update to 13.0.0
pulseaudio: Update to 17.0
Jiang Kai (4):
debianutils: upgrade 5.15 -> 5.16
enchant2: upgrade 2.6.4 -> 2.6.5
libsecret: upgrade 0.21.1 -> 0.21.2
libxrandr: upgrade 1.5.3 -> 1.5.4
Joe Slater (1):
eudev: modify predictable network if name search
Jonathan GUILLOT (1):
udev-extraconf: fix unmount directories containing octal-escaped chars
Julien Stephan (3):
externalsrc: fix task dependency for do_populate_lic
devtool: modify: add support for multiple source in SRC_URI
oeqa/selftest/devtool: add test for recipes with multiple sources in SRC_URI
Kai Kang (2):
nativesdk-cairo: fix build error
p11-kit: fix parallel build failures
Kevin Hao (2):
yocto-bsp: Bump the default kernel to v6.6
yocto-bsp: Drop the support for v6.1 kernel
Khem Raj (4):
libgudev: Pass export-dynamic to linker directly.
coreutils: Fix build with clang
glibc: Do not enable CET on 32bit x86
rust: Re-write RPATHs in the copies llvm-config
Pavel Zhukov (1):
mdadm: Disable ptests
Peter Marko (1):
zlib: ignore CVE-2023-6992
Richard Purdie (7):
qemu: add PACKAGECONFIG for sndio
poky-altcfg: Update PREFERRED_VERSION for kerenl
xev: Drop diet libx11 related patch
libxcomposite: Drop obsolete patch
python3-subunit: Add missing module dependency
qemu: Upgrade 8.1.2 -> 8.2.0
qemu: Fix segfaults in webkitgtk:do_compile on debian11
Robert Yang (1):
autoconf: 2.72d -> 2.72e
Ross Burton (7):
cve_check: handle CVE_STATUS being set to the empty string
cve_check: cleanup logging
xserver-xorg: add PACKAGECONFIG for xvfb
xserver-xorg: disable xvfb by default
libssh2: backport fix for CVE-2023-48795
bitbake: bitbake: Version bump for inherit_defer addition
sanity: require bitbake 2.7.2 for the inherit_defer statement
Ryan Eatmon (1):
python3-yamllint: Add recipe
Simone Weiß (2):
tune-core2: Update qemu cpu to supported model
gcc: Update status of CVE-2023-4039
Thomas Perrot (1):
opensbi: bump to 1.4
Timotheus Giuliani (1):
linux-firmware: fix mediatek MT76x empty license package
Vincent Davis Jr (1):
shaderc: update commit hash to v2023.7
Wang Mingyu (2):
python3-subunit: upgrade 1.4.2 -> 1.4.4
libtest-warnings-perl: upgrade 0.031 -> 0.032
William Hauser (1):
native.bbclass: base_libdir unique from libdir
William Lyu (1):
perl: Fix perl-module-* being ignored via COMPLEMENTARY_GLOB
Yash Shinde (7):
rust: Fetch cargo from rust-snapshot dir.
rust: detect user-specified custom targets in compiletest
rust: Enable RUSTC_BOOTSTRAP to use nightly features during rust oe-selftest.
rust: Fix assertion failure error on oe-selftest
rust: Add new tests in the exclude list for rust oe-selftest
rust: Remove the test cases whose parent dir is also present in the exclude list
rust: Enable rust oe-selftest.
Yogita Urade (1):
tiff: fix CVE-2023-6228
meta-arm: 1cad3c3813..6bb1fc8d8c:
Harsimran Singh Tungal (1):
n1sdp:arm-bsp/optee: Update optee to v4.0
Ross Burton (1):
arm-bsp/linux-yocto: add 6.1 recipe
Change-Id: Ib4cc4e128e4d41f3329cf83a0d5e8539ef07ebe3
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
diff --git a/poky/meta/recipes-support/debianutils/debianutils_5.15.bb b/poky/meta/recipes-support/debianutils/debianutils_5.16.bb
similarity index 97%
rename from poky/meta/recipes-support/debianutils/debianutils_5.15.bb
rename to poky/meta/recipes-support/debianutils/debianutils_5.16.bb
index b1368a3..ec629d8 100644
--- a/poky/meta/recipes-support/debianutils/debianutils_5.15.bb
+++ b/poky/meta/recipes-support/debianutils/debianutils_5.16.bb
@@ -11,7 +11,7 @@
SRC_URI = "git://salsa.debian.org/debian/debianutils.git;protocol=https;branch=master \
"
-SRCREV = "d886c15810b58e57411048f57d7fb941a6819987"
+SRCREV = "9e0facf19b17b6d090a5dcc8cacb0c16e5ad9f72"
inherit autotools update-alternatives
diff --git a/poky/meta/recipes-support/enchant/enchant2_2.6.4.bb b/poky/meta/recipes-support/enchant/enchant2_2.6.5.bb
similarity index 91%
rename from poky/meta/recipes-support/enchant/enchant2_2.6.4.bb
rename to poky/meta/recipes-support/enchant/enchant2_2.6.5.bb
index 431d02e..1d5c716 100644
--- a/poky/meta/recipes-support/enchant/enchant2_2.6.4.bb
+++ b/poky/meta/recipes-support/enchant/enchant2_2.6.5.bb
@@ -12,7 +12,7 @@
inherit autotools pkgconfig github-releases
SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/enchant-${PV}.tar.gz"
-SRC_URI[sha256sum] = "833b4d5600dbe9ac867e543aac6a7a40ad145351495ca41223d4499d3ddbbd2c"
+SRC_URI[sha256sum] = "9e8fd28cb65a7b6da3545878a5c2f52a15f03c04933a5ff48db89fe86845728e"
GITHUB_BASE_URI = "https://github.com/AbiWord/enchant/releases"
diff --git a/poky/meta/recipes-support/libpsl/libpsl_0.21.2.bb b/poky/meta/recipes-support/libpsl/libpsl_0.21.5.bb
similarity index 79%
rename from poky/meta/recipes-support/libpsl/libpsl_0.21.2.bb
rename to poky/meta/recipes-support/libpsl/libpsl_0.21.5.bb
index 3bbbc0e..b9341a9 100644
--- a/poky/meta/recipes-support/libpsl/libpsl_0.21.2.bb
+++ b/poky/meta/recipes-support/libpsl/libpsl_0.21.5.bb
@@ -7,13 +7,13 @@
BUGTRACKER = "https://github.com/rockdaboot/libpsl/issues"
LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=6f40ab7fcf5ff18f3ff7f4b0860493fa \
- file://COPYING;md5=6f40ab7fcf5ff18f3ff7f4b0860493fa \
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9f9e317096db2a598fc44237c5b8a4f7 \
+ file://COPYING;md5=9f9e317096db2a598fc44237c5b8a4f7 \
"
SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz \
"
-SRC_URI[sha256sum] = "e35991b6e17001afa2c0ca3b10c357650602b92596209b7492802f3768a6285f"
+SRC_URI[sha256sum] = "1dcc9ceae8b128f3c0b3f654decd0e1e891afc6ff81098f227ef260449dae208"
GITHUB_BASE_URI = "https://github.com/rockdaboot/libpsl/releases"
diff --git a/poky/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch b/poky/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
new file mode 100644
index 0000000..ab0f419
--- /dev/null
+++ b/poky/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
@@ -0,0 +1,466 @@
+From d4634630432594b139b3af6b9f254b890c0f275d Mon Sep 17 00:00:00 2001
+From: Michael Buckley <michael@buckleyisms.com>
+Date: Thu, 30 Nov 2023 15:08:02 -0800
+Subject: [PATCH] src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
+
+Refs:
+https://terrapin-attack.com/
+https://seclists.org/oss-sec/2023/q4/292
+https://osv.dev/list?ecosystem=&q=CVE-2023-48795
+https://github.com/advisories/GHSA-45x7-px36-x8w8
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
+
+Fixes #1290
+Closes #1291
+
+CVE: CVE-2023-48795
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ src/kex.c | 63 +++++++++++++++++++++++------------
+ src/libssh2_priv.h | 18 +++++++---
+ src/packet.c | 83 +++++++++++++++++++++++++++++++++++++++++++---
+ src/packet.h | 2 +-
+ src/session.c | 3 ++
+ src/transport.c | 12 ++++++-
+ 6 files changed, 149 insertions(+), 32 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index d4034a0a..b4b748ca 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -3037,6 +3037,13 @@ kex_method_extension_negotiation = {
+ 0,
+ };
+
++static const LIBSSH2_KEX_METHOD
++kex_method_strict_client_extension = {
++ "kex-strict-c-v00@openssh.com",
++ NULL,
++ 0,
++};
++
+ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
+ #if LIBSSH2_ED25519
+ &kex_method_ssh_curve25519_sha256,
+@@ -3055,6 +3062,7 @@ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
+ &kex_method_diffie_helman_group1_sha1,
+ &kex_method_diffie_helman_group_exchange_sha1,
+ &kex_method_extension_negotiation,
++ &kex_method_strict_client_extension,
+ NULL
+ };
+
+@@ -3307,13 +3315,13 @@ static int kexinit(LIBSSH2_SESSION * session)
+ return 0;
+ }
+
+-/* kex_agree_instr
++/* _libssh2_kex_agree_instr
+ * Kex specific variant of strstr()
+ * Needle must be preceded by BOL or ',', and followed by ',' or EOL
+ */
+-static unsigned char *
+-kex_agree_instr(unsigned char *haystack, size_t haystack_len,
+- const unsigned char *needle, size_t needle_len)
++unsigned char *
++_libssh2_kex_agree_instr(unsigned char *haystack, size_t haystack_len,
++ const unsigned char *needle, size_t needle_len)
+ {
+ unsigned char *s;
+ unsigned char *end_haystack;
+@@ -3398,7 +3406,7 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
+ while(s && *s) {
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+- if(kex_agree_instr(hostkey, hostkey_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(hostkey, hostkey_len, s, method_len)) {
+ const LIBSSH2_HOSTKEY_METHOD *method =
+ (const LIBSSH2_HOSTKEY_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3432,9 +3440,9 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
+ }
+
+ while(hostkeyp && (*hostkeyp) && (*hostkeyp)->name) {
+- s = kex_agree_instr(hostkey, hostkey_len,
+- (unsigned char *) (*hostkeyp)->name,
+- strlen((*hostkeyp)->name));
++ s = _libssh2_kex_agree_instr(hostkey, hostkey_len,
++ (unsigned char *) (*hostkeyp)->name,
++ strlen((*hostkeyp)->name));
+ if(s) {
+ /* So far so good, but does it suit our purposes? (Encrypting vs
+ Signing) */
+@@ -3468,6 +3476,12 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
+ {
+ const LIBSSH2_KEX_METHOD **kexp = libssh2_kex_methods;
+ unsigned char *s;
++ const unsigned char *strict =
++ (unsigned char *)"kex-strict-s-v00@openssh.com";
++
++ if(_libssh2_kex_agree_instr(kex, kex_len, strict, 28)) {
++ session->kex_strict = 1;
++ }
+
+ if(session->kex_prefs) {
+ s = (unsigned char *) session->kex_prefs;
+@@ -3475,7 +3489,7 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
+ while(s && *s) {
+ unsigned char *q, *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+- q = kex_agree_instr(kex, kex_len, s, method_len);
++ q = _libssh2_kex_agree_instr(kex, kex_len, s, method_len);
+ if(q) {
+ const LIBSSH2_KEX_METHOD *method = (const LIBSSH2_KEX_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3509,9 +3523,9 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
+ }
+
+ while(*kexp && (*kexp)->name) {
+- s = kex_agree_instr(kex, kex_len,
+- (unsigned char *) (*kexp)->name,
+- strlen((*kexp)->name));
++ s = _libssh2_kex_agree_instr(kex, kex_len,
++ (unsigned char *) (*kexp)->name,
++ strlen((*kexp)->name));
+ if(s) {
+ /* We've agreed on a key exchange method,
+ * Can we agree on a hostkey that works with this kex?
+@@ -3555,7 +3569,7 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+
+- if(kex_agree_instr(crypt, crypt_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(crypt, crypt_len, s, method_len)) {
+ const LIBSSH2_CRYPT_METHOD *method =
+ (const LIBSSH2_CRYPT_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3577,9 +3591,9 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
+ }
+
+ while(*cryptp && (*cryptp)->name) {
+- s = kex_agree_instr(crypt, crypt_len,
+- (unsigned char *) (*cryptp)->name,
+- strlen((*cryptp)->name));
++ s = _libssh2_kex_agree_instr(crypt, crypt_len,
++ (unsigned char *) (*cryptp)->name,
++ strlen((*cryptp)->name));
+ if(s) {
+ endpoint->crypt = *cryptp;
+ return 0;
+@@ -3619,7 +3633,7 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+
+- if(kex_agree_instr(mac, mac_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(mac, mac_len, s, method_len)) {
+ const LIBSSH2_MAC_METHOD *method = (const LIBSSH2_MAC_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+ (const LIBSSH2_COMMON_METHOD **)
+@@ -3640,8 +3654,9 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
+ }
+
+ while(*macp && (*macp)->name) {
+- s = kex_agree_instr(mac, mac_len, (unsigned char *) (*macp)->name,
+- strlen((*macp)->name));
++ s = _libssh2_kex_agree_instr(mac, mac_len,
++ (unsigned char *) (*macp)->name,
++ strlen((*macp)->name));
+ if(s) {
+ endpoint->mac = *macp;
+ return 0;
+@@ -3672,7 +3687,7 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+
+- if(kex_agree_instr(comp, comp_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(comp, comp_len, s, method_len)) {
+ const LIBSSH2_COMP_METHOD *method =
+ (const LIBSSH2_COMP_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3694,8 +3709,9 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+ }
+
+ while(*compp && (*compp)->name) {
+- s = kex_agree_instr(comp, comp_len, (unsigned char *) (*compp)->name,
+- strlen((*compp)->name));
++ s = _libssh2_kex_agree_instr(comp, comp_len,
++ (unsigned char *) (*compp)->name,
++ strlen((*compp)->name));
+ if(s) {
+ endpoint->comp = *compp;
+ return 0;
+@@ -3876,6 +3892,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+ session->local.kexinit = key_state->oldlocal;
+ session->local.kexinit_len = key_state->oldlocal_len;
+ key_state->state = libssh2_NB_state_idle;
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+ return -1;
+@@ -3901,6 +3918,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+ session->local.kexinit = key_state->oldlocal;
+ session->local.kexinit_len = key_state->oldlocal_len;
+ key_state->state = libssh2_NB_state_idle;
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+ return -1;
+@@ -3949,6 +3967,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+ session->remote.kexinit = NULL;
+ }
+
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+
+diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
+index 82c3afe2..ee1d8b5c 100644
+--- a/src/libssh2_priv.h
++++ b/src/libssh2_priv.h
+@@ -699,6 +699,9 @@ struct _LIBSSH2_SESSION
+ /* key signing algorithm preferences -- NULL yields server order */
+ char *sign_algo_prefs;
+
++ /* Whether to use the OpenSSH Strict KEX extension */
++ int kex_strict;
++
+ /* (remote as source of data -- packet_read ) */
+ libssh2_endpoint_data remote;
+
+@@ -870,6 +873,7 @@ struct _LIBSSH2_SESSION
+ int fullpacket_macstate;
+ size_t fullpacket_payload_len;
+ int fullpacket_packet_type;
++ uint32_t fullpacket_required_type;
+
+ /* State variables used in libssh2_sftp_init() */
+ libssh2_nonblocking_states sftpInit_state;
+@@ -910,10 +914,11 @@ struct _LIBSSH2_SESSION
+ };
+
+ /* session.state bits */
+-#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000001
+-#define LIBSSH2_STATE_NEWKEYS 0x00000002
+-#define LIBSSH2_STATE_AUTHENTICATED 0x00000004
+-#define LIBSSH2_STATE_KEX_ACTIVE 0x00000008
++#define LIBSSH2_STATE_INITIAL_KEX 0x00000001
++#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000002
++#define LIBSSH2_STATE_NEWKEYS 0x00000004
++#define LIBSSH2_STATE_AUTHENTICATED 0x00000008
++#define LIBSSH2_STATE_KEX_ACTIVE 0x00000010
+
+ /* session.flag helpers */
+ #ifdef MSG_NOSIGNAL
+@@ -1144,6 +1149,11 @@ ssize_t _libssh2_send(libssh2_socket_t socket, const void *buffer,
+ int _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+ key_exchange_state_t * state);
+
++unsigned char *_libssh2_kex_agree_instr(unsigned char *haystack,
++ size_t haystack_len,
++ const unsigned char *needle,
++ size_t needle_len);
++
+ /* Let crypt.c/hostkey.c expose their method structs */
+ const LIBSSH2_CRYPT_METHOD **libssh2_crypt_methods(void);
+ const LIBSSH2_HOSTKEY_METHOD **libssh2_hostkey_methods(void);
+diff --git a/src/packet.c b/src/packet.c
+index b5b41981..35d4d39e 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -605,14 +605,13 @@ authagent_exit:
+ * layer when it has received a packet.
+ *
+ * The input pointer 'data' is pointing to allocated data that this function
+- * is asked to deal with so on failure OR success, it must be freed fine.
+- * The only exception is when the return code is LIBSSH2_ERROR_EAGAIN.
++ * will be freed unless return the code is LIBSSH2_ERROR_EAGAIN.
+ *
+ * This function will always be called with 'datalen' greater than zero.
+ */
+ int
+ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+- size_t datalen, int macstate)
++ size_t datalen, int macstate, uint32_t seq)
+ {
+ int rc = 0;
+ unsigned char *message = NULL;
+@@ -657,6 +656,70 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ break;
+ }
+
++ if(session->state & LIBSSH2_STATE_INITIAL_KEX) {
++ if(msg == SSH_MSG_KEXINIT) {
++ if(!session->kex_strict) {
++ if(datalen < 17) {
++ LIBSSH2_FREE(session, data);
++ session->packAdd_state = libssh2_NB_state_idle;
++ return _libssh2_error(session,
++ LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting kex");
++ }
++ else {
++ const unsigned char *strict =
++ (unsigned char *)"kex-strict-s-v00@openssh.com";
++ struct string_buf buf;
++ unsigned char *algs = NULL;
++ size_t algs_len = 0;
++
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 17; /* advance past type and cookie */
++
++ if(_libssh2_get_string(&buf, &algs, &algs_len)) {
++ LIBSSH2_FREE(session, data);
++ session->packAdd_state = libssh2_NB_state_idle;
++ return _libssh2_error(session,
++ LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Algs too short");
++ }
++
++ if(algs_len == 0 ||
++ _libssh2_kex_agree_instr(algs, algs_len, strict, 28)) {
++ session->kex_strict = 1;
++ }
++ }
++ }
++
++ if(session->kex_strict && seq) {
++ LIBSSH2_FREE(session, data);
++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
++ session->packAdd_state = libssh2_NB_state_idle;
++ libssh2_session_disconnect(session, "strict KEX violation: "
++ "KEXINIT was not the first packet");
++
++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
++ "strict KEX violation: "
++ "KEXINIT was not the first packet");
++ }
++ }
++
++ if(session->kex_strict && session->fullpacket_required_type &&
++ session->fullpacket_required_type != msg) {
++ LIBSSH2_FREE(session, data);
++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
++ session->packAdd_state = libssh2_NB_state_idle;
++ libssh2_session_disconnect(session, "strict KEX violation: "
++ "unexpected packet type");
++
++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
++ "strict KEX violation: "
++ "unexpected packet type");
++ }
++ }
++
+ if(session->packAdd_state == libssh2_NB_state_allocated) {
+ /* A couple exceptions to the packet adding rule: */
+ switch(msg) {
+@@ -1341,6 +1404,15 @@ _libssh2_packet_ask(LIBSSH2_SESSION * session, unsigned char packet_type,
+
+ return 0;
+ }
++ else if(session->kex_strict &&
++ (session->state & LIBSSH2_STATE_INITIAL_KEX)) {
++ libssh2_session_disconnect(session, "strict KEX violation: "
++ "unexpected packet type");
++
++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
++ "strict KEX violation: "
++ "unexpected packet type");
++ }
+ packet = _libssh2_list_next(&packet->node);
+ }
+ return -1;
+@@ -1402,7 +1474,10 @@ _libssh2_packet_require(LIBSSH2_SESSION * session, unsigned char packet_type,
+ }
+
+ while(session->socket_state == LIBSSH2_SOCKET_CONNECTED) {
+- int ret = _libssh2_transport_read(session);
++ int ret;
++ session->fullpacket_required_type = packet_type;
++ ret = _libssh2_transport_read(session);
++ session->fullpacket_required_type = 0;
+ if(ret == LIBSSH2_ERROR_EAGAIN)
+ return ret;
+ else if(ret < 0) {
+diff --git a/src/packet.h b/src/packet.h
+index 79018bcf..6ea100a5 100644
+--- a/src/packet.h
++++ b/src/packet.h
+@@ -71,6 +71,6 @@ int _libssh2_packet_burn(LIBSSH2_SESSION * session,
+ int _libssh2_packet_write(LIBSSH2_SESSION * session, unsigned char *data,
+ unsigned long data_len);
+ int _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+- size_t datalen, int macstate);
++ size_t datalen, int macstate, uint32_t seq);
+
+ #endif /* __LIBSSH2_PACKET_H */
+diff --git a/src/session.c b/src/session.c
+index a4d602ba..f4bafb57 100644
+--- a/src/session.c
++++ b/src/session.c
+@@ -464,6 +464,8 @@ libssh2_session_init_ex(LIBSSH2_ALLOC_FUNC((*my_alloc)),
+ session->abstract = abstract;
+ session->api_timeout = 0; /* timeout-free API by default */
+ session->api_block_mode = 1; /* blocking API by default */
++ session->state = LIBSSH2_STATE_INITIAL_KEX;
++ session->fullpacket_required_type = 0;
+ session->packet_read_timeout = LIBSSH2_DEFAULT_READ_TIMEOUT;
+ session->flag.quote_paths = 1; /* default behavior is to quote paths
+ for the scp subsystem */
+@@ -1186,6 +1188,7 @@ libssh2_session_disconnect_ex(LIBSSH2_SESSION *session, int reason,
+ const char *desc, const char *lang)
+ {
+ int rc;
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+ BLOCK_ADJUST(rc, session,
+ session_disconnect(session, reason, desc, lang));
+diff --git a/src/transport.c b/src/transport.c
+index 6d902d33..3b30ff84 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -187,6 +187,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
+ struct transportpacket *p = &session->packet;
+ int rc;
+ int compressed;
++ uint32_t seq = session->remote.seqno;
+
+ if(session->fullpacket_state == libssh2_NB_state_idle) {
+ session->fullpacket_macstate = LIBSSH2_MAC_CONFIRMED;
+@@ -318,7 +319,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
+ if(session->fullpacket_state == libssh2_NB_state_created) {
+ rc = _libssh2_packet_add(session, p->payload,
+ session->fullpacket_payload_len,
+- session->fullpacket_macstate);
++ session->fullpacket_macstate, seq);
+ if(rc == LIBSSH2_ERROR_EAGAIN)
+ return rc;
+ if(rc) {
+@@ -329,6 +330,11 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
+
+ session->fullpacket_state = libssh2_NB_state_idle;
+
++ if(session->kex_strict &&
++ session->fullpacket_packet_type == SSH_MSG_NEWKEYS) {
++ session->remote.seqno = 0;
++ }
++
+ return session->fullpacket_packet_type;
+ }
+
+@@ -1091,6 +1097,10 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session,
+
+ session->local.seqno++;
+
++ if(session->kex_strict && data[0] == SSH_MSG_NEWKEYS) {
++ session->local.seqno = 0;
++ }
++
+ ret = LIBSSH2_SEND(session, p->outbuf, total_length,
+ LIBSSH2_SOCKET_SEND_FLAGS(session));
+ if(ret < 0)
+--
+2.34.1
+
diff --git a/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb b/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb
index edc25db..5100e6f 100644
--- a/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb
+++ b/poky/meta/recipes-support/libssh2/libssh2_1.11.0.bb
@@ -9,6 +9,7 @@
SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://run-ptest \
+ file://CVE-2023-48795.patch \
"
SRC_URI[sha256sum] = "3736161e41e2693324deb38c26cfdc3efe6209d634ba4258db1cecff6a5ad461"
diff --git a/poky/meta/recipes-support/p11-kit/files/fix-parallel-build-failures.patch b/poky/meta/recipes-support/p11-kit/files/fix-parallel-build-failures.patch
new file mode 100644
index 0000000..47df027
--- /dev/null
+++ b/poky/meta/recipes-support/p11-kit/files/fix-parallel-build-failures.patch
@@ -0,0 +1,33 @@
+It fails occasionally with missing generated header files:
+
+| ../git/common/asn1.c:42:10: fatal error: openssl.asn.h: No such file or directory
+| 42 | #include "openssl.asn.h"
+| | ^~~~~~~~~~~~~~~
+| compilation terminated.
+
+According to meson manual page:
+
+https://mesonbuild.com/Wrap-best-practices-and-tips.html#declare-generated-headers-explicitly
+
+'asn_h_dep' should be a dependency of static_library target 'libp11_asn1' to
+make sure that required header files generated before compile common/asn1.c.
+
+Upstream-Status: Submitted [https://github.com/p11-glue/p11-kit/pull/619]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ common/meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/meson.build b/common/meson.build
+index dc86d7b..cc3ec48 100644
+--- a/common/meson.build
++++ b/common/meson.build
+@@ -113,6 +113,7 @@ if with_asn1
+ 'p11-asn1', libp11_asn1_sources,
+ gnu_symbol_visibility: 'hidden',
+ include_directories: configinc,
++ dependencies: asn_h_dep,
+ )
+
+ libp11_asn1_dep = declare_dependency(
diff --git a/poky/meta/recipes-support/p11-kit/p11-kit_0.25.3.bb b/poky/meta/recipes-support/p11-kit/p11-kit_0.25.3.bb
index 9e95942..b7ebd44 100644
--- a/poky/meta/recipes-support/p11-kit/p11-kit_0.25.3.bb
+++ b/poky/meta/recipes-support/p11-kit/p11-kit_0.25.3.bb
@@ -10,7 +10,9 @@
DEPENDS:append = "${@' glib-2.0' if d.getVar('GTKDOC_ENABLED') == 'True' else ''}"
-SRC_URI = "gitsm://github.com/p11-glue/p11-kit;branch=master;protocol=https"
+SRC_URI = "gitsm://github.com/p11-glue/p11-kit;branch=master;protocol=https \
+ file://fix-parallel-build-failures.patch \
+ "
SRCREV = "917e02a3211dabbdea4b079cb598581dce84fda1"
S = "${WORKDIR}/git"