subtree updates
poky: a631bfc3a3..733d919af4:
Alex Kiernan (2):
pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
openssh: Move sshdgenkeys.service to sshd.socket
Arturo Buzarra (1):
run-postinsts: Set dependency for ldconfig to avoid boot issues
Ashish Sharma (2):
connman: Fix CVE-2023-28488 DoS in client.c
golang: Fix CVE-2023-24539
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.238
linux-yocto/5.4: update to v5.4.240
linux-yocto/5.4: update to v5.4.241
linux-yocto/5.4: update to v5.4.242
linux-yocto/5.4: update to v5.4.243
Dmitry Baryshkov (1):
linux-firmware: upgrade 20230210 -> 20230404
Hitendra Prajapati (2):
git: fix CVE-2023-29007
git: fix CVE-2023-25652
Khem Raj (1):
perf: Depend on native setuptools3
Marek Vasut (1):
cpio: Fix wrong CRC with ASCII CRC for large files
Martin Jansa (1):
populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override
Nikhil R (1):
ffmpeg: Fix CVE-2022-48434
Peter Marko (1):
libxml2: patch CVE-2023-28484 and CVE-2023-29469
Randolph Sapp (1):
wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
Ranjitsinh Rathod (1):
libbsd: Add correct license for all packages
Shubham Kulkarni (1):
go: Security fix for CVE-2023-24538
Siddharth (1):
curl: ammend fix for CVE-2023-27534 to fix error when ssh is enabled
Steve Sakoman (1):
selftest: skip virgl test on ubuntu 22.10, fedora 37, and all rocky
Thomas Roos (1):
oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set
Vijay Anusuri (3):
ghostscript: Fix CVE-2023-28879
xserver-xorg: Security fix CVE-2023-0494 and CVE-2023-1393
go: Security fix CVE-2023-24540
Vivek Kumbhar (1):
freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c
Yoann Congal (1):
linux-yocto: Exclude 294 CVEs already fixed upstream
meta-openembedded: 7007d14c25..116bfe8d5e:
Alex Yao (1):
lcov: Fix Perl Path
Hitendra Prajapati (1):
multipath-tools: CVE-2022-41973 Symlink attack multipathd operates insecurely
Hugo SIMELIERE (3):
openvpn: add CVE-2020-7224 and CVE-2020-27569 to allowlist
openvpn: upgrade 2.4.9 -> 2.4.12
libmodbus: Fix CVE-2022-0367
Jack Mitchell (2):
nss: backport fix for native build failure due to implicit casting with gcc13
nss: backport fix for native build failure due to dangling pointer with gcc13
Narpat Mali (1):
nodejs: make 14.18.1 available but not default
Valeria Petrov (1):
apache2: upgrade 2.4.56 -> 2.4.57
Viktor Rosendahl (1):
jsoncpp: Fix broken handling of escape characters
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I8260e0168ea1ddec7ee03555e4f5653155e0ab45
diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb
similarity index 91%
rename from meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb
rename to meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb
index 529e391..55e6603 100644
--- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb
+++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb
@@ -14,8 +14,11 @@
UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
-SRC_URI[md5sum] = "52863fa9b98e5a3d7f8bec1d5785a2ba"
-SRC_URI[sha256sum] = "46b268ef88e67ca6de2e9f19943eb9e5ac8544e55f5c1f3af677298d03e64b6e"
+SRC_URI[md5sum] = "e83d430947fb7c9ad1a174987317d1dc"
+SRC_URI[sha256sum] = "66952d9c95490e5875f04c9f8fa313b5e816d1b7b4d6cda3fb2ff749ad405dee"
+
+# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
+CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569"
SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service"
SYSTEMD_AUTO_ENABLE = "disable"
diff --git a/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch b/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch
new file mode 100644
index 0000000..784f175
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch
@@ -0,0 +1,52 @@
+From 2d5a94aeeab01f0448b5a0bb8d4a9a23a5b790d5 Mon Sep 17 00:00:00 2001
+From: Andrew Childs <lorne@cons.org.nz>
+Date: Sat, 28 Dec 2019 16:04:24 +0900
+Subject: [PATCH] json_writer: fix inverted sense in isAnyCharRequiredQuoting
+ (#1120)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This bug is only affects platforms where `char` is unsigned.
+
+When char is a signed type, values >= 0x80 are also considered < 0,
+and hence require escaping due to the < ' ' condition.
+
+When char is an unsigned type, values >= 0x80 match none of the
+conditions and are considered safe to emit without escaping.
+
+This shows up as a test failure:
+
+* Detail of EscapeSequenceTest/writeEscapeSequence test failure:
+/build/source/src/test_lib_json/main.cpp(3370): expected == result
+ Expected: '["\"","\\","\b","\f","\n","\r","\t","\u0278","\ud852\udf62"]
+ '
+ Actual : '["\"","\\","\b","\f","\n","\r","\t","ɸ","𤭢"]
+ '
+Upstream-Status: Backport [https://github.com/open-source-parsers/jsoncpp/commit/f11611c8785082ead760494cba06196f14a06dcb]
+
+Signed-off-by: Viktor Rosendahl <Viktor.Rosendahl@bmw.de>
+
+---
+ src/lib_json/json_writer.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib_json/json_writer.cpp b/src/lib_json/json_writer.cpp
+index 519ce23..b68a638 100644
+--- a/src/lib_json/json_writer.cpp
++++ b/src/lib_json/json_writer.cpp
+@@ -178,8 +178,9 @@ static bool isAnyCharRequiredQuoting(char const* s, size_t n) {
+
+ char const* const end = s + n;
+ for (char const* cur = s; cur < end; ++cur) {
+- if (*cur == '\\' || *cur == '\"' || *cur < ' ' ||
+- static_cast<unsigned char>(*cur) < 0x80)
++ if (*cur == '\\' || *cur == '\"' ||
++ static_cast<unsigned char>(*cur) < ' ' ||
++ static_cast<unsigned char>(*cur) >= 0x80)
+ return true;
+ }
+ return false;
+--
+2.17.1
+
diff --git a/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb b/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb
index 629881f..ae4b4c9 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb
@@ -14,7 +14,10 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=fa2a23dd1dc6c139f35105379d76df2b"
SRCREV = "d2e6a971f4544c55b8e3b25cf96db266971b778f"
-SRC_URI = "git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https"
+SRC_URI = "\
+ git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https \
+ file://0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch \
+ "
S = "${WORKDIR}/git"
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch
new file mode 100644
index 0000000..c719c9c
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch
@@ -0,0 +1,22 @@
+From 7d94bfe53beeb2d25eb5f2ff6b1d509df7e6ab80 Mon Sep 17 00:00:00 2001
+From: Zuzana Svetlikova <zsvetlik@redhat.com>
+Date: Thu, 27 Apr 2017 14:25:42 +0200
+Subject: [PATCH] Disable running gyp on shared deps
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 93d63110..79caaec2 100644
+--- a/Makefile
++++ b/Makefile
+@@ -138,7 +138,7 @@ with-code-cache test-code-cache:
+ $(warning '$@' target is a noop)
+
+ out/Makefile: config.gypi common.gypi node.gyp \
+- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
++ deps/llhttp/llhttp.gyp \
+ tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
+ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
+ $(PYTHON) tools/gyp_node.py -f make
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch
new file mode 100644
index 0000000..8c5f751
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch
@@ -0,0 +1,40 @@
+From e1d838089cd461d9efcf4d29d9f18f65994d2d6b Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Sun, 3 Oct 2021 22:48:39 +0200
+Subject: [PATCH] jinja/tests.py: add py 3.10 fix
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ deps/v8/third_party/jinja2/tests.py | 2 +-
+ tools/inspector_protocol/jinja2/tests.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/deps/v8/third_party/jinja2/tests.py b/deps/v8/third_party/jinja2/tests.py
+index 0adc3d4..b14f85f 100644
+--- a/deps/v8/third_party/jinja2/tests.py
++++ b/deps/v8/third_party/jinja2/tests.py
+@@ -10,7 +10,7 @@
+ """
+ import operator
+ import re
+-from collections import Mapping
++from collections.abc import Mapping
+ from jinja2.runtime import Undefined
+ from jinja2._compat import text_type, string_types, integer_types
+ import decimal
+diff --git a/tools/inspector_protocol/jinja2/tests.py b/tools/inspector_protocol/jinja2/tests.py
+index 0adc3d4..b14f85f 100644
+--- a/tools/inspector_protocol/jinja2/tests.py
++++ b/tools/inspector_protocol/jinja2/tests.py
+@@ -10,7 +10,7 @@
+ """
+ import operator
+ import re
+-from collections import Mapping
++from collections.abc import Mapping
+ from jinja2.runtime import Undefined
+ from jinja2._compat import text_type, string_types, integer_types
+ import decimal
+--
+2.20.1
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch
new file mode 100644
index 0000000..ee287bf
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch
@@ -0,0 +1,27 @@
+From 0976af0f3b328436ea44a74a406f311adb2ab211 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 15 Jun 2021 19:01:31 -0700
+Subject: [PATCH] ppc64: Do not use -mminimal-toc with clang
+
+clang does not support this option
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ common.gypi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common.gypi b/common.gypi
+index ee91fb1d..049c8f8c 100644
+--- a/common.gypi
++++ b/common.gypi
+@@ -413,7 +413,7 @@
+ 'ldflags': [ '-m32' ],
+ }],
+ [ 'target_arch=="ppc64" and OS!="aix"', {
+- 'cflags': [ '-m64', '-mminimal-toc' ],
++ 'cflags': [ '-m64' ],
+ 'ldflags': [ '-m64' ],
+ }],
+ [ 'target_arch=="s390x"', {
+--
+2.32.0
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch
new file mode 100644
index 0000000..c6fc2dc
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch
@@ -0,0 +1,62 @@
+From 6c3ac20477a4bac643088f24df3c042e627fafa9 Mon Sep 17 00:00:00 2001
+From: Guillaume Burel <guillaume.burel@stormshield.eu>
+Date: Fri, 3 Jan 2020 11:25:54 +0100
+Subject: [PATCH] Using native binaries
+
+---
+ node.gyp | 4 ++--
+ tools/v8_gypfiles/v8.gyp | 11 ++++-------
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/node.gyp
++++ b/node.gyp
+@@ -487,6 +487,7 @@
+ 'action_name': 'run_mkcodecache',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(mkcodecache_exec)',
+ ],
+ 'outputs': [
+@@ -512,6 +513,7 @@
+ 'action_name': 'node_mksnapshot',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(node_mksnapshot_exec)',
+ ],
+ 'outputs': [
+--- a/tools/v8_gypfiles/v8.gyp
++++ b/tools/v8_gypfiles/v8.gyp
+@@ -220,6 +220,7 @@
+ {
+ 'action_name': 'run_torque_action',
+ 'inputs': [ # Order matters.
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)torque<(EXECUTABLE_SUFFIX)',
+ '<@(torque_files)',
+ ],
+@@ -351,6 +352,7 @@
+ {
+ 'action_name': 'generate_bytecode_builtins_list_action',
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)bytecode_builtins_list_generator<(EXECUTABLE_SUFFIX)',
+ ],
+ 'outputs': [
+@@ -533,6 +535,7 @@
+ ],
+ },
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(mksnapshot_exec)',
+ ],
+ 'outputs': [
+@@ -1448,6 +1451,7 @@
+ {
+ 'action_name': 'run_gen-regexp-special-case_action',
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)gen-regexp-special-case<(EXECUTABLE_SUFFIX)',
+ ],
+ 'outputs': [
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch
new file mode 100644
index 0000000..3c4b231
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch
@@ -0,0 +1,84 @@
+From 5b22fac923d1ca3e9fefb97f5a171124a88f5e22 Mon Sep 17 00:00:00 2001
+From: Elliott Sales de Andrade <quantum.analyst@gmail.com>
+Date: Tue, 19 Mar 2019 23:22:40 -0400
+Subject: [PATCH] Install both binaries and use libdir.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows us to build with a shared library for other users while
+still providing the normal executable.
+
+Taken from - https://src.fedoraproject.org/rpms/nodejs/raw/rawhide/f/0002-Install-both-binaries-and-use-libdir.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Elliott Sales de Andrade <quantum.analyst@gmail.com>
+Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure.py | 7 +++++++
+ tools/install.py | 21 +++++++++------------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/configure.py b/configure.py
+index e6f7e4db..6cf5c45d 100755
+--- a/configure.py
++++ b/configure.py
+@@ -626,6 +626,12 @@ parser.add_option('--shared',
+ help='compile shared library for embedding node in another project. ' +
+ '(This mode is not officially supported for regular applications)')
+
++parser.add_option('--libdir',
++ action='store',
++ dest='libdir',
++ default='lib',
++ help='a directory to install the shared library into')
++
+ parser.add_option('--without-v8-platform',
+ action='store_true',
+ dest='without_v8_platform',
+@@ -1202,6 +1208,7 @@ def configure_node(o):
+ o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
+
+ o['variables']['node_shared'] = b(options.shared)
++ o['variables']['libdir'] = options.libdir
+ node_module_version = getmoduleversion.get_version()
+
+ if options.dest_os == 'android':
+diff --git a/tools/install.py b/tools/install.py
+index 729b416f..9bfc6234 100755
+--- a/tools/install.py
++++ b/tools/install.py
+@@ -121,22 +121,19 @@ def subdir_files(path, dest, action):
+
+ def files(action):
+ is_windows = sys.platform == 'win32'
+- output_file = 'node'
+ output_prefix = 'out/Release/'
++ output_libprefix = output_prefix
+
+- if 'false' == variables.get('node_shared'):
+- if is_windows:
+- output_file += '.exe'
++ if is_windows:
++ output_bin = 'node.exe'
++ output_lib = 'node.dll'
+ else:
+- if is_windows:
+- output_file += '.dll'
+- else:
+- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix')
++ output_bin = 'node'
++ output_lib = 'libnode.' + variables.get('shlib_suffix')
+
+- if 'false' == variables.get('node_shared'):
+- action([output_prefix + output_file], 'bin/' + output_file)
+- else:
+- action([output_prefix + output_file], 'lib/' + output_file)
++ action([output_prefix + output_bin], 'bin/' + output_bin)
++ if 'true' == variables.get('node_shared'):
++ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
+
+ if 'true' == variables.get('node_use_dtrace'):
+ action(['out/Release/node.d'], 'lib/dtrace/node.d')
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch
new file mode 100644
index 0000000..cdf6bc8
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch
@@ -0,0 +1,21 @@
+Link mksnapshot with libatomic on x86
+
+Clang-12 on x86 emits atomic builtins
+
+Fixes
+| module-compiler.cc:(.text._ZN2v88internal4wasm12_GLOBAL__N_123ExecuteCompilationUnitsERKSt10shared_ptrINS2_22BackgroundCompileTokenEEPNS0_8CountersEiNS2_19CompileBaselineOnlyE+0x558): un
+defined reference to `__atomic_load'
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+--- a/tools/v8_gypfiles/v8.gyp
++++ b/tools/v8_gypfiles/v8.gyp
+@@ -1336,6 +1336,7 @@
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
++ 'libraries': [ '-latomic' ],
+ 'dependencies': [
+ 'v8_base_without_compiler',
+ 'v8_compiler_for_mksnapshot',
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch
new file mode 100644
index 0000000..21a2281
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch
@@ -0,0 +1,32 @@
+Description: mksnapshot uses too much memory on 32-bit mipsel
+Author: Jérémy Lal <kapouer@melix.org>
+Last-Update: 2020-06-03
+Forwarded: https://bugs.chromium.org/p/v8/issues/detail?id=10586
+
+This ensures that we reserve 500M instead of 2G range for codegen
+ensures that qemu-mips can allocate such large ranges
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+--- a/deps/v8/src/common/globals.h
++++ b/deps/v8/src/common/globals.h
+@@ -224,7 +224,7 @@ constexpr size_t kMinimumCodeRangeSize =
+ constexpr size_t kMinExpectedOSPageSize = 64 * KB; // OS page on PPC Linux
+ #elif V8_TARGET_ARCH_MIPS
+ constexpr bool kPlatformRequiresCodeRange = false;
+-constexpr size_t kMaximalCodeRangeSize = 2048LL * MB;
++constexpr size_t kMaximalCodeRangeSize = 512 * MB;
+ constexpr size_t kMinimumCodeRangeSize = 0 * MB;
+ constexpr size_t kMinExpectedOSPageSize = 4 * KB; // OS page.
+ #else
+--- a/deps/v8/src/codegen/mips/constants-mips.h
++++ b/deps/v8/src/codegen/mips/constants-mips.h
+@@ -140,7 +140,7 @@ const uint32_t kLeastSignificantByteInIn
+ namespace v8 {
+ namespace internal {
+
+-constexpr size_t kMaxPCRelativeCodeRangeInMB = 4096;
++constexpr size_t kMaxPCRelativeCodeRangeInMB = 1024;
+
+ // -----------------------------------------------------------------------------
+ // Registers and FPURegisters.
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb
new file mode 100644
index 0000000..fc88681
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb
@@ -0,0 +1,205 @@
+DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
+HOMEPAGE = "http://nodejs.org"
+LICENSE = "MIT & BSD & Artistic-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=6768abdfc4dae4fde59d6b4df96930f3"
+
+DEFAULT_PREFERENCE = "-1"
+
+DEPENDS = "openssl"
+DEPENDS:append:class-target = " qemu-native"
+DEPENDS:append:class-native = " c-ares-native"
+
+inherit pkgconfig python3native qemu
+
+COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*"
+COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*"
+COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*"
+
+COMPATIBLE_HOST:riscv64 = "null"
+COMPATIBLE_HOST:riscv32 = "null"
+
+SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
+ file://0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch \
+ file://0003-Install-both-binaries-and-use-libdir-nodejs14.patch \
+ file://0004-v8-don-t-override-ARM-CFLAGS.patch \
+ file://big-endian.patch \
+ file://mips-warnings.patch \
+ file://mips-less-memory-nodejs14.patch \
+ file://0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch \
+ file://CVE-2022-32212.patch \
+ file://CVE-2022-35255.patch \
+ file://CVE-2022-43548.patch \
+ "
+SRC_URI:append:class-target = " \
+ file://0002-Using-native-binaries-nodejs14.patch \
+ "
+SRC_URI:append:toolchain-clang:x86 = " \
+ file://libatomic-nodejs14.patch \
+ "
+SRC_URI:append:toolchain-clang:powerpc64le = " \
+ file://0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch \
+ "
+SRC_URI[sha256sum] = "3fa1d71adddfab2f5e3e41874b4eddbdf92b65cade4a43922fb1e437afcf89ed"
+
+S = "${WORKDIR}/node-v${PV}"
+
+# v8 errors out if you have set CCACHE
+CCACHE = ""
+
+def map_nodejs_arch(a, d):
+ import re
+
+ if re.match('i.86$', a): return 'ia32'
+ elif re.match('x86_64$', a): return 'x64'
+ elif re.match('aarch64$', a): return 'arm64'
+ elif re.match('(powerpc64|powerpc64le|ppc64le)$', a): return 'ppc64'
+ elif re.match('powerpc$', a): return 'ppc'
+ return a
+
+ARCHFLAGS:arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \
+ ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \
+ bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \
+ bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \
+ '--with-arm-fpu=vfp', d), d), d)}"
+GYP_DEFINES:append:mipsel = " mips_arch_variant='r1' "
+ARCHFLAGS ?= ""
+
+PACKAGECONFIG ??= "brotli icu zlib"
+
+PACKAGECONFIG[ares] = "--shared-cares,,c-ares"
+PACKAGECONFIG[brotli] = "--shared-brotli,,brotli"
+PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu"
+PACKAGECONFIG[libuv] = "--shared-libuv,,libuv"
+PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2"
+PACKAGECONFIG[shared] = "--shared"
+PACKAGECONFIG[zlib] = "--shared-zlib,,zlib"
+
+# We don't want to cross-compile during target compile,
+# and we need to use the right flags during host compile,
+# too.
+EXTRA_OEMAKE = "\
+ CC.host='${CC}' \
+ CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \
+ CXX.host='${CXX}' \
+ CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \
+ LDFLAGS.host='${LDFLAGS}' \
+ AR.host='${AR}' \
+ \
+ builddir_name=./ \
+"
+
+python do_unpack() {
+ import shutil
+
+ bb.build.exec_func('base_do_unpack', d)
+
+ if 'ares' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/cares', True)
+ if 'brotli' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/brotli', True)
+ if 'libuv' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/uv', True)
+ if 'nghttp2' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/nghttp2', True)
+ if 'zlib' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/zlib', True)
+}
+
+# V8's JIT infrastructure requires binaries such as mksnapshot and
+# mkpeephole to be run in the host during the build. However, these
+# binaries must have the same bit-width as the target (e.g. a x86_64
+# host targeting ARMv6 needs to produce a 32-bit binary). Instead of
+# depending on a third Yocto toolchain, we just build those binaries
+# for the target and run them on the host with QEMU.
+python do_create_v8_qemu_wrapper () {
+ """Creates a small wrapper that invokes QEMU to run some target V8 binaries
+ on the host."""
+ qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'),
+ d.expand('${STAGING_DIR_HOST}${base_libdir}')]
+ qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST', True),
+ qemu_libdirs)
+ wrapper_path = d.expand('${B}/v8-qemu-wrapper.sh')
+ with open(wrapper_path, 'w') as wrapper_file:
+ wrapper_file.write("""#!/bin/sh
+
+# This file has been generated automatically.
+# It invokes QEMU to run binaries built for the target in the host during the
+# build process.
+
+%s "$@"
+""" % qemu_cmd)
+ os.chmod(wrapper_path, 0o755)
+}
+
+do_create_v8_qemu_wrapper[dirs] = "${B}"
+addtask create_v8_qemu_wrapper after do_configure before do_compile
+
+LDFLAGS:append:x86 = " -latomic"
+
+# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi
+do_configure () {
+ export LD="${CXX}"
+ GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES
+ # $TARGET_ARCH settings don't match --dest-cpu settings
+ python3 configure.py --prefix=${prefix} --cross-compiling \
+ --without-dtrace \
+ --without-etw \
+ --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \
+ --dest-os=linux \
+ --libdir=${D}${libdir} \
+ ${ARCHFLAGS} \
+ ${PACKAGECONFIG_CONFARGS}
+}
+
+do_compile () {
+ export LD="${CXX}"
+ install -Dm 0755 ${B}/v8-qemu-wrapper.sh ${B}/out/Release/v8-qemu-wrapper.sh
+ oe_runmake BUILDTYPE=Release
+}
+
+do_install () {
+ oe_runmake install DESTDIR=${D}
+
+ # wasn't updated since 2009 and is the only thing requiring python2 in runtime
+ # ERROR: nodejs-12.14.1-r0 do_package_qa: QA Issue: /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples contained in package nodejs-npm requires /usr/bin/python, but no providers found in RDEPENDS:nodejs-npm? [file-rdeps]
+ rm -f ${D}${exec_prefix}/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples
+}
+
+do_install:append:class-native() {
+ # use node from PATH instead of absolute path to sysroot
+ # node-v0.10.25/tools/install.py is using:
+ # shebang = os.path.join(node_prefix, 'bin/node')
+ # update_shebang(link_path, shebang)
+ # and node_prefix can be very long path to bindir in native sysroot and
+ # when it exceeds 128 character shebang limit it's stripped to incorrect path
+ # and npm fails to execute like in this case with 133 characters show in log.do_install:
+ # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node
+ # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js
+ # use sed on npm-cli.js because otherwise symlink is replaced with normal file and
+ # npm-cli.js continues to use old shebang
+ sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js
+
+ # Install the native binaries to provide it within sysroot for the target compilation
+ install -d ${D}${bindir}
+ install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque
+ install -m 0755 ${S}/out/Release/bytecode_builtins_list_generator ${D}${bindir}/bytecode_builtins_list_generator
+ if ${@bb.utils.contains('PACKAGECONFIG','icu','true','false',d)}; then
+ install -m 0755 ${S}/out/Release/gen-regexp-special-case ${D}${bindir}/gen-regexp-special-case
+ fi
+ install -m 0755 ${S}/out/Release/mkcodecache ${D}${bindir}/mkcodecache
+ install -m 0755 ${S}/out/Release/node_mksnapshot ${D}${bindir}/node_mksnapshot
+}
+
+do_install:append:class-target() {
+ sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js
+}
+
+PACKAGES =+ "${PN}-npm"
+FILES:${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx"
+RDEPENDS:${PN}-npm = "bash python3-core python3-shell python3-datetime \
+ python3-misc python3-multiprocessing"
+
+PACKAGES =+ "${PN}-systemtap"
+FILES:${PN}-systemtap = "${datadir}/systemtap"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch b/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch
new file mode 100644
index 0000000..2aec818
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch
@@ -0,0 +1,38 @@
+From 790ff6dad16b70e68804a2d53ad54db40412e889 Mon Sep 17 00:00:00 2001
+From: Michael Heimpold <mhei@heimpold.de>
+Date: Sat, 8 Jan 2022 20:00:50 +0100
+Subject: [PATCH] modbus_reply: fix copy & paste error in sanity check (fixes
+ #614)
+
+[ Upstream commit b4ef4c17d618eba0adccc4c7d9e9a1ef809fc9b6 ]
+
+While handling MODBUS_FC_WRITE_AND_READ_REGISTERS, both address offsets
+must be checked, i.e. the read and the write address must be within the
+mapping range.
+
+At the moment, only the read address was considered, it looks like a
+simple copy and paste error, so let's fix it.
+
+CVE: CVE-2022-0367
+
+Signed-off-by: Michael Heimpold <mhei@heimpold.de>
+---
+ src/modbus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/modbus.c b/src/modbus.c
+index 68a28a3..c871152 100644
+--- a/src/modbus.c
++++ b/src/modbus.c
+@@ -961,7 +961,7 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
+ nb_write, nb, MODBUS_MAX_WR_WRITE_REGISTERS, MODBUS_MAX_WR_READ_REGISTERS);
+ } else if (mapping_address < 0 ||
+ (mapping_address + nb) > mb_mapping->nb_registers ||
+- mapping_address < 0 ||
++ mapping_address_write < 0 ||
+ (mapping_address_write + nb_write) > mb_mapping->nb_registers) {
+ rsp_length = response_exception(
+ ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS, rsp, FALSE,
+--
+2.39.1
+
diff --git a/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb b/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb
index 075487a..5c59312 100644
--- a/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb
@@ -2,7 +2,10 @@
SRC_URI += "file://f1eb4bc7ccb09cd8d19ab641ee37637f8c34d16d.patch \
file://Fix-float-endianness-issue-on-big-endian-arch.patch \
- file://Fix-typo.patch"
+ file://Fix-typo.patch \
+ file://CVE-2022-0367.patch \
+ "
+
SRC_URI[md5sum] = "15c84c1f7fb49502b3efaaa668cfd25e"
SRC_URI[sha256sum] = "d7d9fa94a16edb094e5fdf5d87ae17a0dc3f3e3d687fead81835d9572cf87c16"
diff --git a/meta-openembedded/meta-oe/recipes-support/lcov/lcov_1.14.bb b/meta-openembedded/meta-oe/recipes-support/lcov/lcov_1.14.bb
index 0cc8b31..5e8fb93 100755
--- a/meta-openembedded/meta-oe/recipes-support/lcov/lcov_1.14.bb
+++ b/meta-openembedded/meta-oe/recipes-support/lcov/lcov_1.14.bb
@@ -59,7 +59,7 @@
SRC_URI[sha256sum] = "14995699187440e0ae4da57fe3a64adc0a3c5cf14feab971f8db38fb7d8f071a"
do_install() {
- oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir}
+ oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir} LCOV_PERL_PATH="/usr/bin/env perl"
}
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-openembedded/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch b/meta-openembedded/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch
new file mode 100644
index 0000000..d06ef44
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch
@@ -0,0 +1,154 @@
+From cb57b930fa690ab79b3904846634681685e3470f Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.com>
+Date: Thu, 1 Sep 2022 19:21:30 +0200
+Subject: [PATCH] multipath-tools: use /run instead of /dev/shm
+
+/dev/shm may have unsafe permissions. Use /run instead.
+Use systemd's tmpfiles.d mechanism to create /run/multipath
+early during boot.
+
+For backward compatibilty, make the runtime directory configurable
+via the "runtimedir" make variable.
+
+Signed-off-by: Martin Wilck <mwilck@suse.com>
+Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
+
+CVE: CVE-2022-41973
+Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ .gitignore | 2 ++
+ Makefile.inc | 7 ++++++-
+ libmultipath/defaults.h | 3 +--
+ multipath/Makefile | 11 ++++++++---
+ multipath/{multipath.rules => multipath.rules.in} | 4 ++--
+ multipath/tmpfiles.conf.in | 1 +
+ 6 files changed, 20 insertions(+), 8 deletions(-)
+ rename multipath/{multipath.rules => multipath.rules.in} (95%)
+ create mode 100644 multipath/tmpfiles.conf.in
+
+diff --git a/.gitignore b/.gitignore
+index 9926756b..f90b0350 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -8,6 +8,8 @@
+ *.d
+ kpartx/kpartx
+ multipath/multipath
++multipath/multipath.rules
++multipath/tmpfiles.conf
+ multipathd/multipathd
+ mpathpersist/mpathpersist
+ .nfs*
+diff --git a/Makefile.inc b/Makefile.inc
+index 4eb08eed..648f91b4 100644
+--- a/Makefile.inc
++++ b/Makefile.inc
+@@ -44,6 +44,7 @@ exec_prefix = $(prefix)
+ usr_prefix = $(prefix)
+ bindir = $(exec_prefix)/usr/sbin
+ libudevdir = $(prefix)/$(SYSTEMDPATH)/udev
++tmpfilesdir = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d
+ udevrulesdir = $(libudevdir)/rules.d
+ multipathdir = $(TOPDIR)/libmultipath
+ man8dir = $(prefix)/usr/share/man/man8
+@@ -60,6 +61,7 @@ libdmmpdir = $(TOPDIR)/libdmmp
+ nvmedir = $(TOPDIR)/libmultipath/nvme
+ includedir = $(prefix)/usr/include
+ pkgconfdir = $(usrlibdir)/pkgconfig
++runtimedir := /$(RUN)
+
+ GZIP = gzip -9 -c
+ RM = rm -f
+@@ -95,7 +97,10 @@ OPTFLAGS += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \
+ -Wno-unused-parameter -Werror=cast-qual \
+ -Werror=discarded-qualifiers
+
+-CPPFLAGS := -Wp,-D_FORTIFY_SOURCE=2
++CPPFLAGS := $(FORTIFY_OPT) \
++ -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \
++ -DRUNTIME_DIR=\"$(runtimedir)\" \
++ -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP
+ CFLAGS := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \
+ -MMD -MP $(CFLAGS)
+ BIN_CFLAGS = -fPIE -DPIE
+diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h
+index c2164c16..908e0ca3 100644
+--- a/libmultipath/defaults.h
++++ b/libmultipath/defaults.h
+@@ -64,8 +64,7 @@
+ #define DEFAULT_WWIDS_FILE "/etc/multipath/wwids"
+ #define DEFAULT_PRKEYS_FILE "/etc/multipath/prkeys"
+ #define DEFAULT_CONFIG_DIR "/etc/multipath/conf.d"
+-#define MULTIPATH_SHM_BASE "/dev/shm/multipath/"
+-
++#define MULTIPATH_SHM_BASE RUNTIME_DIR "/multipath/"
+
+ static inline char *set_default(char *str)
+ {
+diff --git a/multipath/Makefile b/multipath/Makefile
+index e720c7f6..28976546 100644
+--- a/multipath/Makefile
++++ b/multipath/Makefile
+@@ -12,7 +12,7 @@ EXEC = multipath
+
+ OBJS = main.o
+
+-all: $(EXEC)
++all: $(EXEC) multipath.rules tmpfiles.conf
+
+ $(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so
+ $(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS)
+@@ -26,7 +26,9 @@ install:
+ $(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/
+ $(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir)
+ $(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir)
+- $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules
++ $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules
++ $(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir)
++ $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf
+ $(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir)
+ $(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir)
+ $(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir)
+@@ -43,9 +45,12 @@ uninstall:
+ $(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz
+
+ clean: dep_clean
+- $(RM) core *.o $(EXEC) *.gz
++ $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf
+
+ include $(wildcard $(OBJS:.o=.d))
+
+ dep_clean:
+ $(RM) $(OBJS:.o=.d)
++
++%: %.in
++ sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@
+diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in
+similarity index 95%
+rename from multipath/multipath.rules
+rename to multipath/multipath.rules.in
+index 0486bf70..5fb499e6 100644
+--- a/multipath/multipath.rules
++++ b/multipath/multipath.rules.in
+@@ -1,8 +1,8 @@
+ # Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath
+ SUBSYSTEM!="block", GOTO="end_mpath"
+ KERNEL!="sd*|dasd*|nvme*", GOTO="end_mpath"
+-ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \
+- RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor"
++ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \
++ RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor"
+ ACTION!="add|change", GOTO="end_mpath"
+
+ IMPORT{cmdline}="nompath"
+diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in
+new file mode 100644
+index 00000000..21be438a
+--- /dev/null
++++ b/multipath/tmpfiles.conf.in
+@@ -0,0 +1 @@
++d @RUNTIME_DIR@/multipath 0700 root root -
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-openembedded/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
index 90cfd7d..23273f5 100644
--- a/meta-openembedded/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
+++ b/meta-openembedded/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
@@ -45,6 +45,7 @@
file://0031-Always-use-devmapper-for-kpartx.patch \
file://0001-fix-bug-of-do_compile-and-do_install.patch \
file://0001-add-explicit-dependency-on-libraries.patch \
+ file://CVE-2022-41973.patch \
"
LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
@@ -117,3 +118,6 @@
RDEPENDS_${PN} += "kpartx"
PARALLEL_MAKE = ""
+
+FILES:${PN}-libs += "usr/lib/*.so.*"
+FILES:${PN}-libs += "usr/lib/tmpfiles.d/*"
diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch b/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch
new file mode 100644
index 0000000..b935d9e
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch
@@ -0,0 +1,46 @@
+From 4e7e332b25a2794f381323518e52d8d95273b69e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?= <fkrenzel@redhat.com>
+Date: Mon, 30 Jan 2023 12:59:20 +0000
+Subject: [PATCH] Bug 1812671 - build failure while implicitly casting
+ SECStatus to PRUInt32. r=nss-reviewers,mt
+
+Author of the patch: Bob Relyea <rrelyea@redhat.com>
+
+Differential Revision: https://phabricator.services.mozilla.com/D167983
+
+--HG--
+extra : moz-landing-system : lando
+---
+ lib/ssl/ssl3exthandle.c | 2 +-
+ lib/ssl/sslsnce.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
+index b5ae62f39..7134447bf 100644
+--- a/lib/ssl/ssl3exthandle.c
++++ b/lib/ssl/ssl3exthandle.c
+@@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData *xtnData)
+ * Clients sends a filled in session ticket if one is available, and otherwise
+ * sends an empty ticket. Servers always send empty tickets.
+ */
+-PRInt32
++SECStatus
+ ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+ {
+diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
+index 56edafa1f..49f041c97 100644
+--- a/lib/ssl/sslsnce.c
++++ b/lib/ssl/sslsnce.c
+@@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKey **pubKey,
+ return SECSuccess;
+ }
+
+-static PRBool
++static SECStatus
+ ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName,
+ PK11SymKey **aesKey, PK11SymKey **macKey);
+
+--
+2.40.1
+
diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch b/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch
new file mode 100644
index 0000000..dc7e172
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch
@@ -0,0 +1,75 @@
+From cbf5a2bce75ca2c2fd3e247796b9892f5298584e Mon Sep 17 00:00:00 2001
+From: "John M. Schanck" <jschanck@mozilla.com>
+Date: Thu, 13 Apr 2023 17:43:46 +0000
+Subject: [PATCH] Bug 1826650 - cmd/ecperf: fix dangling pointer warning on gcc
+ 13. r=djackson
+
+Differential Revision: https://phabricator.services.mozilla.com/D174822
+
+--HG--
+extra : moz-landing-system : lando
+---
+ cmd/ecperf/ecperf.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/cmd/ecperf/ecperf.c b/cmd/ecperf/ecperf.c
+index 705d68f35..a07004d8e 100644
+--- a/cmd/ecperf/ecperf.c
++++ b/cmd/ecperf/ecperf.c
+@@ -53,6 +53,7 @@ PKCS11Thread(void *data)
+ SECItem sig;
+ CK_SESSION_HANDLE session;
+ CK_RV crv;
++ void *tmp = NULL;
+
+ threadData->status = SECSuccess;
+ threadData->count = 0;
+@@ -68,6 +69,7 @@ PKCS11Thread(void *data)
+ if (threadData->isSign) {
+ sig.data = sigData;
+ sig.len = sizeof(sigData);
++ tmp = threadData->p2;
+ threadData->p2 = (void *)&sig;
+ }
+
+@@ -79,6 +81,10 @@ PKCS11Thread(void *data)
+ }
+ threadData->count++;
+ }
++
++ if (threadData->isSign) {
++ threadData->p2 = tmp;
++ }
+ return;
+ }
+
+@@ -89,6 +95,7 @@ genericThread(void *data)
+ int iters = threadData->iters;
+ unsigned char sigData[256];
+ SECItem sig;
++ void *tmp = NULL;
+
+ threadData->status = SECSuccess;
+ threadData->count = 0;
+@@ -96,6 +103,7 @@ genericThread(void *data)
+ if (threadData->isSign) {
+ sig.data = sigData;
+ sig.len = sizeof(sigData);
++ tmp = threadData->p2;
+ threadData->p2 = (void *)&sig;
+ }
+
+@@ -107,6 +115,10 @@ genericThread(void *data)
+ }
+ threadData->count++;
+ }
++
++ if (threadData->isSign) {
++ threadData->p2 = tmp;
++ }
+ return;
+ }
+
+--
+2.40.1
+
diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb
index 1de2a40..af842ee 100644
--- a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -43,6 +43,8 @@
file://CVE-2021-43527.patch \
file://CVE-2022-22747.patch \
file://CVE-2023-0767.patch \
+ file://0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch;patchdir=nss \
+ file://0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch;patchdir=nss \
"
SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch
new file mode 100644
index 0000000..996eabf
--- /dev/null
+++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch
@@ -0,0 +1,31 @@
+From 5c9257fa34335ff83f7c01581cf953111072a457 Mon Sep 17 00:00:00 2001
+From: Valeria Petrov <valeria.petrov@spinetix.com>
+Date: Tue, 18 Apr 2023 15:38:53 +0200
+Subject: [PATCH] * modules/mappers/config9.m4: Add 'server' directory to
+ include path if mod_rewrite is enabled.
+
+Upstream-Status: Accepted [https://svn.apache.org/viewvc?view=revision&revision=1909241]
+
+---
+ modules/mappers/config9.m4 | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/modules/mappers/config9.m4 b/modules/mappers/config9.m4
+index 55a97ab993..7120b729b7 100644
+--- a/modules/mappers/config9.m4
++++ b/modules/mappers/config9.m4
+@@ -14,6 +14,11 @@ APACHE_MODULE(userdir, mapping of requests to user-specific directories, , , mos
+ APACHE_MODULE(alias, mapping of requests to different filesystem parts, , , yes)
+ APACHE_MODULE(rewrite, rule based URL manipulation, , , most)
+
++if test "x$enable_rewrite" != "xno"; then
++ # mod_rewrite needs test_char.h
++ APR_ADDTO(INCLUDES, [-I\$(top_builddir)/server])
++fi
++
+ APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])
+
+ APACHE_MODPATH_FINISH
+--
+2.25.1
+
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.56.bb b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.57.bb
similarity index 97%
rename from meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.56.bb
rename to meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.57.bb
index ed5690a..669d277 100644
--- a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.56.bb
+++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.57.bb
@@ -15,6 +15,7 @@
file://0007-apache2-allow-to-disable-selinux-support.patch \
file://0008-Fix-perl-install-directory-to-usr-bin.patch \
file://0009-support-apxs.in-force-destdir-to-be-empty-string.patch \
+ file://0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch \
"
SRC_URI:append:class-target = " \
@@ -26,7 +27,7 @@
"
LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"
-SRC_URI[sha256sum] = "d8d45f1398ba84edd05bb33ca7593ac2989b17cb9c7a0cafe5442d41afdb2d7c"
+SRC_URI[sha256sum] = "dbccb84aee95e095edfbb81e5eb926ccd24e6ada55dcd83caecb262e5cf94d2a"
S = "${WORKDIR}/httpd-${PV}"
diff --git a/poky/meta/classes/populate_sdk_ext.bbclass b/poky/meta/classes/populate_sdk_ext.bbclass
index a43ff3f..1bdfd92 100644
--- a/poky/meta/classes/populate_sdk_ext.bbclass
+++ b/poky/meta/classes/populate_sdk_ext.bbclass
@@ -363,7 +363,8 @@
f.write('BUILDCFG_HEADER = ""\n\n')
# Write METADATA_REVISION
- f.write('METADATA_REVISION = "%s"\n\n' % d.getVar('METADATA_REVISION'))
+ # Needs distro override so it can override the value set in the bbclass code (later than local.conf)
+ f.write('METADATA_REVISION:%s = "%s"\n\n' % (d.getVar('DISTRO'), d.getVar('METADATA_REVISION')))
f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n')
f.write('WITHIN_EXT_SDK = "1"\n\n')
diff --git a/poky/meta/classes/pypi.bbclass b/poky/meta/classes/pypi.bbclass
index 87b4c85..c683674 100644
--- a/poky/meta/classes/pypi.bbclass
+++ b/poky/meta/classes/pypi.bbclass
@@ -24,3 +24,5 @@
UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${PYPI_PACKAGE}/"
UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/"
+
+CVE_PRODUCT ?= "python:${PYPI_PACKAGE}"
diff --git a/poky/meta/lib/oeqa/selftest/cases/runtime_test.py b/poky/meta/lib/oeqa/selftest/cases/runtime_test.py
index 5439bd4..d80f85d 100644
--- a/poky/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/poky/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -177,6 +177,8 @@
distro = oe.lsb.distro_identifier()
if distro and distro.startswith('almalinux'):
self.skipTest('virgl isn\'t working with Alma Linux')
+ if distro and distro.startswith('rocky'):
+ self.skipTest('virgl isn\'t working with Rocky Linux')
if distro and distro == 'debian-8':
self.skipTest('virgl isn\'t working with Debian 8')
if distro and distro == 'centos-7':
@@ -189,10 +191,14 @@
self.skipTest('virgl isn\'t working with Fedora 35')
if distro and distro == 'fedora-36':
self.skipTest('virgl isn\'t working with Fedora 36')
+ if distro and distro == 'fedora-37':
+ self.skipTest('virgl isn\'t working with Fedora 37')
if distro and distro == 'opensuseleap-15.0':
self.skipTest('virgl isn\'t working with Opensuse 15.0')
if distro and distro == 'ubuntu-22.04':
self.skipTest('virgl isn\'t working with Ubuntu 22.04')
+ if distro and distro == 'ubuntu-22.10':
+ self.skipTest('virgl isn\'t working with Ubuntu 22.10')
qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native')
sdl_packageconfig = get_bb_var('PACKAGECONFIG', 'libsdl2-native')
diff --git a/poky/meta/lib/oeqa/utils/metadata.py b/poky/meta/lib/oeqa/utils/metadata.py
index 8013aa6..15ec190 100644
--- a/poky/meta/lib/oeqa/utils/metadata.py
+++ b/poky/meta/lib/oeqa/utils/metadata.py
@@ -27,9 +27,9 @@
data_dict = get_bb_vars()
# Distro information
- info_dict['distro'] = {'id': data_dict['DISTRO'],
- 'version_id': data_dict['DISTRO_VERSION'],
- 'pretty_name': '%s %s' % (data_dict['DISTRO'], data_dict['DISTRO_VERSION'])}
+ info_dict['distro'] = {'id': data_dict.get('DISTRO', 'NODISTRO'),
+ 'version_id': data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'),
+ 'pretty_name': '%s %s' % (data_dict.get('DISTRO', 'NODISTRO'), data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'))}
# Host distro information
os_release = get_os_release()
diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
new file mode 100644
index 0000000..ea1601c
--- /dev/null
+++ b/poky/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,54 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+CVE: CVE-2023-28488
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 7efa7e45..82017692 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ struct sockaddr_in *dst_addr)
+ {
+- int bytes;
+ struct ip_udp_dhcp_packet packet;
+ uint16_t check;
++ int bytes, tot_len;
+
+ memset(&packet, 0, sizeof(packet));
+
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ if (bytes < 0)
+ return -1;
+
+- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+- return -1;
+-
+- if (bytes < ntohs(packet.ip.tot_len))
++ tot_len = ntohs(packet.ip.tot_len);
++ if (bytes > tot_len) {
++ /* ignore any extra garbage bytes */
++ bytes = tot_len;
++ } else if (bytes < tot_len) {
+ /* packet is bigger than sizeof(packet), we did partial read */
+ return -1;
++ }
+
+- /* ignore any extra garbage bytes */
+- bytes = ntohs(packet.ip.tot_len);
++ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++ return -1;
+
+ if (!sanity_check(&packet, bytes))
+ return -1;
+--
+cgit
+
diff --git a/poky/meta/recipes-connectivity/connman/connman_1.37.bb b/poky/meta/recipes-connectivity/connman/connman_1.37.bb
index 73d7f75..8062a09 100644
--- a/poky/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/poky/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -14,6 +14,7 @@
file://CVE-2022-23098.patch \
file://CVE-2022-32292.patch \
file://CVE-2022-32293.patch \
+ file://CVE-2023-28488.patch \
"
SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/sshd.socket b/poky/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 12c39b2..8d76d62 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/poky/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,5 +1,6 @@
[Unit]
Conflicts=sshd.service
+Wants=sshdgenkeys.service
[Socket]
ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/sshd@.service b/poky/meta/recipes-connectivity/openssh/openssh/sshd@.service
index 9d83dfb..422450c 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh/sshd@.service
+++ b/poky/meta/recipes-connectivity/openssh/openssh/sshd@.service
@@ -1,13 +1,11 @@
[Unit]
Description=OpenSSH Per-Connection Daemon
-Wants=sshdgenkeys.service
After=sshdgenkeys.service
[Service]
Environment="SSHD_OPTS="
EnvironmentFile=-/etc/default/ssh
ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
StandardInput=socket
StandardError=syslog
KillMode=process
diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
new file mode 100644
index 0000000..907f2c4
--- /dev/null
+++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
@@ -0,0 +1,79 @@
+From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+
+CVE: CVE-2023-28484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ result/schemas/issue491_0_0.err | 1 +
+ test/schemas/issue491_0.xml | 1 +
+ test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
+ xmlschemas.c | 2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 00000000..9b2bb969
+--- /dev/null
++++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 00000000..e2b2fc2e
+--- /dev/null
++++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++<Child xmlns="http://www.test.com">5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 00000000..81702649
+--- /dev/null
++++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
++ <xs:complexType name="BaseType">
++ <xs:simpleContent>
++ <xs:extension base="xs:int" />
++ </xs:simpleContent>
++ </xs:complexType>
++ <xs:complexType name="ChildType">
++ <xs:complexContent>
++ <xs:extension base="BaseType">
++ <xs:sequence>
++ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
++ </xs:sequence>
++ </xs:extension>
++ </xs:complexContent>
++ </xs:complexType>
++ <xs:element name="Child" type="ChildType" />
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 6a353858..a4eaf591 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ "allowed to appear inside other model groups",
+ NULL, NULL);
+
+- } else if (! dummySequence) {
++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ xmlSchemaTreeItemPtr effectiveContent =
+ (xmlSchemaTreeItemPtr) type->subtypes;
+ /*
+--
+GitLab
+
diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
new file mode 100644
index 0000000..1252668
--- /dev/null
+++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
@@ -0,0 +1,42 @@
+From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+
+CVE: CVE-2023-29469
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 86c3f6d7..d7fd1a06 100644
+--- a/dict.c
++++ b/dict.c
+@@ -451,7 +451,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+ unsigned long value = seed;
+
+- if (name == NULL) return(0);
++ if ((name == NULL) || (namelen <= 0))
++ return(value);
+ value = *name;
+ value <<= 5;
+ if (namelen > 10) {
+--
+GitLab
+
diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 40e3434..034192d 100644
--- a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -36,6 +36,8 @@
file://CVE-2016-3709.patch \
file://CVE-2022-40303.patch \
file://CVE-2022-40304.patch \
+ file://CVE-2023-28484.patch \
+ file://CVE-2023-29469.patch \
"
SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
diff --git a/poky/meta/recipes-devtools/git/files/CVE-2023-25652.patch b/poky/meta/recipes-devtools/git/files/CVE-2023-25652.patch
new file mode 100644
index 0000000..d6b17a2
--- /dev/null
+++ b/poky/meta/recipes-devtools/git/files/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Thu, 9 Mar 2023 16:02:54 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+
+The `git apply --reject` is expected to write out `.rej` files in case
+one or more hunks fail to apply cleanly. Historically, the command
+overwrites any existing `.rej` files. The idea being that
+apply/reject/edit cycles are relatively common, and the generated `.rej`
+files are not considered precious.
+
+But the command does not overwrite existing `.rej` symbolic links, and
+instead follows them. This is unsafe because the same patch could
+potentially create such a symbolic link and point at arbitrary paths
+outside the current worktree, and `git apply` would write the contents
+of the `.rej` file into that location.
+
+Therefore, let's make sure that any existing `.rej` file or symbolic
+link is removed before writing it.
+
+Reported-by: RyotaK <ryotak.mail@gmail.com>
+Helped-by: Taylor Blau <me@ttaylorr.com>
+Helped-by: Junio C Hamano <gitster@pobox.com>
+Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+CVE: CVE-2023-25652
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ apply.c | 14 ++++++++++++--
+ t/t4115-apply-symlink.sh | 15 +++++++++++++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/apply.c b/apply.c
+index 4f303bf..aa7111d 100644
+--- a/apply.c
++++ b/apply.c
+@@ -4531,7 +4531,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+ FILE *rej;
+ char namebuf[PATH_MAX];
+ struct fragment *frag;
+- int cnt = 0;
++ int fd, cnt = 0;
+ struct strbuf sb = STRBUF_INIT;
+
+ for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4571,7 +4571,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+ memcpy(namebuf, patch->new_name, cnt);
+ memcpy(namebuf + cnt, ".rej", 5);
+
+- rej = fopen(namebuf, "w");
++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++ if (fd < 0) {
++ if (errno != EEXIST)
++ return error_errno(_("cannot open %s"), namebuf);
++ if (unlink(namebuf))
++ return error_errno(_("cannot unlink '%s'"), namebuf);
++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++ if (fd < 0)
++ return error_errno(_("cannot open %s"), namebuf);
++ }
++ rej = fdopen(fd, "w");
+ if (!rej)
+ return error_errno(_("cannot open %s"), namebuf);
+
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 1acb7b2..2b034ff 100755
+--- a/t/t4115-apply-symlink.sh
++++ b/t/t4115-apply-symlink.sh
+@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
+ test_path_is_file .git/delete-me
+ '
+
++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
++ test_when_finished "git reset --hard && git clean -dfx" &&
++
++ test_commit file &&
++ echo modified >file.t &&
++ git diff -- file.t >patch &&
++ echo modified-again >file.t &&
++
++ ln -s foo file.t.rej &&
++ test_must_fail git apply patch --reject 2>err &&
++ test_i18ngrep "Rejected hunk" err &&
++ test_path_is_missing foo &&
++ test_path_is_file file.t.rej
++'
++
+ test_done
+--
+2.25.1
+
diff --git a/poky/meta/recipes-devtools/git/files/CVE-2023-29007.patch b/poky/meta/recipes-devtools/git/files/CVE-2023-29007.patch
new file mode 100644
index 0000000..e166c01
--- /dev/null
+++ b/poky/meta/recipes-devtools/git/files/CVE-2023-29007.patch
@@ -0,0 +1,159 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+ config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+ config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+ config: avoid fixed-sized buffer when renaming/deleting a section
+ t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4]
+CVE: CVE-2023-29007
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ config.c | 36 +++++++++++++++++++++++++-----------
+ t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index e7052b3..676b687 100644
+--- a/config.c
++++ b/config.c
+@@ -2987,9 +2987,10 @@ void git_config_set_multivar(const char *key, const char *value,
+ multi_replace);
+ }
+
+-static int section_name_match (const char *buf, const char *name)
++static size_t section_name_match (const char *buf, const char *name)
+ {
+- int i = 0, j = 0, dot = 0;
++ size_t i = 0, j = 0;
++ int dot = 0;
+ if (buf[i] != '[')
+ return 0;
+ for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3042,6 +3043,8 @@ static int section_name_is_ok(const char *name)
+ return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
++
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char *config_filename,
+ const char *old_name,
+@@ -3051,11 +3054,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ char *filename_buf = NULL;
+ struct lock_file lock = LOCK_INIT;
+ int out_fd;
+- char buf[1024];
++ struct strbuf buf = STRBUF_INIT;
+ FILE *config_file = NULL;
+ struct stat st;
+ struct strbuf copystr = STRBUF_INIT;
+ struct config_store_data store;
++ uint32_t line_nr = 0;
+
+ memset(&store, 0, sizeof(store));
+
+@@ -3092,16 +3096,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ goto out;
+ }
+
+- while (fgets(buf, sizeof(buf), config_file)) {
+- int i;
+- int length;
++ while (!strbuf_getwholeline(&buf, config_file, '\n')) {
++ size_t i, length;
+ int is_section = 0;
+- char *output = buf;
+- for (i = 0; buf[i] && isspace(buf[i]); i++)
++ char *output = buf.buf;
++
++ line_nr++;
++
++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) {
++ ret = error(_("refusing to work with overly long line "
++ "in '%s' on line %"PRIuMAX),
++ config_filename, (uintmax_t)line_nr);
++ goto out;
++ }
++
++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++)
+ ; /* do nothing */
+- if (buf[i] == '[') {
++ if (buf.buf[i] == '[') {
+ /* it's a section */
+- int offset;
++ size_t offset;
+ is_section = 1;
+
+ /*
+@@ -3118,7 +3131,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ strbuf_reset(©str);
+ }
+
+- offset = section_name_match(&buf[i], old_name);
++ offset = section_name_match(&buf.buf[i], old_name);
+ if (offset > 0) {
+ ret++;
+ if (new_name == NULL) {
+@@ -3193,6 +3206,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ out_no_rollback:
+ free(filename_buf);
+ config_store_data_clear(&store);
++ strbuf_release(&buf);
+ return ret;
+ }
+
+diff --git a/t/t1300-config.sh b/t/t1300-config.sh
+index 983a0a1..9b67f6b 100755
+--- a/t/t1300-config.sh
++++ b/t/t1300-config.sh
+@@ -616,6 +616,36 @@ test_expect_success 'renaming to bogus section is rejected' '
+ test_must_fail git config --rename-section branch.zwei "bogus name"
+ '
+
++test_expect_success 'renaming a section with a long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %1024s [a] e = f\\n" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ git config -f y --rename-section a xyz &&
++ test_must_fail git config -f y b.e
++'
++
++test_expect_success 'renaming an embedded section with a long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %1024s [a] [foo] e = f\\n" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ git config -f y --rename-section a xyz &&
++ test_must_fail git config -f y foo.e
++'
++
++test_expect_success 'renaming a section with an overly-long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %525000s e" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ test_must_fail git config -f y --rename-section a xyz 2>err &&
++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err
++'
++
+ cat >> .git/config << EOF
+ [branch "zwei"] a = 1 [branch "vier"]
+ EOF
+--
+2.25.1
+
diff --git a/poky/meta/recipes-devtools/git/git.inc b/poky/meta/recipes-devtools/git/git.inc
index 36318ee..e64472e 100644
--- a/poky/meta/recipes-devtools/git/git.inc
+++ b/poky/meta/recipes-devtools/git/git.inc
@@ -28,6 +28,8 @@
file://CVE-2023-22490-2.patch \
file://CVE-2023-22490-3.patch \
file://CVE-2023-23946.patch \
+ file://CVE-2023-29007.patch \
+ file://CVE-2023-25652.patch \
"
S = "${WORKDIR}/git-${PV}"
diff --git a/poky/meta/recipes-devtools/go/go-1.14.inc b/poky/meta/recipes-devtools/go/go-1.14.inc
index 3b99b8f..2c500e8 100644
--- a/poky/meta/recipes-devtools/go/go-1.14.inc
+++ b/poky/meta/recipes-devtools/go/go-1.14.inc
@@ -58,6 +58,11 @@
file://CVE-2020-29510.patch \
file://CVE-2023-24537.patch \
file://CVE-2023-24534.patch \
+ file://CVE-2023-24538-1.patch \
+ file://CVE-2023-24538-2.patch \
+ file://CVE-2023-24538-3.patch \
+ file://CVE-2023-24539.patch \
+ file://CVE-2023-24540.patch \
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
new file mode 100644
index 0000000..eda26e5
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
@@ -0,0 +1,125 @@
+From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@golang.org>
+Date: Mon, 2 Aug 2021 14:55:51 -0700
+Subject: [PATCH 1/3] net/netip: add new IP address package
+
+Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
+Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
+Co-authored-by: David Anderson <dave@natulte.net> (Tailscale CLA)
+Co-authored-by: David Crawshaw <crawshaw@tailscale.com> (Tailscale CLA)
+Co-authored-by: Dmytro Shynkevych <dmytro@tailscale.com> (Tailscale CLA)
+Co-authored-by: Elias Naur <mail@eliasnaur.com>
+Co-authored-by: Joe Tsai <joetsai@digital-static.net> (Tailscale CLA)
+Co-authored-by: Jonathan Yu <jawnsy@cpan.org> (GitHub @jawnsy)
+Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com> (Tailscale CLA)
+Co-authored-by: Maisem Ali <maisem@tailscale.com> (Tailscale CLA)
+Co-authored-by: Manuel Mendez (Go AUTHORS mmendez534@...)
+Co-authored-by: Matt Layher <mdlayher@gmail.com>
+Co-authored-by: Noah Treuhaft <noah.treuhaft@gmail.com> (GitHub @nwt)
+Co-authored-by: Stefan Majer <stefan.majer@gmail.com>
+Co-authored-by: Terin Stock <terinjokes@gmail.com> (Cloudflare CLA)
+Co-authored-by: Tobias Klauser <tklauser@distanz.ch>
+
+Fixes #46518
+
+Change-Id: I0041f9e1115d61fa6e95fcf32b01d9faee708712
+Reviewed-on: https://go-review.googlesource.com/c/go/+/339309
+Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Trust: Brad Fitzpatrick <bradfitz@golang.org>
+
+Dependency Patch #1
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0]
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/internal/godebug/godebug.go | 34 ++++++++++++++++++++++++++++++++++
+ src/internal/godebug/godebug_test.go | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+ create mode 100644 src/internal/godebug/godebug.go
+ create mode 100644 src/internal/godebug/godebug_test.go
+
+diff --git a/src/internal/godebug/godebug.go b/src/internal/godebug/godebug.go
+new file mode 100644
+index 0000000..ac434e5
+--- /dev/null
++++ b/src/internal/godebug/godebug.go
+@@ -0,0 +1,34 @@
++// Copyright 2021 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++// Package godebug parses the GODEBUG environment variable.
++package godebug
++
++import "os"
++
++// Get returns the value for the provided GODEBUG key.
++func Get(key string) string {
++ return get(os.Getenv("GODEBUG"), key)
++}
++
++// get returns the value part of key=value in s (a GODEBUG value).
++func get(s, key string) string {
++ for i := 0; i < len(s)-len(key)-1; i++ {
++ if i > 0 && s[i-1] != ',' {
++ continue
++ }
++ afterKey := s[i+len(key):]
++ if afterKey[0] != '=' || s[i:i+len(key)] != key {
++ continue
++ }
++ val := afterKey[1:]
++ for i, b := range val {
++ if b == ',' {
++ return val[:i]
++ }
++ }
++ return val
++ }
++ return ""
++}
+diff --git a/src/internal/godebug/godebug_test.go b/src/internal/godebug/godebug_test.go
+new file mode 100644
+index 0000000..41b9117
+--- /dev/null
++++ b/src/internal/godebug/godebug_test.go
+@@ -0,0 +1,34 @@
++// Copyright 2021 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package godebug
++
++import "testing"
++
++func TestGet(t *testing.T) {
++ tests := []struct {
++ godebug string
++ key string
++ want string
++ }{
++ {"", "", ""},
++ {"", "foo", ""},
++ {"foo=bar", "foo", "bar"},
++ {"foo=bar,after=x", "foo", "bar"},
++ {"before=x,foo=bar,after=x", "foo", "bar"},
++ {"before=x,foo=bar", "foo", "bar"},
++ {",,,foo=bar,,,", "foo", "bar"},
++ {"foodecoy=wrong,foo=bar", "foo", "bar"},
++ {"foo=", "foo", ""},
++ {"foo", "foo", ""},
++ {",foo", "foo", ""},
++ {"foo=bar,baz", "loooooooong", ""},
++ }
++ for _, tt := range tests {
++ got := get(tt.godebug, tt.key)
++ if got != tt.want {
++ t.Errorf("get(%q, %q) = %q; want %q", tt.godebug, tt.key, got, tt.want)
++ }
++ }
++}
+--
+2.7.4
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
new file mode 100644
index 0000000..5036f28
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
@@ -0,0 +1,196 @@
+From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
+From: empijei <robclap8@gmail.com>
+Date: Fri, 27 Mar 2020 19:27:55 +0100
+Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes
+ for JSON compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The existing implementation is not compatible with JSON
+escape as it uses hex escaping.
+Unicode escape, instead, is valid for both JSON and JS.
+This fix avoids creating a separate escaping context for
+scripts of type "application/ld+json" and it is more
+future-proof in case more JSON+JS contexts get added
+to the platform (e.g. import maps).
+
+Fixes #33671
+Fixes #37634
+
+Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226097
+Reviewed-by: Carl Johnson <me@carlmjohnson.net>
+Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
+Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+Dependency Patch #2
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/js.go | 70 +++++++++++++++++++++++++++-------------------
+ src/text/template/funcs.go | 8 +++---
+ 2 files changed, 46 insertions(+), 32 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 0e91458..ea9c183 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string {
+ }
+ // TODO: detect cycles before calling Marshal which loops infinitely on
+ // cyclic data. This may be an unacceptable DoS risk.
+-
+ b, err := json.Marshal(a)
+ if err != nil {
+ // Put a space before comment so that if it is flush against
+@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string {
+ // TODO: maybe post-process output to prevent it from containing
+ // "<!--", "-->", "<![CDATA[", "]]>", or "</script"
+ // in case custom marshalers produce output containing those.
+-
+- // TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
++ // Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper
++ // supports ld+json content-type.
+ if len(b) == 0 {
+ // In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
+ // not cause the output `x=y/*z`.
+@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string {
+ r, w = utf8.DecodeRuneInString(s[i:])
+ var repl string
+ switch {
++ case int(r) < len(lowUnicodeReplacementTable):
++ repl = lowUnicodeReplacementTable[r]
+ case int(r) < len(replacementTable) && replacementTable[r] != "":
+ repl = replacementTable[r]
+ case r == '\u2028':
+@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string {
+ return b.String()
+ }
+
++var lowUnicodeReplacementTable = []string{
++ 0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`,
++ '\a': `\u0007`,
++ '\b': `\u0008`,
++ '\t': `\t`,
++ '\n': `\n`,
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
++ '\f': `\f`,
++ '\r': `\r`,
++ 0xe: `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`,
++ 0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`,
++ 0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`,
++}
++
+ var jsStrReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+ '\t': `\t`,
+ '\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+ '\f': `\f`,
+ '\r': `\r`,
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+- '"': `\x22`,
+- '&': `\x26`,
+- '\'': `\x27`,
+- '+': `\x2b`,
++ '"': `\u0022`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
++ '+': `\u002b`,
+ '/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+ '\\': `\\`,
+ }
+
+ // jsStrNormReplacementTable is like jsStrReplacementTable but does not
+ // overencode existing escapes since this table has no entry for `\`.
+ var jsStrNormReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+ '\t': `\t`,
+ '\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+ '\f': `\f`,
+ '\r': `\r`,
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+- '"': `\x22`,
+- '&': `\x26`,
+- '\'': `\x27`,
+- '+': `\x2b`,
++ '"': `\u0022`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
++ '+': `\u002b`,
+ '/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+ }
+-
+ var jsRegexpReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+ '\t': `\t`,
+ '\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+ '\f': `\f`,
+ '\r': `\r`,
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+- '"': `\x22`,
++ '"': `\u0022`,
+ '$': `\$`,
+- '&': `\x26`,
+- '\'': `\x27`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
+ '(': `\(`,
+ ')': `\)`,
+ '*': `\*`,
+- '+': `\x2b`,
++ '+': `\u002b`,
+ '-': `\-`,
+ '.': `\.`,
+ '/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+ '?': `\?`,
+ '[': `\[`,
+ '\\': `\\`,
+diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go
+index 46125bc..f3de9fb 100644
+--- a/src/text/template/funcs.go
++++ b/src/text/template/funcs.go
+@@ -640,10 +640,10 @@ var (
+ jsBackslash = []byte(`\\`)
+ jsApos = []byte(`\'`)
+ jsQuot = []byte(`\"`)
+- jsLt = []byte(`\x3C`)
+- jsGt = []byte(`\x3E`)
+- jsAmp = []byte(`\x26`)
+- jsEq = []byte(`\x3D`)
++ jsLt = []byte(`\u003C`)
++ jsGt = []byte(`\u003E`)
++ jsAmp = []byte(`\u0026`)
++ jsEq = []byte(`\u003D`)
+ )
+
+ // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
+--
+2.7.4
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch
new file mode 100644
index 0000000..d5bb33e
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch
@@ -0,0 +1,208 @@
+From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 20 Mar 2023 11:01:13 -0700
+Subject: [PATCH 3/3] html/template: disallow actions in JS template literals
+
+ECMAScript 6 introduced template literals[0][1] which are delimited with
+backticks. These need to be escaped in a similar fashion to the
+delimiters for other string literals. Additionally template literals can
+contain special syntax for string interpolation.
+
+There is no clear way to allow safe insertion of actions within JS
+template literals, as handling (JS) string interpolation inside of these
+literals is rather complex. As such we've chosen to simply disallow
+template actions within these template literals.
+
+A new error code is added for this parsing failure case, errJsTmplLit,
+but it is unexported as it is not backwards compatible with other minor
+release versions to introduce an API change in a minor release. We will
+export this code in the next major release.
+
+The previous behavior (with the cavet that backticks are now escaped
+properly) can be re-enabled with GODEBUG=jstmpllitinterp=1.
+
+This change subsumes CL471455.
+
+Thanks to Sohom Datta, Manipal Institute of Technology, for reporting
+this issue.
+
+Fixes CVE-2023-24538
+For #59234
+Fixes #59271
+
+[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals
+[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481987
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/context.go | 2 ++
+ src/html/template/error.go | 13 +++++++++++++
+ src/html/template/escape.go | 11 +++++++++++
+ src/html/template/js.go | 2 ++
+ src/html/template/jsctx_string.go | 9 +++++++++
+ src/html/template/transition.go | 7 ++++++-
+ 6 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index f7d4849..0b65313 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -116,6 +116,8 @@ const (
+ stateJSDqStr
+ // stateJSSqStr occurs inside a JavaScript single quoted string.
+ stateJSSqStr
++ // stateJSBqStr occurs inside a JavaScript back quoted string.
++ stateJSBqStr
+ // stateJSRegexp occurs inside a JavaScript regexp literal.
+ stateJSRegexp
+ // stateJSBlockCmt occurs inside a JavaScript /* block comment */.
+diff --git a/src/html/template/error.go b/src/html/template/error.go
+index 0e52706..fd26b64 100644
+--- a/src/html/template/error.go
++++ b/src/html/template/error.go
+@@ -211,6 +211,19 @@ const (
+ // pipeline occurs in an unquoted attribute value context, "html" is
+ // disallowed. Avoid using "html" and "urlquery" entirely in new templates.
+ ErrPredefinedEscaper
++
++ // errJSTmplLit: "... appears in a JS template literal"
++ // Example:
++ // <script>var tmpl = `{{.Interp}`</script>
++ // Discussion:
++ // Package html/template does not support actions inside of JS template
++ // literals.
++ //
++ // TODO(rolandshoemaker): we cannot add this as an exported error in a minor
++ // release, since it is backwards incompatible with the other minor
++ // releases. As such we need to leave it unexported, and then we'll add it
++ // in the next major release.
++ errJSTmplLit
+ )
+
+ func (e *Error) Error() string {
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index f12dafa..29ca5b3 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -8,6 +8,7 @@ import (
+ "bytes"
+ "fmt"
+ "html"
++ "internal/godebug"
+ "io"
+ "text/template"
+ "text/template/parse"
+@@ -203,6 +204,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
+ c.jsCtx = jsCtxDivOp
+ case stateJSDqStr, stateJSSqStr:
+ s = append(s, "_html_template_jsstrescaper")
++ case stateJSBqStr:
++ debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp")
++ if debugAllowActionJSTmpl == "1" {
++ s = append(s, "_html_template_jsstrescaper")
++ } else {
++ return context{
++ state: stateError,
++ err: errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n),
++ }
++ }
+ case stateJSRegexp:
+ s = append(s, "_html_template_jsregexpescaper")
+ case stateCSS:
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index ea9c183..b888eaf 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+ '"': `\u0022`,
++ '`': `\u0060`,
+ '&': `\u0026`,
+ '\'': `\u0027`,
+ '+': `\u002b`,
+@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{
+ '"': `\u0022`,
+ '&': `\u0026`,
+ '\'': `\u0027`,
++ '`': `\u0060`,
+ '+': `\u002b`,
+ '/': `\/`,
+ '<': `\u003c`,
+diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go
+index dd1d87e..2394893 100644
+--- a/src/html/template/jsctx_string.go
++++ b/src/html/template/jsctx_string.go
+@@ -4,6 +4,15 @@ package template
+
+ import "strconv"
+
++func _() {
++ // An "invalid array index" compiler error signifies that the constant values have changed.
++ // Re-run the stringer command to generate them again.
++ var x [1]struct{}
++ _ = x[jsCtxRegexp-0]
++ _ = x[jsCtxDivOp-1]
++ _ = x[jsCtxUnknown-2]
++}
++
+ const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown"
+
+ var _jsCtx_index = [...]uint8{0, 11, 21, 33}
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 06df679..92eb351 100644
+--- a/src/html/template/transition.go
++++ b/src/html/template/transition.go
+@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){
+ stateJS: tJS,
+ stateJSDqStr: tJSDelimited,
+ stateJSSqStr: tJSDelimited,
++ stateJSBqStr: tJSDelimited,
+ stateJSRegexp: tJSDelimited,
+ stateJSBlockCmt: tBlockCmt,
+ stateJSLineCmt: tLineCmt,
+@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) {
+
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+- i := bytes.IndexAny(s, `"'/`)
++ i := bytes.IndexAny(s, "\"`'/")
+ if i == -1 {
+ // Entire input is non string, comment, regexp tokens.
+ c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) {
+ c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp
+ case '\'':
+ c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp
++ case '`':
++ c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp
+ case '/':
+ switch {
+ case i+1 < len(s) && s[i+1] == '/':
+@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) {
+ switch c.state {
+ case stateJSSqStr:
+ specials = `\'`
++ case stateJSBqStr:
++ specials = "`\\"
+ case stateJSRegexp:
+ specials = `\/[]`
+ }
+--
+2.7.4
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
new file mode 100644
index 0000000..281b648
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
@@ -0,0 +1,60 @@
+From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 13 Apr 2023 15:40:44 -0700
+Subject: [PATCH] html/template: disallow angle brackets in CSS values
+
+Angle brackets should not appear in CSS contexts, as they may affect
+token boundaries (such as closing a <style> tag, resulting in
+injection). Instead emit filterFailsafe, matching the behavior for other
+dangerous characters.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #59720
+Fixes CVE-2023-24539
+
+Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1]
+CVE: CVE-2023-24539
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ src/html/template/css.go | 2 +-
+ src/html/template/css_test.go | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/css.go b/src/html/template/css.go
+index 890a0c6b227fe..f650d8b3e843a 100644
+--- a/src/html/template/css.go
++++ b/src/html/template/css.go
+@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
+ // inside a string that might embed JavaScript source.
+ for i, c := range b {
+ switch c {
+- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
+ return filterFailsafe
+ case '-':
+ // Disallow <!-- or -->.
+diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
+index a735638b0314f..2b76256a766e9 100644
+--- a/src/html/template/css_test.go
++++ b/src/html/template/css_test.go
+@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
+ {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
+ {`-expre\0000073sion`, "-expre\x073sion"},
+ {`@import url evil.css`, "ZgotmplZ"},
++ {"<", "ZgotmplZ"},
++ {">", "ZgotmplZ"},
+ }
+ for _, test := range tests {
+ got := cssValueFilter(test.css)
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
new file mode 100644
index 0000000..799a0df
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
@@ -0,0 +1,90 @@
+From ce7bd33345416e6d8cac901792060591cafc2797 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Tue, 11 Apr 2023 16:27:43 +0100
+Subject: [PATCH] [release-branch.go1.19] html/template: handle all JS
+ whitespace characters
+
+Rather than just a small set. Character class as defined by \s [0].
+
+Thanks to Juho Nurminen of Mattermost for reporting this.
+
+For #59721
+Fixes #59813
+Fixes CVE-2023-24540
+
+[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes
+
+Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Carlos Amedee <carlos@golang.org>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797]
+CVE: CVE-2023-24540
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/html/template/js.go | 8 +++++++-
+ src/html/template/js_test.go | 11 +++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index fe7054efe5cd8..4e05c1455723f 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -13,6 +13,11 @@ import (
+ "unicode/utf8"
+ )
+
++// jsWhitespace contains all of the JS whitespace characters, as defined
++// by the \s character class.
++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
++
+ // nextJSCtx returns the context that determines whether a slash after the
+ // given run of tokens starts a regular expression instead of a division
+ // operator: / or /=.
+@@ -26,7 +31,8 @@ import (
+ // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
+ // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
+ func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
+- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
++ // Trim all JS whitespace characters
++ s = bytes.TrimRight(s, jsWhitespace)
+ if len(s) == 0 {
+ return preceding
+ }
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index e07c695f7a77d..e52180cc113b5 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
+ {jsCtxDivOp, "0"},
+ // Dots that are part of a number are div preceders.
+ {jsCtxDivOp, "0."},
++ // Some JS interpreters treat NBSP as a normal space, so
++ // we must too in order to properly escape things.
++ {jsCtxRegexp, "=\u00A0"},
+ }
+
+ for _, test := range tests {
+- if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
+- t.Errorf("want %s got %q", test.jsCtx, test.s)
++ if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ }
+- if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
+- t.Errorf("want %s got %q", test.jsCtx, test.s)
++ if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ }
+ }
+
diff --git a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
index 7f72f33..b6b81d5 100644
--- a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
+++ b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
@@ -1,7 +1,7 @@
[Unit]
Description=Run pending postinsts
DefaultDependencies=no
-After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount
+After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount ldconfig.service
Before=sysinit.target
[Service]
diff --git a/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch b/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch
new file mode 100644
index 0000000..4b96e43
--- /dev/null
+++ b/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch
@@ -0,0 +1,39 @@
+From 77ff5f1be394eb2c786df561ff37dde7f982ec76 Mon Sep 17 00:00:00 2001
+From: Stefano Babic <sbabic@denx.de>
+Date: Fri, 28 Jul 2017 13:20:52 +0200
+Subject: [PATCH] Wrong CRC with ASCII CRC for large files
+
+Due to signedness, the checksum is not computed when filesize is bigger
+a 2GB.
+
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/bug-cpio/2017-07/msg00004.html]
+Signed-off-by: Stefano Babic <sbabic@denx.de>
+---
+ src/copyout.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 1f0987a..727aeca 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -34,13 +34,13 @@
+ compute and return a checksum for them. */
+
+ static uint32_t
+-read_for_checksum (int in_file_des, int file_size, char *file_name)
++read_for_checksum (int in_file_des, unsigned int file_size, char *file_name)
+ {
+ uint32_t crc;
+ char buf[BUFSIZ];
+- int bytes_left;
+- int bytes_read;
+- int i;
++ unsigned int bytes_left;
++ unsigned int bytes_read;
++ unsigned int i;
+
+ crc = 0;
+
+--
+2.7.4
+
diff --git a/poky/meta/recipes-extended/cpio/cpio_2.13.bb b/poky/meta/recipes-extended/cpio/cpio_2.13.bb
index 7c8a465..86527da 100644
--- a/poky/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/poky/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -10,6 +10,7 @@
file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0002-src-global.c-Remove-superfluous-declaration-of-progr.patch \
file://CVE-2021-38185.patch \
+ file://0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch \
"
SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810"
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
new file mode 100644
index 0000000..852f245
--- /dev/null
+++ b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
@@ -0,0 +1,54 @@
+From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Mar 2023 13:19:57 +0000
+Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
+
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179]
+CVE: CVE-2023-28879
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/sbcp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 6b0383c..90784b5 100644
+--- a/base/sbcp.c
++++ b/base/sbcp.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2019 Artifex Software, Inc.
++/* Copyright (C) 2001-2023 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+ byte ch = *++p;
+
+ if (ch <= 31 && escaped[ch]) {
++ /* Make sure we have space to store two characters in the write buffer,
++ * if we don't then exit without consuming the input character, we'll process
++ * that on the next time round.
++ */
++ if (pw->limit - q < 2) {
++ p--;
++ break;
++ }
+ if (p == rlimit) {
+ p--;
+ break;
+--
+2.25.1
+
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/poky/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index a829d4b..57f0b51 100644
--- a/poky/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/poky/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -39,6 +39,7 @@
file://CVE-2021-3781_1.patch \
file://CVE-2021-3781_2.patch \
file://CVE-2021-3781_3.patch \
+ file://CVE-2023-28879.patch \
"
SRC_URI = "${SRC_URI_BASE} \
diff --git a/poky/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/poky/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
new file mode 100644
index 0000000..800d775
--- /dev/null
+++ b/poky/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,40 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+ overflow.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+
+Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
+CVE: CVE-2023-2004
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/truetype/ttgxvar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 78d87dc..258d701 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -43,6 +43,7 @@
+ #include FT_INTERNAL_DEBUG_H
+ #include FT_CONFIG_CONFIG_H
+ #include FT_INTERNAL_STREAM_H
++#include <freetype/internal/ftcalc.h>
+ #include FT_INTERNAL_SFNT_H
+ #include FT_TRUETYPE_TAGS_H
+ #include FT_TRUETYPE_IDS_H
+@@ -1065,7 +1066,7 @@
+ delta == 1 ? "" : "s",
+ vertical ? "VVAR" : "HVAR" ));
+
+- *avalue += delta;
++ *avalue = ADD_INT( *avalue, delta );
+
+ Exit:
+ return error;
+--
+2.17.1
diff --git a/poky/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/poky/meta/recipes-graphics/freetype/freetype_2.10.1.bb
index 72001c5..6af744b 100644
--- a/poky/meta/recipes-graphics/freetype/freetype_2.10.1.bb
+++ b/poky/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -18,6 +18,7 @@
file://CVE-2022-27404.patch \
file://CVE-2022-27405.patch \
file://CVE-2022-27406.patch \
+ file://CVE-2023-2004.patch \
"
SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
new file mode 100644
index 0000000..ef2ee5d
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
@@ -0,0 +1,38 @@
+From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 25 Jan 2023 11:41:40 +1000
+Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses
+
+CVE-2023-0494, ZDI-CAN-19596
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec]
+CVE: CVE-2023-0494
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 217baa9561..dcd4efb3bc 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+ sizeof(XkbAction));
+ }
+- else
++ else {
+ free(to->button->xkb_acts);
++ to->button->xkb_acts = NULL;
++ }
+
+ memcpy(to->button->labels, from->button->labels,
+ from->button->numButtons * sizeof(Atom));
+--
+GitLab
+
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
new file mode 100644
index 0000000..51d0e0c
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
@@ -0,0 +1,46 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110]
+CVE: CVE-2023-1393
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86b..b30da589e9 100644
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+ ret = (*pScreen->DestroyWindow) (pWin);
+ cs->DestroyWindow = pScreen->DestroyWindow;
+ pScreen->DestroyWindow = compDestroyWindow;
++
++ /* Did we just destroy the overlay window? */
++ if (pWin == cs->pOverlayWin)
++ cs->pOverlayWin = NULL;
++
+ /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+ return ret;
+ }
+--
+GitLab
+
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index ab18a87..5c604fa 100644
--- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -14,6 +14,8 @@
file://CVE-2022-46342.patch \
file://CVE-2022-46343.patch \
file://CVE-2022-46344.patch \
+ file://CVE-2023-0494.patch \
+ file://CVE-2023-1393.patch \
"
SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
similarity index 99%
rename from poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb
rename to poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
index fb1ea61..9ac70b2 100644
--- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb
+++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
@@ -108,7 +108,7 @@
file://LICENCE.OLPC;md5=5b917f9d8c061991be4f6f5f108719cd \
file://LICENCE.open-ath9k-htc-firmware;md5=1b33c9f4d17bc4d457bdb23727046837 \
file://LICENCE.phanfw;md5=954dcec0e051f9409812b561ea743bfa \
- file://LICENCE.qat_firmware;md5=9e7d8bea77612d7cc7d9e9b54b623062 \
+ file://LICENCE.qat_firmware;md5=72de83dfd9b87be7685ed099a39fbea4 \
file://LICENSE.qcom;md5=164e3362a538eb11d3ac51e8e134294b \
file://LICENSE.qcom_yamato;md5=d0de0eeccaf1843a850bf7a6777eec5c \
file://LICENCE.qla1280;md5=d6895732e622d950609093223a2c4f5d \
@@ -134,7 +134,7 @@
"
# WHENCE checksum is defined separately to ease overriding it if
# class-devupstream is selected.
-WHENCE_CHKSUM = "aadb3cccbde1e53fc244a409e9bd5a22"
+WHENCE_CHKSUM = "0782deea054d4b1b7f10c92c3a245da4"
# These are not common licenses, set NO_GENERIC_LICENSE for them
# so that the license files will be copied from fetched source
@@ -212,7 +212,7 @@
# Pin this to the 20220509 release, override this in local.conf
SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
-SRC_URI[sha256sum] = "6e3d9e8d52cffc4ec0dbe8533a8445328e0524a20f159a5b61c2706f983ce38a"
+SRC_URI[sha256sum] = "c3f9ad2bb5311cce2490f37a8052f836703d6936aabd840246b6576f1f71f607"
inherit allarch
diff --git a/poky/meta/recipes-kernel/linux/cve-exclusion.inc b/poky/meta/recipes-kernel/linux/cve-exclusion.inc
new file mode 100644
index 0000000..a18e603
--- /dev/null
+++ b/poky/meta/recipes-kernel/linux/cve-exclusion.inc
@@ -0,0 +1,1840 @@
+# Kernel CVE exclusion file
+
+# https://nvd.nist.gov/vuln/detail/CVE-2014-8171
+# Patched in kernel since v3.12 4942642080ea82d99ab5b653abb9a12b7ba31f4a
+CVE_CHECK_WHITELIST += "CVE-2014-8171"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2017-1000255
+# Patched in kernel since v4.14 265e60a170d0a0ecfc2d20490134ed2c48dd45ab
+CVE_CHECK_WHITELIST += "CVE-2017-1000255"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2018-5873
+# Patched in kernel since v4.11 073c516ff73557a8f7315066856c04b50383ac34
+CVE_CHECK_WHITELIST += "CVE-2018-5873"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2018-10840
+# Patched in kernel since v4.18 8a2b307c21d4b290e3cbe33f768f194286d07c23
+CVE_CHECK_WHITELIST += "CVE-2018-10840"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2018-10876
+# Patched in kernel since v4.18 8844618d8aa7a9973e7b527d038a2a589665002c
+CVE_CHECK_WHITELIST += "CVE-2018-10876"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2018-10882
+# Patched in kernel since v4.18 c37e9e013469521d9adb932d17a1795c139b36db
+CVE_CHECK_WHITELIST += "CVE-2018-10882"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2018-10902
+# Patched in kernel since v4.18 39675f7a7c7e7702f7d5341f1e0d01db746543a0
+CVE_CHECK_WHITELIST += "CVE-2018-10902"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2018-14625
+# Patched in kernel since v4.20 834e772c8db0c6a275d75315d90aba4ebbb1e249
+CVE_CHECK_WHITELIST += "CVE-2018-14625"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2018-16880
+# Patched in kernel since v5.0 b46a0bf78ad7b150ef5910da83859f7f5a514ffd
+CVE_CHECK_WHITELIST += "CVE-2018-16880"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2018-16884
+# Patched in kernel since v5.0 d4b09acf924b84bae77cad090a9d108e70b43643
+CVE_CHECK_WHITELIST += "CVE-2018-16884"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2019-3819
+# Patched in kernel since v5.0 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
+CVE_CHECK_WHITELIST += "CVE-2019-3819"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2019-20810
+# Patched in kernel since v5.6 9453264ef58638ce8976121ac44c07a3ef375983
+# Backported in version v5.4.48 6e688a315acf9c2b9b6e8c3e3b7a0c2720f72cba
+CVE_CHECK_WHITELIST += "CVE-2019-20810"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-1749
+# Patched in kernel since v5.5 6c8991f41546c3c472503dff1ea9daaddf9331c2
+# Backported in version v5.4.5 48d58ae9e87aaa11814364ddb52b3461f9abac57
+CVE_CHECK_WHITELIST += "CVE-2020-1749"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-8428
+# Patched in kernel since v5.5 d0cb50185ae942b03c4327be322055d622dc79f6
+# Backported in version v5.4.16 454759886d0b463213fad0f1c733469e2c501ab9
+CVE_CHECK_WHITELIST += "CVE-2020-8428"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-8647
+# Patched in kernel since v5.6 513dc792d6060d5ef572e43852683097a8420f56
+# Backported in version v5.4.25 5d230547476eea90b57ed9fda4bfe5307779abbb
+CVE_CHECK_WHITELIST += "CVE-2020-8647"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-8649
+# Patched in kernel since v5.6 513dc792d6060d5ef572e43852683097a8420f56
+# Backported in version v5.4.25 5d230547476eea90b57ed9fda4bfe5307779abbb
+CVE_CHECK_WHITELIST += "CVE-2020-8649"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-8992
+# Patched in kernel since v5.6 af133ade9a40794a37104ecbcc2827c0ea373a3c
+# Backported in version v5.4.21 94f0fe04da78adc214b51523499031664f9db408
+CVE_CHECK_WHITELIST += "CVE-2020-8992"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-9383
+# Patched in kernel since v5.6 2e90ca68b0d2f5548804f22f0dd61145516171e3
+# Backported in version v5.4.23 1eb78bc92c847f9e1c01a01b2773fc2fe7b134cf
+CVE_CHECK_WHITELIST += "CVE-2020-9383"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10690
+# Patched in kernel since v5.5 a33121e5487b424339636b25c35d3a180eaa5f5e
+# Backported in version v5.4.8 bfa2e0cd3dfda64fde43c3dca3aeba298d2fe7ad
+CVE_CHECK_WHITELIST += "CVE-2020-10690"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10711
+# Patched in kernel since v5.7 eead1c2ea2509fd754c6da893a94f0e69e83ebe4
+# Backported in version v5.4.42 debcbc56fdfc2847804d3d00d43f68f3074c5987
+CVE_CHECK_WHITELIST += "CVE-2020-10711"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10732
+# Patched in kernel since v5.7 1d605416fb7175e1adf094251466caa52093b413
+# Backported in version v5.4.44 a02c130efbbce91af1e9dd99a5a381dd43494e15
+CVE_CHECK_WHITELIST += "CVE-2020-10732"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10742
+# Patched in kernel since v3.16 91f79c43d1b54d7154b118860d81b39bad07dfff
+CVE_CHECK_WHITELIST += "CVE-2020-10742"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10757
+# Patched in kernel since v5.8 5bfea2d9b17f1034a68147a8b03b9789af5700f9
+# Backported in version v5.4.45 df4988aa1c9618d9c612639e96002cd4e772def2
+CVE_CHECK_WHITELIST += "CVE-2020-10757"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10766
+# Patched in kernel since v5.8 dbbe2ad02e9df26e372f38cc3e70dab9222c832e
+# Backported in version v5.4.47 9d1dcba6dd48cf7c5801d8aee12852ca41110896
+CVE_CHECK_WHITELIST += "CVE-2020-10766"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10767
+# Patched in kernel since v5.8 21998a351512eba4ed5969006f0c55882d995ada
+# Backported in version v5.4.47 6d60d5462a91eb46fb88b016508edfa8ee0bc7c8
+CVE_CHECK_WHITELIST += "CVE-2020-10767"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10768
+# Patched in kernel since v5.8 4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf
+# Backported in version v5.4.47 e1545848ad5510e82eb75717c1f5757b984014cb
+CVE_CHECK_WHITELIST += "CVE-2020-10768"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10781
+# Patched in kernel since v5.8 853eab68afc80f59f36bbdeb715e5c88c501e680
+# Backported in version v5.4.53 72648019cd52488716891c2cbb096ad1023ab83e
+CVE_CHECK_WHITELIST += "CVE-2020-10781"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-10942
+# Patched in kernel since v5.6 42d84c8490f9f0931786f1623191fcab397c3d64
+# Backported in version v5.4.24 f09fbb1175cffdbbb36b28e2ff7db96dcc90de08
+CVE_CHECK_WHITELIST += "CVE-2020-10942"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-11494
+# Patched in kernel since v5.7 b9258a2cece4ec1f020715fe3554bc2e360f6264
+# Backported in version v5.4.32 fdb6a094ba41e985d9fb14ae2bfc180e3e983720
+CVE_CHECK_WHITELIST += "CVE-2020-11494"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-11565
+# Patched in kernel since v5.7 aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd
+# Backported in version v5.4.31 c3f87e03f90ff2901525cc99c0e3bfb6fcbfd184
+CVE_CHECK_WHITELIST += "CVE-2020-11565"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-11608
+# Patched in kernel since v5.7 998912346c0da53a6dbb71fab3a138586b596b30
+# Backported in version v5.4.29 e4af1cf37b901839320e40515d9a60a1c8b51f3a
+CVE_CHECK_WHITELIST += "CVE-2020-11608"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-11609
+# Patched in kernel since v5.7 485b06aadb933190f4bc44e006076bc27a23f205
+# Backported in version v5.4.29 4490085a9e2d2cde69e865e3691223ea9e94513b
+CVE_CHECK_WHITELIST += "CVE-2020-11609"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-11668
+# Patched in kernel since v5.7 a246b4d547708f33ff4d4b9a7a5dbac741dc89d8
+# Backported in version v5.4.29 e7cd85f398cd1ffe3ce707ce7e2ec0e4a5010475
+CVE_CHECK_WHITELIST += "CVE-2020-11668"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-11884
+# Patched in kernel since v5.7 316ec154810960052d4586b634156c54d0778f74
+# Backported in version v5.4.36 44d9eb0ebe8fd04f46b18d10a18b2c543b379a0c
+CVE_CHECK_WHITELIST += "CVE-2020-11884"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12464
+# Patched in kernel since v5.7 056ad39ee9253873522f6469c3364964a322912b
+# Backported in version v5.4.36 b48193a7c303272d357b27dd7d72cbf89f7b2d35
+CVE_CHECK_WHITELIST += "CVE-2020-12464"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12465
+# Patched in kernel since v5.6 b102f0c522cf668c8382c56a4f771b37d011cda2
+# Backported in version v5.4.26 02013734629bf57070525a3515509780092a63ab
+CVE_CHECK_WHITELIST += "CVE-2020-12465"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12653
+# Patched in kernel since v5.6 b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d
+# Backported in version v5.4.20 3c822e1f31186767d6b7261c3c066f01907ecfca
+CVE_CHECK_WHITELIST += "CVE-2020-12653"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12654
+# Patched in kernel since v5.6 3a9b153c5591548612c3955c9600a98150c81875
+# Backported in version v5.4.20 c5b071e3f44d1125694ad4dcf1234fb9a78d0be6
+CVE_CHECK_WHITELIST += "CVE-2020-12654"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12655
+# Patched in kernel since v5.7 d0c7feaf87678371c2c09b3709400be416b2dc62
+# Backported in version v5.4.50 ffd40b7962d463daa531a8110e5b708bcb5c6da7
+CVE_CHECK_WHITELIST += "CVE-2020-12655"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12657
+# Patched in kernel since v5.7 2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9
+# Backported in version v5.4.33 b37de1b1e882fa3741d252333e5745eea444483b
+CVE_CHECK_WHITELIST += "CVE-2020-12657"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12659
+# Patched in kernel since v5.7 99e3a236dd43d06c65af0a2ef9cb44306aef6e02
+# Backported in version v5.4.35 25c9cdef57488578da21d99eb614b97ffcf6e59f
+CVE_CHECK_WHITELIST += "CVE-2020-12659"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12768
+# Patched in kernel since v5.6 d80b64ff297e40c2b6f7d7abc1b3eba70d22a068
+# Backported in version v5.4.43 ac46cea606d59be18a6afd4560c48bcca836c44c
+CVE_CHECK_WHITELIST += "CVE-2020-12768"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12770
+# Patched in kernel since v5.7 83c6f2390040f188cc25b270b4befeb5628c1aee
+# Backported in version v5.4.42 2d6d0ce4de03832c8deedeb16c7af52868d7e99e
+CVE_CHECK_WHITELIST += "CVE-2020-12770"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12771
+# Patched in kernel since v5.8 be23e837333a914df3f24bf0b32e87b0331ab8d1
+# Backported in version v5.4.49 f651e94899ed08b1766bda30f410d33fdd3970ff
+CVE_CHECK_WHITELIST += "CVE-2020-12771"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12826
+# Patched in kernel since v5.7 d1e7fd6462ca9fc76650fbe6ca800e35b24267da
+# Backported in version v5.4.33 5f2d04139aa5ed04eab54b84e8a25bab87a2449c
+CVE_CHECK_WHITELIST += "CVE-2020-12826"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-12888
+# Patched in kernel since v5.8 abafbc551fddede3e0a08dee1dcde08fc0eb8476
+# Backported in version v5.4.64 8f747b0149c5a0c72626a87eb0dd2a5ec91f1a7d
+CVE_CHECK_WHITELIST += "CVE-2020-12888"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-13143
+# Patched in kernel since v5.7 15753588bcd4bbffae1cca33c8ced5722477fe1f
+# Backported in version v5.4.42 6bb054f006c3df224cc382f1ebd81b7276dcfb1c
+CVE_CHECK_WHITELIST += "CVE-2020-13143"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-14314
+# Patched in kernel since v5.9 5872331b3d91820e14716632ebb56b1399b34fe1
+# Backported in version v5.4.61 ea54176e5821936d109bb45dc2c19bd53559e735
+CVE_CHECK_WHITELIST += "CVE-2020-14314"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-14331
+# Patched in kernel since v5.9 ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d
+# Backported in version v5.4.58 8c3215a0426c404f4b7b02a1e0fdb0f7f4f1e6d3
+CVE_CHECK_WHITELIST += "CVE-2020-14331"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-14351
+# Patched in kernel since v5.10 f91072ed1b7283b13ca57fcfbece5a3b92726143
+# Backported in version v5.4.78 c5cf5c7b585c7f48195892e44b76237010c0747a
+CVE_CHECK_WHITELIST += "CVE-2020-14351"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-14381
+# Patched in kernel since v5.6 8019ad13ef7f64be44d4f892af9c840179009254
+# Backported in version v5.4.28 553d46b07dc4813e1d8e6a3b3d6eb8603b4dda74
+CVE_CHECK_WHITELIST += "CVE-2020-14381"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-14385
+# Patched in kernel since v5.9 f4020438fab05364018c91f7e02ebdd192085933
+# Backported in version v5.4.64 da7a1676d6c19971758976a84e87f5b1009409e7
+CVE_CHECK_WHITELIST += "CVE-2020-14385"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-14390
+# Patched in kernel since v5.9 50145474f6ef4a9c19205b173da6264a644c7489
+# Backported in version v5.4.66 cf5a7ded53652c3d63d7243944c6a8ec1f0ef392
+CVE_CHECK_WHITELIST += "CVE-2020-14390"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-15393
+# Patched in kernel since v5.8 28ebeb8db77035e058a510ce9bd17c2b9a009dba
+# Backported in version v5.4.51 3dca0a299ff43204a69c9a7a00ce2b3e7ab3088c
+CVE_CHECK_WHITELIST += "CVE-2020-15393"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-15436
+# Patched in kernel since v5.8 2d3a8e2deddea6c89961c422ec0c5b851e648c14
+# Backported in version v5.4.49 b3dc33946a742256ad9d2ccac848c9e3c2aaafef
+CVE_CHECK_WHITELIST += "CVE-2020-15436"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-15437
+# Patched in kernel since v5.8 f4c23a140d80ef5e6d3d1f8f57007649014b60fa
+# Backported in version v5.4.54 af811869db0698b587aa5418eab05c9f7e0bea3c
+CVE_CHECK_WHITELIST += "CVE-2020-15437"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-15780
+# Patched in kernel since v5.8 75b0cea7bf307f362057cc778efe89af4c615354
+# Backported in version v5.4.50 824d0b6225f3fa2992704478a8df520537cfcb56
+CVE_CHECK_WHITELIST += "CVE-2020-15780"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-16119
+# Patched in kernel since v5.15 d9ea761fdd197351890418acd462c51f241014a7
+# Backported in version v5.4.148 5ab04a4ffed02f66e8e6310ba8261a43d1572343
+# Backported in version v5.10.68 6c3cb65d561e76fd0398026c023e587fec70e188
+CVE_CHECK_WHITELIST += "CVE-2020-16119"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-16166
+# Patched in kernel since v5.8 f227e3ec3b5cad859ad15666874405e8c1bbc1d4
+# Backported in version v5.4.57 c15a77bdda2c4f8acaa3e436128630a81f904ae7
+CVE_CHECK_WHITELIST += "CVE-2020-16166"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-24394
+# Patched in kernel since v5.8 22cf8419f1319ff87ec759d0ebdff4cbafaee832
+# Backported in version v5.4.51 fe05e114d0fde7f644ac9ab5edfce3fa65650875
+CVE_CHECK_WHITELIST += "CVE-2020-24394"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25211
+# Patched in kernel since v5.9 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6
+# Backported in version v5.4.70 253052b636e98083b1ecc3e9b0cf6f151e1cb8c6
+CVE_CHECK_WHITELIST += "CVE-2020-25211"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25212
+# Patched in kernel since v5.9 b4487b93545214a9db8cbf32e86411677b0cca21
+# Backported in version v5.4.60 75cf7f895f563e14c82c1aeea0362dc155b5baf3
+CVE_CHECK_WHITELIST += "CVE-2020-25212"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25284
+# Patched in kernel since v5.9 f44d04e696feaf13d192d942c4f14ad2e117065a
+# Backported in version v5.4.66 ea3d3bf85669195247ad6a522f4e4209695edca2
+CVE_CHECK_WHITELIST += "CVE-2020-25284"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25285
+# Patched in kernel since v5.9 17743798d81238ab13050e8e2833699b54e15467
+# Backported in version v5.4.64 af7786b20c717ff13d9148161dad4b8e286bfd39
+CVE_CHECK_WHITELIST += "CVE-2020-25285"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25639
+# Patched in kernel since v5.12 eaba3b28401f50e22d64351caa8afe8d29509f27
+# Backported in version v5.4.102 0faef25462f886a77e0b397cca31d51163215332
+# Backported in version v5.10.20 e3fcff9f45aa82dacad26e5828598340d2742f47
+CVE_CHECK_WHITELIST += "CVE-2020-25639"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25641
+# Patched in kernel since v5.9 7e24969022cbd61ddc586f14824fc205661bb124
+# Backported in version v5.4.64 84c041c12442d233c9b3c593cbe9eb8a77875578
+CVE_CHECK_WHITELIST += "CVE-2020-25641"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25643
+# Patched in kernel since v5.9 66d42ed8b25b64eb63111a2b8582c5afc8bf1105
+# Backported in version v5.4.68 c3de9daa662617132744731f1b4eb7b5cd1270a8
+CVE_CHECK_WHITELIST += "CVE-2020-25643"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25645
+# Patched in kernel since v5.9 34beb21594519ce64a55a498c2fe7d567bc1ca20
+# Backported in version v5.4.68 745c24fd1d79b588a951d3c5beca43575907f881
+CVE_CHECK_WHITELIST += "CVE-2020-25645"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25656
+# Patched in kernel since v5.10 82e61c3909db51d91b9d3e2071557b6435018b80
+# Backported in version v5.4.75 87d398f348b8a2d5246d3670a93fb63d4fd9f62a
+CVE_CHECK_WHITELIST += "CVE-2020-25656"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25672
+# Patched in kernel since v5.12 7574fcdbdcb335763b6b322f6928dc0fd5730451
+# Backported in version v5.4.112 404daa4d62a364623b48349eb73a18579edf51ac
+# Backported in version v5.10.30 568ac94df580b1a65837dc299e8758635e7b1423
+CVE_CHECK_WHITELIST += "CVE-2020-25672"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25704
+# Patched in kernel since v5.10 7bdb157cdebbf95a1cd94ed2e01b338714075d00
+# Backported in version v5.4.76 b7f7474b392194530d1ec07203c8668e81b7fdb9
+CVE_CHECK_WHITELIST += "CVE-2020-25704"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-25705
+# Patched in kernel since v5.10 b38e7819cae946e2edf869e604af1e65a5d241c5
+# Backported in version v5.4.73 8df0ffe2f32c09b4627cbce5cd5faf8e98a6a71e
+CVE_CHECK_WHITELIST += "CVE-2020-25705"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-26088
+# Patched in kernel since v5.9 26896f01467a28651f7a536143fe5ac8449d4041
+# Backported in version v5.4.59 0b305f259ca9b85c48f9cb3159d034b7328ed225
+CVE_CHECK_WHITELIST += "CVE-2020-26088"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-26541
+# Patched in kernel since v5.13 56c5812623f95313f6a46fbf0beee7fa17c68bbf
+# Backported in version v5.4.129 e20b90e4f81bb04e2b180824caae585928e24ba9
+# Backported in version v5.10.47 45109066f686597116467a53eaf4330450702a96
+CVE_CHECK_WHITELIST += "CVE-2020-26541"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-27170
+# Patched in kernel since v5.12 f232326f6966cf2a1d1db7bc917a4ce5f9f55f76
+# Backported in version v5.4.107 ea8fb45eaac141b13f656a7056e4823845aa3b69
+# Backported in version v5.10.25 c4d37eea1c641a9319baf34253cc373abb39d3e1
+CVE_CHECK_WHITELIST += "CVE-2020-27170"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-27171
+# Patched in kernel since v5.12 10d2bb2e6b1d8c4576c56a748f697dbeb8388899
+# Backported in version v5.4.107 2da0540739e43154b500a817d9c95d36c2f6a323
+# Backported in version v5.10.25 ac1b87a18c1ffbe3d093000b762121b5aae0a3f9
+CVE_CHECK_WHITELIST += "CVE-2020-27171"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-27675
+# Patched in kernel since v5.10 073d0552ead5bfc7a3a9c01de590e924f11b5dd2
+# Backported in version v5.4.75 a01379671d67d34f254cc81f42cf854aa628f3a3
+CVE_CHECK_WHITELIST += "CVE-2020-27675"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-27777
+# Patched in kernel since v5.10 bd59380c5ba4147dcbaad3e582b55ccfd120b764
+# Backported in version v5.4.75 240baebeda09e1e010fff58acc9183992f41f638
+CVE_CHECK_WHITELIST += "CVE-2020-27777"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-27784
+# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1
+# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
+CVE_CHECK_WHITELIST += "CVE-2020-27784"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-27830
+# Patched in kernel since v5.10 f0992098cadb4c9c6a00703b66cafe604e178fea
+# Backported in version v5.4.83 b0d4fa10bfcc3051e9426b6286fb2d80bad04d74
+CVE_CHECK_WHITELIST += "CVE-2020-27830"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-28097
+# Patched in kernel since v5.9 973c096f6a85e5b5f2a295126ba6928d9a6afd45
+# Backported in version v5.4.66 087b6cb17df5834d395ab72da3f937380470ba15
+CVE_CHECK_WHITELIST += "CVE-2020-28097"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-28374
+# Patched in kernel since v5.11 2896c93811e39d63a4d9b63ccf12a8fbc226e5e4
+# Backported in version v5.4.89 485e21729b1e1235e6075318225c09e76b376e81
+# Backported in version v5.10.7 6f1e88527c1869de08632efa2cc796e0131850dc
+CVE_CHECK_WHITELIST += "CVE-2020-28374"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-28915
+# Patched in kernel since v5.9 5af08640795b2b9a940c9266c0260455377ae262
+# Backported in version v5.4.71 1b2fcd82c0ca23f6fa01298c0d7b59eb4efbaf48
+CVE_CHECK_WHITELIST += "CVE-2020-28915"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-28941
+# Patched in kernel since v5.10 d4122754442799187d5d537a9c039a49a67e57f1
+# Backported in version v5.4.80 3b78db264675e47ad3cf9c1e809e85d02fe1de90
+CVE_CHECK_WHITELIST += "CVE-2020-28941"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-28974
+# Patched in kernel since v5.10 3c4e0dff2095c579b142d5a0693257f1c58b4804
+# Backported in version v5.4.76 642181fe3567419d84d2457b58f262c37467f525
+CVE_CHECK_WHITELIST += "CVE-2020-28974"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-29368
+# Patched in kernel since v5.8 c444eb564fb16645c172d550359cb3d75fe8a040
+# Backported in version v5.4.48 a88d8aaf9b8b5e0af163a235a3baa9fdcb7d430a
+CVE_CHECK_WHITELIST += "CVE-2020-29368"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-29369
+# Patched in kernel since v5.8 246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c
+# Backported in version v5.4.54 549bfc14270681cd776c6d9b78fe544cbd21673a
+CVE_CHECK_WHITELIST += "CVE-2020-29369"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-29370
+# Patched in kernel since v5.6 fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8
+# Backported in version v5.4.27 ae119b7e12472517bc35c1c003d5abf26653674a
+CVE_CHECK_WHITELIST += "CVE-2020-29370"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-29371
+# Patched in kernel since v5.9 bcf85fcedfdd17911982a3e3564fcfec7b01eebd
+# Backported in version v5.4.61 19a77c937a1914bdd655366e79a2a1b7d675f554
+CVE_CHECK_WHITELIST += "CVE-2020-29371"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-29373
+# Patched in kernel since v5.6 ff002b30181d30cdfbca316dadd099c3ca0d739c
+# Backported in version v5.4.24 cac68d12c531aa3010509a5a55a5dfd18dedaa80
+CVE_CHECK_WHITELIST += "CVE-2020-29373"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-29374
+# Patched in kernel since v5.8 17839856fd588f4ab6b789f482ed3ffd7c403e1f
+# Backported in version v5.4.47 1027dc04f557328eb7b7b7eea48698377a959157
+CVE_CHECK_WHITELIST += "CVE-2020-29374"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-29660
+# Patched in kernel since v5.10 c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9
+# Backported in version v5.4.83 35ee9ac513280f46eeb1196bac82ed5320380412
+CVE_CHECK_WHITELIST += "CVE-2020-29660"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-35508
+# Patched in kernel since v5.10 b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948
+# Backported in version v5.4.76 beeb658cfd3544ceca894375c36b6572e4ae7a5f
+CVE_CHECK_WHITELIST += "CVE-2020-35508"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-36158
+# Patched in kernel since v5.11 5c455c5ab332773464d02ba17015acdca198f03d
+# Backported in version v5.4.88 0a49aaf4df2936bca119ee38fe5a570a7024efdc
+# Backported in version v5.10.6 94cc73b27a2599e4c88b7b2d6fd190107c58e480
+CVE_CHECK_WHITELIST += "CVE-2020-36158"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-36311
+# Patched in kernel since v5.9 7be74942f184fdfba34ddd19a0d995deb34d4a03
+# Backported in version v5.4.131 abbd42939db646f7210e1473e9cb17c6bc6f184c
+CVE_CHECK_WHITELIST += "CVE-2020-36311"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-36312
+# Patched in kernel since v5.9 f65886606c2d3b562716de030706dfe1bea4ed5e
+# Backported in version v5.4.66 41b2ea7a6a11e2b1a7f2c29e1675a709a6b2b98d
+CVE_CHECK_WHITELIST += "CVE-2020-36312"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-36322
+# Patched in kernel since v5.11 5d069dbe8aaf2a197142558b6fb2978189ba3454
+# Backported in version v5.4.88 732251cabeb3bfd917d453a42274d769d6883fc4
+# Backported in version v5.10.6 36cf9ae54b0ead0daab7701a994de3dcd9ef605d
+CVE_CHECK_WHITELIST += "CVE-2020-36322"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-36386
+# Patched in kernel since v5.9 51c19bf3d5cfaa66571e4b88ba2a6f6295311101
+# Backported in version v5.4.58 c26eaaf547b785ae98fa08607b599c7df0da51bc
+CVE_CHECK_WHITELIST += "CVE-2020-36386"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-36516
+# Patched in kernel since v5.17 23f57406b82de51809d5812afd96f210f8b627f3
+# Backported in version v5.4.176 1f748455a8f0e984dc91fc09e6dfe99f0e58cfbe
+# Backported in version v5.10.96 b26fed25e67bc09f28f998569ed14022e07b174b
+# Backported in version v5.15.19 dee686cbfdd13ca022f20be344a14f595a93f303
+CVE_CHECK_WHITELIST += "CVE-2020-36516"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-36557
+# Patched in kernel since v5.7 ca4463bf8438b403596edd0ec961ca0d4fbe0220
+# Backported in version v5.4.30 acf0e94019310a9e1c4b6807c208f49a25f74573
+CVE_CHECK_WHITELIST += "CVE-2020-36557"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-36558
+# Patched in kernel since v5.6 6cd1ed50efd88261298577cd92a14f2768eddeeb
+# Backported in version v5.4.23 897d5aaf3397e64a56274f2176d9e1b13adcb92e
+CVE_CHECK_WHITELIST += "CVE-2020-36558"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3178
+# Patched in kernel since v5.11 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6
+# Backported in version v5.4.92 4aef760c28e8bd1860a27fd78067b4ea77124987
+# Backported in version v5.10.10 fdcaa4af5e70e2d984c9620a09e9dade067f2620
+CVE_CHECK_WHITELIST += "CVE-2021-3178"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3348
+# Patched in kernel since v5.11 b98e762e3d71e893b221f871825dc64694cfb258
+# Backported in version v5.4.95 587c6b75d7fdd366ad7dc615471006ce73c03a51
+# Backported in version v5.10.13 41f6f4a3143506ea1499cda2f14a16a2f82118a8
+CVE_CHECK_WHITELIST += "CVE-2021-3348"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3483
+# Patched in kernel since v5.12 829933ef05a951c8ff140e814656d73e74915faf
+# Backported in version v5.4.110 5ecfad1efbc31ab913f16ed60f0efff301aebfca
+# Backported in version v5.10.28 c04adcc819d3bdd85a5dc2523687707b89724df7
+CVE_CHECK_WHITELIST += "CVE-2021-3483"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3506
+# Patched in kernel since v5.13 b862676e371715456c9dade7990c8004996d0d9e
+# Backported in version v5.4.118 27a130638406815eba083c632ee083f0c5e688c2
+# Backported in version v5.10.36 9aa4602237d535b83c579eb752e8fc1c3e7e7055
+CVE_CHECK_WHITELIST += "CVE-2021-3506"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3564
+# Patched in kernel since v5.13 6a137caec23aeb9e036cdfd8a46dd8a366460e5d
+# Backported in version v5.4.125 8d3d0ac73a4a1d31e3d4f7c068312aba78470166
+# Backported in version v5.10.43 3795007c8dfc8bca176529bfeceb17c6f4ef7e44
+CVE_CHECK_WHITELIST += "CVE-2021-3564"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3573
+# Patched in kernel since v5.13 e305509e678b3a4af2b3cfd410f409f7cdaabb52
+# Backported in version v5.4.125 b6f97555c71f78288682bc967121572f10715c89
+# Backported in version v5.10.43 74caf718cc7422a957aac381c73d798c0a999a65
+CVE_CHECK_WHITELIST += "CVE-2021-3573"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3609
+# Patched in kernel since v5.14 d5f9023fa61ee8b94f37a93f08e94b136cf1e463
+# Backported in version v5.4.132 70a9116b9e5ccd5332d3a60b359fb5902d268fd0
+# Backported in version v5.10.50 b52e0cf0bfc1ede495de36aec86f6013efa18f60
+CVE_CHECK_WHITELIST += "CVE-2021-3609"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3612
+# Patched in kernel since v5.14 f8f84af5da9ee04ef1d271528656dac42a090d00
+# Backported in version v5.4.132 0f382fa359ca1cb717ce27407538eb579b29a99f
+# Backported in version v5.10.50 b4c35e9e8061b2386da1aa0d708e991204e76c45
+CVE_CHECK_WHITELIST += "CVE-2021-3612"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3635
+# Patched in kernel since v5.5 335178d5429c4cee61b58f4ac80688f556630818
+# Backported in version v5.4.14 8f4dc50b5c12e159ac846fdc00702c547fdf2e95
+CVE_CHECK_WHITELIST += "CVE-2021-3635"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3640
+# Patched in kernel since v5.16 99c23da0eed4fd20cae8243f2b51e10e66aa0951
+# Backported in version v5.4.160 d416020f1a9cc5f903ae66649b2c56d9ad5256ab
+# Backported in version v5.10.80 4dfba42604f08a505f1a1efc69ec5207ea6243de
+# Backported in version v5.15.3 b990c219c4c9d4993ef65ea9db73d9497e70f697
+CVE_CHECK_WHITELIST += "CVE-2021-3640"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3653
+# Patched in kernel since v5.14 0f923e07124df069ba68d8bb12324398f4b6b709
+# Backported in version v5.4.142 7c1c96ffb658fbfe66c5ebed6bcb5909837bc267
+# Backported in version v5.10.60 c0883f693187c646c0972d73e525523f9486c2e3
+CVE_CHECK_WHITELIST += "CVE-2021-3653"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3679
+# Patched in kernel since v5.14 67f0d6d9883c13174669f88adac4f0ee656cc16a
+# Backported in version v5.4.136 f899f24d34d964593b16122a774c192a78e2ca56
+# Backported in version v5.10.54 757bdba8026be19b4f447487695cd0349a648d9e
+CVE_CHECK_WHITELIST += "CVE-2021-3679"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3732
+# Patched in kernel since v5.14 427215d85e8d1476da1a86b8d67aceb485eb3631
+# Backported in version v5.4.141 812f39ed5b0b7f34868736de3055c92c7c4cf459
+# Backported in version v5.10.59 6a002d48a66076524f67098132538bef17e8445e
+CVE_CHECK_WHITELIST += "CVE-2021-3732"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3739
+# Patched in kernel since v5.15 e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091
+# Backported in version v5.4.144 d7f7eca72ecc08f0bb6897fda2290293fca63068
+# Backported in version v5.10.62 c43add24dffdbac269d5610465ced70cfc1bad9e
+CVE_CHECK_WHITELIST += "CVE-2021-3739"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3744
+# Patched in kernel since v5.15 505d9dcb0f7ddf9d075e729523a33d38642ae680
+# Backported in version v5.4.151 24f3d2609114f1e1f6b487b511ce5fa36f21e0ae
+# Backported in version v5.10.71 17ccc64e4fa5d3673528474bfeda814d95dc600a
+CVE_CHECK_WHITELIST += "CVE-2021-3744"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3752
+# Patched in kernel since v5.16 1bff51ea59a9afb67d2dd78518ab0582a54a472c
+# Backported in version v5.4.160 67bd269a84ce29dfc543c1683a2553b4169f9a55
+# Backported in version v5.10.80 c10465f6d6208db2e45a6dac1db312b9589b2583
+# Backported in version v5.15.3 7e22e4db95b04f09adcce18c75d27cbca8f53b99
+CVE_CHECK_WHITELIST += "CVE-2021-3752"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3753
+# Patched in kernel since v5.15 2287a51ba822384834dafc1c798453375d1107c7
+# Backported in version v5.4.144 f4418015201bdca0cd4e28b363d88096206e4ad0
+# Backported in version v5.10.62 60d69cb4e60de0067e5d8aecacd86dfe92a5384a
+CVE_CHECK_WHITELIST += "CVE-2021-3753"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
+# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
+# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
+# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
+CVE_CHECK_WHITELIST += "CVE-2021-3759"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3764
+# Patched in kernel since v5.15 505d9dcb0f7ddf9d075e729523a33d38642ae680
+# Backported in version v5.4.151 24f3d2609114f1e1f6b487b511ce5fa36f21e0ae
+# Backported in version v5.10.71 17ccc64e4fa5d3673528474bfeda814d95dc600a
+CVE_CHECK_WHITELIST += "CVE-2021-3764"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3923
+# Patched in kernel since v5.16 b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd
+# Backported in version v5.4.171 5eb5d9c6591d7e58f32088ef848503a4a947fc46
+# Backported in version v5.10.91 beeb0fdedae802a7fb606e955a81a56a2e3bbac1
+# Backported in version v5.15.14 e1e354771812b12f0b4c433bbaf916f87cd0f6c7
+CVE_CHECK_WHITELIST += "CVE-2021-3923"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4002
+# Patched in kernel since v5.16 a4a118f2eead1d6c49e00765de89878288d4b890
+# Backported in version v5.4.162 201340ca4eb748c52062c5e938826ddfbe313088
+# Backported in version v5.10.82 40bc831ab5f630431010d1ff867390b07418a7ee
+# Backported in version v5.15.5 556d59293a2a94863797a7a50890992aa5e8db16
+CVE_CHECK_WHITELIST += "CVE-2021-4002"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4083
+# Patched in kernel since v5.16 054aa8d439b9185d4f5eb9a90282d1ce74772969
+# Backported in version v5.4.164 03d4462ba3bc8f830d9807e3c3fde54fad06e2e2
+# Backported in version v5.10.84 4baba6ba56eb91a735a027f783cc4b9276b48d5b
+# Backported in version v5.15.7 6fe4eadd54da3040cf6f6579ae157ae1395dc0f8
+CVE_CHECK_WHITELIST += "CVE-2021-4083"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4135
+# Patched in kernel since v5.16 481221775d53d6215a6e5e9ce1cce6d2b4ab9a46
+# Backported in version v5.4.168 699e794c12a3cd79045ff135bc87a53b97024e43
+# Backported in version v5.10.88 1a34fb9e2bf3029f7c0882069d67ff69cbd645d8
+# Backported in version v5.15.11 27358aa81a7d60e6bd36f0bb1db65cd084c2cad0
+CVE_CHECK_WHITELIST += "CVE-2021-4135"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4149
+# Patched in kernel since v5.15 19ea40dddf1833db868533958ca066f368862211
+# Backported in version v5.4.155 005a07c9acd6cf8a40555884f0650dfd4ec23fbe
+# Backported in version v5.10.75 206868a5b6c14adc4098dd3210a2f7510d97a670
+CVE_CHECK_WHITELIST += "CVE-2021-4149"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4155
+# Patched in kernel since v5.16 983d8e60f50806f90534cc5373d0ce867e5aaf79
+# Backported in version v5.4.171 102af6edfd3a372db6e229177762a91f552e5f5e
+# Backported in version v5.10.91 16d8568378f9ee2d1e69216d39961aa72710209f
+# Backported in version v5.15.14 b0e72ba9e520b95346e68800afff0db65e766ca8
+CVE_CHECK_WHITELIST += "CVE-2021-4155"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4159
+# Patched in kernel since v5.7 294f2fc6da27620a506e6c050241655459ccd6bd
+# Backported in version v5.4.210 7c1134c7da997523e2834dd516e2ddc51920699a
+CVE_CHECK_WHITELIST += "CVE-2021-4159"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4203
+# Patched in kernel since v5.15 35306eb23814444bd4021f8a1c3047d3cb0c8b2b
+# Backported in version v5.4.151 0fcfaa8ed9d1dcbe377b202a1b3cdfd4e566114c
+# Backported in version v5.10.71 3db53827a0e9130d9e2cbe3c3b5bca601caa4c74
+CVE_CHECK_WHITELIST += "CVE-2021-4203"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-20265
+# Patched in kernel since v4.5 fa0dc04df259ba2df3ce1920e9690c7842f8fa4b
+CVE_CHECK_WHITELIST += "CVE-2021-20265"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-20292
+# Patched in kernel since v5.9 5de5b6ecf97a021f29403aa272cb4e03318ef586
+# Backported in version v5.4.59 c6d2ddf1a30d524106265ad2c48b907cd7a083d4
+CVE_CHECK_WHITELIST += "CVE-2021-20292"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-20321
+# Patched in kernel since v5.15 a295aef603e109a47af355477326bd41151765b6
+# Backported in version v5.4.153 fab338f33c25c4816ca0b2d83a04a0097c2c4aaf
+# Backported in version v5.10.73 9763ffd4da217adfcbdcd519e9f434dfa3952fc3
+CVE_CHECK_WHITELIST += "CVE-2021-20321"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-23133
+# Patched in kernel since v5.13 34e5b01186858b36c4d7c87e1a025071e8e2401f
+# Backported in version v5.4.119 3fe9ee040fb7332e2b4cc04c85561eced0a7f227
+# Backported in version v5.10.37 42f1b8653f85924743ea5b57b051a4e1f05b5e43
+CVE_CHECK_WHITELIST += "CVE-2021-23133"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-23134
+# Patched in kernel since v5.13 c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6
+# Backported in version v5.4.119 e32352070bcac22be6ed8ab635debc280bb65b8c
+# Backported in version v5.10.37 6b7021ed36dabf29e56842e3408781cd3b82ef6e
+CVE_CHECK_WHITELIST += "CVE-2021-23134"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-27363
+# Patched in kernel since v5.12 688e8128b7a92df982709a4137ea4588d16f24aa
+# Backported in version v5.4.103 ca3afdd0377379f5031f376aec4b0c1b0285b556
+# Backported in version v5.10.21 c71edc5d2480774ec2fec62bb84064aed6d582bd
+CVE_CHECK_WHITELIST += "CVE-2021-27363"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-27364
+# Patched in kernel since v5.12 688e8128b7a92df982709a4137ea4588d16f24aa
+# Backported in version v5.4.103 ca3afdd0377379f5031f376aec4b0c1b0285b556
+# Backported in version v5.10.21 c71edc5d2480774ec2fec62bb84064aed6d582bd
+CVE_CHECK_WHITELIST += "CVE-2021-27364"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-28714
+# Patched in kernel since v5.16 6032046ec4b70176d247a71836186d47b25d1684
+# Backported in version v5.4.168 8bfcd0385211044627f93d170991da1ae5937245
+# Backported in version v5.10.88 525875c410df5d876b9615c44885ca7640aed6f2
+# Backported in version v5.15.11 88449dbe6203c3a91cf1c39ea3032ad61a297bd7
+CVE_CHECK_WHITELIST += "CVE-2021-28714"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-28715
+# Patched in kernel since v5.16 be81992f9086b230623ae3ebbc85ecee4d00a3d3
+# Backported in version v5.4.168 0d99b3c6bd39a0a023e972d8f912fd47698bbbb8
+# Backported in version v5.10.88 88f20cccbeec9a5e83621df5cc2453b5081454dc
+# Backported in version v5.15.11 bd926d189210cd1d5b4e618e45898053be6b4b3b
+CVE_CHECK_WHITELIST += "CVE-2021-28715"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-28950
+# Patched in kernel since v5.12 775c5033a0d164622d9d10dd0f0a5531639ed3ed
+# Backported in version v5.4.107 187ae04636531065cdb4d0f15deac1fe0e812104
+# Backported in version v5.10.25 d955f13ea2120269319d6133d0dd82b66d1eeca3
+CVE_CHECK_WHITELIST += "CVE-2021-28950"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-28964
+# Patched in kernel since v5.12 dbcc7d57bffc0c8cac9dac11bec548597d59a6a5
+# Backported in version v5.4.108 5b3b99525c4f18e543f6ef17ef97c29f5694e8b4
+# Backported in version v5.10.26 38ffe9eaeb7cce383525439f0948f9eb74632e1d
+CVE_CHECK_WHITELIST += "CVE-2021-28964"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-28971
+# Patched in kernel since v5.12 d88d05a9e0b6d9356e97129d4ff9942d765f46ea
+# Backported in version v5.4.108 da326ba3b84aae8ac0513aa4725a49843f2f871e
+# Backported in version v5.10.26 514ea597be8e4b6a787bc34da111c44944fbf5a5
+CVE_CHECK_WHITELIST += "CVE-2021-28971"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-28972
+# Patched in kernel since v5.12 cc7a0bb058b85ea03db87169c60c7cfdd5d34678
+# Backported in version v5.4.108 51a2b19b554c8c75ee2d253b87240309cd81f1fc
+# Backported in version v5.10.26 be1f58e58f7644ab33f1413685c84173766408d3
+CVE_CHECK_WHITELIST += "CVE-2021-28972"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-29265
+# Patched in kernel since v5.12 9380afd6df70e24eacbdbde33afc6a3950965d22
+# Backported in version v5.4.106 8698133003cfb67e0f04dd044c954198e421b152
+# Backported in version v5.10.24 ab5c3186686aa87c741381d10a948817f1deb9b2
+CVE_CHECK_WHITELIST += "CVE-2021-29265"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-29647
+# Patched in kernel since v5.12 50535249f624d0072cd885bcdce4e4b6fb770160
+# Backported in version v5.4.109 ae23957bd1fb3184a9935bd99c5ad2351a59d7c8
+# Backported in version v5.10.27 fce6fb90218935f7319265459484b3762c80d0a8
+CVE_CHECK_WHITELIST += "CVE-2021-29647"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-29650
+# Patched in kernel since v5.12 175e476b8cdf2a4de7432583b49c871345e4f8a1
+# Backported in version v5.4.109 19a5fb4ceada903e692de96b8aa8494179abbf0b
+# Backported in version v5.10.27 3fdebc2d8e7965f946a3d716ffdd482e66c1f46c
+CVE_CHECK_WHITELIST += "CVE-2021-29650"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-30002
+# Patched in kernel since v5.12 fb18802a338b36f675a388fc03d2aa504a0d0899
+# Backported in version v5.4.103 027ddd67f68583a178a9bd65220611e9f978f014
+# Backported in version v5.10.21 5400770e31e8b80efc25b4c1d619361255174d11
+CVE_CHECK_WHITELIST += "CVE-2021-30002"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-31916
+# Patched in kernel since v5.12 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a
+# Backported in version v5.4.109 e6587d142d0214eb466f9978e25f0575c19b1ea0
+# Backported in version v5.10.27 921aae17bb0f02181fa05cf5580ebc855fdbd74d
+CVE_CHECK_WHITELIST += "CVE-2021-31916"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-32399
+# Patched in kernel since v5.13 e2cb6b891ad2b8caa9131e3be70f45243df82a80
+# Backported in version v5.4.119 eeec325c9944b4427f482018d00b737220c31fd9
+# Backported in version v5.10.37 2d84ef4e6569a818f912d93d5345c21542807ac7
+CVE_CHECK_WHITELIST += "CVE-2021-32399"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-33656
+# Patched in kernel since v5.12 ff2047fb755d4415ec3c70ac799889371151796d
+# Backported in version v5.4.202 c87e851b23e5cb2ba90a3049ef38340ed7d5746f
+# Backported in version v5.10.127 3acb7dc242ca25eb258493b513ef2f4b0f2a9ad1
+CVE_CHECK_WHITELIST += "CVE-2021-33656"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-34693
+# Patched in kernel since v5.13 5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc
+# Backported in version v5.4.128 c297559a2a2a6b6f0de61ed333a978a118b0e660
+# Backported in version v5.10.46 acb755be1f7adb204dcedc4d3b204ef098628623
+CVE_CHECK_WHITELIST += "CVE-2021-34693"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-35039
+# Patched in kernel since v5.13 0c18f29aae7ce3dadd26d8ee3505d07cc982df75
+# Backported in version v5.4.129 e2dc07ca4e0148d75963e14d2b78afc12426a487
+# Backported in version v5.10.47 3051f230f19feb02dfe5b36794f8c883b576e184
+CVE_CHECK_WHITELIST += "CVE-2021-35039"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-37159
+# Patched in kernel since v5.14 a6ecfb39ba9d7316057cea823b196b734f6b18ca
+# Backported in version v5.4.151 fe57d53dd91d7823f1ceef5ea8e9458a4aeb47fa
+# Backported in version v5.10.54 115e4f5b64ae8d9dd933167cafe2070aaac45849
+CVE_CHECK_WHITELIST += "CVE-2021-37159"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-38160
+# Patched in kernel since v5.14 d00d8da5869a2608e97cfede094dfc5e11462a46
+# Backported in version v5.4.134 52bd1bce8624acb861fa96b7c8fc2e75422dc8f7
+# Backported in version v5.10.52 f6ec306b93dc600a0ab3bb2693568ef1cc5f7f7a
+CVE_CHECK_WHITELIST += "CVE-2021-38160"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-38198
+# Patched in kernel since v5.13 b1bd5cba3306691c771d558e94baa73e8b0b96b7
+# Backported in version v5.4.141 d28adaabbbf4a6949d0f6f71daca6744979174e2
+# Backported in version v5.10.44 6b6ff4d1f349cb35a7c7d2057819af1b14f80437
+CVE_CHECK_WHITELIST += "CVE-2021-38198"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-38199
+# Patched in kernel since v5.14 dd99e9f98fbf423ff6d365b37a98e8879170f17c
+# Backported in version v5.4.134 81e03fe5bf8f5f66b8a62429fb4832b11ec6b272
+# Backported in version v5.10.52 ff4023d0194263a0827c954f623c314978cf7ddd
+CVE_CHECK_WHITELIST += "CVE-2021-38199"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-38204
+# Patched in kernel since v5.14 b5fdf5c6e6bee35837e160c00ac89327bdad031b
+# Backported in version v5.4.136 863d071dbcd54dacf47192a1365faec46b7a68ca
+# Backported in version v5.10.54 7af54a4e221e5619a87714567e2258445dc35435
+CVE_CHECK_WHITELIST += "CVE-2021-38204"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-38205
+# Patched in kernel since v5.14 d0d62baa7f505bd4c59cd169692ff07ec49dde37
+# Backported in version v5.4.141 38b8485b72cbe4521fd2e0b8770e3d78f9b89e60
+# Backported in version v5.10.59 25cff25ec60690247db8138cd1af8b867df2c489
+CVE_CHECK_WHITELIST += "CVE-2021-38205"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-38207
+# Patched in kernel since v5.13 c364df2489b8ef2f5e3159b1dff1ff1fdb16040d
+# Backported in version v5.4.128 b6c0ab11c88fb016bfc85fa4f6f878f5f4263646
+# Backported in version v5.10.46 cfe403f209b11fad123a882100f0822a52a7630f
+CVE_CHECK_WHITELIST += "CVE-2021-38207"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-38208
+# Patched in kernel since v5.13 4ac06a1e013cf5fdd963317ffd3b968560f33bba
+# Backported in version v5.4.125 5d4c4b06ed9fb7a69d0b2e2a73fc73226d25ab70
+# Backported in version v5.10.43 48ee0db61c8299022ec88c79ad137f290196cac2
+CVE_CHECK_WHITELIST += "CVE-2021-38208"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-38209
+# Patched in kernel since v5.13 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6
+# Backported in version v5.4.120 baea536cf51f8180ab993e374cb134b5edad25e2
+# Backported in version v5.10.35 d3598eb3915cc0c0d8cab42f4a6258ff44c4033e
+CVE_CHECK_WHITELIST += "CVE-2021-38209"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-40490
+# Patched in kernel since v5.15 a54c4613dac1500b40e4ab55199f7c51f028e848
+# Backported in version v5.4.145 9b3849ba667af99ee99a7853a021a7786851b9fd
+# Backported in version v5.10.63 09a379549620f122de3aa4e65df9329976e4cdf5
+CVE_CHECK_WHITELIST += "CVE-2021-40490"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-41864
+# Patched in kernel since v5.15 30e29a9a2bc6a4888335a6ede968b75cd329657a
+# Backported in version v5.4.153 b14f28126c51533bb329379f65de5b0dd689b13a
+# Backported in version v5.10.73 064faa8e8a9b50f5010c5aa5740e06d477677a89
+CVE_CHECK_WHITELIST += "CVE-2021-41864"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42008
+# Patched in kernel since v5.14 19d1532a187669ce86d5a2696eb7275310070793
+# Backported in version v5.4.143 a73b9aa142691c2ae313980a8734997a78f74b22
+# Backported in version v5.10.61 85e0518f181a0ff060f5543d2655fb841a83d653
+CVE_CHECK_WHITELIST += "CVE-2021-42008"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42252
+# Patched in kernel since v5.15 b49a0e69a7b1a68c8d3f64097d06dabb770fec96
+# Backported in version v5.4.148 2712f29c44f18db826c7e093915a727b6f3a20e4
+# Backported in version v5.10.67 3fdf2feb6cbe76c6867224ed8527b356e805352c
+CVE_CHECK_WHITELIST += "CVE-2021-42252"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42739
+# Patched in kernel since v5.16 35d2969ea3c7d32aee78066b1f3cf61a0d935a4e
+# Backported in version v5.4.158 2461f38384d50dd966e1db44fe165b1896f5df5a
+# Backported in version v5.10.78 d7fc85f6104259541ec136199d3bf7c8a736613d
+# Backported in version v5.15.1 cb667140875a3b1db92e4c50b4617a7cbf84659b
+CVE_CHECK_WHITELIST += "CVE-2021-42739"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-43389
+# Patched in kernel since v5.15 1f3e2e97c003f80c4b087092b225c8787ff91e4d
+# Backported in version v5.4.156 285e9210b1fab96a11c0be3ed5cea9dd48b6ac54
+# Backported in version v5.10.76 7f221ccbee4ec662e2292d490a43ce6c314c4594
+CVE_CHECK_WHITELIST += "CVE-2021-43389"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-43975
+# Patched in kernel since v5.16 b922f622592af76b57cbc566eaeccda0b31a3496
+# Backported in version v5.4.164 89d15a2e40d7edaaa16da2763b349dd7b056cc09
+# Backported in version v5.10.84 2c514d25003ac89bb7716bb4402918ccb141f8f5
+# Backported in version v5.15.7 cec49b6dfdb0b9fefd0f17c32014223f73ee2605
+CVE_CHECK_WHITELIST += "CVE-2021-43975"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-43976
+# Patched in kernel since v5.17 04d80663f67ccef893061b49ec8a42ff7045ae84
+# Backported in version v5.4.174 ae56c5524a750fd8cf32565cb3902ce5baaeb4e6
+# Backported in version v5.10.94 6036500fdf77caaca9333003f78d25a3d61c4e40
+# Backported in version v5.15.17 b2762757f4e484f8a164546f93aca82568d87649
+CVE_CHECK_WHITELIST += "CVE-2021-43976"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-44733
+# Patched in kernel since v5.16 dfd0743f1d9ea76931510ed150334d571fbab49d
+# Backported in version v5.4.170 940e68e57ab69248fabba5889e615305789db8a7
+# Backported in version v5.10.89 c05d8f66ec3470e5212c4d08c46d6cb5738d600d
+# Backported in version v5.15.12 492eb7afe858d60408b2da09adc78540c4d16543
+CVE_CHECK_WHITELIST += "CVE-2021-44733"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-45095
+# Patched in kernel since v5.16 bcd0f93353326954817a4f9fa55ec57fb38acbb0
+# Backported in version v5.4.171 2a6a811a45fde5acb805ead4d1e942be3875b302
+# Backported in version v5.10.91 4f260ea5537db35d2eeec9bca78a74713078a544
+# Backported in version v5.15.14 9ca97a693aa8b86e8424f0047198ea3ab997d50f
+CVE_CHECK_WHITELIST += "CVE-2021-45095"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-45480
+# Patched in kernel since v5.16 5f9562ebe710c307adc5f666bf1a2162ee7977c0
+# Backported in version v5.4.168 166f0adf7e7525c87595ceadb21a91e2a9519a1e
+# Backported in version v5.10.88 74dc97dfb276542f12746d706abef63364d816bb
+# Backported in version v5.15.11 68014890e4382ff9192e1357be39b7d0455665fa
+CVE_CHECK_WHITELIST += "CVE-2021-45480"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-45485
+# Patched in kernel since v5.14 62f20e068ccc50d6ab66fdb72ba90da2b9418c99
+# Backported in version v5.4.133 ccde03a6a0fbdc3c0ba81930e629b8b14974cce4
+# Backported in version v5.10.51 8f939b79579715b195dc3ad36669707fce6853ee
+CVE_CHECK_WHITELIST += "CVE-2021-45485"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-45486
+# Patched in kernel since v5.13 aa6dd211e4b1dde9d5dc25d699d35f789ae7eeba
+# Backported in version v5.4.119 fee81285bd09ec2080ce2cbb5063aad0e58eb272
+# Backported in version v5.10.37 a273c27d7255fc527023edeb528386d1b64bedf5
+CVE_CHECK_WHITELIST += "CVE-2021-45486"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-45868
+# Patched in kernel since v5.16 9bf3d20331295b1ecb81f4ed9ef358c51699a050
+# Backported in version v5.4.160 10b808307d37d09b132fc086002bc1aa9910d315
+# Backported in version v5.10.80 ceeb0a8a8716a1c72af3fa4d4f98c3aced32b037
+# Backported in version v5.15.3 332db0909293f3f4d853ee2ea695272c75082d87
+CVE_CHECK_WHITELIST += "CVE-2021-45868"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0322
+# Patched in kernel since v5.15 a2d859e3fc97e79d907761550dbc03ff1b36479c
+# Backported in version v5.4.155 d88774539539dcbf825a25e61234f110513f5963
+# Backported in version v5.10.75 d84a69ac410f6228873d05d35120f6bdddab7fc3
+CVE_CHECK_WHITELIST += "CVE-2022-0322"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0330
+# Patched in kernel since v5.17 7938d61591d33394a21bdd7797a245b65428f44c
+# Backported in version v5.4.175 1b5553c79d52f17e735cd924ff2178a2409e6d0b
+# Backported in version v5.10.95 6a6acf927895c38bdd9f3cd76b8dbfc25ac03e88
+# Backported in version v5.15.18 8a17a077e7e9ecce25c95dbdb27843d2d6c2f0f7
+CVE_CHECK_WHITELIST += "CVE-2022-0330"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0487
+# Patched in kernel since v5.17 bd2db32e7c3e35bd4d9b8bbff689434a50893546
+# Backported in version v5.4.179 3a0a7ec5574b510b067cfc734b8bdb6564b31d4e
+# Backported in version v5.10.100 be93028d306dac9f5b59ebebd9ec7abcfc69c156
+# Backported in version v5.15.23 af0e6c49438b1596e4be8a267d218a0c88a42323
+CVE_CHECK_WHITELIST += "CVE-2022-0487"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0492
+# Patched in kernel since v5.17 24f6008564183aa120d07c03d9289519c2fe02af
+# Backported in version v5.4.177 0e8283cbe4996ae046cd680b3ed598a8f2b0d5d8
+# Backported in version v5.10.97 1fc3444cda9a78c65b769e3fa93455e09ff7a0d3
+# Backported in version v5.15.20 4b1c32bfaa02255a5df602b41587174004996477
+CVE_CHECK_WHITELIST += "CVE-2022-0492"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0494
+# Patched in kernel since v5.17 cc8f7fe1f5eab010191aa4570f27641876fa1267
+# Backported in version v5.4.193 c7337efd1d11acb6f84c68ffee57d3f312e87b24
+# Backported in version v5.10.115 a439819f4797f0846c7cffa9475f44aef23c541f
+# Backported in version v5.15.27 a1ba98731518b811ff90009505c1aebf6e400bc2
+CVE_CHECK_WHITELIST += "CVE-2022-0494"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0812
+# Patched in kernel since v5.8 912288442cb2f431bf3c8cb097a5de83bc6dbac1
+# Backported in version v5.4.53 c8a4452da9f4b09c28d904f70247b097d4c14932
+CVE_CHECK_WHITELIST += "CVE-2022-0812"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0850
+# Patched in kernel since v5.14 ce3aba43599f0b50adbebff133df8d08a3d5fffe
+# Backported in version v5.4.132 ed628b2531196cc76d7c9b730abe4020cad26b0b
+# Backported in version v5.10.50 ea5466f1a77720217a25a859b5a58b618aaba544
+CVE_CHECK_WHITELIST += "CVE-2022-0850"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0854
+# Patched in kernel since v5.18 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544
+# Backported in version v5.4.196 b2f140a9f980806f572d672e1780acea66b9a25c
+# Backported in version v5.10.118 f3f2247ac31cb71d1f05f56536df5946c6652f4a
+# Backported in version v5.15.33 7007c894631cf43041dcfa0da7142bbaa7eb673c
+CVE_CHECK_WHITELIST += "CVE-2022-0854"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1011
+# Patched in kernel since v5.17 0c4bcfdecb1ac0967619ee7ff44871d93c08c909
+# Backported in version v5.4.185 a9174077febfb1608ec3361622bf5f91e2668d7f
+# Backported in version v5.10.106 ab5595b45f732212b3b1974041b43a257153edb7
+# Backported in version v5.15.29 ca62747b38f59d4e75967ebf63c992de8852ca1b
+CVE_CHECK_WHITELIST += "CVE-2022-1011"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1016
+# Patched in kernel since v5.18 4c905f6740a365464e91467aa50916555b28213d
+# Backported in version v5.4.188 06f0ff82c70241a766a811ae1acf07d6e2734dcb
+# Backported in version v5.10.109 2c74374c2e88c7b7992bf808d9f9391f7452f9d9
+# Backported in version v5.15.32 fafb904156fbb8f1dd34970cd5223e00b47c33be
+CVE_CHECK_WHITELIST += "CVE-2022-1016"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1055
+# Patched in kernel since v5.17 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5
+# Backported in version v5.4.177 b1d17e920dfcd4b56fa2edced5710c191f7e50b5
+# Backported in version v5.10.97 e7be56926397cf9d992be8913f74a76152f8f08d
+# Backported in version v5.15.20 f36cacd6c933183c1a8827d5987cf2cfc0a44c76
+CVE_CHECK_WHITELIST += "CVE-2022-1055"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1195
+# Patched in kernel since v5.16 b2f37aead1b82a770c48b5d583f35ec22aabb61e
+# Backported in version v5.4.169 a5c6a13e9056d87805ba3042c208fbd4164ad22b
+# Backported in version v5.10.89 7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca
+# Backported in version v5.15.12 03d00f7f1815ec00dab5035851b3de83afd054a8
+CVE_CHECK_WHITELIST += "CVE-2022-1195"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1198
+# Patched in kernel since v5.17 efe4186e6a1b54bf38b9e05450d43b0da1fd7739
+# Backported in version v5.4.189 28c8fd84bea13cbf238d7b19d392de2fcc31331c
+# Backported in version v5.10.110 f67a1400788f550d201c71aeaf56706afe57f0da
+# Backported in version v5.15.33 3eb18f8a1d02a9462a0e4903efc674ca3d0406d1
+CVE_CHECK_WHITELIST += "CVE-2022-1198"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1199
+# Patched in kernel since v5.17 71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac
+# Backported in version v5.4.185 0a64aea5fe023cf1e4973676b11f49038b1f045b
+# Backported in version v5.10.106 e2201ef32f933944ee02e59205adb566bafcdf91
+# Backported in version v5.15.29 46ad629e58ce3a88c924ff3c5a7e9129b0df5659
+CVE_CHECK_WHITELIST += "CVE-2022-1199"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1353
+# Patched in kernel since v5.17 9a564bccb78a76740ea9d75a259942df8143d02c
+# Backported in version v5.4.189 ef388db2fe351230ff7194b37d507784bef659ec
+# Backported in version v5.10.110 8d3f4ad43054619379ccc697cfcbdb2c266800d8
+# Backported in version v5.15.33 d06ee4572fd916fbb34d16dc81eb37d1dff83446
+CVE_CHECK_WHITELIST += "CVE-2022-1353"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1419
+# Patched in kernel since v5.6 4b848f20eda5974020f043ca14bacf7a7e634fc8
+# Backported in version v5.4.21 3ea7f138cec139be98f8bb9fc1a6b432003f834e
+CVE_CHECK_WHITELIST += "CVE-2022-1419"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
+# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
+# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
+# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
+# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
+CVE_CHECK_WHITELIST += "CVE-2022-1462"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1734
+# Patched in kernel since v5.18 d270453a0d9ec10bb8a802a142fb1b3601a83098
+# Backported in version v5.4.193 33d3e76fc7a7037f402246c824d750542e2eb37f
+# Backported in version v5.10.115 1961c5a688edb53fe3bc25cbda57f47adf12563c
+# Backported in version v5.15.39 b8f2b836e7d0a553b886654e8b3925a85862d2eb
+CVE_CHECK_WHITELIST += "CVE-2022-1734"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2196
+# Patched in kernel since v6.2 2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
+# Backported in version v5.4.233 f93a1a5bdcdd122aae0a3eab7a52c15b71fb725b
+# Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
+# Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
+# Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
+CVE_CHECK_WHITELIST += "CVE-2022-2196"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2318
+# Patched in kernel since v5.19 9cc02ede696272c5271a401e4f27c262359bc2f6
+# Backported in version v5.4.204 bb91556d2af066f8ca2e7fd8e334d652e731ee29
+# Backported in version v5.10.129 8f74cb27c2b4872fd14bf046201fa7b36a46885e
+# Backported in version v5.15.53 659d39545260100628d8a30020d09fb6bf63b915
+CVE_CHECK_WHITELIST += "CVE-2022-2318"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2380
+# Patched in kernel since v5.18 bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8
+# Backported in version v5.4.189 478154be3a8c21ff106310bb1037b1fc9d81dc62
+# Backported in version v5.10.110 72af8810922eb143ed4f116db246789ead2d8543
+# Backported in version v5.15.33 46cdbff26c88fd75dccbf28df1d07cbe18007eac
+CVE_CHECK_WHITELIST += "CVE-2022-2380"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2503
+# Patched in kernel since v5.19 4caae58406f8ceb741603eee460d79bacca9b1b5
+# Backported in version v5.4.197 fd2f7e9984850a0162bfb6948b98ffac9fb5fa58
+# Backported in version v5.10.120 8df42bcd364cc3b41105215d841792aea787b133
+# Backported in version v5.15.45 69712b170237ec5979f168149cd31e851a465853
+CVE_CHECK_WHITELIST += "CVE-2022-2503"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
+# Patched in kernel since v6.0 e8d5dfd1d8747b56077d02664a8838c71ced948e
+# Backported in version v5.4.215 d0a24bc8e2aa703030d80affa3e5237fe3ad4dd2
+# Backported in version v5.10.146 9a5d7e0acb41bb2aac552f8eeb4b404177f3f66d
+# Backported in version v5.15.71 dc33ffbc361e2579a8f31b8724ef85d4117440e4
+# Backported in version v5.19.12 510ea9eae5ee45f4e443023556532bda99387351
+CVE_CHECK_WHITELIST += "CVE-2022-2663"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2873
+# Patched in kernel since v6.2 39244cc754829bf707dccd12e2ce37510f5b1f8d
+# Backported in version v5.4.229 cdcbae2c5003747ddfd14e29db9c1d5d7e7c44dd
+# Backported in version v5.10.163 9ac541a0898e8ec187a3fa7024b9701cffae6bf2
+# Backported in version v5.15.86 96c12fd0ec74641295e1c3c34dea3dce1b6c3422
+# Backported in version v6.1.2 233348a04becf133283f0076e20b317302de21d9
+CVE_CHECK_WHITELIST += "CVE-2022-2873"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3028
+# Patched in kernel since v6.0 ba953a9d89a00c078b85f4b190bc1dde66fe16b5
+# Backported in version v5.4.212 8ee27a4f0f1ad36d430221842767880df6494147
+# Backported in version v5.10.140 c5c4d4c9806dadac7bc82f9c29ef4e1b78894775
+# Backported in version v5.15.64 103bd319c0fc90f1cb013c3a508615e6df8af823
+# Backported in version v5.19.6 6901885656c029c976498290b52f67f2c251e6a0
+CVE_CHECK_WHITELIST += "CVE-2022-3028"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3105
+# Patched in kernel since v5.16 7694a7de22c53a312ea98960fcafc6ec62046531
+# Backported in version v5.4.171 7646a340b25bb68cfb6d2e087a608802346d0f7b
+# Backported in version v5.10.91 16e5cad6eca1e506c38c39dc256298643fa1852a
+# Backported in version v5.15.14 0ea8bb0811ba0ec22903cbb48ff2cd872382e8d4
+CVE_CHECK_WHITELIST += "CVE-2022-3105"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3107
+# Patched in kernel since v5.17 886e44c9298a6b428ae046e2fa092ca52e822e6a
+# Backported in version v5.4.187 b01e2df5fbf68719dfb8e766c1ca6089234144c2
+# Backported in version v5.10.108 9b763ceda6f8963cc99df5772540c54ba46ba37c
+# Backported in version v5.15.31 ab0ab176183191cffc69fe9dd8ac6c8db23f60d3
+CVE_CHECK_WHITELIST += "CVE-2022-3107"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3111
+# Patched in kernel since v5.18 6dee930f6f6776d1e5a7edf542c6863b47d9f078
+# Backported in version v5.4.189 90bec38f6a4c81814775c7f3dfc9acf281d5dcfa
+# Backported in version v5.10.110 48d23ef90116c8c702bfa4cad93744e4e5588d7d
+# Backported in version v5.15.33 4124966fbd95eeecca26d52433f393e2b9649a33
+CVE_CHECK_WHITELIST += "CVE-2022-3111"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3115
+# Patched in kernel since v5.19 73c3ed7495c67b8fbdc31cf58e6ca8757df31a33
+# Backported in version v5.4.198 fa0d7ba25a53ac2e4bb24ef31aec49ff3578b44f
+# Backported in version v5.10.121 b4c7dd0037e6aeecad9b947b30f0d9eaeda11762
+# Backported in version v5.15.46 4cb37f715f601cee5b026c6f9091a466266b5ba5
+CVE_CHECK_WHITELIST += "CVE-2022-3115"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3202
+# Patched in kernel since v5.18 a53046291020ec41e09181396c1e829287b48d47
+# Backported in version v5.4.189 e19c3149a80e4fc8df298d6546640e01601f3758
+# Backported in version v5.10.111 b9c5ac0a15f24d63b20f899072fa6dd8c93af136
+# Backported in version v5.15.34 d925b7e78b62805fcc5440d1521181c82b6f03cb
+CVE_CHECK_WHITELIST += "CVE-2022-3202"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3303
+# Patched in kernel since v6.0 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d
+# Backported in version v5.4.215 4051324a6dafd7053c74c475e80b3ba10ae672b0
+# Backported in version v5.10.148 fce793a056c604b41a298317cf704dae255f1b36
+# Backported in version v5.15.68 8015ef9e8a0ee5cecfd0cb6805834d007ab26f86
+# Backported in version v5.19.9 723ac5ab2891b6c10dd6cc78ef5456af593490eb
+CVE_CHECK_WHITELIST += "CVE-2022-3303"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3424
+# Patched in kernel since v6.2 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
+# Backported in version v5.4.229 0078dd8758561540ed30b2c5daa1cb647e758977
+# Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
+# Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
+# Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
+CVE_CHECK_WHITELIST += "CVE-2022-3424"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3435
+# Patched in kernel since v6.1 61b91eb33a69c3be11b259c5ea484505cd79f883
+# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
+# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
+# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
+CVE_CHECK_WHITELIST += "CVE-2022-3435"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3521
+# Patched in kernel since v6.1 ec7eede369fe5b0d085ac51fdbb95184f87bfc6c
+# Backported in version v5.4.225 ad39d09190a545d0f05ae0a82900eee96c5facea
+# Backported in version v5.10.156 7deb7a9d33e4941c5ff190108146d3a56bf69e9d
+# Backported in version v5.15.80 27d706b0d394a907ff8c4f83ffef9d3e5817fa84
+CVE_CHECK_WHITELIST += "CVE-2022-3521"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3545
+# Patched in kernel since v6.0 02e1a114fdb71e59ee6770294166c30d437bf86a
+# Backported in version v5.4.228 3c837460f920a63165961d2b88b425703f59affb
+# Backported in version v5.10.160 eb6313c12955c58c3d3d40f086c22e44ca1c9a1b
+# Backported in version v5.15.84 9d933af8fef33c32799b9f2d3ff6bf58a63d7f24
+CVE_CHECK_WHITELIST += "CVE-2022-3545"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3564
+# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
+# Backported in version v5.4.224 4cd094fd5d872862ca278e15b9b51b07e915ef3f
+# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
+# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
+CVE_CHECK_WHITELIST += "CVE-2022-3564"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3586
+# Patched in kernel since v6.0 9efd23297cca530bb35e1848665805d3fcdd7889
+# Backported in version v5.4.213 279c7668e354fa151d5fd2e8c42b5153a1de3135
+# Backported in version v5.10.143 2ee85ac1b29dbd2ebd2d8e5ac1dd5793235d516b
+# Backported in version v5.15.68 1a889da60afc017050e1f517b3b976b462846668
+# Backported in version v5.19.9 8f796f36f5ba839c11eb4685150ebeed496c546f
+CVE_CHECK_WHITELIST += "CVE-2022-3586"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3594
+# Patched in kernel since v6.1 93e2be344a7db169b7119de21ac1bf253b8c6907
+# Backported in version v5.4.220 61fd56b0a1a3e923aced4455071177778dd59e88
+# Backported in version v5.10.150 484400d433ca1903a87268c55f019e932297538a
+# Backported in version v5.15.75 b3179865cf7e892b26eedab3d6c54b4747c774a2
+# Backported in version v5.19.17 2e896abccf99fef76691d8e1019bd44105a12e1f
+CVE_CHECK_WHITELIST += "CVE-2022-3594"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3621
+# Patched in kernel since v6.1 21a87d88c2253350e115029f14fe2a10a7e6c856
+# Backported in version v5.4.218 792211333ad77fcea50a44bb7f695783159fc63c
+# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
+# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
+# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
+CVE_CHECK_WHITELIST += "CVE-2022-3621"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3623
+# Patched in kernel since v6.1 fac35ba763ed07ba93154c95ffc0c4a55023707f
+# Backported in version v5.4.228 176ba4c19d1bb153aa6baaa61d586e785b7d736c
+# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
+# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
+# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
+CVE_CHECK_WHITELIST += "CVE-2022-3623"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3629
+# Patched in kernel since v6.0 7e97cfed9929eaabc41829c395eb0d1350fccb9d
+# Backported in version v5.4.211 f82f1e2042b397277cd39f16349950f5abade58d
+# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
+# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
+# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
+CVE_CHECK_WHITELIST += "CVE-2022-3629"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3633
+# Patched in kernel since v6.0 8c21c54a53ab21842f5050fa090f26b03c0313d6
+# Backported in version v5.4.211 04e41b6bacf474f5431491f92e981096e8cc8e93
+# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
+# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
+# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
+CVE_CHECK_WHITELIST += "CVE-2022-3633"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3635
+# Patched in kernel since v6.0 3f4093e2bf4673f218c0bf17d8362337c400e77b
+# Backported in version v5.4.211 9a6cbaa50f263b12df18a051b37f3f42f9fb5253
+# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
+# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
+# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
+CVE_CHECK_WHITELIST += "CVE-2022-3635"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3646
+# Patched in kernel since v6.1 d0d51a97063db4704a5ef6bc978dddab1636a306
+# Backported in version v5.4.218 b7e409d11db9ce9f8bc05fcdfa24d143f60cd393
+# Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
+# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
+# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
+CVE_CHECK_WHITELIST += "CVE-2022-3646"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3649
+# Patched in kernel since v6.1 d325dc6eb763c10f591c239550b8c7e5466a5d09
+# Backported in version v5.4.220 d1c2d820a2cd73867b7d352e89e92fb3ac29e926
+# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
+# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
+# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
+CVE_CHECK_WHITELIST += "CVE-2022-3649"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3707
+# Patched in kernel since v6.2 4a61648af68f5ba4884f0e3b494ee1cabc4b6620
+# Backported in version v5.4.233 787ef0db014085df8691e5aeb58ab0bb081e5ff0
+# Backported in version v5.10.170 3d743415c6fb092167df6c23e9c7e9f6df7db625
+# Backported in version v5.15.96 0d3d5099a50badadad6837edda00e42149b2f657
+# Backported in version v6.1.5 1022519da69d99d455c58ca181a6c499c562c70e
+CVE_CHECK_WHITELIST += "CVE-2022-3707"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-4095
+# Patched in kernel since v6.0 e230a4455ac3e9b112f0367d1b8e255e141afae0
+# Backported in version v5.4.213 d0aac7146e96bf39e79c65087d21dfa02ef8db38
+# Backported in version v5.10.142 19e3f69d19801940abc2ac37c169882769ed9770
+# Backported in version v5.15.66 dc02aaf950015850e7589696521c7fca767cea77
+# Backported in version v5.19.8 b1727def850904e4b8ba384043775672841663a1
+CVE_CHECK_WHITELIST += "CVE-2022-4095"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-4139
+# Patched in kernel since v6.1 04aa64375f48a5d430b5550d9271f8428883e550
+# Backported in version v5.4.226 3659e33c1e4f8cfc62c6c15aca5d797010c277a4
+# Backported in version v5.10.157 86f0082fb9470904b15546726417f28077088fee
+# Backported in version v5.15.81 ee2d04f23bbb16208045c3de545c6127aaa1ed0e
+CVE_CHECK_WHITELIST += "CVE-2022-4139"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-4382
+# Patched in kernel since v6.2 d18dcfe9860e842f394e37ba01ca9440ab2178f4
+# Backported in version v5.4.230 9a39f4626b361ee7aa10fd990401c37ec3b466ae
+# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
+# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
+# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
+CVE_CHECK_WHITELIST += "CVE-2022-4382"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-4662
+# Patched in kernel since v6.0 9c6d778800b921bde3bff3cff5003d1650f942d1
+# Backported in version v5.4.213 df1875084898b15cbc42f712e93d7f113ae6271b
+# Backported in version v5.10.142 abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8
+# Backported in version v5.15.66 c548b99e1c37db6f7df86ecfe9a1f895d6c5966e
+# Backported in version v5.19.8 d5eb850b3e8836197a38475840725260b9783e94
+CVE_CHECK_WHITELIST += "CVE-2022-4662"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-24448
+# Patched in kernel since v5.17 ac795161c93699d600db16c1a8cc23a65a1eceaf
+# Backported in version v5.4.176 0dfacee40021dcc0a9aa991edd965addc04b9370
+# Backported in version v5.10.96 ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2
+# Backported in version v5.15.19 4c36ca387af4a9b5d775e46a6cb9dc2d151bf057
+CVE_CHECK_WHITELIST += "CVE-2022-24448"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-24959
+# Patched in kernel since v5.17 29eb31542787e1019208a2e1047bb7c76c069536
+# Backported in version v5.4.176 7afc09c8915b0735203ebcb8d766d7db37b794c0
+# Backported in version v5.10.96 729e54636b3ebefb77796702a5b1f1ed5586895e
+# Backported in version v5.15.19 0690c3943ed0fa76654e600eca38cde6a13c87ac
+CVE_CHECK_WHITELIST += "CVE-2022-24959"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-25258
+# Patched in kernel since v5.17 75e5b4849b81e19e9efe1654b30d7f3151c33c2c
+# Backported in version v5.4.180 38fd68f55a7ef57fb9cc3102ac65d1ac474a1a18
+# Backported in version v5.10.101 22ec1004728548598f4f5b4a079a7873409eacfd
+# Backported in version v5.15.24 3e33e5c67cb9ebd2b791b9a9fb2b71daacebd8d4
+CVE_CHECK_WHITELIST += "CVE-2022-25258"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-25375
+# Patched in kernel since v5.17 38ea1eac7d88072bbffb630e2b3db83ca649b826
+# Backported in version v5.4.180 c9e952871ae47af784b4aef0a77db02e557074d6
+# Backported in version v5.10.101 fb4ff0f96de37c44236598e8b53fe43b1df36bf3
+# Backported in version v5.15.24 2da3b0ab54fb7f4d7c5a82757246d0ee33a47197
+CVE_CHECK_WHITELIST += "CVE-2022-25375"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-25636
+# Patched in kernel since v5.17 b1a5983f56e371046dcf164f90bfaf704d2b89f6
+# Backported in version v5.4.182 49c011a44edd14adb555dbcbaf757f52b1f2f748
+# Backported in version v5.10.103 68f19845f580a1d3ac1ef40e95b0250804e046bb
+# Backported in version v5.15.26 6c5d780469d6c3590729940e2be8a3bd66ea4814
+CVE_CHECK_WHITELIST += "CVE-2022-25636"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
+# Patched in kernel since v5.19 2f446ffe9d737e9a844b97887919c4fda18246e7
+# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
+# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
+# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
+CVE_CHECK_WHITELIST += "CVE-2022-26365"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-26490
+# Patched in kernel since v5.17 4fbcc1a4cb20fe26ad0225679c536c80f1648221
+# Backported in version v5.4.188 0aef7184630b599493a0dcad4eec6d42b3e68e91
+# Backported in version v5.10.109 25c23fe40e6e1ef8e6d503c52b4f518b2e520ab7
+# Backported in version v5.15.32 a34c47b1ab07153a047476de83581dc822287f39
+CVE_CHECK_WHITELIST += "CVE-2022-26490"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-26966
+# Patched in kernel since v5.17 e9da0b56fe27206b49f39805f7dcda8a89379062
+# Backported in version v5.4.182 b95d71abeb7d31d4d51cd836d80f99fd783fd6d5
+# Backported in version v5.10.103 4f5f5411f0c14ac0b61d5e6a77d996dd3d5b5fd3
+# Backported in version v5.15.26 9f2d614779906f3d8ad4fb882c5b3e5ad6150bbe
+CVE_CHECK_WHITELIST += "CVE-2022-26966"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-27223
+# Patched in kernel since v5.17 7f14c7227f342d9932f9b918893c8814f86d2a0d
+# Backported in version v5.4.182 6b23eda989236fd75b4a9893cc816cd690c29dfc
+# Backported in version v5.10.103 bfa8ffbaaaaf9752f66bc7cabcef2de715e7621f
+# Backported in version v5.15.26 2c775ad1fd5e014b35e483da2aab8400933fb09d
+CVE_CHECK_WHITELIST += "CVE-2022-27223"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-27666
+# Patched in kernel since v5.17 ebe48d368e97d007bfeb76fcb065d6cfc4c96645
+# Backported in version v5.4.188 fee4dfbda68ba10f3bbcf51c861d6aa32f08f9e4
+# Backported in version v5.10.108 9248694dac20eda06e22d8503364dc9d03df4e2f
+# Backported in version v5.15.29 4aaabbffc3b0658ce80eebdde9bafa20a3f932e0
+CVE_CHECK_WHITELIST += "CVE-2022-27666"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-28356
+# Patched in kernel since v5.18 764f4eb6846f5475f1244767d24d25dd86528a4a
+# Backported in version v5.4.188 572f9a0d3f3feb8bd3422e88ad71882bc034b3ff
+# Backported in version v5.10.109 571df3393f523b59cba87e2f3e80a3a624030f9c
+# Backported in version v5.15.32 e9072996108387ab19b497f5b557c93f98d96b0b
+CVE_CHECK_WHITELIST += "CVE-2022-28356"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-28388
+# Patched in kernel since v5.18 3d3925ff6433f98992685a9679613a2cc97f3ce2
+# Backported in version v5.4.191 660784e7194ac2953aebe874c1f75f2441ba3d19
+# Backported in version v5.10.110 5318cdf4fd834856ce71238b064f35386f9ef528
+# Backported in version v5.15.33 f2ce5238904f539648aaf56c5ee49e5eaf44d8fc
+CVE_CHECK_WHITELIST += "CVE-2022-28388"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-28389
+# Patched in kernel since v5.18 04c9b00ba83594a29813d6b1fb8fdc93a3915174
+# Backported in version v5.4.189 2dfe9422d528630e2ce0d454147230cce113f814
+# Backported in version v5.10.110 0801a51d79389282c1271e623613b2e1886e071e
+# Backported in version v5.15.33 37f07ad24866c6c1423b37b131c9a42414bcf8a1
+CVE_CHECK_WHITELIST += "CVE-2022-28389"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-28390
+# Patched in kernel since v5.18 c70222752228a62135cee3409dccefd494a24646
+# Backported in version v5.4.189 e27caad38b59b5b00b9c5228d04c13111229deec
+# Backported in version v5.10.110 b417f9c50586588754b2b0453a1f99520cf7c0e8
+# Backported in version v5.15.33 459b19f42fd5e031e743dfa119f44aba0b62ff97
+CVE_CHECK_WHITELIST += "CVE-2022-28390"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-28893
+# Patched in kernel since v5.18 f00432063db1a0db484e85193eccc6845435b80e
+# Backported in version v5.4.196 2f8f6c393b11b5da059b1fc10a69fc2f2b6c446a
+# Backported in version v5.10.117 e68b60ae29de10c7bd7636e227164a8dbe305a82
+# Backported in version v5.15.41 54f6834b283d9b4d070b0639d9ef5e1d156fe7b0
+CVE_CHECK_WHITELIST += "CVE-2022-28893"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-32250
+# Patched in kernel since v5.19 520778042ccca019f3ffa136dd0ca565c486cedd
+# Backported in version v5.4.198 f36736fbd48491a8d85cd22f4740d542c5a1546e
+# Backported in version v5.10.120 ea62d169b6e731e0b54abda1d692406f6bc6a696
+# Backported in version v5.15.45 f692bcffd1f2ce5488d24fbcb8eab5f351abf79d
+CVE_CHECK_WHITELIST += "CVE-2022-32250"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-32296
+# Patched in kernel since v5.18 4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5
+# Backported in version v5.4.201 c26e1addf15763ae404f4bbf131719a724e768ab
+# Backported in version v5.10.125 9429b75bc271b6f29e50dbb0ee0751800ff87dd9
+# Backported in version v5.15.41 952a238d779eea4ecb2f8deb5004c8f56be79bc9
+CVE_CHECK_WHITELIST += "CVE-2022-32296"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-32981
+# Patched in kernel since v5.19 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9
+# Backported in version v5.4.198 0c4bc0a2f8257f79a70fe02b9a698eb14695a64b
+# Backported in version v5.10.122 3be74fc0afbeadc2aff8dc69f3bf9716fbe66486
+# Backported in version v5.15.47 2a0165d278973e30f2282c15c52d91788749d2d4
+CVE_CHECK_WHITELIST += "CVE-2022-32981"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33740
+# Patched in kernel since v5.19 307c8de2b02344805ebead3440d8feed28f2f010
+# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
+# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
+# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
+CVE_CHECK_WHITELIST += "CVE-2022-33740"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33741
+# Patched in kernel since v5.19 4491001c2e0fa69efbb748c96ec96b100a5cdb7e
+# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
+# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
+# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
+CVE_CHECK_WHITELIST += "CVE-2022-33741"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33742
+# Patched in kernel since v5.19 2400617da7eebf9167d71a46122828bc479d64c9
+# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
+# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
+# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
+CVE_CHECK_WHITELIST += "CVE-2022-33742"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33744
+# Patched in kernel since v5.19 b75cd218274e01d026dc5240e86fdeb44bbed0c8
+# Backported in version v5.4.204 5c03cad51b84fb26ccea7fd99130d8ec47949cfc
+# Backported in version v5.10.129 43c8d33ce353091f15312cb6de3531517d7bba90
+# Backported in version v5.15.53 9f83c8f6ab14bbf4311b70bf1b7290d131059101
+CVE_CHECK_WHITELIST += "CVE-2022-33744"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33981
+# Patched in kernel since v5.18 233087ca063686964a53c829d547c7571e3f67bf
+# Backported in version v5.4.192 7dea5913000c6a2974a00d9af8e7ffb54e47eac1
+# Backported in version v5.10.114 54c028cfc49624bfc27a571b94edecc79bbaaab4
+# Backported in version v5.15.37 e52da8e4632f9c8fe78bf1c5881ce6871c7e08f3
+CVE_CHECK_WHITELIST += "CVE-2022-33981"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-36123
+# Patched in kernel since v5.19 38fa5479b41376dc9d7f57e71c83514285a25ca0
+# Backported in version v5.4.207 a3c7c1a726a4c6b63b85e8c183f207543fd75e1b
+# Backported in version v5.10.132 136d7987fcfdeca73ee3c6a29e48f99fdd0f4d87
+# Backported in version v5.15.56 26bb7afc027ce6ac8ab6747babec674d55689ff0
+CVE_CHECK_WHITELIST += "CVE-2022-36123"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-36280
+# Patched in kernel since v6.2 4cf949c7fafe21e085a4ee386bb2dade9067316e
+# Backported in version v5.4.229 94b283341f9f3f0ed56a360533766377a01540e0
+# Backported in version v5.10.163 439cbbc1519547f9a7b483f0de33b556ebfec901
+# Backported in version v5.15.87 6948e570f54f2044dd4da444b10471373a047eeb
+# Backported in version v6.1.4 622d527decaac0eb65512acada935a0fdc1d0202
+CVE_CHECK_WHITELIST += "CVE-2022-36280"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-36879
+# Patched in kernel since v5.19 f85daf0e725358be78dfd208dea5fd665d8cb901
+# Backported in version v5.4.208 f4248bdb7d5c1150a2a6f8c3d3b6da0b71f62a20
+# Backported in version v5.10.134 47b696dd654450cdec3103a833e5bf29c4b83bfa
+# Backported in version v5.15.58 c8e32bca0676ac663266a3b16562cb017300adcd
+CVE_CHECK_WHITELIST += "CVE-2022-36879"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-36946
+# Patched in kernel since v5.19 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164
+# Backported in version v5.4.209 52be29e8b6455788a4d0f501bd87aa679ca3ba3c
+# Backported in version v5.10.135 440dccd80f627e0e11ceb0429e4cdab61857d17e
+# Backported in version v5.15.59 91c11008aab0282957b8b8ccb0707d90e74cc3b9
+CVE_CHECK_WHITELIST += "CVE-2022-36946"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-39188
+# Patched in kernel since v5.19 b67fbebd4cf980aecbcc750e1462128bffe8ae15
+# Backported in version v5.4.212 c9c5501e815132530d741ec9fdd22657f91656bc
+# Backported in version v5.10.141 895428ee124ad70b9763259308354877b725c31d
+# Backported in version v5.15.65 3ffb97fce282df03723995f5eed6a559d008078e
+CVE_CHECK_WHITELIST += "CVE-2022-39188"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-39842
+# Patched in kernel since v5.19 a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7
+# Backported in version v5.4.215 1878eaf0edb8c9e58a6ca0cf31b7a647ca346be9
+# Backported in version v5.10.145 06e194e1130c98f82d46beb40cdbc88a0d4fd6de
+# Backported in version v5.15.70 ab5140c6ddd7473509e12f468948de91138b124e
+CVE_CHECK_WHITELIST += "CVE-2022-39842"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-40307
+# Patched in kernel since v6.0 9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95
+# Backported in version v5.4.213 8028ff4cdbb3f20d3c1c04be33a83bab0cb94997
+# Backported in version v5.10.143 918d9c4a4bdf5205f2fb3f64dddfb56c9a1d01d6
+# Backported in version v5.15.68 dd291e070be0eca8807476b022bda00c891d9066
+# Backported in version v5.19.9 d46815a8f26ca6db2336106a148265239f73b0af
+CVE_CHECK_WHITELIST += "CVE-2022-40307"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-40768
+# Patched in kernel since v6.1 6022f210461fef67e6e676fd8544ca02d1bcfa7a
+# Backported in version v5.4.218 20a5bde605979af270f94b9151f753ec2caf8b05
+# Backported in version v5.10.148 36b33c63515a93246487691046d18dd37a9f589b
+# Backported in version v5.15.74 76efb4897bc38b2f16176bae27ae801037ebf49a
+# Backported in version v5.19.16 6ae8aa5dcf0d7ada07964c8638e55d3af5896a86
+CVE_CHECK_WHITELIST += "CVE-2022-40768"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-41218
+# Patched in kernel since v6.2 fd3d91ab1c6ab0628fe642dd570b56302c30a792
+# Backported in version v5.4.229 a29d6213098816ed4574824b6adae94fb1c0457d
+# Backported in version v5.10.163 3df07728abde249e2d3f47cf22f134cb4d4f5fb1
+# Backported in version v5.15.87 8b45a3b19a2e909e830d09a90a7e1ec8601927d9
+# Backported in version v6.1.4 530ca64b44625f7d39eb1d5efb6f9ff21da991e2
+CVE_CHECK_WHITELIST += "CVE-2022-41218"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-41222
+# Patched in kernel since v5.14 97113eb39fa7972722ff490b947d8af023e1f6a2
+# Backported in version v5.4.211 79e522101cf40735f1936a10312e17f937b8dcad
+# Backported in version v5.10.137 2613baa3ab2153cc45b175c58700d93f72ef36c4
+CVE_CHECK_WHITELIST += "CVE-2022-41222"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-41849
+# Patched in kernel since v6.1 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c
+# Backported in version v5.4.220 3742e9fd552e6c4193ebc5eb3d2cd02d429cad9c
+# Backported in version v5.10.150 e50472949604f385e09ce3fa4e74dce9f44fb19b
+# Backported in version v5.15.75 2b0897e33682a332167b7d355eec28693b62119e
+# Backported in version v5.19.17 02c871d44090c851b07770176f88c6f5564808a1
+CVE_CHECK_WHITELIST += "CVE-2022-41849"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-41850
+# Patched in kernel since v6.1 cacdb14b1c8d3804a3a7d31773bc7569837b71a4
+# Backported in version v5.4.220 e30c3a9a88818e5cf3df3fda6ab8388bef3bc6cd
+# Backported in version v5.10.150 dbcca76435a606a352c794956e6df62eedd3a353
+# Backported in version v5.15.75 c61786dc727d1850336d12c85a032c9a36ae396d
+# Backported in version v5.19.17 2d38886ae0365463cdba3db669170eef1e3d55c0
+CVE_CHECK_WHITELIST += "CVE-2022-41850"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-41858
+# Patched in kernel since v5.18 ec4eb8a86ade4d22633e1da2a7d85a846b7d1798
+# Backported in version v5.4.190 d05cd68ed8460cb158cc62c41ffe39fe0ca16169
+# Backported in version v5.10.112 ca24c5e8f0ac3d43ec0cff29e1c861be73aff165
+# Backported in version v5.15.35 efb020924a71391fc12e6f204eaf25694cc116a1
+CVE_CHECK_WHITELIST += "CVE-2022-41858"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42328
+# Patched in kernel since v6.1 74e7e1efdad45580cc3839f2a155174cf158f9b5
+# Backported in version v5.4.227 50e1ab7e638f1009d953658af8f6b2d7813a7883
+# Backported in version v5.10.159 83632fc41449c480f2d0193683ec202caaa186c9
+# Backported in version v5.15.83 5d0fa6fc8899fe842329c0109f8ddd01144b1ed8
+CVE_CHECK_WHITELIST += "CVE-2022-42328"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42329
+# Patched in kernel since v6.1 74e7e1efdad45580cc3839f2a155174cf158f9b5
+# Backported in version v5.4.227 50e1ab7e638f1009d953658af8f6b2d7813a7883
+# Backported in version v5.10.159 83632fc41449c480f2d0193683ec202caaa186c9
+# Backported in version v5.15.83 5d0fa6fc8899fe842329c0109f8ddd01144b1ed8
+CVE_CHECK_WHITELIST += "CVE-2022-42329"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42703
+# Patched in kernel since v6.0 2555283eb40df89945557273121e9393ef9b542b
+# Backported in version v5.4.212 2fe3eee48899a890310177d54537d5b8e255eb31
+# Backported in version v5.10.141 98f401d36396134c0c86e9e3bd00b6b6b028b521
+# Backported in version v5.15.65 c18a209b56e37b2a60414f714bd70b084ef25835
+# Backported in version v5.19.7 7877eaa1131147b4d6a063962f3aac0ab1b8ea1c
+CVE_CHECK_WHITELIST += "CVE-2022-42703"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42721
+# Patched in kernel since v6.1 bcca852027e5878aec911a347407ecc88d6fff7f
+# Backported in version v5.4.218 77bb20ccb9dfc9ed4f9c93788c90d08cfd891cdc
+# Backported in version v5.10.148 b0e5c5deb7880be5b8a459d584e13e1f9879d307
+# Backported in version v5.15.74 0a8ee682e4f992eccce226b012bba600bb2251e2
+# Backported in version v5.19.16 1d73c990e9bafc2754b1ced71345f73f5beb1781
+CVE_CHECK_WHITELIST += "CVE-2022-42721"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42895
+# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
+# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_CHECK_WHITELIST += "CVE-2022-42895"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-47929
+# Patched in kernel since v6.2 96398560f26aa07e8f2969d73c8197e6a6d10407
+# Backported in version v5.4.229 9b83ec63d0de7b1f379daa1571e128bc7b9570f8
+# Backported in version v5.10.163 9f7bc28a6b8afc2274e25650511555e93f45470f
+# Backported in version v5.15.88 04941c1d5bb59d64165e09813de2947bdf6f4f28
+# Backported in version v6.1.6 e8988e878af693ac13b0fa80ba2e72d22d68f2dd
+CVE_CHECK_WHITELIST += "CVE-2022-47929"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-0394
+# Patched in kernel since v6.2 cb3e9864cdbe35ff6378966660edbcbac955fe17
+# Backported in version v5.4.229 3998dba0f78a59922b0ef333ccfeb58d9410cd3d
+# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
+# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
+# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
+CVE_CHECK_WHITELIST += "CVE-2023-0394"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-0458
+# Patched in kernel since v6.2 739790605705ddcf18f21782b9c99ad7d53a8c11
+# Backported in version v5.4.230 96b02125dd68d77e28a29488e6f370a5eac7fb1c
+# Backported in version v5.10.165 9f8e45720e0e7edb661d0082422f662ed243d8d8
+# Backported in version v5.15.90 f01aefe374d32c4bb1e5fd1e9f931cf77fca621a
+# Backported in version v6.1.8 91185568c99d60534bacf38439846103962d1e2c
+CVE_CHECK_WHITELIST += "CVE-2023-0458"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-0461
+# Patched in kernel since v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c
+# Backported in version v5.4.229 c6d29a5ffdbc362314853462a0e24e63330a654d
+# Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
+# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
+# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
+CVE_CHECK_WHITELIST += "CVE-2023-0461"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1073
+# Patched in kernel since v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
+# Backported in version v5.4.231 89e7fe3999e057c91f157b6ba663264f4cdfcb55
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_CHECK_WHITELIST += "CVE-2023-1073"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1074
+# Patched in kernel since v6.2 458e279f861d3f61796894cd158b780765a1569f
+# Backported in version v5.4.231 a7585028ac0a5836f39139c11594d79ede97d975
+# Backported in version v5.10.166 6ef652f35dcfaa1ab2b2cf6c1694718595148eee
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_CHECK_WHITELIST += "CVE-2023-1074"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1077
+# Patched in kernel since v6.3 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
+# Backported in version v5.4.235 084cd75643b61fb924f70cba98a71dea14942938
+# Backported in version v5.10.173 80a1751730b302d8ab63a084b2fa52c820ad0273
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+# Backported in version v6.2.3 1099004ae1664703ec573fc4c61ffb24144bcb63
+CVE_CHECK_WHITELIST += "CVE-2023-1077"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1078
+# Patched in kernel since v6.2 f753a68980cf4b59a80fe677619da2b1804f526d
+# Backported in version v5.4.232 ba38eacade35dd2316d77b37494e6e0c01bab595
+# Backported in version v5.10.168 c53f34ec3fbf3e9f67574118a6bb35ae1146f7ca
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_CHECK_WHITELIST += "CVE-2023-1078"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1079
+# Patched in kernel since v6.3 4ab3a086d10eeec1424f2e8a968827a6336203df
+# Backported in version v5.4.235 dd08e68d04d08d2f42b09162c939a0b0841216cc
+# Backported in version v5.10.173 21a2eec4a440060a6eb294dc890eaf553101ba09
+# Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
+# Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
+# Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
+CVE_CHECK_WHITELIST += "CVE-2023-1079"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1095
+# Patched in kernel since v6.0 580077855a40741cf511766129702d97ff02f4d9
+# Backported in version v5.4.211 a452bc3deb23bf93f8a13d3e24611b7ef39645dc
+# Backported in version v5.10.137 80977126bc20309f7f7bae6d8621356b393e8b41
+# Backported in version v5.15.61 8a2df34b5bf652566f2889d9fa321f3b398547ef
+# Backported in version v5.19.2 109539c9ba8497aad2948af4f09077f6a65059fe
+CVE_CHECK_WHITELIST += "CVE-2023-1095"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1118
+# Patched in kernel since v6.3 29b0589a865b6f66d141d79b2dd1373e4e50fe17
+# Backported in version v5.4.235 d120334278b370b6a1623a75ebe53b0c76cb247c
+# Backported in version v5.10.173 78da5a378bdacd5bf68c3a6389bdc1dd0c0f5b3c
+# Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
+# Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
+# Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
+CVE_CHECK_WHITELIST += "CVE-2023-1118"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1382
+# Patched in kernel since v6.1 a7b42969d63f47320853a802efd879fbdc4e010e
+# Backported in version v5.4.226 59f9aad22fd743572bdafa37d3e1dd5dc5658e26
+# Backported in version v5.10.157 4058e3b74ab3eabe0835cee9a0c6deda79e8a295
+# Backported in version v5.15.81 33fb115a76ae6683e34f76f7e07f6f0734b2525f
+CVE_CHECK_WHITELIST += "CVE-2023-1382"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1390
+# Patched in kernel since v5.11 b77413446408fdd256599daf00d5be72b5f3e7c6
+# Backported in version v5.4.92 56e8947bcf814d195eb4954b4821868803d3dd67
+# Backported in version v5.10.10 60b8b4e6310b7dfc551ba68e8639eeaf70a0b2dd
+CVE_CHECK_WHITELIST += "CVE-2023-1390"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1513
+# Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
+# Backported in version v5.4.232 9f95a161a7deef62d6d2f57b1a69f94e0546d8d8
+# Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
+# Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
+# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
+CVE_CHECK_WHITELIST += "CVE-2023-1513"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1829
+# Patched in kernel since v6.3 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
+# Backported in version v5.4.235 7a6fb69bbcb21e9ce13bdf18c008c268874f0480
+# Backported in version v5.10.173 18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6
+# Backported in version v5.15.100 7c183dc0af472dec33d2c0786a5e356baa8cad19
+# Backported in version v6.1.18 3abebc503a5148072052c229c6b04b329a420ecd
+# Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
+CVE_CHECK_WHITELIST += "CVE-2023-1829"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1838
+# Patched in kernel since v5.18 fb4554c2232e44d595920f4d5c66cf8f7d13f9bc
+# Backported in version v5.4.196 3a12b2c413b20c17832ec51cb836a0b713b916ac
+# Backported in version v5.10.118 ec0d801d1a44d9259377142c6218885ecd685e41
+# Backported in version v5.15.42 42d8a6dc45fc6619b8def1a70b7bd0800bcc4574
+CVE_CHECK_WHITELIST += "CVE-2023-1838"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1998
+# Patched in kernel since v6.3 6921ed9049bc7457f66c1596c5b78aec0dae4a9d
+# Backported in version v5.4.235 34c1b60e7a80404056c03936dd9c2438da2789d4
+# Backported in version v5.10.173 abfed855f05863d292de2d0ebab4656791bab9c8
+# Backported in version v5.15.99 e7f1ddebd9f5b12de40bc37db9243957678f1448
+# Backported in version v6.1.16 08d87c87d6461d16827c9b88d84c48c26b6c994a
+# Backported in version v6.2.3 ead3c8e54d28fa1d5454b1f8a21b96b4a969b1cb
+CVE_CHECK_WHITELIST += "CVE-2023-1998"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-2008
+# Patched in kernel since v5.19 05b252cccb2e5c3f56119d25de684b4f810ba40a
+# Backported in version v5.4.202 c7bdaad9cbfe17c83e4f56c7bb7a2d87d944f0fb
+# Backported in version v5.10.127 20119c1e0fff89542ff3272ace87e04cf6ee6bea
+# Backported in version v5.15.51 5b45535865d62633e3816ee30eb8d3213038dc17
+CVE_CHECK_WHITELIST += "CVE-2023-2008"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-2162
+# Patched in kernel since v6.2 f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3
+# Backported in version v5.4.232 d4d765f4761f9e3a2d62992f825aeee593bcb6b9
+# Backported in version v5.10.168 9758ffe1c07b86aefd7ca8e40d9a461293427ca0
+# Backported in version v5.15.93 0aaabdb900c7415caa2006ef580322f7eac5f6b6
+# Backported in version v6.1.11 61e43ebfd243bcbad11be26bd921723027b77441
+CVE_CHECK_WHITELIST += "CVE-2023-2162"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-2166
+# Patched in kernel since v6.1 0acc442309a0a1b01bcdaa135e56e6398a49439c
+# Backported in version v5.4.227 3982652957e8d79ac32efcb725450580650a8644
+# Backported in version v5.10.159 c42221efb1159d6a3c89e96685ee38acdce86b6f
+# Backported in version v5.15.83 c142cba37de29f740a3852f01f59876af8ae462a
+CVE_CHECK_WHITELIST += "CVE-2023-2166"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-2177
+# Patched in kernel since v5.19 181d8d2066c000ba0a0e6940a7ad80f1a0e68e9d
+# Backported in version v5.4.209 8d6dab81ee3d0309c09987ff76164a25486c43e0
+# Backported in version v5.10.135 6f3505588d66b27220f07d0cab18da380fae2e2d
+# Backported in version v5.15.59 e796e1fe20ecaf6da419ef6a5841ba181bba7a0c
+CVE_CHECK_WHITELIST += "CVE-2023-2177"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23006
+# Patched in kernel since v5.16 6b8b42585886c59a008015083282aae434349094
+# Backported in version v5.4.170 db484d35a9482d21a7f36da4dfc7a68aa2e9e1d6
+# Backported in version v5.10.90 4cd1da02f0c39606e3378c9255f17d6f85d106c7
+# Backported in version v5.15.13 4595dffccfa5b9360162c72cc0f6a33477d871cf
+CVE_CHECK_WHITELIST += "CVE-2023-23006"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23454
+# Patched in kernel since v6.2 caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12
+# Backported in version v5.4.229 6b17b84634f932f4787f04578f5d030874b9ff32
+# Backported in version v5.10.163 b2c917e510e5ddbc7896329c87d20036c8b82952
+# Backported in version v5.15.87 04dc4003e5df33fb38d3dd85568b763910c479d4
+# Backported in version v6.1.5 dc46e39b727fddc5aacc0272ef83ee872d51be16
+CVE_CHECK_WHITELIST += "CVE-2023-23454"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23455
+# Patched in kernel since v6.2 a2965c7be0522eaa18808684b7b82b248515511b
+# Backported in version v5.4.229 63e469cb54a87df53edcfd85bb5bcdd84327ae4a
+# Backported in version v5.10.163 5f65f48516bfeebaab1ccc52c8fad698ddf21282
+# Backported in version v5.15.87 f02327a4877a06cbc8277e22d4834cb189565187
+# Backported in version v6.1.5 85655c63877aeafdc23226510ea268a9fa0af807
+CVE_CHECK_WHITELIST += "CVE-2023-23455"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-23559
+# Patched in kernel since v6.2 b870e73a56c4cccbec33224233eaf295839f228c
+# Backported in version v5.4.231 9042a9a3f29c942387e6d6036551d90c9ae6ce4f
+# Backported in version v5.10.166 802fd7623e9ed19ee809b503e93fccc1e3f37bd6
+# Backported in version v5.15.91 8cbf932c5c40b0c20597fa623c308d5bde0848b5
+# Backported in version v6.1.9 7794efa358bca8b8a2a80070c6e088a74945f018
+CVE_CHECK_WHITELIST += "CVE-2023-23559"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-25012
+# Patched in kernel since v6.3 76ca8da989c7d97a7f76c75d475fe95a584439d7
+# Backported in version v5.4.235 25e14bf0c894f9003247e3475372f33d9be1e424
+# Backported in version v5.10.173 fddde36316da8acb45a3cca2e5fda102f5215877
+# Backported in version v5.15.99 0fd9998052926ed24cfb30ab1a294cfeda4d0a8f
+# Backported in version v6.1.16 f2bf592ebd5077661e00aa11e12e054c4c8f6dd0
+# Backported in version v6.2.3 90289e71514e9533a9c44d694e2b492be9ed2b77
+CVE_CHECK_WHITELIST += "CVE-2023-25012"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-26545
+# Patched in kernel since v6.2 fda6c89fe3d9aca073495a664e1d5aea28cd4377
+# Backported in version v5.4.232 df099e65564aa47478eb1cacf81ba69024fb5c69
+# Backported in version v5.10.169 7ff0fdba82298d1f456c685e24930da89703c0fb
+# Backported in version v5.15.95 59a74da8da75bdfb464cbdb399e87ba4f7500e96
+# Backported in version v6.1.13 c376227845eef8f2e62e2c29c3cf2140d35dd8e8
+CVE_CHECK_WHITELIST += "CVE-2023-26545"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-28327
+# Patched in kernel since v6.1 b3abe42e94900bdd045c472f9c9be620ba5ce553
+# Backported in version v5.4.227 c66d78aee55dab72c92020ebfbebc464d4f5dd2a
+# Backported in version v5.10.159 575a6266f63dbb3b8eb1da03671451f0d81b8034
+# Backported in version v5.15.83 5c014eb0ed6c8c57f483e94cc6e90f34ce426d91
+CVE_CHECK_WHITELIST += "CVE-2023-28327"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-28328
+# Patched in kernel since v6.2 0ed554fd769a19ea8464bb83e9ac201002ef74ad
+# Backported in version v5.4.229 8b256d23361c51aa4b7fdb71176c1ca50966fb39
+# Backported in version v5.10.163 559891d430e3f3a178040c4371ed419edbfa7d65
+# Backported in version v5.15.86 210fcf64be4db82c0e190e74b5111e4eef661a7a
+# Backported in version v6.1.2 6b60cf73a931af34b7a0a3f467a79d9fe0df2d70
+CVE_CHECK_WHITELIST += "CVE-2023-28328"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-28772
+# Patched in kernel since v5.14 d3b16034a24a112bb83aeb669ac5b9b01f744bb7
+# Backported in version v5.4.133 33ab9138a13e379cf1c4ccd76b97ae2ee8c5421b
+# Backported in version v5.10.51 f9fb4986f4d81182f938d16beb4f983fe71212aa
+CVE_CHECK_WHITELIST += "CVE-2023-28772"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index e096722..01eca24 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "f064f6017b7ce09ade0f365e1b7d776dc9e2e168"
-SRCREV_meta ?= "c7e2e528893abbebd14447510d38ded1ef98dcd2"
+SRCREV_machine ?= "c705bb899d37bbd61a87a2f850e4d6f04613a908"
+SRCREV_meta ?= "c7d5b73674d53f51772862b951d8cc56683ef04f"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.237"
+LINUX_VERSION ?= "5.4.243"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 6cdf007..c3d4ff4 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.237"
+LINUX_VERSION ?= "5.4.243"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "00c3a33c0f772ff1fa8902e8fe8856131c27a9b5"
-SRCREV_machine ?= "0693cbc007cf6a7b335edb5f78542d77b048d5dd"
-SRCREV_meta ?= "c7e2e528893abbebd14447510d38ded1ef98dcd2"
+SRCREV_machine_qemuarm ?= "140d4ff6bab1e5959377d4974ade490c837ef9cc"
+SRCREV_machine ?= "66990885cd865944a093b47ee7164ef2838f75a3"
+SRCREV_meta ?= "c7d5b73674d53f51772862b951d8cc56683ef04f"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto.inc b/poky/meta/recipes-kernel/linux/linux-yocto.inc
index 0a4d528..2978c2f 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/poky/meta/recipes-kernel/linux/linux-yocto.inc
@@ -56,3 +56,6 @@
# enable kernel-sample for oeqa/runtime/cases's ksample.py test
KERNEL_FEATURES_append_qemuall=" features/kernel-sample/kernel-sample.scc"
+
+# CVE exclusion
+include recipes-kernel/linux/cve-exclusion.inc
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index e95a044..c361f0c 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "981be716d817e38d2d67269aab3caaa095bd2bdd"
-SRCREV_machine_qemuarm64 ?= "32083245f7eb993b85a33a8d30bd9f41128b6147"
-SRCREV_machine_qemumips ?= "4d002b5ac3b434b21ae58ac15cd73be3ae5ef5a8"
-SRCREV_machine_qemuppc ?= "82b4b51143a6beeb49efa548494bdb5c01f336b2"
-SRCREV_machine_qemuriscv64 ?= "936721bc390034d774b28393bf61808de8899718"
-SRCREV_machine_qemux86 ?= "936721bc390034d774b28393bf61808de8899718"
-SRCREV_machine_qemux86-64 ?= "936721bc390034d774b28393bf61808de8899718"
-SRCREV_machine_qemumips64 ?= "d662d749c441de5a09bfd8870cd10e41b1e27b6b"
-SRCREV_machine ?= "936721bc390034d774b28393bf61808de8899718"
-SRCREV_meta ?= "c7e2e528893abbebd14447510d38ded1ef98dcd2"
+SRCREV_machine_qemuarm ?= "3c105623bdba36118195e9c188d728edcc00345a"
+SRCREV_machine_qemuarm64 ?= "993c666984249097d093ee71eb3dffa0844fef6c"
+SRCREV_machine_qemumips ?= "2469bc35f1c2ef5ab2e85b7b705b32e33c6350c7"
+SRCREV_machine_qemuppc ?= "98229034b888ad319d7d030d279381a671c41dc0"
+SRCREV_machine_qemuriscv64 ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1"
+SRCREV_machine_qemux86 ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1"
+SRCREV_machine_qemux86-64 ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1"
+SRCREV_machine_qemumips64 ?= "fb1936fa93be6bfd1b18cd8568cfc5b279904fa5"
+SRCREV_machine ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1"
+SRCREV_meta ?= "c7d5b73674d53f51772862b951d8cc56683ef04f"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.237"
+LINUX_VERSION ?= "5.4.243"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/perf/perf.bb b/poky/meta/recipes-kernel/perf/perf.bb
index 9c9bf16..91bf648 100644
--- a/poky/meta/recipes-kernel/perf/perf.bb
+++ b/poky/meta/recipes-kernel/perf/perf.bb
@@ -13,7 +13,7 @@
PACKAGECONFIG ??= "scripting tui libunwind"
PACKAGECONFIG[dwarf] = ",NO_DWARF=1"
-PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3"
+PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3 python3-setuptools-native"
# gui support was added with kernel 3.6.35
# since 3.10 libnewt was replaced by slang
# to cover a wide range of kernel we add both dependencies
diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
new file mode 100644
index 0000000..7070737
--- /dev/null
+++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
@@ -0,0 +1,136 @@
+From d4b7b3c03ee2baf0166ce49dff17ec9beff684db Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton@khirnov.net>
+Date: Fri, 2 Sep 2022 22:21:27 +0200
+Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
+ worker threads
+
+This state is not refcounted, so make sure it always has a well-defined
+owner.
+
+Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as
+this commit also solves that issue in a more general way.
+
+(cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+(cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+(cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+
+CVE: CVE-2022-48434
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db]
+Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com
+Comment: Hunk#6 refreshed to backport changes and other to remove patch-fuzz warnings
+---
+ libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
+index 36ac0ac..bbc5ba6 100644
+--- a/libavcodec/pthread_frame.c
++++ b/libavcodec/pthread_frame.c
+@@ -135,6 +135,12 @@ typedef struct FrameThreadContext {
+ * Set for the first N packets, where N is the number of threads.
+ * While it is set, ff_thread_en/decode_frame won't return any results.
+ */
++
++ /* hwaccel state is temporarily stored here in order to transfer its ownership
++ * to the next decoding thread without the need for extra synchronization */
++ const AVHWAccel *stash_hwaccel;
++ void *stash_hwaccel_context;
++ void *stash_hwaccel_priv;
+ } FrameThreadContext;
+
+ #define THREAD_SAFE_CALLBACKS(avctx) \
+@@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg)
+ ff_thread_finish_setup(avctx);
+
+ if (p->hwaccel_serializing) {
++ /* wipe hwaccel state to avoid stale pointers lying around;
++ * the state was transferred to FrameThreadContext in
++ * ff_thread_finish_setup(), so nothing is leaked */
++ avctx->hwaccel = NULL;
++ avctx->hwaccel_context = NULL;
++ avctx->internal->hwaccel_priv_data = NULL;
++
+ p->hwaccel_serializing = 0;
+ pthread_mutex_unlock(&p->parent->hwaccel_mutex);
+ }
++ av_assert0(!avctx->hwaccel);
+
+ if (p->async_serializing) {
+ p->async_serializing = 0;
+@@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
+ dst->color_range = src->color_range;
+ dst->chroma_sample_location = src->chroma_sample_location;
+
+- dst->hwaccel = src->hwaccel;
+- dst->hwaccel_context = src->hwaccel_context;
+-
+ dst->channels = src->channels;
+ dst->sample_rate = src->sample_rate;
+ dst->sample_fmt = src->sample_fmt;
+ dst->channel_layout = src->channel_layout;
+- dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
+
+ if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
+ (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
+@@ -415,6 +425,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
+ pthread_mutex_unlock(&p->mutex);
+ return err;
+ }
++
++ /* transfer hwaccel state stashed from previous thread, if any */
++ av_assert0(!p->avctx->hwaccel);
++ FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel);
++ FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context);
++ FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+ }
+
+ av_packet_unref(&p->avpkt);
+@@ -616,6 +632,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
+ async_lock(p->parent);
+ }
+
++ /* save hwaccel state for passing to the next thread;
++ * this is done here so that this worker thread can wipe its own hwaccel
++ * state after decoding, without requiring synchronization */
++ av_assert0(!p->parent->stash_hwaccel);
++ p->parent->stash_hwaccel = avctx->hwaccel;
++ p->parent->stash_hwaccel_context = avctx->hwaccel_context;
++ p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data;
++
+ pthread_mutex_lock(&p->progress_mutex);
+ if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
+ av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
+@@ -657,13 +681,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+
+ park_frame_worker_threads(fctx, thread_count);
+
+- if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
+- if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
+- av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
+- fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy;
+- fctx->threads->avctx->internal->is_copy = 1;
+- }
+-
+ for (i = 0; i < thread_count; i++) {
+ PerThreadContext *p = &fctx->threads[i];
+
+@@ -713,6 +730,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+ pthread_mutex_destroy(&fctx->async_mutex);
+ pthread_cond_destroy(&fctx->async_cond);
+
++ /* if we have stashed hwaccel state, move it to the user-facing context,
++ * so it will be freed in avcodec_close() */
++ av_assert0(!avctx->hwaccel);
++ FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel);
++ FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context);
++ FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
++
+ av_freep(&avctx->internal->thread_ctx);
+
+ if (avctx->priv_data && avctx->codec && avctx->codec->priv_class)
+--
+2.25.1
+
diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
index 1e000dd..f120525 100644
--- a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
+++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -32,6 +32,7 @@
file://CVE-2022-1475.patch \
file://CVE-2022-3109.patch \
file://CVE-2022-3341.patch \
+ file://CVE-2022-48434.patch \
"
SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
new file mode 100644
index 0000000..46c57af
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,51 @@
+From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
+From: Eric Vigeant <evigeant@gmail.com>
+Date: Wed, 2 Nov 2022 11:47:09 -0400
+Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
+
+When using SFTP and a path relative to the user home, do not add a
+trailing '/' to the user home dir if it already ends with one.
+
+Closes #9844
+
+CVE: CVE-2023-27534
+Note:
+- The upstream patch for CVE-2023-27534 does three things:
+1) creates new path with dynbuf(dynamic buffer)
+2) solves the tilde error which causes CVE-2023-27534
+3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
+- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
+- This patch completes the 3rd task of the patch which was implemented without using dynbuf
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..40b92ee 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ /* It is referenced to the home directory, so strip the
+ leading '/' */
+ memcpy(real_path, homedir, homelen);
+- real_path[homelen] = '/';
+- real_path[homelen + 1] = '\0';
++ /* Only add a trailing '/' if homedir does not end with one */
++ if(homelen == 0 || real_path[homelen - 1] != '/') {
++ real_path[homelen] = '/';
++ homelen++;
++ real_path[homelen] = '\0';
++ }
+ if(working_path_len > 3) {
+- memcpy(real_path + homelen + 1, working_path + 3,
++ memcpy(real_path + homelen, working_path + 3,
+ 1 + working_path_len -3);
+ }
+ }
+--
+2.24.4
+
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch
index aeeffd5..3ecd181 100644
--- a/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch
+++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -3,121 +3,31 @@
Date: Thu, 9 Mar 2023 16:22:11 +0100
Subject: [PATCH] curl_path: create the new path with dynbuf
+Closes #10729
+
CVE: CVE-2023-27534
-Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+Note: This patch is needed to backport CVE-2023-27534
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
- lib/curl_path.c | 71 ++++++++++++++++++++++++-------------------------
- 1 file changed, 35 insertions(+), 36 deletions(-)
+ lib/curl_path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/curl_path.c b/lib/curl_path.c
-index f429634..e17db4b 100644
+index 40b92ee..598c5dd 100644
--- a/lib/curl_path.c
+++ b/lib/curl_path.c
-@@ -30,6 +30,8 @@
- #include "escape.h"
- #include "memdebug.h"
-
-+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
-+
- /* figure out the path to work with in this particular request */
- CURLcode Curl_getworkingpath(struct connectdata *conn,
- char *homedir, /* when SFTP is used */
-@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
- real path to work with */
- {
- struct Curl_easy *data = conn->data;
-- char *real_path = NULL;
- char *working_path;
- size_t working_path_len;
-+ struct dynbuf npath;
- CURLcode result =
- Curl_urldecode(data, data->state.up.path, 0, &working_path,
- &working_path_len, FALSE);
- if(result)
- return result;
-
-+ /* new path to switch to in case we need to */
-+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
-+
- /* Check for /~/, indicating relative to the user's home directory */
-- if(conn->handler->protocol & CURLPROTO_SCP) {
-- real_path = malloc(working_path_len + 1);
-- if(real_path == NULL) {
-+ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
-+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
-+ /* It is referenced to the home directory, so strip the leading '/~/' */
-+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
- free(working_path);
- return CURLE_OUT_OF_MEMORY;
- }
-- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
-- /* It is referenced to the home directory, so strip the leading '/~/' */
-- memcpy(real_path, working_path + 3, working_path_len - 2);
-- else
-- memcpy(real_path, working_path, 1 + working_path_len);
+@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ memcpy(real_path, working_path, 1 + working_path_len);
}
-- else if(conn->handler->protocol & CURLPROTO_SFTP) {
+ else if(conn->handler->protocol & CURLPROTO_SFTP) {
- if((working_path_len > 1) && (working_path[1] == '~')) {
-- size_t homelen = strlen(homedir);
-- real_path = malloc(homelen + working_path_len + 1);
-- if(real_path == NULL) {
-- free(working_path);
-- return CURLE_OUT_OF_MEMORY;
-- }
-- /* It is referenced to the home directory, so strip the
-- leading '/' */
-- memcpy(real_path, homedir, homelen);
-- real_path[homelen] = '/';
-- real_path[homelen + 1] = '\0';
-- if(working_path_len > 3) {
-- memcpy(real_path + homelen + 1, working_path + 3,
-- 1 + working_path_len -3);
-- }
-+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
-+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
-+ size_t len;
-+ const char *p;
-+ int copyfrom = 3;
-+ if(Curl_dyn_add(&npath, homedir)) {
-+ free(working_path);
-+ return CURLE_OUT_OF_MEMORY;
- }
-- else {
-- real_path = malloc(working_path_len + 1);
-- if(real_path == NULL) {
-- free(working_path);
-- return CURLE_OUT_OF_MEMORY;
-- }
-- memcpy(real_path, working_path, 1 + working_path_len);
-+ /* Copy a separating '/' if homedir does not end with one */
-+ len = Curl_dyn_len(&npath);
-+ p = Curl_dyn_ptr(&npath);
-+ if(len && (p[len-1] != '/'))
-+ copyfrom = 2;
-+
-+ if(Curl_dyn_addn(&npath,
-+ &working_path[copyfrom], working_path_len - copyfrom)) {
-+ free(working_path);
-+ return CURLE_OUT_OF_MEMORY;
- }
- }
-
-- free(working_path);
-+ if(Curl_dyn_len(&npath)) {
-+ free(working_path);
-
-- /* store the pointer for the caller to receive */
-- *path = real_path;
-+ /* store the pointer for the caller to receive */
-+ *path = Curl_dyn_ptr(&npath);
-+ }
-+ else
-+ *path = working_path;
-
- return CURLE_OK;
- }
++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+ size_t homelen = strlen(homedir);
+ real_path = malloc(homelen + working_path_len + 1);
+ if(real_path == NULL) {
--
-2.25.1
+2.24.4
diff --git a/poky/meta/recipes-support/curl/curl_7.69.1.bb b/poky/meta/recipes-support/curl/curl_7.69.1.bb
index 32d18dd..13ec117 100644
--- a/poky/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/poky/meta/recipes-support/curl/curl_7.69.1.bb
@@ -43,6 +43,7 @@
file://CVE-2022-35260.patch \
file://CVE-2022-43552.patch \
file://CVE-2023-23916.patch \
+ file://CVE-2023-27534-pre1.patch \
file://CVE-2023-27534.patch \
file://CVE-2023-27538.patch \
file://CVE-2023-27533.patch \
diff --git a/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb b/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb
index 5b32b9a..5892573 100644
--- a/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb
+++ b/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb
@@ -29,6 +29,12 @@
# License: public-domain-Colin-Plumb
LICENSE = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
LICENSE_${PN} = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-dbg = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-dev = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-doc = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
+LICENSE:${PN}-locale = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-src = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-staticdev = "BSD-3-Clause & ISC & PD"
LIC_FILES_CHKSUM = "file://COPYING;md5=2120be0173469a06ed185b688e0e1ae0"
SECTION = "libs"
diff --git a/poky/scripts/lib/wic/plugins/source/bootimg-efi.py b/poky/scripts/lib/wic/plugins/source/bootimg-efi.py
index 2cfdc10..05e8471 100644
--- a/poky/scripts/lib/wic/plugins/source/bootimg-efi.py
+++ b/poky/scripts/lib/wic/plugins/source/bootimg-efi.py
@@ -277,6 +277,13 @@
logger.debug("Added %d extra blocks to %s to get to %d total blocks",
extra_blocks, part.mountpoint, blocks)
+ # required for compatibility with certain devices expecting file system
+ # block count to be equal to partition block count
+ if blocks < part.fixed_size:
+ blocks = part.fixed_size
+ logger.debug("Overriding %s to %d total blocks for compatibility",
+ part.mountpoint, blocks)
+
# dosfs image, created by mkdosfs
bootimg = "%s/boot.img" % cr_workdir