From: Richard Purdie
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 1/3] xwayland: Upgrade 23.2.4 -> 23.2.5
Date: Mon, 8 Apr 2024 14:20:07 +0100
Message-Id: <20240408132009.1763710-1-richard.purdie@linuxfoundation.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/198011

"""
This release contains the 3 security fixes that actually apply to Xwayland
reported in today's security advisory:

* CVE-2024-31080
* CVE-2024-31081
* CVE-2024-31083

Additionally, it also contains a couple of other fixes, a copy/paste error
in the DeviceStateNotify event and a fix to enable buttons with pointer
gestures for backward compatibility with legacy X11 clients.
"""

https://lists.x.org/archives/xorg/2024-April/061614.html

Signed-off-by: Richard Purdie --- .../xwayland/{xwayland_23.2.4.bb => xwayland_23.2.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-graphics/xwayland/{xwayland_23.2.4.bb => xwayland_23.2.5.bb} (95%) diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.4.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb similarity index 95% rename from meta/recipes-graphics/xwayland/xwayland_23.2.4.bb rename to meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 092359172ab..b934a873d19 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.4.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -10,7 +10,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880" SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz" -SRC_URI[sha256sum] = "a99e159b6d0d33098b3b6ab22a88bfcece23c8b9d0ca72c535c55dcb0681b46b" +SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" UPSTREAM_CHECK_REGEX = "xwayland-(?P\d+(\.(?!90\d)\d+)+)\.tar"
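
Review bot: The new SRC_URI[sha256sum] in xwayland_23.2.5.bb is the only thing that pins the tarball fetched from www.x.org, and the commit message does not say where the value came from. Since this upgrade is taken for CVE-2024-31080, CVE-2024-31081 and CVE-2024-31083, please note in the message that the hash was compared with a checksum or signature published by upstream (the linked announcement is the natural place to look) rather than computed from a local download.
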
From: Richard Purdie
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 2/3] curl: Upgrade 8.6.0 -> 8.7.1
Date: Mon, 8 Apr 2024 14:20:08 +0100
Message-Id: <20240408132009.1763710-2-richard.purdie@linuxfoundation.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/198012

This includes 4 security fixes:

CVE-2024-2466 - TLS certificate check bypass with mbedTLS
CVE-2024-2398 - HTTP/2 push headers memory-leak
CVE-2024-2379 - QUIC certificate check bypass with wolfSSL
CVE-2024-2004 - Usage of disabled protocol

Along with many other changes, mostly bugfixes: https://curl.se/changes.html

Signed-off-by: Richard Purdie --- meta/recipes-support/curl/curl/no-test-timeout.patch | 11 +++++++++-- .../curl/{curl_8.6.0.bb => curl_8.7.1.bb} | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) rename meta/recipes-support/curl/{curl_8.6.0.bb => curl_8.7.1.bb} (98%) diff --git a/meta/recipes-support/curl/curl/no-test-timeout.patch b/meta/recipes-support/curl/curl/no-test-timeout.patch index b4cfe716db7..7122b6f0435 100644 --- a/meta/recipes-support/curl/curl/no-test-timeout.patch +++ b/meta/recipes-support/curl/curl/no-test-timeout.patch @@ -1,10 +1,17 @@ -Set the max-time timeout to 600 so the timeout is 10 minutes instead of 13 seconds. +From 42cddb52e821cfc2f09f1974742714e5f2f1856e Mon Sep 17 00:00:00 2001 +From: Ross Burton +Date: Fri, 15 Mar 2024 14:37:37 +0000 +Subject: [PATCH] Set the max-time timeout to 600 so the timeout is 10 minutes + instead of 13 seconds. Upstream-Status: Inappropriate
Signed-off-by: Ross Burton +--- + tests/servers.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/servers.pm b/tests/servers.pm -index d4472d509..aeab62c47 100644 +index d4472d5..9999938 100644 --- a/tests/servers.pm +++ b/tests/servers.pm @@ -120,7 +120,7 @@ my $sshdverstr; # for socks server, ssh daemon version string diff --git a/meta/recipes-support/curl/curl_8.6.0.bb b/meta/recipes-support/curl/curl_8.7.1.bb similarity index 98% rename from meta/recipes-support/curl/curl_8.6.0.bb rename to meta/recipes-support/curl/curl_8.7.1.bb index 49ba0cb4a7e..c6654bbad6d 100644 --- a/meta/recipes-support/curl/curl_8.6.0.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb 
@@ -15,7 +15,7 @@ SRC_URI = " \ file://disable-tests \ file://no-test-timeout.patch \ " -SRC_URI[sha256sum] = "3ccd55d91af9516539df80625f818c734dc6f2ecf9bada33c76765e99121db15" +SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd" # Curl has used many names over the years... CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
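
Review bot: In the refreshed curl/no-test-timeout.patch the `Upstream-Status: Inappropriate` line is carried over with no bracketed reason, even though the rest of the header is regenerated with From, Date and Subject lines. Please add the reason in brackets after `Inappropriate` while the header is being touched, and mention the refresh in the commit message, which currently describes only the version bump. The inner `index d4472d5..9999938` line is also worth confirming against the 8.7.1 tree.
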
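
Review bot: In curl_8.7.1.bb only SRC_URI[sha256sum] changes, while `file://disable-tests` stays in SRC_URI as it was, and the commit message does not say whether that list was rechecked against 8.7.1 or whether the tests were rerun. Please add a line on that. Two of the four listed fixes are backend-specific (CVE-2024-2466 for mbedTLS, CVE-2024-2379 for QUIC with wolfSSL), so it would also help to state whether this recipe can enable those backends, for anyone triaging these CVEs on other branches.
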
From: Richard Purdie
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 3/3] nghttp2: Upgrade 1.60.1 -> 1.61.0
Date: Mon, 8 Apr 2024 14:20:09 +0100
Message-Id: <20240408132009.1763710-3-richard.purdie@linuxfoundation.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/198013

Includes a fix for CVE-2024-28182.

Signed-off-by: Richard Purdie --- .../nghttp2/{nghttp2_1.60.0.bb => nghttp2_1.61.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-support/nghttp2/{nghttp2_1.60.0.bb => nghttp2_1.61.0.bb} (91%) diff --git a/meta/recipes-support/nghttp2/nghttp2_1.60.0.bb b/meta/recipes-support/nghttp2/nghttp2_1.61.0.bb similarity index 91% rename from meta/recipes-support/nghttp2/nghttp2_1.60.0.bb rename to meta/recipes-support/nghttp2/nghttp2_1.61.0.bb index cf62c32d8b8..ad85576dcbc 100644 --- a/meta/recipes-support/nghttp2/nghttp2_1.60.0.bb +++ b/meta/recipes-support/nghttp2/nghttp2_1.61.0.bb @@ -5,7 +5,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=764abdf30b2eadd37ce47dcbce0ea1ec" SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/nghttp2-${PV}.tar.xz" -SRC_URI[sha256sum] = "625d6c3da1d9ca4fd643a638256431ae68fd1901653b2a61a245eea7b261bf4e" +SRC_URI[sha256sum] = "c0e660175b9dc429f11d25b9507a834fb752eea9135ab420bb7cb7e9dbcc9654" inherit cmake manpages python3native github-releases PACKAGECONFIG[manpages] = ""
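
Review bot: The Subject gives the old version as 1.60.1, but the diff renames nghttp2_1.60.0.bb to nghttp2_1.61.0.bb, so the subject should read 1.60.0 -> 1.61.0; anyone searching the log to see which releases carried the CVE-2024-28182 fix will otherwise be misled. The message could also say in a few words what CVE-2024-28182 is, as the curl patch in this series does for each of its CVEs.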