From patchwork Mon Mar 11 08:39:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 40766 X-Patchwork-Delegate: steve@sakoman.com Received: from andromeda02.png.intel.com ([10.221.253.198]) by fmviesa005.fm.intel.com with ESMTP; 11 Mar 
2024 01:40:09 -0700 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [nanbield][PATCH 1/7] libxml2: upgrade to 2.11.7 Date: Mon, 11 Mar 2024 16:39:48 +0800 Message-Id: <20240311083954.418271-1-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.37.3 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 11 Mar 2024 08:40:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/196920 From: Lee Chee Yang libxml2 2.11.7 Security [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking libxml2 2.11.6 Regressions threads: Fix --with-thread-alloc xinclude: Fix 'last' pointer in xmlXIncludeCopyNode Bug fixes parser: Fix potential use-after-free in xmlParseCharDataInternal Signed-off-by: Lee Chee Yang --- .../libxml/{libxml2_2.11.5.bb => libxml2_2.11.7.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/libxml/{libxml2_2.11.5.bb => libxml2_2.11.7.bb} (97%) diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb b/meta/recipes-core/libxml/libxml2_2.11.7.bb similarity index 97% rename from meta/recipes-core/libxml/libxml2_2.11.5.bb rename to meta/recipes-core/libxml/libxml2_2.11.7.bb index fc82912df2..482ce9042d 100644 --- a/meta/recipes-core/libxml/libxml2_2.11.5.bb +++ b/meta/recipes-core/libxml/libxml2_2.11.7.bb 
@@ -18,7 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://install-tests.patch \ " -SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6" +SRC_URI[archive.sha256sum] = "fb27720e25eaf457f94fd3d7189bcf2626c6dccf4201553bc8874d50e3560162" SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273" # Disputed as a security issue, but fixed in d39f780 From patchwork Mon Mar 11 08:39:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 40769 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 631D2C54E6A for ; Mon, 11 Mar 2024 08:40:18 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19]) by mx.groups.io with SMTP id smtpd.web10.57746.1710146410684632311 for ; Mon, 11 Mar 2024 01:40:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=Jj7aEUMN; spf=pass (domain: intel.com, ip: 198.175.65.19, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1710146412; x=1741682412; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=MMetb81Lo5yLtt94Eu5rQUfLwkJt9F0WDUWu0G2xwdQ=; b=Jj7aEUMNDyLAZ1c0569hO2T91U245O1GLOqMcE7XGY7ZbNjcYmLZosG6 NZP7JPCKu7IJw35lNAJTHCGUfsgsCn98Cjh+xIoaWraoUZGP/LAj8A6P3 5SfJ/Dpmrzu7rxWijwYuYX+aiTVklh7X4ViAPK08LYFL+iPS12gG1Cf5Q 4melbYhwwOxrpnn7Su1uei2WBCK+B9eX+LCGukYkTdhEKZ2FCwD5srqZi UDgP2zUP14L6GM1R9IgZmG0qYjyBUWPISu7IUVdc3FljwEmNALei0/3eh 
Bn2/+ee4TEjzNKAS5Sg1a0JaqaxtOHkiwc8fZOXXgM4qw8y0S5WjzrqX/ w==; From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [nanbield][PATCH 2/7] openssl: upgrade to 3.1.5 Date: Mon, 11 Mar 2024 16:39:49 +0800 Message-Id: <20240311083954.418271-2-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20240311083954.418271-1-chee.yang.lee@intel.com> References: <20240311083954.418271-1-chee.yang.lee@intel.com> MIME-Version: 1.0 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/196921 
From: Lee Chee Yang Changes between 3.1.4 and 3.1.5 [30 Jan 2024] * A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix. OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. ([CVE-2024-0727]) https://www.openssl.org/news/cl31.txt drop fix_random_labels.patch as fixed in https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867 Signed-off-by: Lee Chee Yang --- .../openssl/openssl/fix_random_labels.patch | 22 ------------------- .../{openssl_3.1.4.bb => openssl_3.1.5.bb} | 3 +-- 2 files changed, 1 insertion(+), 24 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch rename meta/recipes-connectivity/openssl/{openssl_3.1.4.bb => openssl_3.1.5.bb} (98%) diff --git a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch b/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch deleted file mode 100644 index 78dcd81685..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -The perl script adds random suffixes to the local function names to ensure -it doesn't clash with other parts of openssl. Set the random number seed -to something predictable so the assembler files are generated consistently -and our own reproducible builds tests pass. - -Upstream-Status: Pending -Signed-off-by: Richard Purdie - -Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl -=================================================================== ---- openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl -+++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl -@@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable = (16 * 6); - # ;;; Helper functions - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - -+# Ensure the local labels are reproduicble -+srand(10000); -+ - # ; Generates "random" local labels - sub random_string() { - my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_'); diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb similarity index 98% rename from meta/recipes-connectivity/openssl/openssl_3.1.4.bb rename to meta/recipes-connectivity/openssl/openssl_3.1.5.bb index 0fe4e76808..9c1d4e31be 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb @@ -11,7 +11,6 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://run-ptest \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ - file://fix_random_labels.patch \ file://0001-Added-handshake-history-reporting-when-test-fails.patch \ " 
@@ -19,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3" +SRC_URI[sha256sum] = "6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262" inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" From patchwork Mon Mar 11 08:39:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 40770 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 583C1C54E68 for ; Mon, 11 Mar 2024 08:40:18 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19]) by mx.groups.io with SMTP id smtpd.web10.57746.1710146410684632311 for ; Mon, 11 Mar 2024 01:40:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=H8uB/opn; spf=pass (domain: intel.com, ip: 198.175.65.19, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1710146412; x=1741682412; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=tLtSRNsG625n2HaenVsnmVYiYnPT1ZGtFUzdgm+UHUU=; b=H8uB/opnHJPNNkRdHULA79MMJtyDjQRk2DAw7pqlH/R9rrwCGupZ7iOV k44nf02XjtM4ZSUJzzTk/4YxewXb4kF8WSwOqATnimK5XSa9NOMcMnTxB hK342/RemDLD+JDdsdcreqnzNbL6RNBG+tH9XNUj6/LmBnAJiZwHVca9X HsNgy/du3ntaLSDrPjZ9fBaFs4kQzkVTK39/C2I7vrdbHBzH2SHzPqOBV mSR3qP/coU23r1ZsmiAO6DtY0oNKCK2d2C9XQag0Td8iCCHNQME0kTa8h 9KwkG7h3fjAuecKZiRkL3tnk0kmiX0Vu0f5kFcJcr+JU9PgMGAkNbAfnq Q==; X-IronPort-AV: E=McAfee;i="6600,9927,11009"; a="4656126" 
From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [nanbield][PATCH 3/7] python3-jinja2: upgrade 3.1.2 -> 3.1.3 Date: Mon, 11 Mar 2024 16:39:50 +0800 Message-Id: <20240311083954.418271-3-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20240311083954.418271-1-chee.yang.lee@intel.com> References: <20240311083954.418271-1-chee.yang.lee@intel.com> MIME-Version: 1.0 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/196922 From: Wang Mingyu Changelog: ========== -Fix compiler error when checking if required blocks in parent templates are empty. -xmlattr filter does not allow keys with spaces. -Make error messages stemming from invalid nesting of {% trans %} blocks more helpful upgrade includes fix for CVE-2024-22195. (cherry-pick from Oe-Core rev 8a0524464583d69df7746253f5020c2c125a8e1f) Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie Signed-off-by: Lee Chee Yang --- .../python/{python3-jinja2_3.1.2.bb => python3-jinja2_3.1.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/python/{python3-jinja2_3.1.2.bb => python3-jinja2_3.1.3.bb} (92%) 
diff --git a/meta/recipes-devtools/python/python3-jinja2_3.1.2.bb b/meta/recipes-devtools/python/python3-jinja2_3.1.3.bb similarity index 92% rename from meta/recipes-devtools/python/python3-jinja2_3.1.2.bb rename to meta/recipes-devtools/python/python3-jinja2_3.1.3.bb index fa6d930a9c..18057809c8 100644 --- a/meta/recipes-devtools/python/python3-jinja2_3.1.2.bb +++ b/meta/recipes-devtools/python/python3-jinja2_3.1.3.bb 
@@ -4,7 +4,7 @@ HOMEPAGE = "https://pypi.org/project/Jinja2/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" -SRC_URI[sha256sum] = "31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852" +SRC_URI[sha256sum] = "ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90" PYPI_PACKAGE = "Jinja2" From patchwork Mon Mar 11 08:39:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 40768 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46BD8C54E69 for ; Mon, 11 Mar 2024 08:40:18 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19]) by mx.groups.io with SMTP id smtpd.web10.57746.1710146410684632311 for ; Mon, 11 Mar 2024 01:40:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=KlY9sQot; spf=pass (domain: intel.com, ip: 198.175.65.19, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1710146413; x=1741682413; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=/5UFJ3shlcRYgs5rCwXkp8y8VRHiwH9TV5+c+CL/7mQ=; b=KlY9sQotLYavDy+I2Km9lmKw1YA3UopK1QRAbVByYu9bera48M9Li8Td YO+azeLmiYLDJTTj/GV7ge6o13Enz4HbbCk7MkmaO0+I8XhFWZbdFGKF5 T4yDjIQ4xY/891Xy0jBPDRplrsJhDM+hWs5oKBEhfgjutYTRv1pPBYcwS fTExefRo7bqk1UFntybP1o1Qu/xzxJC5Ou49PTVp/A8NpnCBQCzxuc3as smTNn+awf26qDvNxR1BJzxJ47nBwasyD3e+4WRKNRVwcj8PGLTS6uPYqw kIVeOLDI+KGPd3FNPXPM+k8Txr+AmPgjsWam8u8fg3Ii/F/auGOVQn3sS Q==; X-IronPort-AV: E=McAfee;i="6600,9927,11009"; a="4656129" X-IronPort-AV: 
E=Sophos;i="6.07,116,1708416000"; d="scan'208";a="4656129" From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [nanbield][PATCH 4/7] bind: upgrade 9.18.20 -> 9.18.21 Date: Mon, 11 Mar 2024 16:39:51 +0800 Message-Id: <20240311083954.418271-4-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20240311083954.418271-1-chee.yang.lee@intel.com> References: <20240311083954.418271-1-chee.yang.lee@intel.com> MIME-Version: 1.0 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/196923 
From: Wang Mingyu bind-ensure-searching-for-json-headers-searches-sysr.patch refreshed for 9.18.21 Changelog: ========== -Improve LRU cleaning behaviour. -The "resolver-nonbackoff-tries" and "resolver-retry-interval" options are deprecated; a warning will be logged if they are used. -BIND might sometimes crash after startup or re-configuration when one 'tls' entry is used multiple times to connect to remote servers due to initialisation attempts from contexts of multiple threads. That has been fixed. -Dig +yaml will now report "no servers could be reached" also for UDP setup failure when no other servers or tries are left. -Recognize escapes when reading the public key from file. -Dig +yaml will now report "no servers could be reached" on TCP connection failure as well as for UDP timeouts. -Deprecate AES-based DNS cookies. (cherry-pick from Oe-core rev b750d54622a0fa0a35d83ddc59f07661e903360b) Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie Signed-off-by: Lee Chee Yang --- ...nd-ensure-searching-for-json-headers-searches-sysr.patch | 6 +++--- .../bind/{bind_9.18.20.bb => bind_9.18.21.bb} | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-connectivity/bind/{bind_9.18.20.bb => bind_9.18.21.bb} (97%) diff --git a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch index f1abd179e8..38d07cae39 100644 --- a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch +++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch @@ -1,4 +1,4 @@ -From 246087f89e9434b726c7884e4c0964f71084f091 Mon Sep 17 00:00:00 2001 +From 5ae30329f168c1e8d2e0c3831988a4f3e9096e39 Mon Sep 17 00:00:00 2001 
From: Paul Gortmaker Date: Tue, 9 Jun 2015 11:22:00 -0400 Subject: [PATCH] bind: ensure searching for json headers searches sysroot @@ -33,10 +33,10 @@ Signed-off-by: Paul Gortmaker 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index 10e8bf6..bf20690 100644 +index 2ab8ddd..92fe983 100644 --- a/configure.ac +++ b/configure.ac -@@ -814,7 +814,7 @@ AS_CASE([$with_lmdb], +@@ -761,7 +761,7 @@ AS_CASE([$with_lmdb], [no],[], [auto|yes], [PKG_CHECK_MODULES([LMDB], [lmdb], [ac_lib_lmdb_found=yes], diff --git a/meta/recipes-connectivity/bind/bind_9.18.20.bb b/meta/recipes-connectivity/bind/bind_9.18.21.bb similarity index 97% rename from meta/recipes-connectivity/bind/bind_9.18.20.bb rename to meta/recipes-connectivity/bind/bind_9.18.21.bb index 187685eef5..f5fb4bd1e5 100644 --- a/meta/recipes-connectivity/bind/bind_9.18.20.bb +++ b/meta/recipes-connectivity/bind/bind_9.18.21.bb 
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "4b891ebf58d3f2a7ac3dd2682990f528a3448eaa1c992ddc5c141b8587a98ec5" +SRC_URI[sha256sum] = "a556be22505d9ea4f9c6717aee9c549739c68498aff3ca69035787ecc648fec5" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # follow the ESV versions divisible by 2 From patchwork Mon Mar 11 08:39:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 40767 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33977C54E67 for ; Mon, 11 Mar 2024 08:40:18 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19]) by mx.groups.io with SMTP id smtpd.web10.57746.1710146410684632311 for ; Mon, 11 Mar 2024 01:40:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=PYiMYdPm; spf=pass (domain: intel.com, ip: 198.175.65.19, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1710146414; x=1741682414; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=5sfiEyX015GJBikLiOmt+56Lw4JsoXKAMO5/tK4pvvI=; b=PYiMYdPmkey2dTwEMaqPgkGdpTE6SMX66RmHJubocUXB+wD6ZEk/HTwI siGJ/D2+bP7gS9WQmTB8kd6APq7xgggH6umlMx4j9E1QzjYkSKC+VgWi8 D1eBPjRlcqWjpKHsEZMbxmSFZF3ockEQPbnOg7lQ/nHQDGF+fCvoY6IVV P5jkd5pplMdwqfwxbJwGLezzri+xnVJXR0PYpKQnHnCe+NoVOLqKrdRna Q1BinKXvGhOKzS7BAAlfFP4q41xMeXj75s6Jx+HsbMG1RDmu+tXaa38OX 47pkk5UFNchyLITxGmjvknUcut71pqyz5k9mshONRrT9yz+1KinAoMLEK g==; X-IronPort-AV: 
E=McAfee;i="6600,9927,11009"; a="4656133" From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [nanbield][PATCH 5/7] bind: Upgrade 9.18.21 -> 9.18.24 Date: Mon, 11 Mar 2024 16:39:52 +0800 Message-Id: <20240311083954.418271-5-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20240311083954.418271-1-chee.yang.lee@intel.com> References: <20240311083954.418271-1-chee.yang.lee@intel.com> MIME-Version: 1.0 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/196924 
From: Soumya Sambu Changelog: ========= 9.18.24: - Fix case insensitive setting for isc_ht hashtable. [GL #4568] 9.18.23: - Specific DNS answers could cause a denial-of-service condition due to DNS validation taking a long time. (CVE-2023-50387) [GL #4424] - Change 6315 inadvertently introduced regressions that could cause named to crash. [GL #4234] - Under some circumstances, the DoT code in client mode could process more than one message at a time when that was not expected. That has been fixed. [GL #4487] 9.18.22: - Limit isc_task_send() overhead for RBTDB tree pruning. [GL #4383] - Restore DNS64 state when handling a serve-stale timeout. (CVE-2023-5679) [GL #4334] - Specific queries could trigger an assertion check with nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281] - Speed up parsing of DNS messages with many different names. (CVE-2023-4408) [GL #4234] - Address race conditions in dns_tsigkey_find(). [GL #4182] - Conversion from NSEC3 signed to NSEC signed could temporarily put the zone into a state where it was treated as unsigned until the NSEC chain was built. Additionally conversion from one set of NSEC3 parameters to another could also temporarily put the zone into a state where it was treated as unsigned until the new NSEC3 chain was built. [GL #1794] [GL #4495] - Memory leak in zone.c:sign_zone. When named signed a zone it could leak dst_keys due to a misplaced 'continue'. [GL #4488] - Log more details about the cause of "not exact" errors. [GL #4500] - The wrong time was being used to determine what RRSIGs were to be generated when dnssec-policy was in use. [GL #4494] - The "trust-anchor-telemetry" statement is no longer marked as experimental. This silences a relevant log message that was emitted even when the feature was explicitly disabled. [GL #4497] - Fix statistics export to use full 64 bit signed numbers instead of truncating values to unsigned 32 bits. [GL #4467] - NetBSD has added 'hmac' to libc which collides with our use of 'hmac'. 
[GL #4478] (cherry-pick from Oe-Core rev d7f31aba343948dbaadafc8c0c66f78e6ffb46e3) Signed-off-by: Soumya Sambu Signed-off-by: Richard Purdie Signed-off-by: Lee Chee Yang --- .../bind/{bind_9.18.21.bb => bind_9.18.24.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/bind/{bind_9.18.21.bb => bind_9.18.24.bb} (97%) diff --git a/meta/recipes-connectivity/bind/bind_9.18.21.bb b/meta/recipes-connectivity/bind/bind_9.18.24.bb similarity index 97% rename from meta/recipes-connectivity/bind/bind_9.18.21.bb rename to meta/recipes-connectivity/bind/bind_9.18.24.bb index f5fb4bd1e5..2874990320 100644 --- a/meta/recipes-connectivity/bind/bind_9.18.21.bb +++ b/meta/recipes-connectivity/bind/bind_9.18.24.bb 
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "a556be22505d9ea4f9c6717aee9c549739c68498aff3ca69035787ecc648fec5" +SRC_URI[sha256sum] = "709d73023c9115ddad3bab65b6c8c79a590196d0d114f5d0ca2533dbd52ddf66" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # follow the ESV versions divisible by 2 From patchwork Mon Mar 11 08:39:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 40765 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2680EC5475B for ; Mon, 11 Mar 2024 08:40:18 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19]) by mx.groups.io with SMTP id smtpd.web10.57746.1710146410684632311 for ; Mon, 11 Mar 2024 01:40:14 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=Qz/117T+; spf=pass (domain: intel.com, ip: 198.175.65.19, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1710146415; x=1741682415; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=KhXzqQkX7Zrla7ZmK6HGDWd/SUtY/gearsykNBSVhSU=; b=Qz/117T+or7dL959zed2pw5p7HGdWxzGYujp0WSYwUMLlWWUpafH0Dfu XEuDPig0IRwbcIHjM5uvpBB+C3xfR8PG8MXZkXDaZLW7Kkhx/XCS6J1Ay Q4aYkY2VOKzwIIxSUlTdO4MIjoAjjPAc/jJZYQs3MGTt/xSLn+2ewYwpX RVPY47g2uj5oTRXq2ZV08LjEzE0g+PlzSPWzcM1vYs+nlgSgxmO+qGxpy QNZAFklZDKD3qo871fB/SpPgsIyPizJOgslKEoTOp4kJU5oTcP6pJRFon 7bokn9H1hCZIQFvV4hfU0E2lgHOGBWNayqDBix4Dxx5Mpev5ApBrzG3fl A==; X-IronPort-AV: 
E=McAfee;i="6600,9927,11009"; a="4656138" From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [nanbield][PATCH 6/7] gnutls: upgrade 3.8.1 -> 3.8.2 Date: Mon, 11 Mar 2024 16:39:53 +0800 Message-Id: <20240311083954.418271-6-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20240311083954.418271-1-chee.yang.lee@intel.com> References: <20240311083954.418271-1-chee.yang.lee@intel.com> MIME-Version: 1.0 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/196925 From: Wang Mingyu Changelog: ============ ** libgnutls: Fix timing side-channel inside RSA-PSK key exchange. ** libgnutls: Add API functions to perform ECDH and DH key agreement ** libgnutls: Added support for AES-GCM-SIV ciphers ** libgnutls: transparent KTLS support is extended to FreeBSD kernel ** gnutls-cli: New option --starttls-name (cherry-pick from Oe-Core rev 3c01bb0be8ddafa0aa1ad996ec524b51fd28f512) Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Lee Chee Yang --- .../recipes-support/gnutls/{gnutls_3.8.1.bb => gnutls_3.8.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-support/gnutls/{gnutls_3.8.1.bb => gnutls_3.8.2.bb} (97%) 
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.1.bb b/meta/recipes-support/gnutls/gnutls_3.8.2.bb similarity index 97% rename from meta/recipes-support/gnutls/gnutls_3.8.1.bb rename to meta/recipes-support/gnutls/gnutls_3.8.2.bb index 455031dd47..43fb5c4c4e 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.1.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.2.bb 
@@ -25,7 +25,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://Add-ptest-support.patch \ " -SRC_URI[sha256sum] = "ba8b9e15ae20aba88f44661978f5b5863494316fe7e722ede9d069fe6294829c" +SRC_URI[sha256sum] = "e765e5016ffa9b9dd243e363a0460d577074444ee2491267db2e96c9c2adef77" inherit autotools texinfo pkgconfig gettext lib_package gtk-doc ptest From patchwork Mon Mar 11 08:39:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 40764 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18D97C54E66 for ; Mon, 11 Mar 2024 08:40:18 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19]) by mx.groups.io with SMTP id smtpd.web10.57746.1710146410684632311 for ; Mon, 11 Mar 2024 01:40:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=JUM27Mq2; spf=pass (domain: intel.com, ip: 198.175.65.19, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1710146416; x=1741682416; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=WAzx1p5nZ0ltYOp9HcUPYUSPmYhqVeXwR9tfOqpdWJo=; b=JUM27Mq2tH/F0GJEtN0tRyqZwwrqT3btANxYRF1NCycYYy2+kpLtS+rQ Hbr9s0bGdup+C+wWzX31iEAq8v1KN5av1z+RvcLOGlNB06MwDlWmGlFY8 LHrIMdRn72ERzeYYUAm/rZoyyKYJQnWaSegRqYJjhiohvk4QflnlIztfh 3cWfnOCdF6jzkRUDWKt+6ksoOzq3Q7stiL0PiUuwijgNGgOJnZug2TtE5 DXTorBW05JYctWCI1wdBLs7S2W8SrZJcsbdgh2jiypZVwdmZMbt6ox85Z ay3SZpU55nKKZm/GoyuD6QewP3GvXRl4D5/rF21Mmm94C2z4W6AIktuHH Q==; X-IronPort-AV: E=McAfee;i="6600,9927,11009"; a="4656146" X-IronPort-AV: 
E=Sophos;i="6.07,116,1708416000"; d="scan'208";a="4656146" From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [nanbield][PATCH 7/7] gnutls: Upgrade 3.8.2 -> 3.8.3 Date: Mon, 11 Mar 2024 16:39:54 +0800 Message-Id: <20240311083954.418271-7-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20240311083954.418271-1-chee.yang.lee@intel.com> References: <20240311083954.418271-1-chee.yang.lee@intel.com> MIME-Version: 1.0 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/196926 From: Simone Weiß Upgrade version to address recent CVE findings. Changelog ========= ** libgnutls: Fix more timing side-channel inside RSA-PSK key exchange [GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553] ** libgnutls: Fix assertion failure when verifying a certificate chain with a cycle of cross signatures [GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567] ** libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token certtool was unable to handle Ed25519 keys generated on PKCS#11 with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2. (cherry-pick from Oe-Core rev 705d2972b38efc9f331e3635c07ca92f8812b365) Signed-off-by: Simone Weiß Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie 
Signed-off-by: Lee Chee Yang --- .../recipes-support/gnutls/{gnutls_3.8.2.bb => gnutls_3.8.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-support/gnutls/{gnutls_3.8.2.bb => gnutls_3.8.3.bb} (97%) diff --git a/meta/recipes-support/gnutls/gnutls_3.8.2.bb b/meta/recipes-support/gnutls/gnutls_3.8.3.bb similarity index 97% rename from meta/recipes-support/gnutls/gnutls_3.8.2.bb rename to meta/recipes-support/gnutls/gnutls_3.8.3.bb index 43fb5c4c4e..27d6753be0 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.2.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.3.bb @@ -25,7 +25,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://Add-ptest-support.patch \ " -SRC_URI[sha256sum] = "e765e5016ffa9b9dd243e363a0460d577074444ee2491267db2e96c9c2adef77" +SRC_URI[sha256sum] = "f74fc5954b27d4ec6dfbb11dea987888b5b124289a3703afcada0ee520f4173e" inherit autotools texinfo pkgconfig gettext lib_package gtk-doc ptest
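Review bot: in 1/7 (libxml2), the checksum hunk leaves the trailing context line "# Disputed as a security issue, but fixed in d39f780" as it was; with the recipe moving from 2.11.5 to 2.11.7, check whether the entry this comment introduces (not shown in the hunk) is still needed at the new version, and drop it in the same patch if it is not. The subject also omits the old version, unlike the "X -> Y" form used in 3/7 through 7/7, which makes the skipped 2.11.6 release easy to miss when scanning the log.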
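Review bot: in 2/7 (openssl), deleting fix_random_labels.patch removes the "srand(10000);" seeding in crypto/modes/asm/aes-gcm-avx512.pl that, per the patch's own description, existed so the reproducible-build tests pass, and the dropped patch was still marked "Upstream-Status: Pending". The message cites upstream commit 99630a1b08fd6464d95052dee4a3500afeb95867 as the replacement; please state explicitly that this commit is contained in the 3.1.5 tarball and that the reproducibility test was rerun with the patch removed, since nothing in the diff shows either.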
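Review bot: in 4/7 (bind 9.18.20 -> 9.18.21), the hunk against bind-ensure-searching-for-json-headers-searches-sysr.patch rewrites the embedded "From" commit hash and the "index" line in addition to moving the offset from "@@ -814,7" to "@@ -761,7"; the message says only "refreshed for 9.18.21", so please confirm that the carried change to configure.ac is itself unchanged and the refresh is purely mechanical. The changelog for this step lists deprecations and no CVE, so for a [nanbield] backport the message should say that it is the intermediate step towards 9.18.24 in 5/7.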
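Review bot: in 6/7 (gnutls 3.8.1 -> 3.8.2), the checksum bump lands a release that the changelog in 7/7 says introduced a regression in handling Ed25519 keys stored in a PKCS#11 token, so 6/7 should not be merged or released on nanbield without 7/7. The message of 6/7 lists new API functions, AES-GCM-SIV support and a new gnutls-cli option next to the RSA-PSK timing fix; for a stable branch it should say that the step is taken to reach 3.8.3 and its fixes for CVE-2024-0553 and CVE-2024-0567.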