Re: [OE-core] [PATCH 35/47] python3-jsonschema: upgrade 4.17.3 -> 4.21.1 and add new dependencies

2024-03-12 Thread Theodore A. Roth
On Wed, Mar 6, 2024 at 8:42 AM Alexander Kanavin wrote:
>
> Signed-off-by: Alexander Kanavin 
> ---
>  meta/conf/distro/include/maintainers.inc  |  3 +
>  ...on3-jsonschema-specifications_2023.12.1.bb | 18 +
>  ...4.17.3.bb => python3-jsonschema_4.21.1.bb} |  4 +-
>  .../python/python3-referencing_0.33.0.bb  | 14 
>  .../python/python3-rpds-py-crates.inc | 80 +++
>  .../python/python3-rpds-py_0.18.0.bb  | 17 
>  6 files changed, 135 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-devtools/python/python3-jsonschema-specifications_2023.12.1.bb
>  rename meta/recipes-devtools/python/{python3-jsonschema_4.17.3.bb => python3-jsonschema_4.21.1.bb} (88%)
>  create mode 100644 meta/recipes-devtools/python/python3-referencing_0.33.0.bb
>  create mode 100644 meta/recipes-devtools/python/python3-rpds-py-crates.inc
>  create mode 100644 meta/recipes-devtools/python/python3-rpds-py_0.18.0.bb
>

Hi,

Since this was merged to poky master our application which uses jsonschema
dies with a stack trace indicating a failure to import rpds.

After a bit of investigation, I found that it looks like yocto is installing
the rust library module into the site-packages on the device as
'rpds.cpython-312-armv7l-linux-gnueabihf.so' and the python interpreter is
looking for 'rpds.cpython-312-arm-linux-gnueabihf.so'.

When I rename the .so file to what the python interpreter is looking for,
things work and I can import rpds successfully.

It seems like something is going wrong with maturin building the wheel for
the armv7l target, but unfortunately my skills with rust and maturin are
lacking, so I can't figure out how to fix this.

We are building our images using HEAD of master/main for all of our meta
layers, so this landed in our builds a few days ago.

Simple way to tickle the error on a device:

###

root@mp1010:~# find /usr/lib/python3.12/site-packages/ -name '*.so'
/usr/lib/python3.12/site-packages/_cffi_backend.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/cryptography/hazmat/bindings/_rust.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/markupsafe/_speedups.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/pkcs11/_pkcs11.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/pvectorc.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/pycurl.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/rpds/rpds.cpython-312-armv7l-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/rpds/rpds.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/sdbus/sd_bus_internals.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/simplejson/_speedups.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/spidev.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/tornado/speedups.abi3.so
/usr/lib/python3.12/site-packages/yaml/_yaml.cpython-312-arm-linux-gnueabihf.so
/usr/lib/python3.12/site-packages/zenoh/zenoh.abi3.so

root@mp1010:~# python3
Python 3.12.2 (main, Feb  6 2024, 20:19:44) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import rpds
>>>

root@mp1010:~# cd /lib/python3.12/site-packages/rpds

root@mp1010:/lib/python3.12/site-packages/rpds# ls -1
__init__.py
__init__.pyi
__pycache__/
py.typed
rpds.cpython-312-arm-linux-gnueabihf.so*
rpds.cpython-312-armv7l-linux-gnueabihf.so*
root@mp1010:/lib/python3.12/site-packages/rpds# rm
rpds.cpython-312-arm-linux-gnueabihf.so
rm: remove regular file 'rpds.cpython-312-arm-linux-gnueabihf.so'? y

root@mp1010:/lib/python3.12/site-packages/rpds# python3
Python 3.12.2 (main, Feb  6 2024, 20:19:44) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import rpds
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.12/site-packages/rpds/__init__.py", line 1, in <module>
    from .rpds import *
ModuleNotFoundError: No module named 'rpds.rpds'
>>>

###

Target processor is a TI AM57xx.

Any help or things to try would be appreciated. More than happy to provide
more information if needed.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197001): 
https://lists.openembedded.org/g/openembedded-core/message/197001
Mute This Topic: https://lists.openembedded.org/mt/104767980/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
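A way to check for exactly this kind of mismatch from the device (or from an extracted rootfs) is to compare each compiled extension's file tag against the suffixes the interpreter actually accepts. The following is an added example, not code from the report above or from the python3-rpds-py recipe: SAMPLE_FILES is constructed from the find output in the report, and TARGET_SUFFIXES is an assumed suffix list for the 32-bit ARM Python 3.12 on the device (scan_live() reads the real list from importlib.machinery.EXTENSION_SUFFIXES).

```python
import importlib.machinery
import os
import re
import sysconfig

# Constructed sample input: a subset of the `find` listing from the report,
# with the two competing rpds files and an abi3 module for contrast.
SAMPLE_FILES = [
    "rpds/rpds.cpython-312-armv7l-linux-gnueabihf.so",
    "rpds/rpds.cpython-312-arm-linux-gnueabihf.so",
    "zenoh/zenoh.abi3.so",
    "pycurl.cpython-312-arm-linux-gnueabihf.so",
]

# Assumed suffix list for the 32-bit ARM Python 3.12 on the device, in the
# order importlib tries them. On a real target this comes from
# importlib.machinery.EXTENSION_SUFFIXES (see scan_live()).
TARGET_SUFFIXES = [
    ".cpython-312-arm-linux-gnueabihf.so",
    ".abi3.so",
    ".so",
]

_EXT_RE = re.compile(r"^([^.]+)(\..*)?\.so$")


def split_extension(path):
    """Split 'pkg/mod.cpython-312-arm-linux-gnueabihf.so' into
    ('mod', '.cpython-312-arm-linux-gnueabihf.so'); None for non-.so files.
    The module name is everything before the first dot; the rest is the tag
    that importlib must match exactly against EXTENSION_SUFFIXES."""
    base = os.path.basename(path)
    m = _EXT_RE.match(base)
    if not m:
        return None
    name, tag = m.group(1), m.group(2) or ""
    return name, tag + ".so"


def find_unloadable(paths, suffixes):
    """Return (path, suffix) for every .so whose tag is not in `suffixes`:
    such a file sits in site-packages but the interpreter never considers it,
    which surfaces as the ModuleNotFoundError for rpds.rpds seen above."""
    bad = []
    for path in paths:
        parsed = split_extension(path)
        if parsed is None:
            continue
        _, suffix = parsed
        if suffix not in suffixes:
            bad.append((path, suffix))
    return bad


def expected_filename(path, suffixes):
    """The name the interpreter looks for first: module name plus the most
    specific suffix it accepts."""
    parsed = split_extension(path)
    if parsed is None:
        return None
    name, _ = parsed
    head, sep, _ = path.rpartition("/")
    return f"{head}{sep}{name}{suffixes[0]}"


def scan_live(site_packages=None):
    """Walk the running interpreter's site-packages with its real suffix
    list and report extensions it cannot load."""
    site_packages = site_packages or sysconfig.get_path("platlib")
    found = []
    for dirpath, _, filenames in os.walk(site_packages):
        for fn in filenames:
            if fn.endswith(".so"):
                found.append(os.path.join(dirpath, fn))
    return find_unloadable(found, importlib.machinery.EXTENSION_SUFFIXES)


if __name__ == "__main__":
    for path, suffix in find_unloadable(SAMPLE_FILES, TARGET_SUFFIXES):
        print(f"unloadable: {path} (tag {suffix}); "
              f"interpreter wants {expected_filename(path, TARGET_SUFFIXES)}")
    for path, suffix in scan_live():
        print(f"live mismatch: {path} (tag {suffix})")
```

importlib only loads a file whose tag, after the module name, is exactly one of EXTENSION_SUFFIXES; a file tagged for armv7l on an interpreter whose suffix says arm is simply invisible to the import system, which is why the rename described in the report makes the import succeed.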



Re: [yocto] [OE-core] Yocto Project Status 12 March 2024 (WW11)

2024-03-12 Thread Alexander Kanavin
On Tue, 12 Mar 2024 at 18:29, Richard Purdie wrote:
> > I'd like to see the issue, as one recent change in devtool tests was
> > in the minicom version update commit.
>
> e.g.
> https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/6519/steps/14/logs/stdio
>
> which looks like a race between:
>
> overlayfs.OverlayFSTests.test_correct_image_fstab and
> devtool.DevtoolUpdateTests.test_devtool_update_recipe_local_files
>
> (over makedevs).
>
> but there looked to be more going on there too.

Right, the minicom stuff is probably not the culprit. At first glance,
devtool tests do ensure to make a copy of meta/ and operate on that,
but the failures seem to indicate they modified the original common
meta/ instead :-/

Alex

View/Reply Online (#62746): https://lists.yoctoproject.org/g/yocto/message/62746



Re: [yocto] [OE-core] Yocto Project Status 12 March 2024 (WW11)

2024-03-12 Thread Richard Purdie
On Tue, 2024-03-12 at 17:03 +0100, Alexander Kanavin wrote:
> On Tue, 12 Mar 2024 at 15:45, Stephen Jolley wrote:
> > We are seeing issues with devtool tests changing metadata and
> > causing race issues. It is unclear why we’re seeing these now.
> 
> I'd like to see the issue, as one recent change in devtool tests was
> in the minicom version update commit.

e.g.
https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/6519/steps/14/logs/stdio

which looks like a race between:

overlayfs.OverlayFSTests.test_correct_image_fstab and
devtool.DevtoolUpdateTests.test_devtool_update_recipe_local_files

(over makedevs).

but there looked to be more going on there too.

Cheers,

Richard

View/Reply Online (#62745): https://lists.yoctoproject.org/g/yocto/message/62745



[OE-core] [PATCH] gcc: Oe-selftest failure analysis - fix for tcl errors

2024-03-12 Thread Sadineni, Harish via lists.openembedded.org
From: Harish Sadineni 

The gcc testsuite is unable to read the value of the variable $do-what-limit,
causing the tcl errors below:
ERROR: can't read "do": no such variable
while executing
"set do_what $do-what-limit"

To fix this, quote the variable using braces, as in ${do-what-limit}.

Signed-off-by: Harish Sadineni 
---
 .../gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git 
a/meta/recipes-devtools/gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch 
b/meta/recipes-devtools/gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch
index c405d8d484..e4d57c27ef 100644
--- a/meta/recipes-devtools/gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch
+++ b/meta/recipes-devtools/gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch
@@ -80,8 +80,8 @@ index 9d79b9402e9..e0e5cbb1af8 100644
 +# Demote run tests to $do-what-limit if set
 +  switch $do_what {
 +  run {
-+  set do_what $do-what-limit
-+  set dg-do-what $do-what-limit
++  set do_what ${do-what-limit}
++  set dg-do-what ${do-what-limit}
 +  }
 +}
 +}
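Review bot: the fix is right for Tcl's substitution rules, since `$do-what-limit` is parsed as the variable `do` followed by the literal text `-what-limit` (only letters, digits, underscores and `::` are taken as part of a `$name`), which is exactly the `can't read "do"` error quoted in the commit message; the braced form `${do-what-limit}` reads the variable with the hyphenated name. Two follow-ups for this hunk: the unchanged comment line `+# Demote run tests to $do-what-limit if set` still shows the bare form, so update it to `${do-what-limit}` so the next reader does not copy the broken spelling; and the comment says "if set", but nothing visible in the hunk guards the two `set` lines with an `info exists do-what-limit` check, so if that guard is not in the surrounding context an unset `do-what-limit` now fails with `can't read "do-what-limit"` instead of `can't read "do"`.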
-- 
2.43.0


View/Reply Online (#196998): https://lists.openembedded.org/g/openembedded-core/message/196998



Re: [OE-core] [nanbield][PATCH 2/7] openssl: upgrade to 3.1.5

2024-03-12 Thread Steve Sakoman
I'm getting ptest failures with this patch, both on qemux86-64-ptest
and qemuarm64-ptest.

Links to logs below:

https://autobuilder.yocto.io/pub/non-release/20240311-30/testresults/qemux86-64-ptest/core-image-ptest-openssl/log.do_testimage.831625.20240311232818
https://autobuilder.yocto.io/pub/non-release/20240311-30/testresults/qemuarm64-ptest/core-image-ptest-openssl/log.do_testimage.152067.20240312011738

Steve

On Sun, Mar 10, 2024 at 10:40 PM Lee Chee Yang  wrote:
>
> From: Lee Chee Yang 
>
> Changes between 3.1.4 and 3.1.5 [30 Jan 2024]
>  * A file in PKCS12 format can contain certificates and keys and may come from
>    an untrusted source. The PKCS12 specification allows certain fields to be
>    NULL, but OpenSSL did not correctly check for this case. A fix has been
>    applied to prevent a NULL pointer dereference that results in OpenSSL
>    crashing. If an application processes PKCS12 files from an untrusted source
>    using the OpenSSL APIs then that application will be vulnerable to this
>    issue prior to this fix.
>
>    OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
>    PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
>    and PKCS12_newpass().
>
>    We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
>    function is related to writing data we do not consider it security
>    significant.
>
>    ([CVE-2024-0727])
> https://www.openssl.org/news/cl31.txt
>
> drop fix_random_labels.patch as fixed in
> https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867
>
> Signed-off-by: Lee Chee Yang 
> ---
>  .../openssl/openssl/fix_random_labels.patch   | 22 ---
>  .../{openssl_3.1.4.bb => openssl_3.1.5.bb}|  3 +--
>  2 files changed, 1 insertion(+), 24 deletions(-)
>  delete mode 100644 
> meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
>  rename meta/recipes-connectivity/openssl/{openssl_3.1.4.bb => 
> openssl_3.1.5.bb} (98%)
>
> diff --git 
> a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch 
> b/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
> deleted file mode 100644
> index 78dcd81685..00
> --- a/meta/recipes-connectivity/openssl/openssl/fix_random_labels.patch
> +++ /dev/null
> @@ -1,22 +0,0 @@
> -The perl script adds random suffixes to the local function names to ensure
> -it doesn't clash with other parts of openssl. Set the random number seed
> -to something predictable so the assembler files are generated consistently
> -and our own reproducible builds tests pass.
> -
> -Upstream-Status: Pending
> -Signed-off-by: Richard Purdie 
> -
> -Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
> -===
>  openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl
> -+++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
> -@@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable= (16 * 6);
> - # ;;; Helper functions
> - # ;
> -
> -+# Ensure the local labels are reproduicble
> -+srand(1);
> -+
> - # ; Generates "random" local labels
> - sub random_string() {
> -   my @chars  = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
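Review bot: deleting this file drops the `srand(1)` seeding the patch put in front of `random_string()` in crypto/modes/asm/aes-gcm-avx512.pl, so the generated local labels in that assembler are only deterministic if the upstream commit named in the commit message (99630a1b08fd6464d95052dee4a3500afeb95867) is really contained in the 3.1.5 tarball. The patch header says it existed to make "our own reproducible builds tests pass", so please confirm with the reproducibility selftest that libcrypto built from 3.1.5 without this patch still compares equal, and say so in the commit message; a regression here would otherwise only show up later as a non-reproducible x86-64 build.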
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb 
> b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
> similarity index 98%
> rename from meta/recipes-connectivity/openssl/openssl_3.1.4.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.1.5.bb
> index 0fe4e76808..9c1d4e31be 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.1.4.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
> @@ -11,7 +11,6 @@ SRC_URI = 
> "http://www.openssl.org/source/openssl-${PV}.tar.gz \
> file://run-ptest \
> 
> file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
> file://0001-Configure-do-not-tweak-mips-cflags.patch \
> -   file://fix_random_labels.patch \
> 
> file://0001-Added-handshake-history-reporting-when-test-fails.patch \
> "
>
> @@ -19,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
> file://environment.d-openssl.sh \
> "
>
> -SRC_URI[sha256sum] = 
> "840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
> +SRC_URI[sha256sum] = 
> "6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262"
>
>  inherit lib_package multilib_header multilib_script ptest perlnative manpages
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
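Review bot: the new `SRC_URI[sha256sum]` value should be checked against the checksum OpenSSL publishes next to openssl-3.1.5.tar.gz (or the release signature), not only against the tarball that happened to be fetched when the recipe was bumped, since the recipe hash only pins what was downloaded. Separately, the reply at the top of this message reports ptest failures with this patch on both qemux86-64 and qemuarm64, and nothing in this diff touches `run-ptest` or the ptest packaging, so the failures most likely come from tests added or changed in 3.1.5 itself; the linked logs should be checked for which tests fail, and the commit message should state the resulting skip or packaging change that makes ptest pass before this lands on nanbield.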
> --
> 2.37.3
>
>
> 
>

View/Reply Online (#196997): https://lists.openembedded.org/g/openembedded-core/message/196997

Re: [OE-core] Yocto Project Status 12 March 2024 (WW11)

2024-03-12 Thread Alexander Kanavin
On Tue, 12 Mar 2024 at 15:45, Stephen Jolley  wrote:
> We are seeing issues with devtool tests changing metadata and causing race 
> issues. It is unclear why we’re seeing these now.

I'd like to see the issue, as one recent change in devtool tests was
in the minicom version update commit.

Alex

View/Reply Online (#196996): https://lists.openembedded.org/g/openembedded-core/message/196996



[OE-core] [RFC OE-core] Bug 15423

2024-03-12 Thread Shinde, Yash via lists.openembedded.org

Hi,

For https://bugzilla.yoctoproject.org/show_bug.cgi?id=15423,

I am working on finding a work-around until a proper fix is found.

I am looking into whether there is any way to skip/disable individual test
cases (tst-scm_rights.c and tst-scm_rights-time64.c, which cause stale qemu
processes) for the glibc testsuite but didn't find anything useful.


Another way to handle this can be to add a runCmd() that kills the stray
processes after the testsuite is completed in the glibc.py file.

Something like the following:

cmd = "ps -el | awk '/qemu-ppc/ {print $4}' | xargs -I{} kill {}"
runCmd(cmd)

Let me know your views or suggestions.

--
Regards,
Yash Shinde

View/Reply Online (#196995): https://lists.openembedded.org/g/openembedded-core/message/196995
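Killing every process on the host whose name matches qemu-ppc also hits qemu instances that belong to other builds running on the same autobuilder worker. The following added example (not part of the message above and not oeqa code) limits the cleanup to processes that descend from the test runner's own pid: SAMPLE_PROCS is a constructed process table with made-up pids, select_stray() is contrasted with the name-only match that the ps|awk pipeline performs, and read_proc_table() and kill_stray() are the pieces that would be used live from glibc.py (the sample run below does not kill anything).

```python
import os
import re
import signal

# Constructed process table as (pid, ppid, comm), standing in for what
# `ps -el` or /proc would show on a shared autobuilder host. The pids and
# names are invented for the example.
SAMPLE_PROCS = [
    (1, 0, "init"),
    (4000, 1, "python3"),      # a different oe-selftest run on the same host
    (4010, 4000, "qemu-ppc"),  # its qemu-user instance: not ours, must survive
    (5000, 1, "python3"),      # our test runner (root of our subtree)
    (5001, 5000, "sh"),
    (5002, 5001, "qemu-ppc"),  # stale qemu left behind by our glibc tests
    (5003, 5000, "qemu-ppc"),
    (5004, 5000, "bash"),
]


def match_by_name_only(procs, pattern):
    """What `ps -el | awk '/qemu-ppc/'` selects: every process on the host
    whose name matches, regardless of who started it."""
    rx = re.compile(pattern)
    return sorted(pid for pid, _, comm in procs if rx.search(comm))


def select_stray(procs, root_pid, pattern):
    """Select matching processes that are descendants of `root_pid` only.
    Walks the parent/child tree, so a qemu owned by another build on the
    same machine is never selected."""
    rx = re.compile(pattern)
    children = {}
    comm_of = {}
    for pid, ppid, comm in procs:
        children.setdefault(ppid, []).append(pid)
        comm_of[pid] = comm
    selected = []
    stack = list(children.get(root_pid, []))
    while stack:
        pid = stack.pop()
        if rx.search(comm_of.get(pid, "")):
            selected.append(pid)
        stack.extend(children.get(pid, []))
    return sorted(selected)


def parse_stat_line(line):
    """Parse one /proc/<pid>/stat line into (pid, ppid, comm). The comm field
    is parenthesised and may itself contain spaces or ')', so split on the
    last ') ' rather than on whitespace; ppid is the field after the state."""
    pid_str, _, rest = line.partition(" (")
    comm, _, fields = rest.rpartition(") ")
    return int(pid_str), int(fields.split()[1]), comm


def read_proc_table(proc="/proc"):
    """Live process table from /proc; entries that vanish mid-read are skipped."""
    table = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "stat")) as fh:
                table.append(parse_stat_line(fh.read().strip()))
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue
    return table


def kill_stray(pids, sig=signal.SIGTERM):
    """Signal the selected pids; return the ones that were still alive."""
    killed = []
    for pid in pids:
        try:
            os.kill(pid, sig)
            killed.append(pid)
        except ProcessLookupError:
            pass
    return killed


if __name__ == "__main__":
    print("name-only match:", match_by_name_only(SAMPLE_PROCS, r"^qemu-"))
    print("scoped to 5000: ", select_stray(SAMPLE_PROCS, 5000, r"^qemu-"))
    # Live use inside the test runner: scope to our own process subtree.
    live = select_stray(read_proc_table(), os.getpid(), r"^qemu-")
    print("live strays under this pid:", live)
```

In glibc.py the call would be `kill_stray(select_stray(read_proc_table(), os.getpid(), r"^qemu-"))` after the testsuite returns; the scoping matters because oe-selftest workers for unrelated builds share the machine, and a name-only kill would take down their qemu instances too.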



[OE-core] [PATCH] gcc: Oe-selftest failure analysis - fix for tcl errors

2024-03-12 Thread Sadineni, Harish via lists.openembedded.org
From: Harish Sadineni 

The gcc testsuite is unable to read the value of the variable $do-what-limit,
causing the tcl errors below:
ERROR: can't read "do": no such variable
while executing
"set do_what $do-what-limit"

To fix this, the variable is changed to ${do-what-limit}.

Signed-off-by: Harish Sadineni 
---
 .../gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git 
a/meta/recipes-devtools/gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch 
b/meta/recipes-devtools/gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch
index c405d8d484..e4d57c27ef 100644
--- a/meta/recipes-devtools/gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch
+++ b/meta/recipes-devtools/gcc/gcc/0025-gcc-testsuite-tweaks-for-mips-OE.patch
@@ -80,8 +80,8 @@ index 9d79b9402e9..e0e5cbb1af8 100644
 +# Demote run tests to $do-what-limit if set
 +  switch $do_what {
 +  run {
-+  set do_what $do-what-limit
-+  set dg-do-what $do-what-limit
++  set do_what ${do-what-limit}
++  set dg-do-what ${do-what-limit}
 +  }
 +}
 +}
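Review bot: the braced form is the correct fix, because Tcl stops a `$name` substitution at the first character that is not a letter, digit, underscore or `::`, so `$do-what-limit` reads the variable `do` and appends the literal `-what-limit`, which is the `can't read "do"` error in the commit message. The comment line `+# Demote run tests to $do-what-limit if set` in this hunk keeps the bare spelling and should be updated to `${do-what-limit}` as well, and since the hunk shows no `info exists do-what-limit` guard around the two `set` lines, check that the "if set" condition is enforced in the surrounding context, otherwise an unset variable still aborts the run with `can't read "do-what-limit"`.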
-- 
2.43.0


View/Reply Online (#196994): https://lists.openembedded.org/g/openembedded-core/message/196994



Re: [OE-core] [RFC PATCH V2 0/5] Fix persistent tmp

2024-03-12 Thread Randy MacLeod via lists.openembedded.org

Add Trevor who made the original commit:

commit d5d40479d706cbb382850b9479c5dd9bfb801c99
Author: Trevor Woerner 
Date:   Mon Feb 27 00:00:40 2023

    VOLATILE_TMP_DIR: add

    Provide a mechanism to allow users to choose whether the /tmp directory
    is on persistent storage (non-volatile) or a RAM-based tmpfs 
(volatile).

    The default is volatile.

    Works for both sysvinit-based and systemd-based systems.


and Ross who said he'd take a look at this RFC.


On 2024-02-03 9:58 p.m., Changqing Li via lists.openembedded.org wrote:

ping

On 12/11/23 08:58, Changqing Li wrote:

From: Changqing Li 

Hi, All

Currently, VOLATILE_TMP_DIR not works,
set VOLATILE_TMP_DIR="no", VOLATILE_LOG_DIR="no", after boot target,
/var/tmp still link to tmpfs /var/volatile/tmp

lrwxrwxrwx  1 root root   11 Mar  9  2018 lock -> ../run/lock
drwxr-xr-x  4 root root 1024 Dec  4 07:55 log
lrwxrwxrwx  1 root root    6 Mar  9  2018 run -> ../run
drwxr-xr-x  3 root root 1024 Mar  9  2018 spool
lrwxrwxrwx  1 root root   12 Mar  9  2018 tmp -> volatile/tmp
drwxrwxrwt  4 root root   80 Dec  4 07:55 volatile

So I do some research, fix this issue and do some other changes 
accordingly. Please

help to review this patch, thanks.

Targets:
1. Support persistent tmp,  For persistent tmp, only /var/tmp is 
persistent, /tmp is tmpfs,
    For volatile tmp, /tmp link to /var/tmp, /var/tmp link to 
/var/volatile/tmp

2. make systemd and SysVinit have the same directory structure.

Currently, systemd and SysVinit have different directory structure, 
the difference focus on how to handle /tmp.


when volatile is enabled, for sysVinit, /tmp link to /var/tmp, 
/var/tmp link to /var/volatile/tmp
refer [4][5]. but for systemd, /tmp is a directory, it is mounted by 
systemd as tmpfs. /var/tmp
linked to /var/volatile/tmp.  And for systemd, refer [6], set 
different age for /tmp and /var/tmp.


I find that structured text helps me understand things, so here's a 
structured version of the sentences above:



Currently, systemd and SysVinit have different directory structure; the 
difference focus on how to handle /tmp.


When volatile is enabled, for sysVinit:
      /tmp link to /var/tmp,
  /var/tmp link to /var/volatile/tmp
   refer [4][5]

but for systemd:
   /tmp is a directory, it is mounted by systemd as tmpfs.
  /var/tmp linked to /var/volatile/tmp

and for systemd, refer [6], set different age for /tmp and /var/tmp.






Since volatile disabled not works, ignore the difference when 
volatile is disabled.


With this patch, VOLATILE_TMP_DIR will behave like this:
For both sysvinit and systemd:
1. VOLATILE_TMP_DIR="yes":
/tmp link to /var/tmp,  /var/tmp link to /var/volatile/log, 
/var/volatile is mounted as tmpfs
In this case, for systemd, /tmp and /var/tmp will set to the same 
age, 10d.


Compare to current behavior, there are 2 changes:
    1) for systemd,  /tmp changed from a directory to a symlink to 
/var/tmp

    2) age of /tmp and /var/tmp will be same



Okay but is an identical timestamp absolutely required or are you just 
trying to make things consistent


to reduce the chance that a different timestamp could cause problems?

I may have missed an explanation of why you want the 10d old timestamp 
anyway, that seems like

a separate change that should follow-up the re-org changes.




2. VOLATILE_TMP_DIR="no":
/tmp is a directory mounted as tmpfs, /var/tmp is a directory on 
persistent fs, and keep the age as [6]


Change like this in order to meet [1][2], also maybe [3] for systemd.

Compare to current behavior, there is one change:
    1) for sysVinit, /tmp changed from a symlink to a directory


You've carefully explained things but it does seem a bit complicated
when you first read the explanation. It may have been better to start your
explanation with the last statement you made, by saying something like this:

   This is going to be a detailed, lengthy explanation but the only
   change in runtime will be for sysVinit where /tmp is changed from a
   symlink to a directory to make it persistent.



Ross, Trevor,
Any comments or concerns ?

Changqing, if no one replies today, please just rebase and repost your
full RFC patch to try to restart the discussion.


Thanks,

../Randy



[1] https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s18.html
[2] https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s15.html
[3] https://systemd.io/TEMPORARY_DIRECTORIES/
[4] 
https://git.openembedded.org/openembedded/tree/docs/usermanual/chapters/recipes.xml#n3535
[5] 
https://git.openembedded.org/openembedded-core/commit/?id=12c4acd7ac5a27cf3676065b60f1c8395c96854c

[6] https://github.com/systemd/systemd/blob/main/tmpfiles.d/tmp.conf
[7] 
https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html



Test Result of following cases:
1.
SysVinit
VOLATILE_TMP_DIR="yes"
VOLATILE_LOG_DIR="yes"

root@qemux86-64:~# ls -al /tmp
lrwxrwxrwx    1 root root 8 Dec  8 08:51 /tmp -> 
/var/tmp
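An added check, not part of the RFC or of this thread, that verifies an extracted rootfs against the two layouts described above: with VOLATILE_TMP_DIR="yes", /tmp is a symlink to /var/tmp and /var/tmp a symlink to /var/volatile/tmp; with "no", /tmp and /var/tmp are real directories. The /var/volatile/tmp target follows the description of the volatile case earlier in the message; requiring mode 1777 (sticky, world-writable) on the real directories is an assumption of this example about what a shared tmp directory must look like, not something the thread states. build_rootfs() is a constructed fixture so the checker can be exercised offline, including the mismatch reported at the start of the thread (a "no" configuration whose image still carries the symlinks).

```python
import os
import tempfile


def _link_points_to(root, link, expected):
    """True if `link` is a symlink that resolves (one hop) to `expected`.
    Images write targets either absolute (/tmp -> /var/tmp) or relative
    (tmp -> volatile/tmp); absolute targets are re-rooted under `root`."""
    if not os.path.islink(link):
        return False
    target = os.readlink(link)
    if os.path.isabs(target):
        resolved = os.path.join(root, target.lstrip("/"))
    else:
        resolved = os.path.join(os.path.dirname(link), target)
    return os.path.normpath(resolved) == os.path.normpath(expected)


def _is_sticky_world_writable_dir(path):
    """A real directory (not a symlink) with mode 1777: world-writable with
    the sticky bit, so users cannot remove each other's files (assumption
    of this example, see lead-in)."""
    if os.path.islink(path) or not os.path.isdir(path):
        return False
    return (os.lstat(path).st_mode & 0o7777) == 0o1777


def check_tmp_layout(root, volatile_tmp):
    """Return a list of problems for an extracted rootfs under `root`;
    an empty list means the layout matches the requested policy."""
    tmp = os.path.join(root, "tmp")
    var_tmp = os.path.join(root, "var", "tmp")
    volatile = os.path.join(root, "var", "volatile", "tmp")
    problems = []
    if volatile_tmp:
        if not _link_points_to(root, tmp, var_tmp):
            problems.append("/tmp is not a symlink to /var/tmp")
        if not _link_points_to(root, var_tmp, volatile):
            problems.append("/var/tmp is not a symlink to /var/volatile/tmp")
    else:
        if not _is_sticky_world_writable_dir(tmp):
            problems.append("/tmp is not a real 1777 directory")
        if not _is_sticky_world_writable_dir(var_tmp):
            problems.append("/var/tmp is not a real 1777 directory")
    return problems


def build_rootfs(root, volatile_tmp):
    """Constructed fixture: lay out /tmp and /var/tmp the way each policy
    describes, so the checker can be run without a real image."""
    os.makedirs(os.path.join(root, "var"), exist_ok=True)
    tmp = os.path.join(root, "tmp")
    var_tmp = os.path.join(root, "var", "tmp")
    if volatile_tmp:
        os.symlink("/var/tmp", tmp)          # absolute form, as in the ls output
        os.symlink("volatile/tmp", var_tmp)  # relative form, as in the ls output
    else:
        for d in (tmp, var_tmp):
            os.mkdir(d)
            os.chmod(d, 0o1777)


def self_check():
    """Build both layouts and check each against both policies.
    Returns {(layout_is_volatile, policy_is_volatile): problems}."""
    results = {}
    for layout in (True, False):
        root = tempfile.mkdtemp(prefix="rootfs-")
        build_rootfs(root, layout)
        for policy in (True, False):
            results[(layout, policy)] = check_tmp_layout(root, policy)
    return results


if __name__ == "__main__":
    for (layout, policy), problems in self_check().items():
        print(f"layout volatile={layout} checked as volatile={policy}: "
              f"{problems or 'ok'}")
```

Run against a real image, `check_tmp_layout("/path/to/extracted/rootfs", volatile_tmp=False)` returning the two symlink problems is the situation the thread opens with: VOLATILE_TMP_DIR="no" set, but /var/tmp still pointing at volatile/tmp.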


[OE-core] Yocto Project Status 12 March 2024 (WW11)

2024-03-12 Thread Stephen Jolley
Current Dev Position: YP 5.0 M4 - Final Release

Next Deadline: 1st April 2024 YP 5.0 M4 build

Next Team Meetings:

   - Bug Triage meeting Thursday March 14th at 7:30 am PST
     (https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
   - Weekly Project Engineering Sync Tuesday March 12th at 8 am PST
     (https://zoom.us/j/990892712?pwd=cHU1MjhoM2x6ck81bkcrYjRrcmJsUT09)
   - Twitch - See https://www.twitch.tv/theyoctojester


Key Status/Updates:

   - YP 5.0 M3 is in QA
   - YP 3.1.32 was released
   - A key worry now is the documentation for the release, especially given
     it is an LTS
   - The QA screenshot changes were merged but not enabled as there were too
     many bugs still present.
   - The go upgrade to 1.22 did merge
   - We are seeing issues with devtool tests changing metadata and causing
     race issues. It is unclear why we’re seeing these now.
   - The opkg lock issue with systemd images continues to be a significant
     concern for the release.
   - The previously reported CVE database update issue on the autobuilder has
     not been addressed yet. This is causing higher numbers of CVEs to be
     reported on the autobuilder generated charts.
   - There have been questions about official RISC-V support in this next
     release, especially since it is an LTS. We will trial qemuriscv64 support
     in M3 but remove it before the final LTS release as there is no sponsor for
     that support.


Ways to contribute:

   - As people are likely aware, the project has a number of components which
     are either unmaintained, or have people with little to no time trying to
     keep them alive. These components include: devtool, toaster, wic, oeqa,
     autobuilder, CROPs containers, pseudo and more. Many have open bugs. Help
     is welcome in trying to better look after these components!
   - There are bugs identified as possible for newcomers to the project:
     https://wiki.yoctoproject.org/wiki/Newcomers
   - There are bugs that are currently unassigned for YP 5.0. See:
     https://wiki.yoctoproject.org/wiki/Bug_Triage#Medium+_5.0_Unassigned_Enhancements/Bugs
   - We’d welcome new maintainers for recipes in OE-Core. Please see the list
     at:
     http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/conf/distro/include/maintainers.inc
     and discuss with the existing maintainer, or ask on the OE-Core mailing
     list. We will likely move a chunk of these to “Unassigned” soon to help
     facilitate this.
   - Help is very much welcome in trying to resolve our autobuilder
     intermittent issues. You can see the list of failures we’re continuing to
     see by searching for the “AB-INT” tag in bugzilla:
     https://bugzilla.yoctoproject.org/buglist.cgi?quicksearch=AB-INT.
   - Help us resolve CVE issues: CVE metrics
   - We have a growing number of bugs in bugzilla, any help with them is
     appreciated.
   - Regarding bugs, even if you can’t fix a bug, submitting a failing test
     case that can reproduce the issue significantly improves the chances it
     might get fixed.


YP 5.0 Milestone Dates:

   - YP 5.0 M3 is in QA.
   - YP 5.0 M4 build date 2024/04/01
   - YP 5.0 M4 Release date 2024/04/30


Upcoming dot releases:

   - YP 3.1.32 was released.
   - YP 4.0.17 build date 2024/03/11
   - YP 4.0.17 Release date 2024/03/22
   - YP 4.3.4 build date 2024/03/25
   - YP 4.3.4 Release date 2024/04/05
   - YP 3.1.33 build date 2024/04/15
   - YP 3.1.33 Release date 2024/04/26
   - YP 4.0.18 build date 2024/04/22
   - YP 4.0.18 Release date 2024/05/03
   - YP 4.0.19 build date 2024/06/03
   - YP 4.0.19 Release date 2024/06/14


Tracking Metrics:

   - WDD 2688 (last week 2618) (https://wiki.yoctoproject.org/charts/combo.html)
   - OE-Core/Poky Patch Metrics
      - Total patches found: 1148 (last week 1155)
      - Patches in the Pending State: 249 (22%) [last week 249 (22%)]
      - https://autobuilder.yocto.io/pub/non-release/patchmetrics/


The Yocto Project’s technical governance is through its Technical Steering
Committee, more information is available at:

https://wiki.yoctoproject.org/wiki/TSC

The Status reports are now stored on the wiki at:
https://wiki.yoctoproject.org/wiki/Weekly_Status

[If anyone has suggestions for other information you’d like to see on this
weekly status update, let us know!]

Thanks,



Stephen K. Jolley

Yocto Project Program Manager

Cell: (208) 244-4460

Email: sjolley.yp...@gmail.com

View/Reply Online (#196992): https://lists.openembedded.org/g/openembedded-core/message/196992

Re: [OE-core] [PATCH 1/7, v3] openssh: replace complete configuration files by patch

2024-03-12 Thread Enrico Scholz via lists.openembedded.org
Alexander Kanavin  writes:

> Why is the patch inappropriate for upstream submission? To me it looks
> like it should be at least proposed.
>
> ++Include /etc/ssh/sshd_config.d/*.conf

Underlying feature exists for 4 years and nearly every major linux
distribution (including OE) has such a line.  So I assume there is a
reason that it is not upstream yet.

I added an upstream report
(https://bugzilla.mindrot.org/show_bug.cgi?id=3672) and will update
patch status when resubmitting.



Enrico

View/Reply Online (#196991): https://lists.openembedded.org/g/openembedded-core/message/196991
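The quoted `Include /etc/ssh/sshd_config.d/*.conf` line puts the drop-in directory ahead of the rest of sshd_config, and where the line sits matters because sshd keeps the first value it reads for most keywords. The following is an added example, not content of the patch under review and not OpenSSH code: a small resolver over a constructed in-memory set of files that shows which value wins with the Include first versus last. It does not model Match blocks or keywords that accumulate several values (HostKey, for instance), and it uses fnmatch rather than glob(3) semantics, so the path set and sorting are approximations of what sshd does.

```python
import fnmatch
import shlex

# Constructed in-memory filesystem: path -> file content. The main file has
# the Include line first, as the quoted patch line places it.
FILES_INCLUDE_FIRST = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication yes\n"
        "PermitRootLogin prohibit-password\n"
    ),
    "/etc/ssh/sshd_config.d/10-hardening.conf": (
        "PasswordAuthentication no\n"
        "MaxAuthTries 3\n"
    ),
    "/etc/ssh/sshd_config.d/90-site.conf": (
        "# later drop-in trying to relax the limit\n"
        "MaxAuthTries 6\n"
        "PermitRootLogin no\n"
    ),
}

# Same drop-ins, but the Include placed at the end of the main file.
FILES_INCLUDE_LAST = dict(FILES_INCLUDE_FIRST)
FILES_INCLUDE_LAST["/etc/ssh/sshd_config"] = (
    "PasswordAuthentication yes\n"
    "PermitRootLogin prohibit-password\n"
    "Include /etc/ssh/sshd_config.d/*.conf\n"
)


def _expand_include(files, pattern):
    """Expand one Include argument against the in-memory tree. Relative
    patterns are taken under /etc/ssh, as sshd does; matches are returned
    sorted, which is the order glob(3) hands them to sshd."""
    if not pattern.startswith("/"):
        pattern = "/etc/ssh/" + pattern
    return sorted(fnmatch.filter(files.keys(), pattern))


def effective_options(files, path, result=None, seen=None):
    """Walk the config in sshd order and keep the FIRST value seen for each
    keyword (keywords are case-insensitive). Everything is treated as global
    scope; Match blocks are not modelled. `seen` guards against Include loops."""
    result = {} if result is None else result
    seen = set() if seen is None else seen
    if path in seen:
        return result
    seen.add(path)
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword = keyword.lower()
        value = value.strip()
        if keyword == "include":
            for pattern in shlex.split(value):
                for included in _expand_include(files, pattern):
                    effective_options(files, included, result, seen)
        elif keyword not in result:
            result[keyword] = value
    return result


if __name__ == "__main__":
    for name, tree in (("Include first", FILES_INCLUDE_FIRST),
                       ("Include last", FILES_INCLUDE_LAST)):
        print(name, effective_options(tree, "/etc/ssh/sshd_config"))
```

With the Include first, the drop-ins decide PasswordAuthentication and PermitRootLogin and the main file's later lines are ignored; with the Include last, the main file's values win and a drop-in can only add keywords the main file does not set. That is the property to keep in mind when a layer ships both a patched sshd_config and drop-ins: `sshd -T` on the target prints the effective values and is the authoritative check.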



[OE-core][kirkstone 8/8] librsvg: Fix do_package_qa error for librsvg

2024-03-12 Thread Steve Sakoman
From: Nikhil R 

When using the meta-rust layer for rust, the do_package_qa error below
is observed in librsvg.

Fix the below error:
ERROR: librsvg-2.52.10-r0 do_package_qa: QA Issue: File /usr/bin/rsvg-convert 
in package rsvg doesn't have GNU_HASH (didn't pass LDFLAGS?) File 
/usr/bin/rsvg-convert in package rsvg doesn't have GNU_HASH (didn't pass 
LDFLAGS?) [ldflags] ERROR: librsvg-2.52.10-r0 do_package_qa: Fatal QA errors 
were found, failing task.

Signed-off-by: Nikhil R 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-gnome/librsvg/librsvg_2.52.10.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-gnome/librsvg/librsvg_2.52.10.bb 
b/meta/recipes-gnome/librsvg/librsvg_2.52.10.bb
index b79e95a04f..21f502444b 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.52.10.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.52.10.bb
@@ -73,3 +73,5 @@ FILES:librsvg-gtk = "${libdir}/gdk-pixbuf-2.0/*/*/*.so \
 RRECOMMENDS:librsvg-gtk = "gdk-pixbuf-bin"
 
 PIXBUF_PACKAGES = "librsvg-gtk"
+
+TARGET_CC_ARCH += "${LDFLAGS}"
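Review bot: `TARGET_CC_ARCH += "${LDFLAGS}"` is the usual OE-Core way to get the `--hash-style=gnu` linker flag into a build whose link step goes through the C compiler driver without honouring LDFLAGS, which is what the GNU_HASH QA check on /usr/bin/rsvg-convert is reporting; the commit message only says the error appears "when using meta-rust layer", so please state why the rust-built rsvg-convert needs it (i.e. how the flags reach cargo's link step via the C compiler driver), and add a one-line comment above the new line in the recipe, otherwise the next cleanup will drop it as apparently unrelated to the package.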
-- 
2.34.1


View/Reply Online (#196990): https://lists.openembedded.org/g/openembedded-core/message/196990



[OE-core][kirkstone 7/8] linux-yocto/5.15: fix partition scanning

2024-03-12 Thread Steve Sakoman
From: Bruce Ashfield 

Integrating the following commit(s) to linux-yocto/5.15:

1/1 [
Author: Christoph Hellwig
Email: h...@lst.de
Subject: block, loop: support partitions without scanning
Date: Fri, 27 May 2022 07:58:06 +0200

Historically we did distinguish between a flag that suppressed partition
scanning, and a combination of the minors variable and another flag if
any partitions were supported.  This was generally confusing and doesn't
make much sense, but some corner case uses of the loop driver actually
do want to support manually added partitions on a device that does not
actively scan for partitions.  To make things worse the loop driver
also wants to dynamically toggle the scanning for partitions on a live
gendisk, which makes the disk->flags updates non-atomic.

Introduce a new GD_SUPPRESS_PART_SCAN bit in disk->state that disables
just scanning for partitions, and toggle that instead of GENHD_FL_NO_PART
in the loop driver.

[bva: Notes for this backport:
   - drop return code in disk_scan_partitions for GD_SUPPRESS_PART_SCAN.
     The check doesn't strictly need to be in this routine in 5.15, but
     this facilitates future changes in this area, since there are
 other checks in the same function.
   - GD_SUPPRESS_PART_SCAN could go to genh.c, but genhd.c includes
 blkdev.h, so we leave the new GD_SUPPRESS_PART_SCAN definition
 in the same places as where it was introduced upstream to keep
 the changes to a minimum
   - upstream commit e16e506ccd673 merges blkdev_reread_part into
 disk_scan_partitions. Backporting that change is more churn
 than we need, so we also add the check for GD_SUPPRESS_PART_SCAN
 into that routine to have the check hit in a 5.15 context.
]

Upstream-Status: Backport [commit b9684a71fca79]

Fixes: 1ebe2e5f9d68 ("block: remove GENHD_FL_EXT_DEVT")
Reported-by: Ming Lei 
Signed-off-by: Christoph Hellwig 
Reviewed-by: Ming Lei 
Link: https://lore.kernel.org/r/20220527055806.1972352-1-...@lst.de
Signed-off-by: Jens Axboe 
Signed-off-by: Bruce Ashfield 
]

Signed-off-by: Bruce Ashfield 
Signed-off-by: Steve Sakoman 
---
 .../linux/linux-yocto-rt_5.15.bb  |  4 ++--
 .../linux/linux-yocto-tiny_5.15.bb|  4 ++--
 meta/recipes-kernel/linux/linux-yocto_5.15.bb | 22 +--
 3 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb 
b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
index 7e80b6a3b2..00c03411b1 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb
@@ -11,8 +11,8 @@ python () {
 raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to 
linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "e856ac0473964a3f7b3b5544814decb8ae514c9a"
-SRCREV_meta ?= "7057b38eb882224cc002d13b7303e1a1767fa629"
+SRCREV_machine ?= "da32201bc41d994b0300c6b4738505f4875dc190"
+SRCREV_meta ?= "bef59dc5a78b4d101d1be23d4b36a73fd849241a"
 
 SRC_URI = 
"git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \

git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
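Review bot: the hunk bumps SRCREV_meta alongside SRCREV_machine, but the commit message only describes the kernel-side backport (GD_SUPPRESS_PART_SCAN, upstream b9684a71fca79) and says nothing about a yocto-kernel-cache change. Either note what moved in the kernel-cache tree or state that the meta bump only keeps the rt, tiny and standard recipes on the same cache revision, so a reader can tell whether the partition-scanning fix depends on it.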
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb 
b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
index 7253ab15f3..2051d1c0a1 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "9dc9a9a07dba418b65e884e42e230c6c6e1a7f44"
-SRCREV_meta ?= "7057b38eb882224cc002d13b7303e1a1767fa629"
+SRCREV_machine ?= "540fc92dd7359025bb09962431565b5a9627536b"
+SRCREV_meta ?= "bef59dc5a78b4d101d1be23d4b36a73fd849241a"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb 
b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
index 065091f25a..101aceb3dc 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb
@@ -14,17 +14,17 @@ KBRANCH:qemux86  ?= "v5.15/standard/base"
 KBRANCH:qemux86-64 ?= "v5.15/standard/base"
 KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
 
-SRCREV_machine:qemuarm ?= "f99523c4bf2f8e48e9b2d2cd3cffee6c494b124e"
-SRCREV_machine:qemuarm64 ?= "8ee4ded018a7d795de4df15931c4a0a3a1b1d54d"
-SRCREV_machine:qemumips ?= "b8fbb69a10c4eea7ae580e8249a46056d1db24d1"
-SRCREV_machine:qemuppc ?= "533c5a1f7605c4f94161378a24a5d938b4b8c269"
-SRCREV_machine:qemuriscv64 ?= "68dd3d2718105c6a692c1333ae24c939297f8337"
-SRCREV_machine:qemuriscv32 ?= "68dd3d2718105c6a692c1333ae24c939297f8337"
-SRCREV_machine:qemux86 ?= "68dd3d2718105c6a692c1333ae24c939297f8337"
-SRCREV_machine:qemux86-64 ?= 

[OE-core][kirkstone 6/8] linux-yocto/5.15: update CVE exclusions (5.15.150)

2024-03-12 Thread Steve Sakoman
From: Bruce Ashfield 

Data pulled from: https://github.com/nluedtke/linux_kernel_cves

1/1 [
Author: Nicholas Luedtke
Email: nicholas.lued...@uwalumni.com
Subject: Update 25Feb24
Date: Sun, 25 Feb 2024 07:03:08 -0500

]

Signed-off-by: Bruce Ashfield 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-kernel/linux/cve-exclusion_5.15.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-kernel/linux/cve-exclusion_5.15.inc 
b/meta/recipes-kernel/linux/cve-exclusion_5.15.inc
index 2e30efe6be..922d7f457f 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_5.15.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_5.15.inc
@@ -1,9 +1,9 @@
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2024-02-26 23:36:34.200936 for version 5.15.149
+# Generated at 2024-03-08 10:36:30.059302 for version 5.15.150
 
 python check_kernel_cve_status_version() {
-this_version = "5.15.149"
+this_version = "5.15.150"
 kernel_version = d.getVar("LINUX_VERSION")
 if kernel_version != this_version:
 bb.warn("Kernel CVE status needs updating: generated for %s but kernel 
is %s" % (this_version, kernel_version))
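Review bot: the hunk only moves this_version and the generation stamp from 5.15.149 to 5.15.150; per the diffstat (2 insertions, 2 deletions) no exclusion entries change, and the commit message cites the same linux_kernel_cves commit ("Update 25Feb24") that patch 3/8 used for 5.15.149. If that data predates the 5.15.150 release, the file now claims 5.15.150 coverage while carrying 5.15.149 data, and any CVE fixed in 5.15.150 will keep being reported by cve-check; confirm the data source was refreshed, or say in the commit message that no new entries were expected.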
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196988): 
https://lists.openembedded.org/g/openembedded-core/message/196988
Mute This Topic: https://lists.openembedded.org/mt/104884679/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][kirkstone 5/8] linux-yocto/5.15: update to v5.15.150

2024-03-12 Thread Steve Sakoman
From: Bruce Ashfield 

Updating linux-yocto/5.15 to the latest korg -stable release that comprises
the following commits:

80efc6265290 Linux 5.15.150
da6cabc1981e r8169: use new PM macros
b7f3fac6d301 netfilter: nf_tables: can't schedule in nft_chain_validate
a4efc62cd1ed ext4: avoid bb_free and bb_fragments inconsistency in 
mb_free_blocks()
c1317822e2de ext4: regenerate buddy after block freeing failed if under fc 
replay
d82ec7529c5f netfilter: nf_tables: fix scheduling-while-atomic splat
97eaa2955db4 arp: Prevent overflow in arp_req_get().
d7b6fa97ec89 fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via 
libaio
df31d05f0678 cifs: fix mid leak during reconnection after timeout threshold
aade859419ce i2c: imx: when being a target, mark the last read as processed
cb21407f0b39 i2c: imx: Add timer for handling the stop condition
33f649f1b1ce drm/amd/display: Fix memory leak in dm_sw_fini()
9a03126588e5 drm/syncobj: call drm_syncobj_fence_add_wait when 
WAIT_AVAILABLE flag is set
13b57b5cd591 netfilter: nft_flow_offload: release dst in case direct xmit 
path is used
4c167af9f6b5 netfilter: nft_flow_offload: reset dst in route object after 
setting up flow
7c71b831220e netfilter: flowtable: simplify route logic
664264a5c55b netfilter: nf_tables: set dormant flag on hook register failure
4338032aa90b tls: stop recv() if initial process_rx_list gave us non-DATA
ea845237a39d tls: rx: drop pointless else after goto
8b32e43a80a1 tls: rx: jump to a more appropriate label
39603a6d4e71 s390: use the correct count for __iowrite64_copy()
8cae520f21ad octeontx2-af: Consider the action set by PF
6dae096960bc drm/nouveau/instmem: fix uninitialized_var.cocci warning
4d3b2bd995ed net: dev: Convert sa_data to flexible array in struct sockaddr
d65ec3e48f70 packet: move from strlcpy with unused retval to strscpy
91b020aaa1e5 ipv6: sr: fix possible use-after-free and null-ptr-deref
e56662160fc2 afs: Increase buffer size in afs_update_volume_status()
5268bb02107b bpf: Fix racing between bpf_timer_cancel_and_free and 
bpf_timer_cancel
6800ad7417f3 ata: ahci_ceva: fix error handling for Xilinx GT PHY support
7fcc31a3a705 ata: libahci_platform: Introduce reset assertion/deassertion 
methods
ddac2e0e656e ata: libahci_platform: Convert to using devm bulk clocks API
302b92b37304 ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid
a75b49547831 ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid
2a7b878a7dad net: stmmac: Fix incorrect dereference in interrupt handlers
a41d9142d2dd nouveau: fix function cast warnings
1087c284fd11 scsi: jazz_esp: Only build if SCSI core is builtin
4e395fb89e7e bpf, scripts: Correct GPL license name
cd6070d9f5e7 RDMA/srpt: fix function pointer cast warnings
656bd1702fea arm64: dts: rockchip: set num-cs property for spi on px30
135e5465fefa RDMA/qedr: Fix qedr_create_user_qp error flow
989af2f29342 RDMA/srpt: Support specifying the srpt_service_guid parameter
b6e660e07622 RDMA/irdma: Add AE for too many RNRS
056ed95befd1 RDMA/irdma: Set the CQ read threshold for GEN 1
a95d4cf82775 RDMA/irdma: Validate max_send_wr and max_recv_wr
635d79aa477f RDMA/irdma: Fix KASAN issue with tasklet
aeb5ac1c9d10 RDMA/bnxt_re: Return error for SRQ resize
52de5805c147 IB/hfi1: Fix a memleak in init_credit_return
48c63a174489 cifs: add a warning when the in-flight count goes negative
6538b6d13ce3 xhci: track port suspend state correctly in unsuccessful 
resume cases
8839d5728baa xhci: decouple usb2 port resume and get_port_status request 
handling
8af9de2a5ba1 xhci: clear usb2 resume related variables in one place.
a99c8f1abef9 xhci: rename resume_done to resume_timestamp
63f0e79cf382 xhci: move port specific items such as state completions to 
port structure
ea6c19c7365d xhci: cleanup xhci_hub_control port references
95973afc870c ACPI: resource: Skip IRQ override on ASUS ExpertBook B1502CBA
4f080b6487bd ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA
c2a9376d507e ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks
1b64ff947a5a ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA
f3607954f2e6 ACPI: resource: Add ASUS model S5402ZA to quirks
27e99d785721 ACPI: video: Add backlight=native DMI quirk for Apple iMac12,1 
and iMac12,2
cb1003c07e74 ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch
28e5e3e59b3b arm64: dts: rockchip: add SPDIF node for ROCK Pi 4
99c8b2e99783 arm64: dts: rockchip: add ES8316 codec for ROCK Pi 4
371036bf7666 arm64: dts: rockchip: fix regulator name on rk3399-rock-4
92dcd7d6c606 exfat: support dynamic allocate bh for exfat_entry_set_cache
b4dc693b29ef wifi: iwlwifi: mvm: avoid baid size integer overflow
fa92c463eba7 igb: Fix igb_down hung on surprise removal
16f653776caf wifi: 

[OE-core][kirkstone 3/8] linux-yocto/5.15: update CVE exclusions

2024-03-12 Thread Steve Sakoman
From: Bruce Ashfield 

Data pulled from: https://github.com/nluedtke/linux_kernel_cves

1/1 [
Author: Nicholas Luedtke
Email: nicholas.lued...@uwalumni.com
Subject: Update 25Feb24
Date: Sun, 25 Feb 2024 07:03:08 -0500

]

Signed-off-by: Bruce Ashfield 
Signed-off-by: Steve Sakoman 
---
 .../linux/cve-exclusion_5.15.inc  | 197 +-
 1 file changed, 190 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-kernel/linux/cve-exclusion_5.15.inc 
b/meta/recipes-kernel/linux/cve-exclusion_5.15.inc
index d33f2b3c7f..2e30efe6be 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_5.15.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_5.15.inc
@@ -1,9 +1,9 @@
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2024-02-06 21:02:11.546853 for version 5.15.148
+# Generated at 2024-02-26 23:36:34.200936 for version 5.15.149
 
 python check_kernel_cve_status_version() {
-this_version = "5.15.148"
+this_version = "5.15.149"
 kernel_version = d.getVar("LINUX_VERSION")
 if kernel_version != this_version:
 bb.warn("Kernel CVE status needs updating: generated for %s but kernel 
is %s" % (this_version, kernel_version))
@@ -7433,6 +7433,99 @@ CVE_CHECK_IGNORE += "CVE-2023-5197"
 # cpe-stable-backport: Backported in 5.15.147
 CVE_CHECK_IGNORE += "CVE-2023-52340"
 
+# cpe-stable-backport: Backported in 5.15.149
+CVE_CHECK_IGNORE += "CVE-2023-52429"
+
+# fixed-version: only affects 6.5rc6 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52433"
+
+# CVE-2023-52434 needs backporting (fixed from 6.7rc6)
+
+# cpe-stable-backport: Backported in 5.15.149
+CVE_CHECK_IGNORE += "CVE-2023-52435"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52436"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52438"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52439"
+
+# fixed-version: only affects 5.17rc4 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52440"
+
+# cpe-stable-backport: Backported in 5.15.145
+CVE_CHECK_IGNORE += "CVE-2023-52441"
+
+# cpe-stable-backport: Backported in 5.15.145
+CVE_CHECK_IGNORE += "CVE-2023-52442"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52443"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52444"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52445"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52446"
+
+# CVE-2023-52447 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52448"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52449"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52450"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52451"
+
+# CVE-2023-52452 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52453"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52454"
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52455"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52456"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52457"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52458"
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52459"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52460"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52461"
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_IGNORE += "CVE-2023-52462"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52463"
+
+# cpe-stable-backport: Backported in 5.15.148
+CVE_CHECK_IGNORE += "CVE-2023-52464"
+
 # fixed-version: only affects 6.1rc1 onwards
 CVE_CHECK_IGNORE += "CVE-2023-5345"
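Review bot: the three entries added as comments only (CVE-2023-52434, CVE-2023-52447 and CVE-2023-52452, each "needs backporting") will keep being reported by cve-check, which is the intended outcome, but they are easy to lose inside a 190-line generated block; a line in the commit message listing the open backports would give the 5.15 maintainers something to track. Several "Backported in 5.15.148" and "5.15.145" entries also only appear now, so the previous generated file was missing them; that is expected when the upstream data lags, but worth stating for the kirkstone reviewers.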
 
@@ -7464,6 +7557,8 @@ CVE_CHECK_IGNORE += "CVE-2023-6200"
 
 # CVE-2023-6238 has no known resolution
 
+# CVE-2023-6240 has no known resolution
+
 # CVE-2023-6270 has no known resolution
 
 # CVE-2023-6356 has no known resolution
@@ -7511,7 +7606,8 @@ CVE_CHECK_IGNORE += "CVE-2023-7192"
 # fixed-version: only affects 6.5rc6 onwards
 CVE_CHECK_IGNORE += "CVE-2024-0193"
 
-# CVE-2024-0340 needs backporting (fixed from 6.4rc6)
+# cpe-stable-backport: Backported in 5.15.149
+CVE_CHECK_IGNORE += "CVE-2024-0340"
 
 # fixed-version: only affects 6.2rc1 onwards
 CVE_CHECK_IGNORE += "CVE-2024-0443"
@@ -7549,22 +7645,109 @@ CVE_CHECK_IGNORE += "CVE-2024-0775"
 # cpe-stable-backport: Backported in 5.15.148
 CVE_CHECK_IGNORE += "CVE-2024-1085"
 
-# CVE-2024-1086 needs backporting (fixed from 6.8rc2)
+# cpe-stable-backport: Backported in 5.15.149

[OE-core][kirkstone 4/8] linux-yocto/5.10: update to v5.10.210

2024-03-12 Thread Steve Sakoman
From: Bruce Ashfield 

Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:

aa6ca808a467 Linux 5.10.210
cf5a69e35591 PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq()
9f53d24852ff net: bcmgenet: Fix EEE implementation
9a865a11d689 netfilter: nf_tables: fix pointer math issue in 
nft_byteorder_eval()
67f386f75637 drm/msm/dsi: Enable runtime PM
21b38d85f6de PM: runtime: Have devm_pm_runtime_enable() handle 
pm_runtime_dont_use_autosuspend()
ede393e11819 PM: runtime: add devm_pm_runtime_enable helper
a891a0621e72 dm: limit the number of targets and parameter size area
c90746c03b3c nilfs2: replace WARN_ONs for invalid DAT metadata block 
requests
f3e4963566f5 nilfs2: fix potential bug in end_buffer_async_write
db896bbe4a9c sched/membarrier: reduce the ability to hammer on 
sys_membarrier
8f8f18564374 net: prevent mss overflow in skb_segment()
f7e0231eeaa3 Revert "arm64: Stash shadow stack pointer in the task struct 
on interrupt"
70ca0dbae4e9 hrtimer: Ignore slack time for RT tasks in 
schedule_hrtimeout_range()
c80ddc10927f netfilter: ipset: Missing gc cancellations fixed
a24d5f2ac8ef netfilter: ipset: fix performance regression in swap operation
583a6c76b949 scripts/decode_stacktrace.sh: optionally use LLVM utilities
0f906882eba5 scripts: decode_stacktrace: demangle Rust symbols
a3d71b6ae935 scripts/decode_stacktrace.sh: support old bash version
ae992f14b117 scripts/decode_stacktrace.sh: silence stderr messages from 
addr2line/nm
00f09825e14c serial: 8250_exar: Set missing rs485_supported flag
84bf7b87594d serial: 8250_exar: Fill in rs485_supported
dfd8b9d26b8b serial: Add rs485_supported to uart_port
0c3687822259 crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init
e0d2eeec88ae mips: Fix max_mapnr being uninitialized on early stages
41a4bd51d87c PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq() alignment 
support
ff67f77fb0fc bus: moxtet: Add spi device table
88ec9bbcd33c Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
6a42eb0d2170 tracing: Inform kmemleak of saved_cmdlines allocation
3a6e27dbe2fe pmdomain: core: Move the unused cleanup to a _sync initcall
978e50ef8c38 can: j1939: Fix UAF in j1939_sk_match_filter during 
setsockopt(SO_J1939_FILTER)
e4a6d3acaddb of: property: fix typo in io-channels
8180d0c27b93 ceph: prevent use-after-free in encode_cap_msg()
2e9506c9e0b9 s390/qeth: Fix potential loss of L3-IP@ in case of network 
issues
888679afbfc2 irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update
2809645d8ae2 irqchip/irq-brcmstb-l2: Add write memory barrier before exit
45a3657c3fae wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
c7fa9590a9b2 nfp: flower: prevent re-adding mac index for bonded port
962091c40813 nfp: use correct macro for LengthSelect in BAR config
58054faf3bd2 crypto: ccp - Fix null pointer dereference in 
__sev_platform_shutdown_locked
98a4026b22ff nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
364a66be2abd nilfs2: fix data corruption in dsync block recovery for small 
block sizes
a643d8d17947 ALSA: hda/conexant: Add quirk for SWS JS201D
ca0533fe6650 mmc: slot-gpio: Allow non-sleeping GPIO ro
bdc29f9ca3b1 x86/mm/ident_map: Use gbpages only where full GB page should 
be mapped.
09f21bee5b02 x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
1a8a72ee17e4 serial: max310x: improve crystal stable clock detection
6f248ee7aade serial: max310x: set default value when reading clock ready bit
92a0a5d61376 ring-buffer: Clean ring_buffer_poll_wait() error return
9ec807e7b6f5 hv_netvsc: Fix race condition between netvsc_probe and 
netvsc_remove
93d8109bf182 media: rc: bpf attach/detach requires write permission
a98ccbcddbb5 iio: accel: bma400: Fix a compilation problem
36a49290d7e6 iio: magnetometer: rm3100: add boundary check for the value 
read from RM3100_REG_TMRC
fa5884dd5bc2 staging: iio: ad5933: fix type mismatch regression
8a744f925de0 tracing: Fix wasted memory in saved_cmdlines logic
d033a555d9a1 ext4: fix double-free of blocks due to wrong extents moved_len
f86e12415b4e misc: fastrpc: Mark all sessions as invalid in cb_remove
a423042052ec binder: signal epoll threads of self-work
6d11240dd11b ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL
cdaddb457d9e xen-netback: properly sync TX responses
0d8011a878fd net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()
2f6d16f0520d nfc: nci: free rx_data_reassembly skb on NCI device cleanup
5abf3e8af2e3 kbuild: Fix changing ELF file type for output of gen_btf for 
big endian
6717c593c7cf firewire: core: correct documentation of fw_csr_string() 
kernel API
2dc1d93b2c77 lsm: fix the logic in security_inode_getsecctx()
7d4e19f7ff64 scsi: Revert "scsi: fcoe: Fix potential deadlock 

[OE-core][kirkstone 1/8] go: Backport fix CVE-2024-24784 & CVE-2024-24785

2024-03-12 Thread Steve Sakoman
From: Vivek Kumbhar 

Backport fixes for :

CVE-2024-24784 - Upstream-Status: Backport from 
https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c
CVE-2024-24785 - Upstream-Status: Backport from 
https://github.com/golang/go/commit/056b0edcb8c152152021eebf4cf42adbfbe77992

Signed-off-by: Vivek Kumbhar 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |   2 +
 .../go/go-1.18/CVE-2024-24784.patch   | 207 ++
 .../go/go-1.18/CVE-2024-24785.patch   | 196 +
 3 files changed, 405 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index e635445579..768961de2c 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -53,6 +53,8 @@ SRC_URI += "\
 file://CVE-2023-45287.patch \
 file://CVE-2023-45289.patch \
 file://CVE-2023-45290.patch \
+file://CVE-2024-24784.patch \
+file://CVE-2024-24785.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
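Review bot: both new patch files go under go-1.18/ while the include being edited is go-1.17.13.inc (see the diffstat). That matches where the existing CVE-2023-45287/45289/45290 patches live, so it is consistent, but the embedded upstream commits are tagged [release-branch.go1.22], and the commit message should say whether they applied to the 1.17.13 net/mail source unchanged or needed adaptation, since a reviewer cannot tell that from the SRC_URI hunk alone.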
 
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch 
b/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
new file mode 100644
index 00..d3fc6b0313
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
@@ -0,0 +1,207 @@
+From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker 
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
+ characters in phrase and obs-phrase
+
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+
+Additionally properly handle trailing malformed comments in the group
+syntax.
+
+For #65083
+Fixed #65849
+
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/96
+Reviewed-by: Damien Neil 
+LUCI-TryBot-Result: Go LUCI 

+Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
+Reviewed-by: Carlos Amedee 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
+CVE: CVE-2024-24784
+Signed-off-by: Vivek Kumbhar 
+---
+ src/net/mail/message.go  | 30 +++
+ src/net/mail/message_test.go | 40 ++--
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index 47bbf6c..84f48f0 100644
+--- a/src/net/mail/message.go
 b/src/net/mail/message.go
+@@ -231,7 +231,7 @@ func (a *Address) String() string {
+   // Add quotes if needed
+   quoteLocal := false
+   for i, r := range local {
+-  if isAtext(r, false, false) {
++  if isAtext(r, false) {
+   continue
+   }
+   if r == '.' {
+@@ -395,7 +395,7 @@ func (p *addrParser) parseAddress(handleGroup bool) 
([]*Address, error) {
+   if !p.consume('<') {
+   atext := true
+   for _, r := range displayName {
+-  if !isAtext(r, true, false) {
++  if !isAtext(r, true) {
+   atext = false
+   break
+   }
+@@ -430,7 +430,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, 
error) {
+   // handle empty group.
+   p.skipSpace()
+   if p.consume(';') {
+-  p.skipCFWS()
++  if !p.skipCFWS() {
++  return nil, errors.New("mail: misformatted 
parenthetical comment")
++  }
+   return group, nil
+   }
+
+@@ -447,7 +449,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, 
error) {
+   return nil, errors.New("mail: misformatted 
parenthetical comment")
+   }
+   if p.consume(';') {
+-  p.skipCFWS()
++  if !p.skipCFWS() {
++  return nil, errors.New("mail: misformatted 
parenthetical comment")
++  }
+   break
+   }
+   if !p.consume(',') {
+@@ -517,6 +521,12 @@ func (p *addrParser) consumePhrase() (phrase string, err 
error) {
+   var words []string
+   var isPrevEncoded bool
+   for {
++  // obs-phrase allows CFWS after one word
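Review bot: the first Reviewed-on URL in the embedded patch header reads "https://go-review.googlesource.com/c/go/+/96", which is truncated as shown here; the full change id is needed by anyone tracing the fix (the second one, /566215, is intact). Separately, the two consumeGroupList hunks turn a previously ignored skipCFWS failure into an error ("mail: misformatted parenthetical comment"), so a group address with a malformed trailing comment now fails to parse instead of being accepted; that is the intended hardening and message_test.go is updated in the same patch, but it is the behaviour change worth calling out in the recipe commit message.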

[OE-core][kirkstone 2/8] linux-yocto/5.15: update to v5.15.149

2024-03-12 Thread Steve Sakoman
From: Bruce Ashfield 

Updating linux-yocto/5.15 to the latest korg -stable release that comprises
the following commits:

458ce51d0356 Linux 5.15.149
d72da18772ff usb: dwc3: gadget: Ignore End Transfer delay on teardown
acff71e58748 media: Revert "media: rkisp1: Drop IRQF_SHARED"
9ae312f7f3c2 usb: dwc3: gadget: Execute gadget stop after halting the 
controller
921acacb92b7 usb: dwc3: gadget: Don't delay End Transfer on delayed_status
4178bfa3fc9d staging: fbtft: core: set smem_len before fb_deferred_io_init 
call
9e25a0054090 smb3: Replace smb2pdu 1-element arrays with flex-arrays
0b49eac39c99 fs/ntfs3: Add null pointer checks
4c73597f68d7 net: bcmgenet: Fix EEE implementation
62900d358c48 Revert "selftests/bpf: Test tail call counting with bpf2bpf 
and data on stack"
75ac8dc02850 drm/msm/dsi: Enable runtime PM
c7a0fa3a6657 PM: runtime: Have devm_pm_runtime_enable() handle 
pm_runtime_dont_use_autosuspend()
1974b3c19a79 arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 
errata
888a0a46b80f dm: limit the number of targets and parameter size area
cf4da91e99f1 nilfs2: replace WARN_ONs for invalid DAT metadata block 
requests
8fa90634ec3e nilfs2: fix potential bug in end_buffer_async_write
50fb4e17df31 sched/membarrier: reduce the ability to hammer on 
sys_membarrier
b9aafef74407 netfilter: ipset: Missing gc cancellations fixed
6c53e8547687 net: prevent mss overflow in skb_segment()
95c0babebe6a hrtimer: Ignore slack time for RT tasks in 
schedule_hrtimeout_range()
c2dc077d8f72 netfilter: ipset: fix performance regression in swap operation
3b3e4d3560e3 scripts/decode_stacktrace.sh: optionally use LLVM utilities
473791d286a8 scripts: decode_stacktrace: demangle Rust symbols
1ce4ac55d96e scripts/decode_stacktrace.sh: support old bash version
2655757a3f10 fbdev: flush deferred IO before closing
15492bab7393 fbdev: Fix incorrect page mapping clearance at 
fb_deferred_io_release()
87b9802ca824 fbdev: Fix invalid page access after closing deferred I/O 
devices
9a95fc04261f fbdev: Rename pagelist to pagereflist for deferred I/O
186b89659c4c fbdev: Track deferred-I/O pages in pageref struct
e79b2b2aadef fbdev: defio: fix the pagelist corruption
0616b00a31d6 fbdev: Don't sort deferred-I/O pages by default
5d3aff76a316 fbdev/defio: Early-out if page is already enlisted
48a09969e43e serial: 8250_exar: Set missing rs485_supported flag
9ef7419bc20c serial: 8250_exar: Fill in rs485_supported
aded03eda2ba usb: dwc3: gadget: Queue PM runtime idle on disconnect event
21f0bff281b5 usb: dwc3: gadget: Handle EP0 request dequeuing properly
89353c886477 usb: dwc3: gadget: Refactor EP0 forced stall/restart into a 
separate API
915619257332 usb: dwc3: gadget: Stall and restart EP0 if host is 
unresponsive
352b38d15c6d usb: dwc3: gadget: Submit endxfer command if delayed during 
disconnect
9cccdcc95e33 usb: dwc3: gadget: Force sending delayed status during soft 
disconnect
1ea8a2a532e9 usb: dwc3: Fix ep0 handling when getting reset while doing 
control transfer
12c0a0804ade usb: dwc3: gadget: Delay issuing End Transfer
487341852fbc usb: dwc3: gadget: Only End Transfer for ep0 data phase
9273bd26b06d usb: dwc3: ep0: Don't prepare beyond Setup stage
92f7a10a2bfe usb: dwc3: gadget: Wait for ep0 xfers to complete during 
dequeue
2bb86817b33c crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init
44a8a2c92e5a bus: moxtet: Add spi device table
4e82b9c11d3c dma-buf: add dma_fence_timestamp helper
36f7371de977 af_unix: Fix task hung while purging oob_skb in GC.
ff2f35f5cda0 tracing: Inform kmemleak of saved_cmdlines allocation
579cb4ff1fc5 pmdomain: core: Move the unused cleanup to a _sync initcall
41ccb5bcbf03 can: j1939: Fix UAF in j1939_sk_match_filter during 
setsockopt(SO_J1939_FILTER)
03358aba9916 can: j1939: prevent deadlock by changing j1939_socks_lock to 
rwlock
6315697fc5bf of: property: fix typo in io-channels
310c7d9853ef mm: hugetlb pages should not be reserved by shmat() if 
SHM_NORESERVE
70e329b44076 ceph: prevent use-after-free in encode_cap_msg()
99fa6d451d98 net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio
ff42d99e50b9 s390/qeth: Fix potential loss of L3-IP@ in case of network 
issues
ddb4be0eb2ac net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio
86244ae70715 irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update
27a2af914ff5 irqchip/irq-brcmstb-l2: Add write memory barrier before exit
b10c8883f845 wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
ef5b1041f756 nfp: flower: prevent re-adding mac index for bonded port
e58efe0f7af8 nfp: use correct macro for LengthSelect in BAR config
7535ec350a5f crypto: ccp - Fix null pointer dereference in 
__sev_platform_shutdown_locked
7e9b622bd074 nilfs2: fix hang in 

[OE-core][kirkstone 0/8] Patch review

2024-03-12 Thread Steve Sakoman
Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, March 13

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6670

The following changes since commit e5aae8a371717215a7d78459788ad67dfaefe37e:

  golang: Fix CVE-2023-45289 & CVE-2023-45290 (2024-03-07 04:18:33 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (6):
  linux-yocto/5.15: update to v5.15.149
  linux-yocto/5.15: update CVE exclusions
  linux-yocto/5.10: update to v5.10.210
  linux-yocto/5.15: update to v5.15.150
  linux-yocto/5.15: update CVE exclusions (5.15.150)
  linux-yocto/5.15: fix partition scanning

Nikhil R (1):
  librsvg: Fix do_package_qa error for librsvg

Vivek Kumbhar (1):
  go: Backport fix CVE-2024-24784 & CVE-2024-24785

 meta/recipes-devtools/go/go-1.17.13.inc   |   2 +
 .../go/go-1.18/CVE-2024-24784.patch   | 207 ++
 .../go/go-1.18/CVE-2024-24785.patch   | 196 +
 meta/recipes-gnome/librsvg/librsvg_2.52.10.bb |   2 +
 .../linux/cve-exclusion_5.15.inc  | 197 -
 .../linux/linux-yocto-rt_5.10.bb  |   4 +-
 .../linux/linux-yocto-rt_5.15.bb  |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb|   6 +-
 .../linux/linux-yocto-tiny_5.15.bb|   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  22 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +--
 11 files changed, 632 insertions(+), 42 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch

-- 
2.34.1





Re: [OE-core] Yocto rpm packages do not keep the modified CONFFILES

2024-03-12 Thread Alexander Kanavin
On Tue, 12 Mar 2024 at 02:57, Chen, Qi  wrote:
>
> Packages + overrides are a very common way to configure/customize images.
>
> Take OE itself as an example, the sshd_config is a conffile for openssh, but 
> in rootfs-postcommands.bbclass, it is customized.
> This means sshd_config might be different from the one that is recorded in 
> rpm database. This is a similar situation with the original question.
> The original question is basically equal to: are we going to keep the 
> sshd_config we customized when we upgrade the openssh on target?
>
> Ideally, packages should be designed to allow config snippets 
> (/etc/xxx.conf.d/) or some override mechanism (default conf in /usr/lib and 
> override in /etc). But there'll always be packages that lack such mechanisms. 
> Using 'noreplace' seems a reasonable choice.
>
> For the default behavior of OE, I'd suggest we change to use 'noreplace'. 
> Because the more unlikely people modify their target files (as Alex pointed 
> out for embedded devices), the more important those modifications might be.

With this I agree. There's also just been a patchset that refactors
ssh config into just that kind of snippet mechanism.

But if we add noreplace, we also need to ensure its behaviour is
consistent with deb and ipk backends as RP said.

Alex
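The thread above weighs 'noreplace' against the default conffile handling. As an added example (not OE, rpm or dpkg code), here is a small model of the decision rpm makes for one %config file, run on constructed sshd_config contents, showing what changes when the file is flagged noreplace. The rules are my summary of rpm's behaviour (.rpmsave versus .rpmnew), and the hash comparison stands in for rpm's verify of the installed file against its rpmdb record.

```python
# Added example for this thread (not OE or rpm code): a model of how an rpm
# upgrade decides what to do with one %config file, and what 'noreplace'
# changes. The rules encode rpm's %config vs %config(noreplace) handling as
# summarised here; the sshd_config contents below are constructed sample data.
import hashlib
from enum import Enum


class Action(Enum):
    INSTALL_NEW = "install new file"
    KEEP_DISK = "package file unchanged, leave the on-disk file alone"
    RPMSAVE = "install new file, preserve user copy as <file>.rpmsave"
    RPMNEW = "keep user copy, write new file as <file>.rpmnew"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide_conffile(on_disk: bytes, old_pkg: bytes, new_pkg: bytes,
                    noreplace: bool) -> Action:
    """Decide what an rpm upgrade does with one %config file.

    on_disk   - current file on the target (after any image-time customisation)
    old_pkg   - the file as shipped by the installed package (what rpmdb records)
    new_pkg   - the file as shipped by the package being installed
    noreplace - whether the file is flagged %config(noreplace)
    """
    if digest(old_pkg) == digest(new_pkg):
        # The package did not change the file; rpm leaves local edits in place.
        return Action.KEEP_DISK
    if digest(on_disk) == digest(old_pkg):
        # Never modified locally: the new version is installed silently.
        return Action.INSTALL_NEW
    # Locally modified *and* the package changed it: the flag decides who wins.
    return Action.RPMNEW if noreplace else Action.RPMSAVE


# Constructed sample: the stock sshd_config from two package versions, and the
# copy on the device after a rootfs-postcommands style customisation.
OLD_SSHD_CONFIG = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
NEW_SSHD_CONFIG = b"PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
CUSTOMISED_SSHD_CONFIG = b"PermitRootLogin no\nPasswordAuthentication no\n"


def upgrade_scenarios() -> dict:
    """Outcome of the upgrade for the sample file under both flags and both
    local states; the keys name the scenario."""
    return {
        "untouched, config":
            decide_conffile(OLD_SSHD_CONFIG, OLD_SSHD_CONFIG, NEW_SSHD_CONFIG, False),
        "untouched, noreplace":
            decide_conffile(OLD_SSHD_CONFIG, OLD_SSHD_CONFIG, NEW_SSHD_CONFIG, True),
        "customised, config":
            decide_conffile(CUSTOMISED_SSHD_CONFIG, OLD_SSHD_CONFIG, NEW_SSHD_CONFIG, False),
        "customised, noreplace":
            decide_conffile(CUSTOMISED_SSHD_CONFIG, OLD_SSHD_CONFIG, NEW_SSHD_CONFIG, True),
        "customised, package unchanged":
            decide_conffile(CUSTOMISED_SSHD_CONFIG, OLD_SSHD_CONFIG, OLD_SSHD_CONFIG, False),
    }


if __name__ == "__main__":
    for name, action in upgrade_scenarios().items():
        print(f"{name:32s} -> {action.value}")
```

The "customised, config" case is the one the thread is worried about: a hardening edit such as PermitRootLogin no made at image build time is moved aside to sshd_config.rpmsave and the package default comes back on upgrade, silently if the upgrade is unattended. With noreplace the edit survives and the new default lands in sshd_config.rpmnew for someone to merge. The deb and ipk backends apply their own conffile rules, which is the consistency point raised in the reply.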




Re: [OE-core] Patchtest results for [PATCH 2/7] openssh-config: initial checkin

2024-03-12 Thread Trevor Gamblin


On 2024-03-11 14:12, Enrico Scholz via lists.openembedded.org wrote:

patcht...@automation.yoctoproject.org writes:


FAIL: test lic files chksum modified not mentioned: LIC_FILES_CHKSUM changed without 
"License-Update:" tag and description in commit message 
(test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)

This failure seems to be bogus; patch creates a new recipe with a new
LIC_FILES_CHKSUM.  It does not change/update an existing tag.

Noted. We'll have to tweak the test...



Enrico




-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196980): 
https://lists.openembedded.org/g/openembedded-core/message/196980
Mute This Topic: https://lists.openembedded.org/mt/104868543/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [PATCH 0/7] Replace sshd_config patching by snippets

2024-03-12 Thread Alexander Kanavin
It's a very much welcome refactoring (existing code is an inconsistent
mess), but there's also a feature freeze right now, and this patchset
is invasive. Can you resubmit once the LTS is out?

Alex

On Mon, 11 Mar 2024 at 18:19, Enrico Scholz via lists.openembedded.org
 wrote:
>
> To deal with system setups, sshd was configured in the following way:
>
>  - sshd_config is shipped completely by OE and DISTRO_FEATURES (pam,
>x11) are patched in during do_install
>
>--> this is difficult to maintain; e.g. sshd_config must be
>synchronized between OpenSSH releases and OE adaptations
>manually inserted
>
>  - two different configuration files (sshd_config + sshd_config_readonly)
>are created; IMAGE_FEATURES decides which one is used and it is patched
>in a ROOTFS_COMMAND in the system
>
>--> this makes it difficult for third-party recipes to incorporate
>their changes (they have to go over both files)
>
>--> the readonly HostKey locations and algorithms are hardcoded
>which makes it difficult to place them e.g. on a persistent
>/opt partition and disable e.g. ecdsa
>
>  - depending on IMAGE_FEATURES (empty passwords, root login), both
>files are patched by a ROOTFS_POSTCOMMAND
>
>--> these changes are lost when pkgmgmt is used for the image and
>openssh being updated
>
>
> The patchset:
>
>  - reduces changes to sshd_config to
>
>| Include /etc/ssh/sshd_config.d/*.conf
>
>--> This is already done in the current recipe and most mainline
>Linux distributions are doing it
>
>  - moves configuration in new openssh-config recipe which is a weak
>dependency of openssh (and can be replaced by another IMAGE_INSTALL)
>
>Recipe ships configuration as small snippets which might contain
>dynamically created content (e.g. 'UsePAM yes')
>
>  - IMAGE_FEATURE based setup is done by creating subpackages with
>the corresponding options.  These subpackages are added to
>FEATURE_PACKAGES_ssh-server-openssh
>
>  - readonly rootfs setup has been enhanced by
>
>| RO_KEYDIR ??= "/var/run/ssh"
>| KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
>
>parameters which can be overridden.
>
>
> Enrico Scholz (7):
>   openssh: replace complete configuration files by patch
>   openssh-config: initial checkin
>   openssh: move configuration tweaking in configuration recipe
>   image: prepare openssh configuration
>   openssh: replace 'allow-empty-password' rootfs script by configuration
>   openssh: replace 'allow-root-login' rootfs script by configuration
>   openssh: move read-only-rootfs setup in configuration snippet
>
>  meta/classes-recipe/core-image.bbclass|  19 ++-
>  .../rootfs-postcommands.bbclass   |  25 +---
>  .../openssh/openssh-config.bb |  51 
>  .../60-allow-empty-password.conf  |   1 +
>  .../openssh-config/60-allow-root-login.conf   |   1 +
>  .../openssh/openssh-config/80-oe.conf |   5 +
>  .../openssh/openssh/include-conf.patch|  32 +
>  .../openssh/openssh/ssh_config|  48 ---
>  .../openssh/openssh/sshd_config   | 119 --
>  .../openssh/openssh_9.6p1.bb  |  20 +--
>  10 files changed, 112 insertions(+), 209 deletions(-)
>  create mode 100644 meta/recipes-connectivity/openssh/openssh-config.bb
>  create mode 100644 
> meta/recipes-connectivity/openssh/openssh-config/60-allow-empty-password.conf
>  create mode 100644 
> meta/recipes-connectivity/openssh/openssh-config/60-allow-root-login.conf
>  create mode 100644 
> meta/recipes-connectivity/openssh/openssh-config/80-oe.conf
>  create mode 100644 
> meta/recipes-connectivity/openssh/openssh/include-conf.patch
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
>
> --
> 2.44.0
>
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196979): 
https://lists.openembedded.org/g/openembedded-core/message/196979
Mute This Topic: https://lists.openembedded.org/mt/104868003/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
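The cover letter above rests on one property of sshd_config parsing: the first definition of an option wins, and because the patched files put `Include /etc/ssh/sshd_config.d/*.conf` before any option, a snippet beats anything set later in the main file, and a lower-numbered snippet beats a higher-numbered one. The following is an added example, not code from the series or from OpenSSH: a small model of that resolution run over a constructed temp-dir layout that mirrors the series' file names. The bodies of 60-allow-root-login.conf and 80-oe.conf are assumptions based on their names (the patch series does not show them), and Match blocks are deliberately out of scope. On a real target, `sshd -T` is the authoritative dump of the effective configuration; this model only explains why it comes out the way it does.

```python
"""Model of how sshd resolves sshd_config when Include sits at the top of
the file: options are first-match-wins, Include is expanded inline where it
appears, and glob matches are processed in sorted order. Constructed example
(not OpenSSH or OE code); Match blocks and the 'Keyword=value' form are out
of scope, and `sshd -T` remains the authoritative dump of the live config."""
import glob
import os
import tempfile


def resolve_sshd_config(path, seen=None, depth=0):
    """Return {keyword_lower: (value, source_basename)} holding the FIRST
    definition of every keyword reachable from `path`."""
    if seen is None:
        seen = {}
    if depth > 16:  # sshd also caps Include nesting; stop self-including loops
        raise RecursionError(f"Include nesting too deep at {path}")
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            keyword = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if keyword == "include":
                # Each argument is a glob; sshd's glob(3) call sorts matches,
                # so 60-*.conf is read before 80-*.conf.
                for pattern in value.split():
                    for inc in sorted(glob.glob(pattern)):
                        resolve_sshd_config(inc, seen, depth + 1)
                continue
            if keyword == "match":
                break  # directives after the first Match are conditional; not modelled
            seen.setdefault(keyword, (value, os.path.basename(path)))
    return seen


def build_demo_tree(root):
    """Write a constructed layout mirroring the series: the upstream sample
    sshd_config with the OE Include patch applied, plus two snippets. The
    snippet bodies are assumptions derived from the file names in the series."""
    snippets = os.path.join(root, "sshd_config.d")
    os.makedirs(snippets, exist_ok=True)
    files = {
        os.path.join(root, "sshd_config"): (
            "# upstream sample; the OE patch inserts Include before the first option\n"
            f"Include {snippets}/*.conf\n"
            "#Port 22\n"
            "PermitRootLogin no\n"          # an admin edit in the main file ...
            "PasswordAuthentication yes\n"  # ... both lose to the snippets above
            "MaxAuthTries 3\n"              # nothing earlier sets it, so it sticks
        ),
        os.path.join(snippets, "60-allow-root-login.conf"): (
            "PermitRootLogin yes\n"         # assumed body; sorted first, so it wins
        ),
        os.path.join(snippets, "80-oe.conf"): (
            "PasswordAuthentication no\n"
            "PermitRootLogin prohibit-password\n"  # already set by 60-, ignored
        ),
        os.path.join(snippets, "99-local.conf.disabled"): (
            "PermitRootLogin without-password\n"   # wrong suffix: *.conf skips it
        ),
    }
    for path, body in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return os.path.join(root, "sshd_config")


def effective_config():
    """Build the demo tree in a temp dir and return the resolved options."""
    with tempfile.TemporaryDirectory() as root:
        return resolve_sshd_config(build_demo_tree(root))


if __name__ == "__main__":
    for key, (val, src) in sorted(effective_config().items()):
        print(f"{key:24} {val:20} <- {src}")
```

The output shows PermitRootLogin coming from 60-allow-root-login.conf and PasswordAuthentication from 80-oe.conf even though the main file sets both afterwards, which is exactly why the ordering prefix on the snippet names, and write access to the snippet directory, now decide the daemon's policy.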



Re: [OE-core] [PATCH 1/7, v3] openssh: replace complete configuration files by patch

2024-03-12 Thread Alexander Kanavin
Why is the patch inappropriate for upstream submission? To me it looks
like it should be at least proposed.

Alex

On Tue, 12 Mar 2024 at 12:00, Enrico Scholz via lists.openembedded.org
 wrote:
>
> From: Enrico Scholz 
>
> Instead of shipping the whole configuration files for openssh, add a
> small patch that includes configuration snippets from subdirectories.
>
> This allows us to keep the original upstream configuration, which is
> mainly useful for documentation purposes.  It makes it easier to
> identify OE-specific setup.
>
> Signed-off-by: Enrico Scholz 
> ---
>  .../openssh/openssh/include-conf.patch|  34 +
>  .../openssh/openssh/ssh_config|  48 ---
>  .../openssh/openssh/sshd_config   | 119 --
>  .../openssh/openssh_9.6p1.bb  |   5 +-
>  4 files changed, 35 insertions(+), 171 deletions(-)
>  create mode 100644 
> meta/recipes-connectivity/openssh/openssh/include-conf.patch
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
>  delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/include-conf.patch 
> b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
> new file mode 100644
> index ..0a3f6839f838
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
> @@ -0,0 +1,34 @@
> +Include configuration snippets from subdirectory.
> +
> +NOTE: first configuration option wins.
> +
> +Upstream-Status: Inappropriate [configuration]
> +
> +Signed-off-by: Enrico Scholz 
> +
> +Index: openssh-9.5p1/ssh_config
> +===
> +--- openssh-9.5p1.orig/ssh_config
>  openssh-9.5p1/ssh_config
> +@@ -5,6 +5,8 @@
> + # users, and the values can be changed in per-user configuration files
> + # or on the command line.
> +
> ++Include /etc/ssh/ssh_config.d/*.conf
> ++
> + # Configuration data is parsed as follows:
> + #  1. command line options
> + #  2. user-specific file
> +Index: openssh-9.5p1/sshd_config
> +===
> +--- openssh-9.5p1.orig/sshd_config
>  openssh-9.5p1/sshd_config
> +@@ -10,6 +10,8 @@
> + # possible, but leave them commented.  Uncommented options override the
> + # default value.
> +
> ++Include /etc/ssh/sshd_config.d/*.conf
> ++
> + #Port 22
> + #AddressFamily any
> + #ListenAddress 0.0.0.0
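Review bot: the Index:/--- headers inside include-conf.patch name openssh-9.5p1, but this series is against openssh_9.6p1.bb; if the hunks still apply it is only because the surrounding comment lines have not moved, so refresh the patch against the 9.6p1 tarball (quilt or devtool modify) so the recorded version matches the one it is carried on and the next upgrade does not inherit a stale header.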
> diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config 
> b/meta/recipes-connectivity/openssh/openssh/ssh_config
> deleted file mode 100644
> index cb2774a163ed..
> --- a/meta/recipes-connectivity/openssh/openssh/ssh_config
> +++ /dev/null
> @@ -1,48 +0,0 @@
> -#  $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
> -
> -# This is the ssh client system-wide configuration file.  See
> -# ssh_config(5) for more information.  This file provides defaults for
> -# users, and the values can be changed in per-user configuration files
> -# or on the command line.
> -
> -# Configuration data is parsed as follows:
> -#  1. command line options
> -#  2. user-specific file
> -#  3. system-wide file
> -# Any configuration value is only changed the first time it is set.
> -# Thus, host-specific definitions should be at the beginning of the
> -# configuration file, and defaults at the end.
> -
> -# Site-wide defaults for some commonly used options.  For a comprehensive
> -# list of available options, their meanings and defaults, please see the
> -# ssh_config(5) man page.
> -
> -Include /etc/ssh/ssh_config.d/*.conf
> -
> -# Host *
> -#   ForwardAgent no
> -#   ForwardX11 no
> -#   PasswordAuthentication yes
> -#   HostbasedAuthentication no
> -#   GSSAPIAuthentication no
> -#   GSSAPIDelegateCredentials no
> -#   BatchMode no
> -#   CheckHostIP yes
> -#   AddressFamily any
> -#   ConnectTimeout 0
> -#   StrictHostKeyChecking ask
> -#   IdentityFile ~/.ssh/id_rsa
> -#   IdentityFile ~/.ssh/id_dsa
> -#   IdentityFile ~/.ssh/id_ecdsa
> -#   IdentityFile ~/.ssh/id_ed25519
> -#   Port 22
> -#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
> -#   MACs hmac-md5,hmac-sha1,umac...@openssh.com
> -#   EscapeChar ~
> -#   Tunnel no
> -#   TunnelDevice any:any
> -#   PermitLocalCommand no
> -#   VisualHostKey no
> -#   ProxyCommand ssh -q -W %h:%p gateway.example.com
> -#   RekeyLimit 1G 1h
> -#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config 
> b/meta/recipes-connectivity/openssh/openssh/sshd_config
> deleted file mode 100644
> index e9eaf9315775..
> --- a/meta/recipes-connectivity/openssh/openssh/sshd_config
> +++ /dev/null
> @@ -1,119 +0,0 @@
> -#  $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
> -
> -# This is the sshd server system-wide configuration file.  See
> -# sshd_config(5) for more information.
> -
> -# This sshd was compiled with 

Re: [oe-core][kirkstone][PATCH 1/1] expat: Upgrade to 2.6.0

2024-03-12 Thread Randy MacLeod
On Tue, Mar 12, 2024, 03:54 Meenali Gupta via lists.openembedded.org
 wrote:

> From: Meenali Gupta 
>
> Package and run benchmark as part of ptest
> This is a major release



As explained in:

https://lists.openembedded.org/g/openembedded-core/message/196837

we can't do major release updates on kirkstone so please checkout the
Debian back-port mentioned in the other thread.

Thanks,
../Randy

> with following changes [1]
>
> ChangeLog:
> https://github.com/libexpat/libexpat/blob/R_2_6_1/expat/Changes
>
> Security fixes:
>   #789 #814  CVE-2023-52425 -- Fix quadratic runtime issues with big
> tokens
>that can cause denial of service, in partial where
>dealing with compressed XML input.  Applications
>that parsed a document in one go -- a single call to
>functions XML_Parse or XML_ParseBuffer -- were not
> affected.
>The smaller the chunks/buffers you use for parsing
>previously, the bigger the problem prior to the fix.
>Backporters should be careful to not omit parts of
>pull request #789 and to include earlier pull request
> #771,
>in order to not break the fix.
>#777  CVE-2023-52426 -- Fix billion laughs attacks for users
>compiling *without* XML_DTD defined (which is not
> common).
>Users with XML_DTD defined have been protected since
>Expat >=2.4.0 (and that was CVE-2013-0340 back then).
>
> Bug fixes:
> #753  Fix parse-size-dependent "invalid token" error for
> external entities that start with a byte order mark
> #780  Fix NULL pointer dereference in setContext via
> XML_ExternalEntityParserCreate for compilation with
> XML_DTD undefined
>#812 #813  Protect against closing entities out of order
>
> Other changes:
> #723  Improve support for arc4random/arc4random_buf
>#771 #788  Improve buffer growth in XML_GetBuffer and XML_Parse
>#761 #770  xmlwf: Support --help and --version
>#759 #770  xmlwf: Support custom buffer size for XML_GetBuffer and
> read
> #744  xmlwf: Improve language and URL clickability in help
> output
> #673  examples: Add new example "element_declarations.c"
> #764  Be stricter about macro XML_CONTEXT_BYTES at build time
> #765  Make inclusion to expat_config.h consistent
>#726 #727  Autotools: configure.ac: Support
> --disable-maintainer-mode
> #678 #705 ..
>   #706 #733 #792  Autotools: Sync CMake templates with CMake 3.26
> #795  Autotools: Make installation of shipped man page
> doc/xmlwf.1
> independent of docbook2man availability
> #815  Autotools|CMake: Add missing -DXML_STATIC to pkg-config
> file
> section "Cflags.private" in order to fix compilation
> against static libexpat using pkg-config on Windows
>#724 #751  Autotools|CMake: Require a C99 compiler
> (a de-facto requirement already since Expat 2.2.2 of
> 2017)
> #793  Autotools|CMake: Fix PACKAGE_BUGREPORT variable
>#750 #786  Autotools|CMake: Make test suite require a C++11 compiler
> #749  CMake: Require CMake >=3.5.0
> #672  CMake: Lowercase off_t and size_t to help a bug in Meson
> #746  CMake: Sort xmlwf sources alphabetically
> #785  CMake|Windows: Fix generation of DLL file version info
> #790  CMake: Build tests/benchmark/benchmark.c as well for
> a build with -DEXPAT_BUILD_TESTS=ON
>#745 #757  docs: Document the importance of isFinal + adjust tests
> accordingly
> #736  docs: Improve use of "NULL" and "null"
> #713  docs: Be specific about version of XML (XML 1.0r4)
> and version of C (C99); (XML 1.0r5 will need a
> sponsor.)
> #762  docs: reference.html: Promote function XML_ParseBuffer
> more
> #779  docs: reference.html: Add HTML anchors to XML_* macros
> #760  docs: reference.html: Upgrade to OK.css 1.2.0
>#763 #739  docs: Fix typos
> #696  docs|CI: Use HTTPS URLs instead of HTTP at various places
> #669 #670 ..
> #692 #703 ..
>#733 #772  Address compiler warnings
>#798 #800  Address clang-tidy warnings
>#775 #776  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
> to 10:0:9 (libexpat*.so.1.9.0); see
> https://verbump.de/
> for what these numbers do
>
> Infrastructure:
>#700 #701  docs: Document security policy in file SECURITY.md
> #766  docs: Improve parse buffer variables in-code
> documentation
> #674 #738 ..

Re: [oe-core][kirkstone][PATCH 1/1] expat: fix CVE-2023-52426

2024-03-12 Thread Randy MacLeod
On Tue, Mar 12, 2024, 03:58 Meenali Gupta via lists.openembedded.org
 wrote:

> Hi Anuj,
>
> I have sent the upgrade to 2.6.0; it includes the complete security fix
> for CVE-2023-52426 and CVE-2023-52425.
>

Unfortunately that update changes the so version number, so it isn't
acceptable for kirkstone.


  #775 #776  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do


I think you will have to carefully back-port the two CVE fixes.

It looks like Debian devs may have already back-ported at least one of
these CVEs to version 2.5.0-x

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063238

Thanks,

../Randy


> Regards
> Meenali
> --
> *From:* Mittal, Anuj 
> *Sent:* 11 March 2024 08:37
> *To:* Gupta, Meenali ;
> openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org>
> *Subject:* Re: [oe-core][kirkstone][PATCH 1/1] expat: fix CVE-2023-52426
>
> On Thu, 2024-03-07 at 16:08 -0800, Meenali Gupta via
> lists.openembedded.org wrote:
> > From: Meenali Gupta 
> >
> > A flaw was found in Expat (libexpat). If XML_DTD is undefined at
> > compile time, a recursive XML Entity
> > Expansion condition can be triggered. This issue may lead to a
> > condition where data is expanded exponentially,
> > which will quickly consume system resources and cause a denial of
> > service.
> >
> > Signed-off-by: Meenali Gupta 
> > ---
> >  .../expat/expat/CVE-2023-52426.patch  | 429
> > ++
> >  meta/recipes-core/expat/expat_2.5.0.bb|   1 +
> >  2 files changed, 430 insertions(+)
> >  create mode 100644 meta/recipes-core/expat/expat/CVE-2023-
> > 52426.patch
> >
> > diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> > b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> > new file mode 100644
> > index 00..b78a8ee0dc
> > --- /dev/null
> > +++ b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> > @@ -0,0 +1,429 @@
> > +From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00
> > 2001
> > +From: Sebastian Pipping 
> > +Date: Thu, 26 Oct 2023 00:43:22 +0200
> > +Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs
> > attack
> > + protection
> > +
> > +.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1".
> > +
> > +CVE: CVE-2023-52426
> > +Upstream-Status: Backport
> > [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca518
> > 2f8cca4703da0404]
>
> The PR that this commit is part of includes other commits as well. Is
> there any reason why only this is included or required?
>
> I didn't check in detail but as an example, it seems this commit uses
> EXPAT_GE which was introduced in an earlier commit in that PR:
>
>
> https://github.com/libexpat/libexpat/pull/777/commits/daa89e42c005cc7f4f7af9eee271ae0723d30300
>
> So, is this supposed to work as intended?
>
> Thanks,
>
> Anuj
>
> > +
> > +Signed-off-by: Meenali Gupta 
> > +---
> > + CMakeLists.txt |  8 -
> > + lib/expat.h|  8 +++--
> > + lib/internal.h |  2 +-
> > + lib/libexpat.def.cmake |  4 +--
> > + lib/xmlparse.c | 71 ++-
> > ---
> > + xmlwf/xmlwf.c  | 18 ++-
> > + 6 files changed, 62 insertions(+), 49 deletions(-)
> > +
> > +diff --git a/CMakeLists.txt b/CMakeLists.txt
> > +index 2b4c13c..183c5c2 100644
> > +--- a/CMakeLists.txt
> >  b/CMakeLists.txt
> > +@@ -381,7 +381,13 @@ if(EXPAT_SHARED_LIBS)
> > + endif()
> > + endmacro()
> > +
> > +-_expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD)
> > ++if(EXPAT_DTD OR EXPAT_GE)
> > ++set(_EXPAT_DTD_OR_GE TRUE)
> > ++else()
> > ++set(_EXPAT_DTD_OR_GE FALSE)
> > ++endif()
> > ++
> > ++_expat_def_file_toggle(_EXPAT_DTD_OR_GE
> > _EXPAT_COMMENT_DTD_OR_GE)
> > + _expat_def_file_toggle(EXPAT_ATTR_INFO
> > _EXPAT_COMMENT_ATTR_INFO)
> > +
> > +
> > configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake"
> > "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def")
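Review bot: `if(EXPAT_DTD OR EXPAT_GE)` tests an EXPAT_GE option that nothing in this patch defines; CMake evaluates an undefined variable as false, so configure will not fail, but the toggle quietly degenerates to the old EXPAT_DTD-only behaviour and the def-file export of the protection API stays disabled in precisely the XML_DTD-off build this CVE is about. The commit from PR #777 that Anuj points to, which introduces EXPAT_GE, has to be carried along, otherwise the backport is a no-op for the configuration it claims to fix.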
> > +diff --git a/lib/expat.h b/lib/expat.h
> > +index 1c83563..33c94af 100644
> > +--- a/lib/expat.h
> >  b/lib/expat.h
> > +@@ -1038,13 +1038,15 @@ typedef struct {
> > + XMLPARSEAPI(const XML_Feature *)
> > + XML_GetFeatureList(void);
> > +
> > +-#ifdef XML_DTD
> > +-/* Added in Expat 2.4.0. */
> > ++#if defined(XML_DTD) || XML_GE == 1
> > ++/* Added in Expat 2.4.0 for XML_DTD defined and
> > ++ * added in Expat 2.6.0 for XML_GE == 1. */
> > + XMLPARSEAPI(XML_Bool)
> > + XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> > + XML_Parser parser, float maximumAmplificationFactor);
> > +
> > +-/* Added in Expat 2.4.0. */
> > ++/* 
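
The two libtool triples quoted above, 9:10:8 and 10:0:9, carry more information than a version string, and reading them correctly is the ABI half of the stable-branch question (the other half being the long list of behavioural changes in the ChangeLog). The following is an added example, not expat's or OE's code: it decodes a `-version-info current:revision:age` triple into the SONAME and file name libtool produces on Linux/ELF, `lib<name>.so.<current-age>.<age>.<revision>`, and applies libtool's own rule that a build implements interfaces `current-age` through `current`. The function name `is_drop_in_replacement` is mine.

```python
"""Decode GNU libtool -version-info triples (current:revision:age), as
quoted in the expat ChangeLog, into the ELF SONAME and file name libtool
produces, and apply libtool's own compatibility rule. Added example, not
expat's or OE's code; the two triples are the ones quoted in the thread."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class LibtoolVersion:
    current: int   # number of the newest interface this build implements
    revision: int  # implementation-only changes to that interface
    age: int       # how many earlier interfaces are still implemented

    @classmethod
    def parse(cls, triple: str) -> "LibtoolVersion":
        m = re.fullmatch(r"(\d+):(\d+):(\d+)", triple.strip())
        if not m:
            raise ValueError(f"not a libtool version-info triple: {triple!r}")
        current, revision, age = map(int, m.groups())
        if age > current:
            raise ValueError(f"age {age} exceeds current {current} in {triple!r}")
        return cls(current, revision, age)

    @property
    def soname_major(self) -> int:
        # On Linux/ELF libtool sets the SONAME major to current - age.
        return self.current - self.age

    def soname(self, name: str) -> str:
        """What DT_SONAME carries and what the dynamic loader matches on."""
        return f"lib{name}.so.{self.soname_major}"

    def filename(self, name: str) -> str:
        """The real file on disk: lib<name>.so.<current-age>.<age>.<revision>."""
        return f"{self.soname(name)}.{self.age}.{self.revision}"

    def interfaces(self) -> range:
        """Interface numbers this build implements: current-age .. current."""
        return range(self.current - self.age, self.current + 1)


def is_drop_in_replacement(old: LibtoolVersion, new: LibtoolVersion) -> bool:
    """True if binaries linked against `old` load and run against `new`:
    the SONAME must be unchanged and `new` must still implement the
    interface those binaries were linked against (old.current)."""
    return new.soname_major == old.soname_major and old.current in new.interfaces()


if __name__ == "__main__":
    before = LibtoolVersion.parse("9:10:8")   # expat 2.5.0, per the ChangeLog
    after = LibtoolVersion.parse("10:0:9")    # expat 2.6.0, per the ChangeLog
    for v in (before, after):
        print(v, "->", v.filename("expat"), "SONAME", v.soname("expat"))
    print("drop-in replacement:", is_drop_in_replacement(before, after))
```

Under these rules 9:10:8 to 10:0:9 bumps both `current` and `age`, which is how libtool records interfaces added without removing any, and the SONAME stays `libexpat.so.1`; a triple such as 10:0:0 would instead move the SONAME to `libexpat.so.10` and break every existing consumer. On a target, `objdump -p /usr/lib/libexpat.so.1 | grep SONAME` (or `readelf -d`) shows the value the loader actually compares.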

[OE-core] [PATCH 1/7, v3] openssh: replace complete configuration files by patch

2024-03-12 Thread Enrico Scholz via lists.openembedded.org
From: Enrico Scholz 

Instead of shipping the whole configuration files for openssh, add a
small patch that includes configuration snippets from subdirectories.

This allows us to keep the original upstream configuration, which is
mainly useful for documentation purposes.  It makes it easier to
identify OE-specific setup.

Signed-off-by: Enrico Scholz 
---
 .../openssh/openssh/include-conf.patch|  34 +
 .../openssh/openssh/ssh_config|  48 ---
 .../openssh/openssh/sshd_config   | 119 --
 .../openssh/openssh_9.6p1.bb  |   5 +-
 4 files changed, 35 insertions(+), 171 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch
 delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config
 delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config

diff --git a/meta/recipes-connectivity/openssh/openssh/include-conf.patch 
b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
new file mode 100644
index ..0a3f6839f838
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/include-conf.patch
@@ -0,0 +1,34 @@
+Include configuration snippets from subdirectory.
+
+NOTE: first configuration option wins.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Enrico Scholz 
+
+Index: openssh-9.5p1/ssh_config
+===
+--- openssh-9.5p1.orig/ssh_config
 openssh-9.5p1/ssh_config
+@@ -5,6 +5,8 @@
+ # users, and the values can be changed in per-user configuration files
+ # or on the command line.
+
++Include /etc/ssh/ssh_config.d/*.conf
++
+ # Configuration data is parsed as follows:
+ #  1. command line options
+ #  2. user-specific file
+Index: openssh-9.5p1/sshd_config
+===
+--- openssh-9.5p1.orig/sshd_config
 openssh-9.5p1/sshd_config
+@@ -10,6 +10,8 @@
+ # possible, but leave them commented.  Uncommented options override the
+ # default value.
+
++Include /etc/ssh/sshd_config.d/*.conf
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
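Review bot: both Include lines are inserted before the first option and the header's NOTE says the first configuration option wins, so anything in /etc/ssh/sshd_config.d/*.conf now overrides every directive that follows in sshd_config itself, including ones an administrator later uncomments in the main file; the one-line NOTE should say exactly that, because it inverts the usual expectation that the main file is authoritative. It also makes the snippet directories security-sensitive: whoever can write a *.conf into /etc/ssh/sshd_config.d decides PermitRootLogin and PasswordAuthentication for the daemon, so whichever recipe ships the directory (openssh or openssh-config) must create it root-owned and not group- or world-writable, and reviewers should check that rather than rely on the snippet files' own permissions.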
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config 
b/meta/recipes-connectivity/openssh/openssh/ssh_config
deleted file mode 100644
index cb2774a163ed..
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ /dev/null
@@ -1,48 +0,0 @@
-#  $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
-
-# This is the ssh client system-wide configuration file.  See
-# ssh_config(5) for more information.  This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-#  1. command line options
-#  2. user-specific file
-#  3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options.  For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Include /etc/ssh/ssh_config.d/*.conf
-
-# Host *
-#   ForwardAgent no
-#   ForwardX11 no
-#   PasswordAuthentication yes
-#   HostbasedAuthentication no
-#   GSSAPIAuthentication no
-#   GSSAPIDelegateCredentials no
-#   BatchMode no
-#   CheckHostIP yes
-#   AddressFamily any
-#   ConnectTimeout 0
-#   StrictHostKeyChecking ask
-#   IdentityFile ~/.ssh/id_rsa
-#   IdentityFile ~/.ssh/id_dsa
-#   IdentityFile ~/.ssh/id_ecdsa
-#   IdentityFile ~/.ssh/id_ed25519
-#   Port 22
-#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-#   MACs hmac-md5,hmac-sha1,umac...@openssh.com
-#   EscapeChar ~
-#   Tunnel no
-#   TunnelDevice any:any
-#   PermitLocalCommand no
-#   VisualHostKey no
-#   ProxyCommand ssh -q -W %h:%p gateway.example.com
-#   RekeyLimit 1G 1h
-#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
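Review bot: deleting this file (and the matching SRC_URI entry in openssh_9.6p1.bb, which the diffstat shows changing) silently disables any downstream bbappend that overrode ssh_config with its own copy via FILESEXTRAPATHS:prepend; nothing will warn those layer maintainers that their file is no longer installed, so the commit message should carry a migration note. Nothing functional is lost from the file itself: apart from the Include line, which include-conf.patch re-adds, every directive here was commented out, and the commented examples still listed hmac-md5, hmac-sha1 and 3des-cbc, so dropping them removes a stale hint rather than a setting.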
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config 
b/meta/recipes-connectivity/openssh/openssh/sshd_config
deleted file mode 100644
index e9eaf9315775..
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ /dev/null
@@ -1,119 +0,0 @@
-#  $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey 
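Review bot: this hunk is cut off in the archive after the commented HostKey lines, so the old file's uncommented OE directives, the lines that actually configured the daemon, cannot be reviewed here; before merging, diff every active directive of the 119-line sshd_config against the five lines of 80-oe.conf and the 60-*.conf snippets so that no setting is dropped unintentionally. The visible part already carried `Include /etc/ssh/sshd_config.d/*.conf` ahead of `#Port 22`, the same position the new patch uses, so snippet precedence itself does not change.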

Re: [OE-core] [PATCH] ptest: test for PTEST_ENABLED instead of DISTRO_FEATURES

2024-03-12 Thread Richard Purdie
On Sat, 2024-03-09 at 02:29 -0800, Robert P. J. Day wrote:
> 
> As ptest.bbclass defines the more intuitive ptest-related variable:
> 
>   PTEST_ENABLED =
>     "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', '1', '0', d)}"
> 
> modify a number of obvious recipe ptest checks to use that simpler
> form.
> 
> Signed-off-by: Robert P. J. Day 
> 
> ---
> 
>   i did a simple textual substitution so as long as that's all that's
> needed, this should work.

As others have noted, it breaks things. This is why I'm very nervous of
patches that aren't properly tested :(.

I personally also really don't like "1" being a magic value for comparison,
but that is a different problem.

Cheers,

Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196974): 
https://lists.openembedded.org/g/openembedded-core/message/196974
Mute This Topic: https://lists.openembedded.org/mt/104825491/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [oe-core][kirkstone][PATCH 1/1] expat: fix CVE-2023-52426

2024-03-12 Thread Meenali Gupta via lists.openembedded.org
Hi Anuj,

I have sent the upgrade to 2.6.0; it includes the complete security fix for 
CVE-2023-52426 and CVE-2023-52425.

Regards
Meenali

From: Mittal, Anuj 
Sent: 11 March 2024 08:37
To: Gupta, Meenali ; 
openembedded-core@lists.openembedded.org 

Subject: Re: [oe-core][kirkstone][PATCH 1/1] expat: fix CVE-2023-52426

On Thu, 2024-03-07 at 16:08 -0800, Meenali Gupta via
lists.openembedded.org wrote:
> From: Meenali Gupta 
>
> A flaw was found in Expat (libexpat). If XML_DTD is undefined at
> compile time, a recursive XML Entity
> Expansion condition can be triggered. This issue may lead to a
> condition where data is expanded exponentially,
> which will quickly consume system resources and cause a denial of
> service.
>
> Signed-off-by: Meenali Gupta 
> ---
>  .../expat/expat/CVE-2023-52426.patch  | 429
> ++
>  meta/recipes-core/expat/expat_2.5.0.bb|   1 +
>  2 files changed, 430 insertions(+)
>  create mode 100644 meta/recipes-core/expat/expat/CVE-2023-
> 52426.patch
>
> diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> new file mode 100644
> index 00..b78a8ee0dc
> --- /dev/null
> +++ b/meta/recipes-core/expat/expat/CVE-2023-52426.patch
> @@ -0,0 +1,429 @@
> +From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00
> 2001
> +From: Sebastian Pipping 
> +Date: Thu, 26 Oct 2023 00:43:22 +0200
> +Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs
> attack
> + protection
> +
> +.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1".
> +
> +CVE: CVE-2023-52426
> +Upstream-Status: Backport
> [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca518
> 2f8cca4703da0404]

The PR that this commit is part of includes other commits as well. Is
there any reason why only this is included or required?

I didn't check in detail but as an example, it seems this commit uses
EXPAT_GE which was introduced in an earlier commit in that PR:

https://github.com/libexpat/libexpat/pull/777/commits/daa89e42c005cc7f4f7af9eee271ae0723d30300

So, is this supposed to work as intended?

Thanks,

Anuj

> +
> +Signed-off-by: Meenali Gupta 
> +---
> + CMakeLists.txt |  8 -
> + lib/expat.h|  8 +++--
> + lib/internal.h |  2 +-
> + lib/libexpat.def.cmake |  4 +--
> + lib/xmlparse.c | 71 ++-
> ---
> + xmlwf/xmlwf.c  | 18 ++-
> + 6 files changed, 62 insertions(+), 49 deletions(-)
> +
> +diff --git a/CMakeLists.txt b/CMakeLists.txt
> +index 2b4c13c..183c5c2 100644
> +--- a/CMakeLists.txt
>  b/CMakeLists.txt
> +@@ -381,7 +381,13 @@ if(EXPAT_SHARED_LIBS)
> + endif()
> + endmacro()
> +
> +-_expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD)
> ++if(EXPAT_DTD OR EXPAT_GE)
> ++set(_EXPAT_DTD_OR_GE TRUE)
> ++else()
> ++set(_EXPAT_DTD_OR_GE FALSE)
> ++endif()
> ++
> ++_expat_def_file_toggle(_EXPAT_DTD_OR_GE
> _EXPAT_COMMENT_DTD_OR_GE)
> + _expat_def_file_toggle(EXPAT_ATTR_INFO
> _EXPAT_COMMENT_ATTR_INFO)
> +
> +
> configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake"
> "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def")
> +diff --git a/lib/expat.h b/lib/expat.h
> +index 1c83563..33c94af 100644
> +--- a/lib/expat.h
>  b/lib/expat.h
> +@@ -1038,13 +1038,15 @@ typedef struct {
> + XMLPARSEAPI(const XML_Feature *)
> + XML_GetFeatureList(void);
> +
> +-#ifdef XML_DTD
> +-/* Added in Expat 2.4.0. */
> ++#if defined(XML_DTD) || XML_GE == 1
> ++/* Added in Expat 2.4.0 for XML_DTD defined and
> ++ * added in Expat 2.6.0 for XML_GE == 1. */
> + XMLPARSEAPI(XML_Bool)
> + XML_SetBillionLaughsAttackProtectionMaximumAmplification(
> + XML_Parser parser, float maximumAmplificationFactor);
> +
> +-/* Added in Expat 2.4.0. */
> ++/* Added in Expat 2.4.0 for XML_DTD defined and
> ++ * added in Expat 2.6.0 for XML_GE == 1. */
> + XMLPARSEAPI(XML_Bool)
> + XML_SetBillionLaughsAttackProtectionActivationThreshold(
> + XML_Parser parser, unsigned long long
> activationThresholdBytes);
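Review bot: `#if defined(XML_DTD) || XML_GE == 1` relies on XML_GE being defined by the build system, and in a tree that lacks the rest of PR #777 it is not; the preprocessor evaluates an undefined identifier in `#if` as 0, so the condition silently collapses to `defined(XML_DTD)` and both XML_SetBillionLaughsAttackProtection* prototypes remain absent for XML_DTD-off builds (only -Wundef would even warn). Either backport the commit that adds XML_GE to the configure/CMake-generated config, or add an explicit `#ifndef XML_GE` / `#define XML_GE 1` fallback next to the existing XML_DTD handling so the header is self-consistent.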
> +diff --git a/lib/internal.h b/lib/internal.h
> +index e09f533..1851925 100644
> +--- a/lib/internal.h
>  b/lib/internal.h
> +@@ -154,7 +154,7 @@ extern "C" {
> + void _INTERNAL_trim_to_complete_utf8_characters(const char *from,
> + const char
> **fromLimRef);
> +
> +-#if defined(XML_DTD)
> ++#if defined(XML_DTD) || XML_GE == 1
> + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser
> parser);
> + unsigned long long
> testingAccountingGetCountBytesIndirect(XML_Parser parser);
> + const char *unsignedCharToPrintable(unsigned char c);
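Review bot: same `XML_GE == 1` guard as in expat.h with the same failure mode: without the commit that defines XML_GE this reduces to `defined(XML_DTD)` and the accounting test hooks stay compiled out for the non-DTD build. The two headers now agree on `defined(XML_DTD) || XML_GE == 1` while the CMake side keys on `EXPAT_DTD OR EXPAT_GE`, so both names need to arrive in the same patch; the libexpat.def.cmake hunk is cut off in this archive, so its toggle cannot be verified here.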
> +diff --git a/lib/libexpat.def.cmake 

[oe-core][kirkstone][PATCH 1/1] expat: Upgrade to 2.6.0

2024-03-12 Thread Meenali Gupta via lists.openembedded.org
From: Meenali Gupta 

Package and run benchmark as part of ptest
This is a major release with following changes [1]

ChangeLog:
https://github.com/libexpat/libexpat/blob/R_2_6_1/expat/Changes

Security fixes:
  #789 #814  CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
   that can cause denial of service, in partial where
   dealing with compressed XML input.  Applications
   that parsed a document in one go -- a single call to
   functions XML_Parse or XML_ParseBuffer -- were not affected.
   The smaller the chunks/buffers you use for parsing
   previously, the bigger the problem prior to the fix.
   Backporters should be careful to not omit parts of
   pull request #789 and to include earlier pull request #771,
   in order to not break the fix.
   #777  CVE-2023-52426 -- Fix billion laughs attacks for users
   compiling *without* XML_DTD defined (which is not common).
   Users with XML_DTD defined have been protected since
   Expat >=2.4.0 (and that was CVE-2013-0340 back then).

Bug fixes:
#753  Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
#780  Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
   #812 #813  Protect against closing entities out of order

Other changes:
#723  Improve support for arc4random/arc4random_buf
   #771 #788  Improve buffer growth in XML_GetBuffer and XML_Parse
   #761 #770  xmlwf: Support --help and --version
   #759 #770  xmlwf: Support custom buffer size for XML_GetBuffer and read
#744  xmlwf: Improve language and URL clickability in help output
#673  examples: Add new example "element_declarations.c"
#764  Be stricter about macro XML_CONTEXT_BYTES at build time
#765  Make inclusion to expat_config.h consistent
   #726 #727  Autotools: configure.ac: Support --disable-maintainer-mode
#678 #705 ..
  #706 #733 #792  Autotools: Sync CMake templates with CMake 3.26
#795  Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
#815  Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section "Cflags.private" in order to fix compilation
against static libexpat using pkg-config on Windows
   #724 #751  Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
#793  Autotools|CMake: Fix PACKAGE_BUGREPORT variable
   #750 #786  Autotools|CMake: Make test suite require a C++11 compiler
#749  CMake: Require CMake >=3.5.0
#672  CMake: Lowercase off_t and size_t to help a bug in Meson
#746  CMake: Sort xmlwf sources alphabetically
#785  CMake|Windows: Fix generation of DLL file version info
#790  CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
   #745 #757  docs: Document the importance of isFinal + adjust tests
accordingly
#736  docs: Improve use of "NULL" and "null"
#713  docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
#762  docs: reference.html: Promote function XML_ParseBuffer more
#779  docs: reference.html: Add HTML anchors to XML_* macros
#760  docs: reference.html: Upgrade to OK.css 1.2.0
   #763 #739  docs: Fix typos
#696  docs|CI: Use HTTPS URLs instead of HTTP at various places
#669 #670 ..
#692 #703 ..
   #733 #772  Address compiler warnings
   #798 #800  Address clang-tidy warnings
   #775 #776  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do

Infrastructure:
   #700 #701  docs: Document security policy in file SECURITY.md
#766  docs: Improve parse buffer variables in-code documentation
#674 #738 ..
#740 #747 ..
  #748 #781 #782  Refactor coverage and conformance tests
   #714 #716  Refactor debug level variables to unsigned long
#671  Improve handling of empty environment variable value
in function getDebugLevel (without visible user effect)
#755 #774 ..
#758 #783 ..
   #784 #787  tests: Improve test coverage with regard to parse chunk size
  #660 #797 #801  Fuzzing: Improve fuzzing coverage
   #367 #799  Fuzzing|CI: