documentation: Updated title page notes

Fixed the title page notes to help the user get the exact
set of documentation for the appropriate YP release.

(From yocto-docs rev: 09bcec491f9edf5a4e7dac8b6818ce22b5df163f)

Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.xml

@@ -135,7 +135,7 @@
                     <ulink url="http://www.mail-archive.com/yocto@yoctoproject.org/msg09379.html">Mailing List post - The BitBake equivalent of "Hello, World!"</ulink>
                     </para></listitem>
                 <listitem><para>
-                    <ulink url="http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/">Hambedded Linux blog post - From Bitbake Hello World to an Image</ulink>
+                    <ulink url="https://web.archive.org/web/20150325165911/http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/">Hambedded Linux blog post - From Bitbake Hello World to an Image</ulink>
                     </para></listitem>
             </itemizedlist>
         </note>
@@ -270,7 +270,7 @@
                 and define some key BitBake variables.
                 For more information on the <filename>bitbake.conf</filename>,
                 see
-                <ulink url='http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#an-overview-of-bitbakeconf'></ulink>
+                <ulink url='https://web.archive.org/web/20150325165911/http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#an-overview-of-bitbakeconf'></ulink>
                 </para>
                 <para>Use the following commands to create the <filename>conf</filename>
                 directory in the project directory:
@@ -355,7 +355,7 @@ ERROR: Unable to parse base: ParseError in configuration INHERITs: Could not inh
                 supporting.
                 For more information on the <filename>base.bbclass</filename> file,
                 you can look at
-                <ulink url='http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#tasks'></ulink>.
+                <ulink url='https://web.archive.org/web/20150325165911/http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#tasks'></ulink>.
                 </para></listitem>
             <listitem><para><emphasis>Run Bitbake:</emphasis>
                 After making sure that the <filename>classes/base.bbclass</filename>
@@ -377,7 +377,7 @@ ERROR: Unable to parse base: ParseError in configuration INHERITs: Could not inh
                 Thus, this example creates and uses a layer called "mylayer".
                 <note>
                     You can find additional information on adding a layer at
-                    <ulink url='http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#adding-an-example-layer'></ulink>.
+                    <ulink url='https://web.archive.org/web/20150325165911/http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#adding-an-example-layer'></ulink>.
                 </note>
                 </para>
                 <para>Minimally, you need a recipe file and a layer configuration

bitbake/lib/bb/fetch2/__init__.py

@@ -955,7 +955,7 @@ def try_mirror_url(fetch, origud, ud, ld, check = False):
                 origud.method.download(origud, ld)
                 if hasattr(origud.method,"build_mirror_data"):
                     origud.method.build_mirror_data(origud, ld)
-            return ud.localpath
+            return origud.localpath
         # Otherwise the result is a local file:// and we symlink to it
         if not os.path.exists(origud.localpath):
             if os.path.islink(origud.localpath):

bitbake/lib/bb/fetch2/git.py

@@ -289,7 +289,7 @@ class Git(FetchMethod):
                 branchname =  ud.branches[ud.names[0]]
                 runfetchcmd("%s checkout -B %s %s" % (ud.basecmd, branchname, \
                             ud.revisions[ud.names[0]]), d)
-                runfetchcmd("%s branch --set-upstream %s origin/%s" % (ud.basecmd, branchname, \
+                runfetchcmd("%s branch %s --set-upstream-to origin/%s" % (ud.basecmd, branchname, \
                             branchname), d)
             else:
                 runfetchcmd("%s checkout %s" % (ud.basecmd, ud.revisions[ud.names[0]]), d)

bitbake/lib/bb/fetch2/gitsm.py

@@ -110,8 +110,7 @@ class GitSM(Git):
         os.chdir(tmpclonedir)
         runfetchcmd(ud.basecmd + " reset --hard", d)
         runfetchcmd(ud.basecmd + " checkout " + ud.revisions[ud.names[0]], d)
-        runfetchcmd(ud.basecmd + " submodule init", d)
-        runfetchcmd(ud.basecmd + " submodule update", d)
+        runfetchcmd(ud.basecmd + " submodule update --init --recursive", d)
         self._set_relative_paths(tmpclonedir)
         runfetchcmd("sed " + gitdir + "/config -i -e 's/bare.*=.*false/bare = true/'", d)
         os.rename(gitdir, ud.clonedir,)
@@ -131,7 +130,5 @@ class GitSM(Git):
         os.chdir(ud.destdir)
         submodules = self.uses_submodules(ud, d)
         if submodules:
-            runfetchcmd("cp -r " + ud.clonedir + "/modules " + ud.destdir + "/.git/", d)
-            runfetchcmd(ud.basecmd + " submodule init", d)
-            runfetchcmd(ud.basecmd + " submodule update", d)
-
+            runfetchcmd(ud.basecmd + " checkout " + ud.revisions[ud.names[0]], d)
+            runfetchcmd(ud.basecmd + " submodule update --init --recursive", d)

bitbake/lib/bb/fetch2/wget.py

@@ -234,38 +234,64 @@ class Wget(FetchMethod):
 
             return exported
 
-        def head_method(self):
-            return "HEAD"
+        class HTTPMethodFallback(urllib2.BaseHandler):
+            """
+            Fallback to GET if HEAD is not allowed (405 HTTP error)
+            """
+            def http_error_405(self, req, fp, code, msg, headers):
+                fp.read()
+                fp.close()
 
+                newheaders = dict((k,v) for k,v in req.headers.items()
+                                  if k.lower() not in ("content-length", "content-type"))
+                return self.parent.open(urllib2.Request(req.get_full_url(),
+                                                        headers=newheaders,
+                                                        origin_req_host=req.get_origin_req_host(),
+                                                        unverifiable=True))
+
+            """
+            Some servers (e.g. GitHub archives, hosted on Amazon S3) return 403
+            Forbidden when they actually mean 405 Method Not Allowed.
+            """
+            http_error_403 = http_error_405
+
+            """
+            Some servers (e.g. FusionForge) returns 406 Not Acceptable when they
+            actually mean 405 Method Not Allowed.
+            """
+            http_error_406 = http_error_405
+
+        class FixedHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
+            """
+            urllib2.HTTPRedirectHandler resets the method to GET on redirect,
+            when we want to follow redirects using the original method.
+            """
+            def redirect_request(self, req, fp, code, msg, headers, newurl):
+                newreq = urllib2.HTTPRedirectHandler.redirect_request(self, req, fp, code, msg, headers, newurl)
+                newreq.get_method = lambda: req.get_method()
+                return newreq
         exported_proxies = export_proxies(d)
 
+        handlers = [FixedHTTPRedirectHandler, HTTPMethodFallback]
+        if export_proxies:
+            handlers.append(urllib2.ProxyHandler())
+        handlers.append(CacheHTTPHandler())
         # XXX: Since Python 2.7.9 ssl cert validation is enabled by default
         # see PEP-0476, this causes verification errors on some https servers
         # so disable by default.
         import ssl
-        ssl_context = None
         if hasattr(ssl, '_create_unverified_context'):
-            ssl_context = ssl._create_unverified_context()
-
-        if exported_proxies == True and ssl_context is not None:
-            opener = urllib2.build_opener(urllib2.ProxyHandler, CacheHTTPHandler,
-                    urllib2.HTTPSHandler(context=ssl_context))
-        elif exported_proxies == False and ssl_context is not None:
-            opener = urllib2.build_opener(CacheHTTPHandler,
-                    urllib2.HTTPSHandler(context=ssl_context))
-        elif exported_proxies == True and ssl_context is None:
-            opener = urllib2.build_opener(urllib2.ProxyHandler, CacheHTTPHandler)
-        else:
-            opener = urllib2.build_opener(CacheHTTPHandler)
-
-        urllib2.Request.get_method = head_method
-        urllib2.install_opener(opener)
-
-        uri = ud.url.split(";")[0]
+            handlers.append(urllib2.HTTPSHandler(context=ssl._create_unverified_context()))
+        opener = urllib2.build_opener(*handlers)
 
         try:
-            urllib2.urlopen(uri)
-        except:
+            uri = ud.url.split(";")[0]
+            r = urllib2.Request(uri)
+            r.get_method = lambda: "HEAD"
+            opener.open(r)
+        except urllib2.URLError as e:
+            # debug for now to avoid spamming the logs in e.g. remote sstate searches
+            logger.debug(2, "checkstatus() urlopen failed: %s" % e)
             return False
         return True
 

bitbake/lib/bb/tests/fetch.py

@@ -692,8 +692,8 @@ class FetchLatestVersionTest(FetcherTest):
             : "5.0",
         ("xserver-xorg", "http://xorg.freedesktop.org/releases/individual/xserver/xorg-server-1.15.1.tar.bz2", "", "")
             : "1.15.1",
-        # packages with valid REGEX_URI and REGEX
-        ("cups", "http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2", "http://www.cups.org/software.php", "(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz")
+        # packages with valid UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX
+        ("cups", "http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2", "https://github.com/apple/cups/releases", "(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz")
             : "2.0.0",
         ("db", "http://download.oracle.com/berkeley-db/db-5.3.21.tar.gz", "http://www.oracle.com/technetwork/products/berkeleydb/downloads/index-082944.html", "http://download.oracle.com/otn/berkeley-db/(?P<name>db-)(?P<pver>((\d+[\.\-_]*)+))\.tar\.gz")
             : "6.1.19",
@@ -726,7 +726,6 @@ class FetchLatestVersionTest(FetcherTest):
 
 class FetchCheckStatusTest(FetcherTest):
     test_wget_uris = ["http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2",
-                      "http://www.cups.org/software/ipptool/ipptool-20130731-linux-ubuntu-i686.tar.gz",
                       "http://www.cups.org/",
                       "http://downloads.yoctoproject.org/releases/sato/sato-engine-0.1.tar.gz",
                       "http://downloads.yoctoproject.org/releases/sato/sato-engine-0.2.tar.gz",
@@ -738,6 +737,8 @@ class FetchCheckStatusTest(FetcherTest):
                       "ftp://ftp.gnu.org/gnu/autoconf/autoconf-2.60.tar.gz",
                       "ftp://ftp.gnu.org/gnu/chess/gnuchess-5.08.tar.gz",
                       "ftp://ftp.gnu.org/gnu/gmp/gmp-4.0.tar.gz",
+                      # GitHub releases are hosted on Amazon S3, which doesn't support HEAD
+                      "https://github.com/kergoth/tslib/releases/download/1.1/tslib-1.1.tar.xz"
                       ]
 
     if os.environ.get("BB_SKIP_NETTESTS") == "yes":

bitbake/lib/bb/tests/utils.py

@@ -376,3 +376,206 @@ do_functionname() {
         (updated, newlines) = bb.utils.edit_metadata(self._origfile.splitlines(True), varlist, handle_var)
         self.assertTrue(updated, 'List should be updated but isn\'t')
         self.assertEqual(newlines, newfile5.splitlines(True))
+
+
+class EditBbLayersConf(unittest.TestCase):
+
+    def _test_bblayers_edit(self, before, after, add, remove, notadded, notremoved):
+        with tempfile.NamedTemporaryFile('w', delete=False) as tf:
+            tf.write(before)
+            tf.close()
+            try:
+                actual_notadded, actual_notremoved = bb.utils.edit_bblayers_conf(tf.name, add, remove)
+                with open(tf.name) as f:
+                    actual_after = f.readlines()
+                self.assertEqual(after.splitlines(True), actual_after)
+                self.assertEqual(notadded, actual_notadded)
+                self.assertEqual(notremoved, actual_notremoved)
+            finally:
+                os.remove(tf.name)
+
+
+    def test_bblayers_remove(self):
+        before = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS = " \
+  /home/user/path/layer1 \
+  /home/user/path/layer2 \
+  /home/user/path/subpath/layer3 \
+  /home/user/path/layer4 \
+  "
+"""
+        after = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS = " \
+  /home/user/path/layer1 \
+  /home/user/path/subpath/layer3 \
+  /home/user/path/layer4 \
+  "
+"""
+        self._test_bblayers_edit(before, after,
+                                 None,
+                                 '/home/user/path/layer2',
+                                 [],
+                                 [])
+
+
+    def test_bblayers_add(self):
+        before = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS = " \
+  /home/user/path/layer1 \
+  /home/user/path/layer2 \
+  /home/user/path/subpath/layer3 \
+  /home/user/path/layer4 \
+  "
+"""
+        after = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS = " \
+  /home/user/path/layer1 \
+  /home/user/path/layer2 \
+  /home/user/path/subpath/layer3 \
+  /home/user/path/layer4 \
+  /other/path/to/layer5 \
+  "
+"""
+        self._test_bblayers_edit(before, after,
+                                 '/other/path/to/layer5/',
+                                 None,
+                                 [],
+                                 [])
+
+
+    def test_bblayers_add_remove(self):
+        before = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS = " \
+  /home/user/path/layer1 \
+  /home/user/path/layer2 \
+  /home/user/path/subpath/layer3 \
+  /home/user/path/layer4 \
+  "
+"""
+        after = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS = " \
+  /home/user/path/layer1 \
+  /home/user/path/layer2 \
+  /home/user/path/layer4 \
+  /other/path/to/layer5 \
+  "
+"""
+        self._test_bblayers_edit(before, after,
+                                 ['/other/path/to/layer5', '/home/user/path/layer2/'], '/home/user/path/subpath/layer3/',
+                                 ['/home/user/path/layer2'],
+                                 [])
+
+
+    def test_bblayers_add_remove_home(self):
+        before = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS = " \
+  ~/path/layer1 \
+  ~/path/layer2 \
+  ~/otherpath/layer3 \
+  ~/path/layer4 \
+  "
+"""
+        after = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS = " \
+  ~/path/layer2 \
+  ~/path/layer4 \
+  ~/path2/layer5 \
+  "
+"""
+        self._test_bblayers_edit(before, after,
+                                 [os.environ['HOME'] + '/path/layer4', '~/path2/layer5'],
+                                 [os.environ['HOME'] + '/otherpath/layer3', '~/path/layer1', '~/path/notinlist'],
+                                 [os.environ['HOME'] + '/path/layer4'],
+                                 ['~/path/notinlist'])
+
+
+    def test_bblayers_add_remove_plusequals(self):
+        before = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS += " \
+  /home/user/path/layer1 \
+  /home/user/path/layer2 \
+  "
+"""
+        after = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS += " \
+  /home/user/path/layer2 \
+  /home/user/path/layer3 \
+  "
+"""
+        self._test_bblayers_edit(before, after,
+                                 '/home/user/path/layer3',
+                                 '/home/user/path/layer1',
+                                 [],
+                                 [])
+
+
+    def test_bblayers_add_remove_plusequals2(self):
+        before = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS += " \
+  /home/user/path/layer1 \
+  /home/user/path/layer2 \
+  /home/user/path/layer3 \
+  "
+BBLAYERS += "/home/user/path/layer4"
+BBLAYERS += "/home/user/path/layer5"
+"""
+        after = r"""
+# A comment
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+BBLAYERS += " \
+  /home/user/path/layer2 \
+  /home/user/path/layer3 \
+  "
+BBLAYERS += "/home/user/path/layer5"
+BBLAYERS += "/home/user/otherpath/layer6"
+"""
+        self._test_bblayers_edit(before, after,
+                                 ['/home/user/otherpath/layer6', '/home/user/path/layer3'], ['/home/user/path/layer1', '/home/user/path/layer4', '/home/user/path/layer7'],
+                                 ['/home/user/path/layer3'],
+                                 ['/home/user/path/layer7'])

bitbake/lib/bb/utils.py

@@ -1177,7 +1177,7 @@ def edit_metadata(meta_lines, variables, varfunc, match_overrides=False):
             if not skip:
                 if checkspc:
                     checkspc = False
-                    if newlines[-1] == '\n' and line == '\n':
+                    if newlines and newlines[-1] == '\n' and line == '\n':
                         # Squash blank line if there are two consecutive blanks after a removal
                         continue
                 newlines.append(line)
@@ -1201,7 +1201,19 @@ def edit_metadata_file(meta_file, variables, varfunc):
 
 
 def edit_bblayers_conf(bblayers_conf, add, remove):
-    """Edit bblayers.conf, adding and/or removing layers"""
+    """Edit bblayers.conf, adding and/or removing layers
+    Parameters:
+        bblayers_conf: path to bblayers.conf file to edit
+        add: layer path (or list of layer paths) to add; None or empty
+            list to add nothing
+        remove: layer path (or list of layer paths) to remove; None or
+            empty list to remove nothing
+    Returns a tuple:
+        notadded: list of layers specified to be added but weren't
+            (because they were already in the list)
+        notremoved: list of layers that were specified to be removed
+            but weren't (because they weren't in the list)
+    """
 
     import fnmatch
 
@@ -1210,6 +1222,13 @@ def edit_bblayers_conf(bblayers_conf, add, remove):
             pth = pth[:-1]
         return pth
 
+    approved = bb.utils.approved_variables()
+    def canonicalise_path(pth):
+        pth = remove_trailing_sep(pth)
+        if 'HOME' in approved and '~' in pth:
+            pth = os.path.expanduser(pth)
+        return pth
+
     def layerlist_param(value):
         if not value:
             return []
@@ -1218,49 +1237,80 @@ def edit_bblayers_conf(bblayers_conf, add, remove):
         else:
             return [remove_trailing_sep(value)]
 
-    notadded = []
-    notremoved = []
-
     addlayers = layerlist_param(add)
     removelayers = layerlist_param(remove)
 
     # Need to use a list here because we can't set non-local variables from a callback in python 2.x
     bblayercalls = []
+    removed = []
+    plusequals = False
+    orig_bblayers = []
+
+    def handle_bblayers_firstpass(varname, origvalue, op, newlines):
+        bblayercalls.append(op)
+        if op == '=':
+            del orig_bblayers[:]
+        orig_bblayers.extend([canonicalise_path(x) for x in origvalue.split()])
+        return (origvalue, None, 2, False)
 
     def handle_bblayers(varname, origvalue, op, newlines):
-        bblayercalls.append(varname)
         updated = False
         bblayers = [remove_trailing_sep(x) for x in origvalue.split()]
         if removelayers:
             for removelayer in removelayers:
-                matched = False
                 for layer in bblayers:
-                    if fnmatch.fnmatch(layer, removelayer):
+                    if fnmatch.fnmatch(canonicalise_path(layer), canonicalise_path(removelayer)):
                         updated = True
-                        matched = True
                         bblayers.remove(layer)
+                        removed.append(removelayer)
                         break
-                if not matched:
-                    notremoved.append(removelayer)
-        if addlayers:
+        if addlayers and not plusequals:
             for addlayer in addlayers:
                 if addlayer not in bblayers:
                     updated = True
                     bblayers.append(addlayer)
-                else:
-                    notadded.append(addlayer)
             del addlayers[:]
 
         if updated:
+            if op == '+=' and not bblayers:
+                bblayers = None
             return (bblayers, None, 2, False)
         else:
             return (origvalue, None, 2, False)
 
-    edit_metadata_file(bblayers_conf, ['BBLAYERS'], handle_bblayers)
+    with open(bblayers_conf, 'r') as f:
+        (_, newlines) = edit_metadata(f, ['BBLAYERS'], handle_bblayers_firstpass)
 
     if not bblayercalls:
         raise Exception('Unable to find BBLAYERS in %s' % bblayers_conf)
 
+    # Try to do the "smart" thing depending on how the user has laid out
+    # their bblayers.conf file
+    if bblayercalls.count('+=') > 1:
+        plusequals = True
+
+    removelayers_canon = [canonicalise_path(layer) for layer in removelayers]
+    notadded = []
+    for layer in addlayers:
+        layer_canon = canonicalise_path(layer)
+        if layer_canon in orig_bblayers and not layer_canon in removelayers_canon:
+            notadded.append(layer)
+    notadded_canon = [canonicalise_path(layer) for layer in notadded]
+    addlayers[:] = [layer for layer in addlayers if canonicalise_path(layer) not in notadded_canon]
+
+    (updated, newlines) = edit_metadata(newlines, ['BBLAYERS'], handle_bblayers)
+    if addlayers:
+        # Still need to add these
+        for addlayer in addlayers:
+            newlines.append('BBLAYERS += "%s"\n' % addlayer)
+        updated = True
+
+    if updated:
+        with open(bblayers_conf, 'w') as f:
+            f.writelines(newlines)
+
+    notremoved = list(set(removelayers) - set(removed))
+
     return (notadded, notremoved)
 
 

bitbake/lib/bs4/builder/_html5lib.py

@@ -11,7 +11,14 @@ from bs4.builder import (
     )
 from bs4.element import NamespacedAttribute
 import html5lib
+try:
+    # html5lib >= 0.99999999/1.0b9
+    from html5lib.treebuilders import base as treebuildersbase
+except ImportError:
+    # html5lib <= 0.9999999/1.0b8
+    from html5lib.treebuilders import _base as treebuildersbase
 from html5lib.constants import namespaces
+
 from bs4.element import (
     Comment,
     Doctype,
@@ -54,7 +61,7 @@ class HTML5TreeBuilder(HTMLTreeBuilder):
         return u'<html><head></head><body>%s</body></html>' % fragment
 
 
-class TreeBuilderForHtml5lib(html5lib.treebuilders._base.TreeBuilder):
+class TreeBuilderForHtml5lib(treebuildersbase.TreeBuilder):
 
     def __init__(self, soup, namespaceHTMLElements):
         self.soup = soup
@@ -92,7 +99,7 @@ class TreeBuilderForHtml5lib(html5lib.treebuilders._base.TreeBuilder):
         return self.soup
 
     def getFragment(self):
-        return html5lib.treebuilders._base.TreeBuilder.getFragment(self).element
+        return treebuildersbase.TreeBuilder.getFragment(self).element
 
 class AttrList(object):
     def __init__(self, element):
@@ -115,9 +122,9 @@ class AttrList(object):
         return name in list(self.attrs.keys())
 
 
-class Element(html5lib.treebuilders._base.Node):
+class Element(treebuildersbase.Node):
     def __init__(self, element, soup, namespace):
-        html5lib.treebuilders._base.Node.__init__(self, element.name)
+        treebuildersbase.Node.__init__(self, element.name)
         self.element = element
         self.soup = soup
         self.namespace = namespace
@@ -277,7 +284,7 @@ class Element(html5lib.treebuilders._base.Node):
 
 class TextNode(Element):
     def __init__(self, element, soup):
-        html5lib.treebuilders._base.Node.__init__(self, None)
+        treebuildersbase.Node.__init__(self, None)
         self.element = element
         self.soup = soup
 

bitbake/lib/toaster/bldcontrol/management/commands/runbuilds.py

@@ -5,6 +5,7 @@ from bldcontrol.bbcontroller import getBuildEnvironmentController, ShellCmdExcep
 from bldcontrol.models import BuildRequest, BuildEnvironment, BRError, BRVariable
 import os
 import logging
+import time
 
 logger = logging.getLogger("ToasterScheduler")
 
@@ -128,6 +129,12 @@ class Command(NoArgsCommand):
 
 
     def handle_noargs(self, **options):
-        self.cleanup()
-        self.archive()
-        self.schedule()
+        while True:
+            try:
+                self.cleanup()
+                self.archive()
+                self.schedule()
+            except:
+                pass
+
+            time.sleep(1)

documentation/adt-manual/adt-manual.xml

@@ -91,6 +91,21 @@
                 <date>October 2015</date>
                 <revremark>Released with the Yocto Project 2.0 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.1</revnumber>
+                <date>March 2016</date>
+                <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>
@@ -103,12 +118,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_ADT_URL;'>Yocto Project Application Developer's Guide</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Application Developer's Guide</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
 
     </legalnotice>
 

documentation/bsp-guide/bsp-guide.xml

@@ -103,6 +103,21 @@
                 <date>October 2015</date>
                 <revremark>Released with the Yocto Project 2.0 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.1</revnumber>
+                <date>March 2016</date>
+                <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -113,14 +128,48 @@
     <legalnotice>
       <para>
         Permission is granted to copy, distribute and/or modify this document under
-        the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-nc-sa/2.0/uk/">Creative Commons Attribution-Non-Commercial-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
+        the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-nc-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Board Support Package (BSP) Developer's Guide</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/dev-manual/dev-manual-common-tasks.xml

@@ -4558,9 +4558,17 @@
                             option or the equivalent rootfs derived from the
 			                <filename>-e</filename> command-line
 			                option.
-                            Exactly what those contents and
-			                filesystem type end up being are dependent
-			                on the given plugin implementation.
+                            Exactly what those contents and filesystem type end
+                            up being are dependent on the given plugin
+                            implementation.
+                            </para>
+                            <para>If you do not use the
+                            <filename>--source</filename> option, the
+                            <filename>wic</filename> command creates an empty
+                            partition.
+                            Consequently, you must use the
+                            <filename>--size</filename> option to specify the
+                            size of the empty partition.
                             </para></listitem>
                         <listitem><para><emphasis><filename>--ondisk</filename> or <filename>--ondrive</filename>:</emphasis>
                             Forces the partition to be created on a particular
@@ -4604,6 +4612,49 @@
                             This option is a <filename>wic</filename>-specific
                             option that says to start a partition on an
                             x KBytes boundary.</para></listitem>
+                        <listitem><para><emphasis><filename>--no-table</filename>:</emphasis>
+                            This option is a <filename>wic</filename>-specific
+                            option.
+                            Using the option reserves space for the partition
+                            and causes it to become populated.
+                            However, the partition is not added to the
+                            partition table.
+                            </para></listitem>
+                        <listitem><para><emphasis><filename>--extra-space</filename>:</emphasis>
+                            This option is a <filename>wic</filename>-specific
+                            option that adds extra space after the space
+                            filled by the content of the partition.
+                            The final size can go beyond the size specified
+                            by the <filename>--size</filename> option.
+                            The default value is 10 Mbytes.
+                            </para></listitem>
+                        <listitem><para><emphasis><filename>--overhead-factor</filename>:</emphasis>
+                            This option is a <filename>wic</filename>-specific
+                            option that multiplies the size of the partition by
+                            the option's value.
+                            You must supply a value greater than or equal to
+                            "1".
+                            The default value is "1.3".
+                            </para></listitem>
+                        <listitem><para><emphasis><filename>--part-type</filename>:</emphasis>
+                            This option is a <filename>wic</filename>-specific
+                            option that specifies the partition type globally
+                            unique identifier (GUID) for GPT partitions.
+                            You can find the list of partition type GUIDs
+                            at
+                            <ulink url='http://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs'></ulink>.
+                            </para></listitem>
+                        <listitem><para><emphasis><filename>--use-uuid</filename>:</emphasis>
+                            This option is a <filename>wic</filename>-specific
+                            option that causes <filename>wic</filename> to
+                            generate a random GUID for the partition.
+                            The generated identifier is used in the bootloader
+                            configuration to specify the root partition.
+                            </para></listitem>
+                        <listitem><para><emphasis><filename>--uuid</filename>:</emphasis>
+                            This option is a <filename>wic</filename>-specific
+                            option that specifies the partition UUID.
+                            </para></listitem>
                     </itemizedlist>
                 </para>
             </section>
@@ -6683,26 +6734,29 @@
                 </para>
 
                 <para>
-                    If a committed change results in changing the package output,
-                    then the value of the PR variable needs to be increased
-                    (or "bumped") as part of that commit.
+                    If a committed change results in changing the package
+                    output, then the value of the PR variable needs to be
+                    increased (or "bumped") as part of that commit.
                     For new recipes you should add the <filename>PR</filename>
-                    variable and set its initial value equal to "r0", which is the default.
-                    Even though the default value is "r0", the practice of adding it to a new recipe makes
-                    it harder to forget to bump the variable when you make changes
-                    to the recipe in future.
+                    variable and set its initial value equal to "r0", which is
+                    the default.
+                    Even though the default value is "r0", the practice of
+                    adding it to a new recipe makes it harder to forget to bump
+                    the variable when you make changes to the recipe in future.
                 </para>
 
                 <para>
-                    If you are sharing a common <filename>.inc</filename> file with multiple recipes,
-                    you can also use the
+                    If you are sharing a common <filename>.inc</filename> file
+                    with multiple recipes, you can also use the
                     <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-INC_PR'>INC_PR</ulink></filename>
-                    variable to ensure that
-                    the recipes sharing the <filename>.inc</filename> file are rebuilt when the
+                    variable to ensure that the recipes sharing the
+                    <filename>.inc</filename> file are rebuilt when the
                     <filename>.inc</filename> file itself is changed.
-                    The <filename>.inc</filename> file must set <filename>INC_PR</filename>
-                    (initially to "r0"), and all recipes referring to it should set <filename>PR</filename>
-                    to "$(INC_PR).0" initially, incrementing the last number when the recipe is changed.
+                    The <filename>.inc</filename> file must set
+                    <filename>INC_PR</filename> (initially to "r0"), and all
+                    recipes referring to it should set <filename>PR</filename>
+                    to "${INC_PR}.0" initially, incrementing the last number
+                    when the recipe is changed.
                     If the <filename>.inc</filename> file is changed then its
                     <filename>INC_PR</filename> should be incremented.
                 </para>
@@ -6711,14 +6765,14 @@
                     When upgrading the version of a package, assuming the
                     <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PV'>PV</ulink></filename>
                     changes, the <filename>PR</filename> variable should be
-                    reset to "r0" (or "$(INC_PR).0" if you are using
+                    reset to "r0" (or "${INC_PR}.0" if you are using
                     <filename>INC_PR</filename>).
                 </para>
 
                 <para>
                     Usually, version increases occur only to packages.
-                    However, if for some reason <filename>PV</filename> changes but does not
-                    increase, you can increase the
+                    However, if for some reason <filename>PV</filename> changes
+                    but does not increase, you can increase the
                     <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PE'>PE</ulink></filename>
                     variable (Package Epoch).
                     The <filename>PE</filename> variable defaults to "0".
@@ -6728,7 +6782,8 @@
                     Version numbering strives to follow the
                     <ulink url='http://www.debian.org/doc/debian-policy/ch-controlfields.html'>
                     Debian Version Field Policy Guidelines</ulink>.
-                    These guidelines define how versions are compared and what "increasing" a version means.
+                    These guidelines define how versions are compared and what
+                    "increasing" a version means.
                 </para>
             </section>
         </section>
@@ -9890,6 +9945,28 @@
                 Adding these statements to the configuration file ensures
                 that the licenses collected during package generation
                 are included on your image.
+                <note>
+                    <para>Setting all three variables to "1" results in the
+                    image having two copies of the same license file.
+                    One copy resides in
+                    <filename>/usr/share/common-licenses</filename> and
+                    the other resides in
+                    <filename>/usr/share/license</filename>.</para>
+
+                    <para>The reason for this behavior is because
+                    <ulink url='&YOCTO_DOCS_REF_URL;#var-COPY_LIC_DIRS'><filename>COPY_LIC_DIRS</filename></ulink>
+                    and
+                    <ulink url='&YOCTO_DOCS_REF_URL;#var-COPY_LIC_MANIFEST'><filename>COPY_LIC_MANIFEST</filename></ulink>
+                    add a copy of the license when the image is built but do not
+                    offer a path for adding licenses for newly installed packages
+                    to an image.
+                    <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE_CREATE_PACKAGE'><filename>LICENSE_CREATE_PACKAGE</filename></ulink>
+                    adds a separate package and an upgrade path for adding
+                    licenses to an image.</para>
+                </note>
+            </para>
+
+            <para>
                 As the source archiver has already archived the original
                 unmodified source that contains the license files,
                 you would have already met the requirements for inclusion

documentation/dev-manual/dev-manual-qemu.xml

@@ -197,28 +197,40 @@
                     but also is not as easy to use or comprehensive
                     as the default.
                     </para></listitem>
-                <listitem><para><filename>kvm</filename>:
+                <listitem><para id='kvm-cond'><filename>kvm</filename>:
                     Enables KVM when running "qemux86" or "qemux86-64"
                     QEMU architectures.
                     For KVM to work, all the following conditions must be met:
                     <itemizedlist>
                         <listitem><para>
                             Your <replaceable>MACHINE</replaceable> must be either
-                            "qemux86" or "qemux86-64".
+qemux86" or "qemux86-64".
                             </para></listitem>
                         <listitem><para>
                             Your build host has to have the KVM modules
                             installed, which are
                             <filename>/dev/kvm</filename>.
                             </para></listitem>
-                        <listitem><para>
-                            Your build host has to have virtio net device, which
-                            are <filename>/dev/vhost-net</filename>.
-                            </para></listitem>
                         <listitem><para>
                             The  build host <filename>/dev/kvm</filename>
                             directory has to be both writable and readable.
                             </para></listitem>
+                    </itemizedlist>
+                    </para></listitem>
+                <listitem><para><filename>kvm-vhost</filename>:
+                    Enables KVM with VHOST support when running "qemux86" or "qemux86-64"
+                    QEMU architectures.
+                    For KVM with VHOST to work, the following conditions must
+                    be met:
+                    <itemizedlist>
+                        <listitem><para>
+                            <link linkend='kvm-cond'>kvm</link> option
+                            conditions must be met.
+                            </para></listitem>
+                        <listitem><para>
+                            Your build host has to have virtio net device, which
+                            are <filename>/dev/vhost-net</filename>.
+                            </para></listitem>
                         <listitem><para>
                             The build host <filename>/dev/vhost-net</filename>
                             directory has to be either readable or writable

documentation/dev-manual/dev-manual.xml

@@ -81,6 +81,21 @@
                 <date>October 2015</date>
                 <revremark>Released with the Yocto Project 2.0 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.1</revnumber>
+                <date>March 2016</date>
+                <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -96,12 +111,46 @@
           Creative Commons.
       </para>
 
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_DEV_URL;'>Yocto Project Development Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Development Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/kernel-dev/kernel-dev-common.xml

@@ -383,9 +383,10 @@
 
             <para>
                 The resulting <filename>.config</filename> file is
-                located in
-                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename> under the
-                <filename>linux-${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink><filename>}-${<ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></ulink>}-build</filename> directory.
+                located in the build directory,
+                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-B'><filename>B</filename></ulink><filename>}</filename>,
+                which expands to
+                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename><filename>/linux-</filename><filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink><filename>}-${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></ulink><filename>}-build</filename>.
                 You can use the entire <filename>.config</filename> file as the
                 <filename>defconfig</filename> file as described in the
                 "<link linkend='changing-the-configuration'>Changing the Configuration</link>" section.
@@ -393,6 +394,16 @@
                 see the
                 "<ulink url='&YOCTO_DOCS_DEV_URL;#using-menuconfig'>Using <filename>menuconfig</filename></ulink>"
                 section in the Yocto Project Development Manual.
+                <note>
+                    You can determine what a variable expands to by looking
+                    at the output of the <filename>bitbake -e</filename>
+                    command:
+                    <literallayout class='monospaced'>
+     $ bitbake -e virtual/kernel
+                    </literallayout>
+                    Search the output for the variable in which you are
+                    interested to see exactly how it is expanded and used.
+                </note>
             </para>
 
             <para>
@@ -511,8 +522,14 @@
                 </literallayout>
                 Taking this step ensures you have the sources prepared
                 and the configuration completed.
-                You can find the sources in the
-                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}/linux</filename> directory.
+                You can find the sources in the build directory within the
+                <filename>source/</filename> directory, which is a symlink
+                (i.e. <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-B'><filename>B</filename></ulink><filename>}/source</filename>).
+                The <filename>source/</filename> directory expands to
+                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename><filename>/linux-</filename><filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink><filename>}-${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></ulink><filename>}-build/source</filename>.
+                The directory pointed to by the
+                <filename>source/</filename> symlink is also known as
+                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_KERNEL_DIR'><filename>STAGING_KERNEL_DIR</filename></ulink><filename>}</filename>.
             </para>
 
             <para>

documentation/kernel-dev/kernel-dev.xml

@@ -66,6 +66,21 @@
                 <date>October 2015</date>
                 <revremark>Released with the Yocto Project 2.0 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.1</revnumber>
+                <date>March 2016</date>
+                <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -78,12 +93,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;'>Yocto Project Linux Kernel Development Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Linux Kernel Development Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/mega-manual/mega-manual.xml

@@ -50,6 +50,21 @@
                 <date>October 2015</date>
                 <revremark>Released with the Yocto Project 2.0 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.1</revnumber>
+                <date>March 2016</date>
+                <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>
@@ -62,12 +77,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_MM_URL;'>Yocto Project Mega-Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Mega-Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
 
     </legalnotice>
 

documentation/poky.ent

@@ -1,11 +1,12 @@
-<!ENTITY DISTRO "2.0">
-<!ENTITY DISTRO_COMPRESSED "20">
+<!ENTITY DISTRO "2.0.3">
+<!ENTITY DISTRO_COMPRESSED "203">
 <!ENTITY DISTRO_NAME "jethro">
-<!ENTITY YOCTO_DOC_VERSION "2.0">
-<!ENTITY POKYVERSION "15.0.0">
-<!ENTITY POKYVERSION_COMPRESSED "1400">
+<!ENTITY YOCTO_DOC_VERSION "2.0.3">
+<!ENTITY POKYVERSION "14.0.3">
+<!ENTITY POKYVERSION_COMPRESSED "1403">
+<!ENTITY DISTRO_NAME_NO_CAP "jethro">
 <!ENTITY YOCTO_POKY "poky-&DISTRO_NAME;-&POKYVERSION;">
-<!ENTITY COPYRIGHT_YEAR "2010-2015">
+<!ENTITY COPYRIGHT_YEAR "2010-2016">
 <!ENTITY YOCTO_DL_URL "http://downloads.yoctoproject.org">
 <!ENTITY YOCTO_HOME_URL "http://www.yoctoproject.org">
 <!ENTITY YOCTO_LISTS_URL "http://lists.yoctoproject.org">
@@ -67,4 +68,5 @@
 <!ENTITY OPENSUSE_HOST_PACKAGES_ESSENTIAL "python gcc gcc-c++ git chrpath make wget python-xml \
      diffstat makeinfo python-curses patch socat">
 <!ENTITY CENTOS_HOST_PACKAGES_ESSENTIAL "gawk make wget tar bzip2 gzip python unzip perl patch \
-     diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath socat">
+     diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath socat \
+     perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue">

documentation/profile-manual/profile-manual-intro.xml

@@ -67,8 +67,10 @@
                 By default, the Yocto build system strips symbols from the
                 binaries it packages, which makes it difficult to use some
                 of the tools.
-                </para><para>You can prevent that by putting the following
-                in your local.conf when you build the image:
+                </para><para>You can prevent that by setting the
+                <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_STRIP'><filename>INHIBIT_PACKAGE_STRIP</filename></ulink>
+                variable to "1" in your
+                <filename>local.conf</filename> when you build the image:
                 </para>
             </note>
             <literallayout class='monospaced'>

documentation/profile-manual/profile-manual-usage.xml

@@ -60,8 +60,11 @@
 
         <para>
             In particular, you'll get the most mileage out of perf if you
-            profile an image built with INHIBIT_PACKAGE_STRIP = "1" in your
-            local.conf.
+            profile an image built with the following in your
+            <filename>local.conf</filename> file:
+            <literallayout class='monospaced'>
+     <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_STRIP'>INHIBIT_PACKAGE_STRIP</ulink> = "1"
+            </literallayout>
         </para>
 
         <para>
@@ -355,10 +358,10 @@
             </para>
 
             <para>
-                One way around that is to put the following in your local.conf
-                when you build the image:
+                One way around that is to put the following in your
+                <filename>local.conf</filename> file when you build the image:
                 <literallayout class='monospaced'>
-     INHIBIT_PACKAGE_STRIP = "1"
+     <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_STRIP'>INHIBIT_PACKAGE_STRIP</ulink> = "1"
                 </literallayout>
                 However, we already have an image with the binaries stripped,
                 so what can we do to get perf to resolve the symbols? Basically

documentation/profile-manual/profile-manual.xml

@@ -66,6 +66,21 @@
                 <date>October 2015</date>
                 <revremark>Released with the Yocto Project 2.0 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.1</revnumber>
+                <date>March 2016</date>
+                <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -81,12 +96,46 @@
           Creative Commons.
       </para>
 
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_PROF_URL;'>Yocto Project Profiling and Tracing Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Profiling and Tracing Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/ref-manual/closer-look.xml

@@ -254,9 +254,24 @@
 
         <para>
             When you launch your build with the
-            <filename>bitbake <replaceable>target</replaceable></filename> command, BitBake
-            sorts out the configurations to ultimately define your build
-            environment.
+            <filename>bitbake <replaceable>target</replaceable></filename>
+            command, BitBake sorts out the configurations to ultimately
+            define your build environment.
+            It is important to understand that the OpenEmbedded build system
+            reads the configuration files in a specific order:
+            <filename>site.conf</filename>, <filename>auto.conf</filename>,
+            and <filename>local.conf</filename>.
+            And, the build system applies the normal assignment statement
+            rules.
+            Because the files are parsed in a specific order, variable
+            assignments for the same variable could be affected.
+            For example, if the <filename>auto.conf</filename> file and
+            the <filename>local.conf</filename> set
+            <replaceable>variable1</replaceable> to different values, because
+            the build system parses <filename>local.conf</filename> after
+            <filename>auto.conf</filename>,
+            <replaceable>variable1</replaceable> is assigned the value from
+            the <filename>local.conf</filename> file.
         </para>
     </section>
 

documentation/ref-manual/introduction.xml

@@ -154,11 +154,14 @@
                 <listitem><para>Ubuntu 13.10</para></listitem> -->
                 <listitem><para>Ubuntu 14.04 (LTS)</para></listitem>
                 <listitem><para>Ubuntu 14.10</para></listitem>
+                <listitem><para>Ubuntu 15.04</para></listitem>
+                <listitem><para>Ubuntu 15.10</para></listitem>
 <!--                <listitem><para>Fedora 16 (Verne)</para></listitem>
                 <listitem><para>Fedora 17 (Spherical)</para></listitem>
                 <listitem><para>Fedora release 19 (Schrödinger's Cat)</para></listitem>
                 <listitem><para>Fedora release 20 (Heisenbug)</para></listitem> -->
                 <listitem><para>Fedora release 21</para></listitem>
+                <listitem><para>Fedora release 22</para></listitem>
 <!--                <listitem><para>CentOS release 5.6 (Final)</para></listitem>
                 <listitem><para>CentOS release 5.7 (Final)</para></listitem>
                 <listitem><para>CentOS release 5.8 (Final)</para></listitem>
@@ -281,7 +284,7 @@
                         support or if you are going to use the Eclipse
                         IDE:
                         <literallayout class='monospaced'>
-     $ sudo dnf install SDL-devel xterm perl-Thread-Queue
+     $ sudo dnf install SDL-devel xterm
                         </literallayout></para></listitem>
                     <listitem><para><emphasis>Documentation:</emphasis>
                         Packages needed if you are going to build out the
@@ -356,14 +359,14 @@
                 The following list shows the required packages by function
                 given a supported CentOS Linux distribution:
                 <note>
-                    For CentOS 6.x, some of the versions of the components
-                    provided by the distribution are too old (e.g. Git, Python,
-                    and tar).
-                    It is recommended that you install the buildtools in order
-                    to provide versions that will work with the OpenEmbedded
-                    build system.
-                    For information on how to install the buildtools tarball,
-                    see the
+                    For CentOS 6.x, some of the versions
+                    of the components provided by the distribution are
+                    too old (e.g. Git, Python, and tar).
+                    It is recommended that you install the buildtools
+                    in order to provide versions that will work with
+                    the OpenEmbedded build system.
+                    For information on how to install the buildtools
+                    tarball, see the
                     "<link linkend='required-git-tar-and-python-versions'>Required Git, Tar, and Python Versions</link>"
                     section.
                 </note>
@@ -372,33 +375,42 @@
                         Packages needed to build an image for a headless
                         system:
                         <literallayout class='monospaced'>
-     $ sudo dnf install &CENTOS_HOST_PACKAGES_ESSENTIAL;
+     $ sudo yum install &CENTOS_HOST_PACKAGES_ESSENTIAL;
                         </literallayout></para></listitem>
                     <listitem><para><emphasis>Graphical and Eclipse Plug-In Extras:</emphasis>
                         Packages recommended if the host system has graphics
                         support or if you are going to use the Eclipse
                         IDE:
                         <literallayout class='monospaced'>
-     $ sudo dnf install SDL-devel xterm
+     $ sudo yum install SDL-devel xterm
                         </literallayout></para></listitem>
                     <listitem><para><emphasis>Documentation:</emphasis>
                         Packages needed if you are going to build out the
                         Yocto Project documentation manuals:
                         <literallayout class='monospaced'>
-     $ sudo dnf install make docbook-style-dsssl docbook-style-xsl \
+     $ sudo yum install make docbook-style-dsssl docbook-style-xsl \
      docbook-dtds docbook-utils fop libxslt dblatex xmlto xsltproc
                         </literallayout></para></listitem>
                     <listitem><para><emphasis>ADT Installer Extras:</emphasis>
                         Packages needed if you are going to be using the
                         <ulink url='&YOCTO_DOCS_ADT_URL;#using-the-adt-installer'>Application Development Toolkit (ADT) Installer</ulink>:
                         <literallayout class='monospaced'>
-     $ sudo dnf install autoconf automake libtool glib2-devel libarchive-devel
-                        </literallayout></para></listitem>
+     $ sudo yum install autoconf automake libtool glib2-devel libarchive-devel
+                        </literallayout>
+                        <note>
+                            For CentOS 6.x, in order for the
+                            ADT installer script to work, you must have
+                            installed the <filename>liblzma5</filename>,
+                            <filename>libarchive3.x</filename>, and
+                            <filename>libarchive-devel-3.1.3</filename>
+                            (or newer) packages, in that order.
+                        </note>
+                        </para></listitem>
                     <listitem><para><emphasis>OpenEmbedded Self-Test (<filename>oe-selftest</filename>):</emphasis>
                         Packages needed if you are going to run
                         <filename>oe-selftest</filename>:
                         <literallayout class='monospaced'>
-     $ sudo dnf install GitPython
+     $ sudo yum install GitPython
                         </literallayout>
                         </para></listitem>
                 </itemizedlist>

documentation/ref-manual/migration.xml

@@ -2343,8 +2343,10 @@
         </para>
 
         <para>
-            For further details, please see
-            <ulink url='https://gcc.gnu.org/gcc-5/changes.html'></ulink>.
+            For further details, see
+            <ulink url='https://gcc.gnu.org/gcc-5/changes.html'></ulink> and
+            the porting guide at
+            <ulink url='https://gcc.gnu.org/gcc-5/porting_to.html'></ulink>.
         </para>
 
         <para>

documentation/ref-manual/ref-classes.xml

@@ -3225,10 +3225,10 @@
     <title><filename>staging.bbclass</filename></title>
 
     <para>
-        The <filename>staging</filename> class provides support for staging
-        files into the sysroot during the
+        The <filename>staging</filename> class provides the
         <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
-        task.
+        task, which stages files into the sysroot to make them available to
+        other recipes at build time.
         The class is enabled by default because it is inherited by the
         <link linkend='ref-classes-base'><filename>base</filename></link>
         class.

documentation/ref-manual/ref-manual.xml

@@ -97,6 +97,21 @@
                 <date>October 2015</date>
                 <revremark>Released with the Yocto Project 2.0 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.1</revnumber>
+                <date>March 2016</date>
+                <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -109,12 +124,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_REF_URL;'>Yocto Project Reference Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Reference Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/ref-manual/ref-variables.xml

@@ -2354,7 +2354,20 @@
                     <filename>/usr/share/common-licenses</filename>,
                     for each package.
                     The license files are placed
-                    in directories within the image itself.
+                    in directories within the image itself during build time.
+                    <note>
+                        The <filename>COPY_LIC_DIRS</filename> does not
+                        offer a path for adding licenses for newly installed
+                        packages to an image, which might be most suitable
+                        for read-only filesystems that cannot be upgraded.
+                        See the
+                        <link linkend='var-LICENSE_CREATE_PACKAGE'><filename>LICENSE_CREATE_PACKAGE</filename></link>
+                        variable for additional information.
+                        You can also reference the
+                        "<ulink url='&YOCTO_DOCS_DEV_URL;#providing-license-text'>Providing License Text</ulink>"
+                        section in the Yocto Project Development Manual for
+                        information on providing license text.
+                    </note>
                 </para>
             </glossdef>
         </glossentry>
@@ -2369,7 +2382,20 @@
                     If set to "1", the OpenEmbedded build system copies
                     the license manifest for the image to
                     <filename>/usr/share/common-licenses/license.manifest</filename>
-                    within the image itself.
+                    within the image itself during build time.
+                    <note>
+                        The <filename>COPY_LIC_MANIFEST</filename> does not
+                        offer a path for adding licenses for newly installed
+                        packages to an image, which might be most suitable
+                        for read-only filesystems that cannot be upgraded.
+                        See the
+                        <link linkend='var-LICENSE_CREATE_PACKAGE'><filename>LICENSE_CREATE_PACKAGE</filename></link>
+                        variable for additional information.
+                        You can also reference the
+                        "<ulink url='&YOCTO_DOCS_DEV_URL;#providing-license-text'>Providing License Text</ulink>"
+                        section in the Yocto Project Development Manual for
+                        information on providing license text.
+                    </note>
                 </para>
             </glossdef>
         </glossentry>
@@ -5768,32 +5794,45 @@
                     Specifies the complete list of supported image types
                     by default:
                     <literallayout class='monospaced'>
-     jffs2
-     jffs2.sum
-     cramfs
-     ext2
-     ext2.gz
-     ext2.bz2
-     ext3
-     ext3.gz
-     ext2.lzma
      btrfs
-     live
-     squashfs
-     squashfs-xz
-     ubi
-     ubifs
-     tar
-     tar.gz
-     tar.bz2
-     tar.xz
      cpio
      cpio.gz
-     cpio.xz
+     cpio.lz4
      cpio.lzma
+     cpio.xz
+     cramfs
+     elf
+     ext2
+     ext2.bz2
+     ext2.gz
+     ext2.lzma
+     ext3
+     ext3.gz
+     ext4
+     ext4.gz
+     hdddirect
+     hddimg
+     iso
+     jffs2
+     jffs2.sum
+     multiubi
+     qcow2
+     squashfs
+     squashfs-lzo
+     squashfs-xz
+     tar
+     tar.bz2
+     tar.gz
+     tar.lz4
+     tar.xz
+     ubi
+     ubifs
      vdi
      vmdk
-     elf
+     wic
+     wic.bz2
+     wic.gz
+     wic.lzma
                     </literallayout>
                 </para>
 
@@ -5926,7 +5965,7 @@ recipes-graphics/xorg-font/font-alias_1.0.3.bb:PR = "${INC_PR}.3"
 
         <glossentry id='var-INHIBIT_PACKAGE_DEBUG_SPLIT'><glossterm>INHIBIT_PACKAGE_DEBUG_SPLIT</glossterm>
             <info>
-                INHIBIT_PACKAGE_STRIP[doc] = "If set to "1", causes the build to not strip binaries in resulting packages."
+                INHIBIT_PACKAGE_DEBUG_SPLIT[doc] = "If set to "1", prevents the OpenEmbedded build system from splitting out debug information during packaging"
             </info>
             <glossdef>
                 <para role="glossdeffirst">
@@ -7166,6 +7205,49 @@ recipes-graphics/xorg-font/font-alias_1.0.3.bb:PR = "${INC_PR}.3"
             </glossdef>
         </glossentry>
 
+        <glossentry id='var-LICENSE_CREATE_PACKAGE'><glossterm>LICENSE_CREATE_PACKAGE</glossterm>
+            <info>
+                LICENSE_CREATE_PACKAGE[doc] = "Creates an extra package (i.e. ${PN}-lic) for each recipe and adds that package to the RRECOMMENDS+${PN}."
+            </info>
+            <glossdef>
+                <para role="glossdeffirst">
+<!--                <para role="glossdeffirst"><imagedata fileref="figures/define-generic.png" /> -->
+                        Setting <filename>LICENSE_CREATE_PACKAGE</filename>
+                        to "1" causes the OpenEmbedded build system to create
+                        an extra package (i.e.
+                        <filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}-lic</filename>)
+                        for each recipe and to add those packages to the
+                        <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link><filename>_${PN}</filename>.
+                </para>
+
+                <para>
+                    The <filename>${PN}-lic</filename> package installs a
+                    directory in <filename>/usr/share/licenses</filename>
+                    named <filename>${PN}</filename>, which is the recipe's
+                    base name, and installs files in that directory that
+                    contain license and copyright information (i.e. copies of
+                    the appropriate license files from
+                    <filename>meta/common-licenses</filename> that match the
+                    licenses specified in the
+                    <link linkend='var-LICENSE'><filename>LICENSE</filename></link>
+                    variable of the recipe metadata and copies of files marked
+                    in
+                    <link linkend='var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></link>
+                    as containing license text).
+                </para>
+
+                <para>
+                    For related information on providing license text, see the
+                    <link linkend='var-COPY_LIC_DIRS'><filename>COPY_LIC_DIRS</filename></link>
+                    variable, the
+                    <link linkend='var-COPY_LIC_MANIFEST'><filename>COPY_LIC_MANIFEST</filename></link>
+                    variable, and the
+                    "<ulink url='&YOCTO_DOCS_DEV_URL;#providing-license-text'>Providing License Text</ulink>"
+                    section in the Yocto Project Development Manual.
+                </para>
+            </glossdef>
+        </glossentry>
+
         <glossentry id='var-LICENSE_FLAGS'><glossterm>LICENSE_FLAGS</glossterm>
             <info>
                 LICENSE_FLAGS[doc] = "Specifies additional flags for a recipe you must whitelist through LICENSE_FLAGS_WHITELIST in order to allow the recipe to be built."
@@ -10544,6 +10626,20 @@ recipes-graphics/xorg-font/font-alias_1.0.3.bb:PR = "${INC_PR}.3"
      poky/build/tmp/work/qemux86-poky-linux/db/5.1.19-r3/db-5.1.19
                     </literallayout>
                 </para>
+
+                <para>
+                    This next example assumes a Git repository.
+                    By default, Git repositories are cloned to
+                    <filename>${WORKDIR}/git</filename> during
+                    <link linkend='ref-tasks-fetch'><filename>do_fetch</filename></link>.
+                    Since this path is different from the default value of
+                    <filename>S</filename>, you must set it specifically
+                    so the source can be located:
+                    <literallayout class='monospaced'>
+     SRC_URI = "git://path/to/repo.git"
+     S = "${WORKDIR}/git"
+                    </literallayout>
+                </para>
             </glossdef>
         </glossentry>
 

documentation/toaster-manual/toaster-manual-reference.xml

@@ -662,7 +662,6 @@
          "IMAGE_FSTYPES": "ext3 jffs2 tar.bz2",
          "IMAGE_INSTALL_append": "",
          "PACKAGE_CLASSES": "package_rpm",
-         "SDKMACHINE"   : "x86_64"
      },
                     </literallayout>
                 </para>

documentation/toaster-manual/toaster-manual-setup-and-use.xml

@@ -318,6 +318,7 @@
              'PASSWORD': 'yourpasswordhere',
              'HOST': 'localhost',
              'PORT': '3306',
+        }
      }
                                 </literallayout>
                                 </para></listitem>
@@ -347,7 +348,7 @@
                         server defined earlier:
                         <literallayout class='monospaced'>
      $ mysql -u root -p
-     mysql> CREATE DATABASE toaster;
+     mysql> CREATE DATABASE toaster_data;
      mysql> CREATE USER 'toaster'@'localhost' identified by 'yourpasswordhere';
      mysql> GRANT all on toaster_data.* to 'toaster'@'localhost';
      mysql> quit
@@ -358,9 +359,9 @@
                         default data, and gather the statically-served files:
                         <literallayout class='monospaced'>
      $ cd  /var/www/toaster/poky/
-     $ ./bitbake/lib/toaster/manage.py syncdb --migrate
-     $ ./bitbake/lib/toaster/manage.py loadconf ./meta-yocto/conf/toasterconf.json
-     $ ./bitbake/lib/toaster/manage.py lsupdates
+     $ ./bitbake/lib/toaster/manage.py syncdb
+     $ ./bitbake/lib/toaster/manage.py migrate
+     $ TOASTER_DIR=`pwd` TOASTER_CONF=./meta-yocto/conf/toasterconf.json ./bitbake/lib/toaster/manage.py checksettings
      $ ./bitbake/lib/toaster/manage.py collectstatic
                         </literallayout>
                         </para>
@@ -368,33 +369,41 @@
                         <para>
                             For the above set of commands, after moving to the
                             <filename>poky</filename> directory,
-                            the <filename>syncdb</filename> command with the
-                            <filename>migrate</filename> option makes sure the database
+                            the <filename>syncdb</filename> and <filename>migrate</filename>
+                            commands ensure the database
                             schema has had changes propagated correctly (i.e.
                             migrations).
-                            See the
-                            <ulink url='https://south.readthedocs.org/en/latest/commands.html#syncdb'><filename>syncdb</filename></ulink>
-                            command for more information.
                         </para>
 
                         <para>
-                            The
-                            <link linkend='toaster-command-loadconf'><filename>loadconf</filename></link>
-                            command loads the
-                            <filename>./meta-yocto/conf/toasterconf.json</filename>
-                            JSON file.
+                            The next line sets the Toaster root directory
+                            <filename>TOASTER_DIR</filename> and the location of
+                            the Toaster configuration file
+                            <filename>TOASTER_CONF</filename>, which is
+                            relative to the Toaster root directory
+                            <filename>TOASTER_DIR</filename>.
+                            For more information on the Toaster configuration file
+                            <filename>TOASTER_CONF</filename>, see the
+                            <link linkend='toaster-json-files'>JSON Files</link>
+                            section of this manual.
                         </para>
 
                         <para>
-                            The <filename>lsupdates</filename> command fetches
-                            information about machines, recipes and
-                            layers available as part of OpenEmbedded.
-                            The information is fetched from the
-                            <ulink url='http://layers.openembedded.org/'>OpenEmbedded Metadata Index</ulink>.
-                            This information provides easy access to metadata
-                            from Toaster, and it is key for Toaster's usability.
-                            It is not recommended that you use Toaster without
-                            fetching this information."
+                            This line also runs the <filename>checksettings</filename>
+                            command, which configures the location of the Toaster
+                            <ulink url='&YOCTO_DOCS_DEV_URL;#build-directory'>Build directory</ulink>.
+                            The Toaster root directory <filename>TOASTER_DIR</filename>
+                            determines where the Toaster build directory
+                            is created on the file system.
+                            In the example above,
+                            <filename>TOASTER_DIR</filename> is set as follows:
+                            <literallayout class="monospaced">
+     /var/www/toaster/poky
+                            </literallayout>
+                            This setting causes the Toaster build directory to be:
+                            <literallayout class="monospaced">
+     /var/www/toaster/poky/build
+                            </literallayout>
                         </para>
 
                         <para>
@@ -402,8 +411,6 @@
                             is a Django framework command that collects all the
                             statically served files into a designated directory to
                             be served up by the Apache web server.
-                            For more information on this Django command, see
-                            <ulink url='https://docs.djangoproject.com/en/1.7/ref/contrib/staticfiles/'></ulink>.
                         </para></listitem>
                     <listitem><para>
                         Add an Apache configuration file for Toaster to your Apache web
@@ -438,6 +445,7 @@
                         <literallayout class='monospaced'>
      $ sudo a2enmod wsgi
      $ sudo a2enconf toaster
+     $ chmod +x bitbake/lib/toaster/toastermain/wsgi.py
                         </literallayout>
                         Finally, restart Apache to make sure all new configuration
                         is loaded.

documentation/toaster-manual/toaster-manual.xml

@@ -41,6 +41,21 @@
                 <date>October 2015</date>
                 <revremark>Released with the Yocto Project 2.0 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.1</revnumber>
+                <date>March 2016</date>
+                <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>
@@ -53,12 +68,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_TOAST_URL;'>Toaster User Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Toaster User Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
 
     </legalnotice>
 

documentation/tools/mega-manual.sed

@@ -2,32 +2,32 @@
 # This style is for manual folders like "yocto-project-qs" and "poky-ref-manual".
 # This is the old way that did it.  Can't do that now that we have "bitbake-user-manual" strings
 # in the mega-manual.
-# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/[a-z]*-[a-z]*-[a-z]*\/[a-z]*-[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/poky-ref-manual\/poky-ref-manual.html#/\"link\" href=\"#/g
+# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/[a-z]*-[a-z]*-[a-z]*\/[a-z]*-[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/poky-ref-manual\/poky-ref-manual.html#/\"link\" href=\"#/g
 
 # Processes all other manuals (<word>-<word> style) except for the BitBake User Manual because
 # it is not included in the mega-manual.
 # This style is for manual folders that use two word, which is the standard now (e.g. "ref-manual").
 # This was the one-liner that worked before we introduced the BitBake User Manual, which is
 # not in the mega-manual.
-# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/[a-z]*-[a-z]*\/[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
+# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/[a-z]*-[a-z]*\/[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
 
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/adt-manual\/adt-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/bsp-guide\/bsp-guide.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/dev-manual\/dev-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/kernel-dev\/kernel-dev.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/profile-manual\/profile-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/ref-manual\/ref-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/toaster-manual\/toaster-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/adt-manual\/adt-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/bsp-guide\/bsp-guide.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/dev-manual\/dev-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/kernel-dev\/kernel-dev.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/profile-manual\/profile-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/ref-manual\/ref-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/toaster-manual\/toaster-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
 
 # Process cases where just an external manual is referenced without an id anchor
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/yocto-project-qs\/yocto-project-qs.html\" target=\"_top\">Yocto Project Quick Start<\/a>/Yocto Project Quick Start/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/dev-manual\/dev-manual.html\" target=\"_top\">Yocto Project Development Manual<\/a>/Yocto Project Development Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/adt-manual\/adt-manual.html\" target=\"_top\">Yocto Project Application Developer's Guide<\/a>/Yocto Project Application Developer's Guide/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/bsp-guide\/bsp-guide.html\" target=\"_top\">Yocto Project Board Support Package (BSP) Developer's Guide<\/a>/Yocto Project Board Support Package (BSP) Developer's Guide/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/profile-manual\/profile-manual.html\" target=\"_top\">Yocto Project Profiling and Tracing Manual<\/a>/Yocto Project Profiling and Tracing Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/kernel-dev\/kernel-dev.html\" target=\"_top\">Yocto Project Linux Kernel Development Manual<\/a>/Yocto Project Linux Kernel Development Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/ref-manual\/ref-manual.html\" target=\"_top\">Yocto Project Reference Manual<\/a>/Yocto Project Reference Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0\/toaster-manual\/toaster-manual.html\" target=\"_top\">Toaster User Manual<\/a>/Toaster User Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/yocto-project-qs\/yocto-project-qs.html\" target=\"_top\">Yocto Project Quick Start<\/a>/Yocto Project Quick Start/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/dev-manual\/dev-manual.html\" target=\"_top\">Yocto Project Development Manual<\/a>/Yocto Project Development Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/adt-manual\/adt-manual.html\" target=\"_top\">Yocto Project Application Developer's Guide<\/a>/Yocto Project Application Developer's Guide/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/bsp-guide\/bsp-guide.html\" target=\"_top\">Yocto Project Board Support Package (BSP) Developer's Guide<\/a>/Yocto Project Board Support Package (BSP) Developer's Guide/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/profile-manual\/profile-manual.html\" target=\"_top\">Yocto Project Profiling and Tracing Manual<\/a>/Yocto Project Profiling and Tracing Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/kernel-dev\/kernel-dev.html\" target=\"_top\">Yocto Project Linux Kernel Development Manual<\/a>/Yocto Project Linux Kernel Development Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/ref-manual\/ref-manual.html\" target=\"_top\">Yocto Project Reference Manual<\/a>/Yocto Project Reference Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/toaster-manual\/toaster-manual.html\" target=\"_top\">Toaster User Manual<\/a>/Toaster User Manual/g

documentation/yocto-project-qs/yocto-project-qs.xml

@@ -16,12 +16,46 @@
                 Permission is granted to copy, distribute and/or modify this document under
                 the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
             </para>
-            <note>
-                For the latest version of this manual associated with this
-                Yocto Project release, see the
-                <ulink url='&YOCTO_DOCS_QS_URL;'>Yocto Project Quick Start</ulink>
-                from the Yocto Project website.
-            </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Quick Start</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
         </legalnotice>
 
 
@@ -310,6 +344,13 @@
                         <literallayout class='monospaced'>
      $ sudo dnf install &FEDORA_HOST_PACKAGES_ESSENTIAL; SDL-devel xterm
                         </literallayout>
+                        <note>
+                            This release of the Yocto Project does not support
+                            the Fedora23 distribution.
+                            If, however, you want to use that distribution,
+                            you must install <filename>perl-bignum</filename>
+                            as a required package.
+                        </note>
                         </para></listitem>
                     <listitem><para><emphasis>OpenSUSE</emphasis>
                         <literallayout class='monospaced'>
@@ -318,7 +359,7 @@
                         </para></listitem>
                     <listitem><para><emphasis>CentOS</emphasis>
                         <literallayout class='monospaced'>
-     $ sudo dnf install &CENTOS_HOST_PACKAGES_ESSENTIAL; SDL-devel xterm
+     $ sudo yum install &CENTOS_HOST_PACKAGES_ESSENTIAL; SDL-devel xterm
                         </literallayout>
                         <note>
                             CentOS 6.x users need to ensure that the required
@@ -587,7 +628,7 @@
             </orderedlist>
         </para>
 
-        <para>
+        <para id='qs-minnowboard-example'>
             The following steps show how easy it is to set up to build an
             image for a new machine.
             These steps build an image for the MinnowBoard MAX, which is
@@ -610,16 +651,35 @@
                     Building an image for the MinnowBoard MAX requires the
                     <filename>meta-intel</filename> layer.
                     Use the <filename>git clone</filename> command to create
-                    a local copy of the repository:
+                    a local copy of the repository inside your
+                    <ulink url='&YOCTO_DOCS_DEV_URL;#source-directory'>Source Directory</ulink>,
+                    which is <filename>poky</filename> in this example:
                     <literallayout class='monospaced'>
+     $ cd $HOME/poky
      $ git clone git://git.yoctoproject.org/meta-intel
      Cloning into 'meta-intel'...
-     remote: Counting objects: 10824, done.
-     remote: Compressing objects: 100% (3508/3508), done.
-     remote: Total 10824 (delta 6219), reused 10580 (delta 5975)
-     Receiving objects: 100% (10824/10824), 2.72 MiB | 482.00 KiB/s, done.
-     Resolving deltas: 100% (6219/6219), done.
+     remote: Counting objects: 11988, done.
+     remote: Compressing objects: 100% (3884/3884), done.
+     Receiving objects: 100% (11988/11988), 2.93 MiB | 2.51 MiB/s, done.
+     remote: Total 11988 (delta 6881), reused 11752 (delta 6645)
+     Resolving deltas: 100% (6881/6881), done.
      Checking connectivity... done.
+                    </literallayout>
+                    By default when you clone a Git repository, the
+                    "master" branch is checked out.
+                    Before you build your image that uses the
+                    <filename>meta-intel</filename> layer, you must be
+                    sure that both repositories
+                    (<filename>meta-intel</filename> and
+                    <filename>poky</filename>) are using the same releases.
+                    Consequently, you need to checkout out the
+                    "&DISTRO_NAME_NO_CAP;" release after cloning
+                    <filename>meta-intel</filename>:
+                    <literallayout class='monospaced'>
+     $ cd $HOME/poky/meta-intel
+     $ git checkout &DISTRO_NAME_NO_CAP;
+     Branch &DISTRO_NAME_NO_CAP; set up to track remote branch &DISTRO_NAME_NO_CAP; from origin.
+     Switched to a new branch '&DISTRO_NAME_NO_CAP;'
                     </literallayout>
                     </para></listitem>
                 <listitem><para><emphasis>Configure the Build:</emphasis>
@@ -639,7 +699,8 @@
                     <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
                     variable.
                     <literallayout class='monospaced'>
-     $ bitbake-layers add-layer "$HOME/source/poky/meta-intel"
+     $ cd $HOME/poky/build
+     $ bitbake-layers add-layer "$HOME/poky/meta-intel"
      $ echo 'MACHINE = "intel-corei7-64"' >> conf/local.conf
                     </literallayout>
                     <note><title>Notes</title>

meta-yocto-bsp/conf/machine/include/genericx86-common.inc

@@ -13,7 +13,7 @@ XSERVER ?= "${XSERVER_X86_BASE} \
             ${XSERVER_X86_MODESETTING} \
            "
 
-MACHINE_EXTRA_RRECOMMENDS += "linux-firmware v86d eee-acpi-scripts"
+MACHINE_EXTRA_RRECOMMENDS += "linux-firmware eee-acpi-scripts"
 
 GLIBC_ADDONS = "nptl"
 

meta-yocto-bsp/recipes-kernel/linux/linux-yocto_3.14.bbappend

@@ -7,8 +7,8 @@ KBRANCH_mpc8315e-rdb = "standard/fsl-mpc8315e-rdb"
 KMACHINE_genericx86 ?= "common-pc"
 KMACHINE_genericx86-64 ?= "common-pc-64"
 
-SRCREV_machine_genericx86 ?= "af1f7f586bd32d39c057f17606991b887eadb389"
-SRCREV_machine_genericx86-64 ?= "578602a722dbfb260801f3b37c6eafd2abb2340d"
+SRCREV_machine_genericx86 ?= "d9bf859dfae6f88b88b157119c20ae4d5e51420a"
+SRCREV_machine_genericx86-64 ?= "93b2b800d85c1565af7d96f3776dc38c85ae1902"
 SRCREV_machine_edgerouter ?= "578602a722dbfb260801f3b37c6eafd2abb2340d"
 SRCREV_machine_beaglebone ?= "578602a722dbfb260801f3b37c6eafd2abb2340d"
 SRCREV_machine_mpc8315e-rdb ?= "1cb1bbaf63cecc918cf36c89819a7464af4c4b13"
@@ -18,3 +18,6 @@ COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
 COMPATIBLE_MACHINE_edgerouter = "edgerouter"
 COMPATIBLE_MACHINE_beaglebone = "beaglebone"
 COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb"
+
+LINUX_VERSION_genericx86 = "3.14.39"
+LINUX_VERSION_genericx86-64 = "3.14.39"

meta-yocto-bsp/recipes-kernel/linux/linux-yocto_3.19.bbappend

@@ -7,8 +7,8 @@ KBRANCH_mpc8315e-rdb = "standard/fsl-mpc8315e-rdb"
 KMACHINE_genericx86 ?= "common-pc"
 KMACHINE_genericx86-64 ?= "common-pc-64"
 
-SRCREV_machine_genericx86 ?= "e152349de59b43b2a75f2c332b44171df461d5a0"
-SRCREV_machine_genericx86-64 ?= "e152349de59b43b2a75f2c332b44171df461d5a0"
+SRCREV_machine_genericx86 ?= "1583bf79b946cd5581d84d8c369b819a5ecb94b4"
+SRCREV_machine_genericx86-64 ?= "1583bf79b946cd5581d84d8c369b819a5ecb94b4"
 SRCREV_machine_edgerouter ?= "e152349de59b43b2a75f2c332b44171df461d5a0"
 SRCREV_machine_beaglebone ?= "e152349de59b43b2a75f2c332b44171df461d5a0"
 SRCREV_machine_mpc8315e-rdb ?= "2893f3e8ece72f6f47329714d6afe4c9c545bbf9"

meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.1.bbappend

@@ -7,8 +7,8 @@ KBRANCH_mpc8315e-rdb = "standard/fsl-mpc8315e-rdb"
 KMACHINE_genericx86 ?= "common-pc"
 KMACHINE_genericx86-64 ?= "common-pc-64"
 
-SRCREV_machine_genericx86 ?= "dbe692d91c8e55d1430f2c45fd578c8e4e71e482"
-SRCREV_machine_genericx86-64 ?= "dbe692d91c8e55d1430f2c45fd578c8e4e71e482"
+SRCREV_machine_genericx86 ?= "2e0ac7b6c4e3ada23a84756287e9b7051ace939a"
+SRCREV_machine_genericx86-64 ?= "2e0ac7b6c4e3ada23a84756287e9b7051ace939a"
 SRCREV_machine_edgerouter ?= "79a31b9d23db126f8a6be3eb88fd683056a213f1"
 SRCREV_machine_beaglebone ?= "efb6ffb2ca96a364f916c9890ad023fc595e0e6e"
 SRCREV_machine_mpc8315e-rdb ?= "79a31b9d23db126f8a6be3eb88fd683056a213f1"
@@ -18,3 +18,6 @@ COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
 COMPATIBLE_MACHINE_edgerouter = "edgerouter"
 COMPATIBLE_MACHINE_beaglebone = "beaglebone"
 COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb"
+
+LINUX_VERSION_genericx86 = "4.1.17"
+LINUX_VERSION_genericx86-64 = "4.1.17"

meta-yocto/conf/distro/poky.conf

@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "2.0"
+DISTRO_VERSION = "2.0.3"
 DISTRO_CODENAME = "jethro"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION := "${@'${DISTRO_VERSION}'.replace('snapshot-${DATE}','snapshot')}"
@@ -64,10 +64,7 @@ https://.*/.*    http://downloads.yoctoproject.org/mirror/sources/ \n"
 # fetch from the network (and warn you if not). To disable the test set
 # the variable to be empty.
 # Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master
-
-CONNECTIVITY_CHECK_URIS ?= " \
-             https://eula-downloads.yoctoproject.org/index.php \
-             http://bugzilla.yoctoproject.org/report.cgi"
+CONNECTIVITY_CHECK_URIS ?= "https://www.example.com/"
 
 SANITY_TESTED_DISTROS ?= " \
             poky-1.7 \n \

meta-yocto/conf/local.conf.sample

@@ -225,11 +225,12 @@ BB_DISKMON_DIRS = "\
 # Qemu configuration
 #
 # By default qemu will build with a builtin VNC server where graphical output can be
-# seen. The two lines below enable the SDL backend too. This assumes there is a
-# libsdl library available on your build system.
+# seen. The two lines below enable the SDL backend too. By default libsdl-native will
+# be built, if you want to use your host's libSDL instead of the minimal libsdl built
+# by libsdl-native then uncomment the ASSUME_PROVIDED line below.
 PACKAGECONFIG_append_pn-qemu-native = " sdl"
 PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
-ASSUME_PROVIDED += "libsdl-native"
+#ASSUME_PROVIDED += "libsdl-native"
 
 
 # CONF_VERSION is increased each time build/conf/ changes incompatibly and is used to

meta/classes/allarch.bbclass

@@ -27,6 +27,10 @@ python () {
         d.setVar("PACKAGE_EXTRA_ARCHS", "")
         d.setVar("SDK_ARCH", "none")
         d.setVar("SDK_CC_ARCH", "none")
+        d.setVar("TARGET_CPPFLAGS", "none")
+        d.setVar("TARGET_CFLAGS", "none")
+        d.setVar("TARGET_CXXFLAGS", "none")
+        d.setVar("TARGET_LDFLAGS", "none")
 
         # Avoid this being unnecessarily different due to nuances of
         # the target machine that aren't important for "all" arch

meta/classes/autotools.bbclass

@@ -77,16 +77,20 @@ CONFIGUREOPTS = " --build=${BUILD_SYS} \
 		  ${@append_libtool_sysroot(d)}"
 CONFIGUREOPT_DEPTRACK ?= "--disable-dependency-tracking"
 
+AUTOTOOLS_SCRIPT_PATH ?= "${S}"
+CONFIGURE_SCRIPT ?= "${AUTOTOOLS_SCRIPT_PATH}/configure"
+
+AUTOTOOLS_AUXDIR ?= "${AUTOTOOLS_SCRIPT_PATH}"
 
 oe_runconf () {
-	cfgscript="${S}/configure"
+	cfgscript="${CONFIGURE_SCRIPT}"
 	if [ -x "$cfgscript" ] ; then
 		bbnote "Running $cfgscript ${CONFIGUREOPTS} ${EXTRA_OECONF} $@"
 		set +e
 		${CACHED_CONFIGUREVARS} $cfgscript ${CONFIGUREOPTS} ${EXTRA_OECONF} "$@"
 		if [ "$?" != "0" ]; then
 			echo "Configure failed. The contents of all config.log files follows to aid debugging"
-			find ${S} -ignore_readdir_race -name config.log -print -exec cat {} \;
+			find ${B} -ignore_readdir_race -name config.log -print -exec cat {} \;
 			die "oe_runconf failed"
 		fi
 		set -e
@@ -95,8 +99,6 @@ oe_runconf () {
 	fi
 }
 
-AUTOTOOLS_AUXDIR ?= "${S}"
-
 CONFIGURESTAMPFILE = "${WORKDIR}/configure.sstate"
 
 autotools_preconfigure() {
@@ -134,7 +136,7 @@ do_configure[postfuncs] += "autotools_postconfigure"
 ACLOCALDIR = "${B}/aclocal-copy"
 
 python autotools_copy_aclocals () {
-    s = d.getVar("S", True)
+    s = d.getVar("AUTOTOOLS_SCRIPT_PATH", True)
     if not os.path.exists(s + "/configure.in") and not os.path.exists(s + "/configure.ac"):
         if not d.getVar("AUTOTOOLS_COPYACLOCAL", False):
             return
@@ -228,13 +230,13 @@ autotools_do_configure() {
 	( for ac in `find ${S} -ignore_readdir_race -name configure.in -o -name configure.ac`; do
 		rm -f `dirname $ac`/configure
 		done )
-	if [ -e ${S}/configure.in -o -e ${S}/configure.ac ]; then
+	if [ -e ${AUTOTOOLS_SCRIPT_PATH}/configure.in -o -e ${AUTOTOOLS_SCRIPT_PATH}/configure.ac ]; then
 		olddir=`pwd`
-		cd ${S}
+		cd ${AUTOTOOLS_SCRIPT_PATH}
 		ACLOCAL="aclocal --system-acdir=${ACLOCALDIR}/"
 		if [ x"${acpaths}" = xdefault ]; then
 			acpaths=
-			for i in `find ${S} -ignore_readdir_race -maxdepth 2 -name \*.m4|grep -v 'aclocal.m4'| \
+			for i in `find ${AUTOTOOLS_SCRIPT_PATH} -ignore_readdir_race -maxdepth 2 -name \*.m4|grep -v 'aclocal.m4'| \
 				grep -v 'acinclude.m4' | grep -v 'aclocal-copy' | sed -e 's,\(.*/\).*$,\1,'|sort -u`; do
 				acpaths="$acpaths -I $i"
 			done
@@ -265,21 +267,20 @@ autotools_do_configure() {
 				bbnote Executing glib-gettextize --force --copy
 				echo "no" | glib-gettextize --force --copy
 			fi
-		else if grep "^[[:space:]]*AM_GNU_GETTEXT" $CONFIGURE_AC >/dev/null; then
+		elif grep "^[[:space:]]*AM_GNU_GETTEXT" $CONFIGURE_AC >/dev/null; then
 			# We'd call gettextize here if it wasn't so broken...
-				cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/
-				if [ -d ${S}/po/ ]; then
-					cp -f ${STAGING_DATADIR_NATIVE}/gettext/po/Makefile.in.in ${S}/po/
-					if [ ! -e ${S}/po/remove-potcdate.sin ]; then
-						cp ${STAGING_DATADIR_NATIVE}/gettext/po/remove-potcdate.sin ${S}/po/
-					fi
+			cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/
+			if [ -d ${S}/po/ ]; then
+				cp -f ${STAGING_DATADIR_NATIVE}/gettext/po/Makefile.in.in ${S}/po/
+				if [ ! -e ${S}/po/remove-potcdate.sin ]; then
+					cp ${STAGING_DATADIR_NATIVE}/gettext/po/remove-potcdate.sin ${S}/po/
 				fi
-				for i in gettext.m4 iconv.m4 lib-ld.m4 lib-link.m4 lib-prefix.m4 nls.m4 po.m4 progtest.m4; do
-					for j in `find ${S} -ignore_readdir_race -name $i | grep -v aclocal-copy`; do
-						rm $j
-					done
-				done
 			fi
+			for i in gettext.m4 iconv.m4 lib-ld.m4 lib-link.m4 lib-prefix.m4 nls.m4 po.m4 progtest.m4; do
+				for j in `find ${S} -ignore_readdir_race -name $i | grep -v aclocal-copy`; do
+					rm $j
+				done
+			done
 		fi
 		mkdir -p m4
 		if grep "^[[:space:]]*[AI][CT]_PROG_INTLTOOL" $CONFIGURE_AC >/dev/null; then
@@ -290,7 +291,7 @@ autotools_do_configure() {
 		ACLOCAL="$ACLOCAL" autoreconf -Wcross --verbose --install --force ${EXTRA_AUTORECONF} $acpaths || die "autoreconf execution failed."
 		cd $olddir
 	fi
-	if [ -e ${S}/configure ]; then
+	if [ -e ${CONFIGURE_SCRIPT} ]; then
 		oe_runconf
 	else
 		bbnote "nothing to configure"

meta/classes/base.bbclass

@@ -363,7 +363,10 @@ python () {
                     newappends.append(a)
                 elif a.startswith("virtual/"):
                     subs = a.split("/", 1)[1]
-                    newappends.append("virtual/" + prefix + subs + extension)
+                    if subs.startswith(prefix):
+                        newappends.append(a + extension)
+                    else:
+                        newappends.append("virtual/" + prefix + subs + extension)
                 else:
                     if a.startswith(prefix):
                         newappends.append(a + extension)

meta/classes/boot-directdisk.bbclass

@@ -121,6 +121,8 @@ build_boot_dd() {
 	# done in blocks, thus the mod by 16 instead of 32.
 	BLOCKS=$(expr $BLOCKS + $(expr 16 - $(expr $BLOCKS % 16)))
 
+	# Remove it since mkdosfs would fail when it exists
+	rm -f $HDDIMG
 	mkdosfs -n ${BOOTDD_VOLUME_ID} -S 512 -C $HDDIMG $BLOCKS 
 	mcopy -i $HDDIMG -s $HDDDIR/* ::/
 

meta/classes/buildhistory.bbclass

@@ -521,7 +521,7 @@ POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_list_installed_sdk_targ
 POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_list_installed_sdk_host ;\
                                           buildhistory_get_sdk_installed_host ; "
 
-SDK_POSTPROCESS_COMMAND += "buildhistory_get_sdkinfo ; "
+SDK_POSTPROCESS_COMMAND_append = " buildhistory_get_sdkinfo ; "
 
 def buildhistory_get_build_id(d):
     if d.getVar('BB_WORKERCONTEXT', True) != '1':

meta/classes/distrodata.bbclass

@@ -271,9 +271,9 @@ python do_checkpkg() {
         from bb.fetch2 import FetchError, NoMethodError, decodeurl
 
         """first check whether a uri is provided"""
-        src_uri = d.getVar('SRC_URI', True)
+        src_uri = (d.getVar('SRC_URI', True) or '').split()
         if src_uri:
-            uri_type, _, _, _, _, _ = decodeurl(src_uri)
+            uri_type, _, _, _, _, _ = decodeurl(src_uri[0])
         else:
             uri_type = "none"
 

meta/classes/image_types.bbclass

@@ -170,15 +170,38 @@ IMAGE_CMD_ubi () {
 
 IMAGE_CMD_ubifs = "mkfs.ubifs -r ${IMAGE_ROOTFS} -o ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.ubifs ${MKUBIFS_ARGS}"
 
+WKS_FILE ?= "${IMAGE_BASENAME}.${MACHINE}.wks"
+WKS_FILES ?= "${WKS_FILE} ${IMAGE_BASENAME}.wks"
+WKS_SEARCH_PATH ?= "${THISDIR}:${@':'.join('%s/scripts/lib/wic/canned-wks' % l for l in '${BBPATH}:${COREBASE}'.split(':'))}"
+WKS_FULL_PATH = "${@wks_search('${WKS_FILES}'.split(), '${WKS_SEARCH_PATH}') or ''}"
+
+def wks_search(files, search_path):
+    for f in files:
+        if os.path.isabs(f):
+            if os.path.exists(f):
+                return f
+        else:
+            searched = bb.utils.which(search_path, f)
+            if searched:
+                return searched
+
 IMAGE_CMD_wic () {
-	out=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}
-	wks=${FILE_DIRNAME}/${IMAGE_BASENAME}.${MACHINE}.wks
-	[ -e $wks ] || wks=${FILE_DIRNAME}/${IMAGE_BASENAME}.wks
-	[ -e $wks ] || bbfatal "Kiskstart file $wks doesn't exist"
-	BUILDDIR=${TOPDIR} wic create $wks --vars ${STAGING_DIR_TARGET}/imgdata/ -e ${IMAGE_BASENAME} -o $out/
-	mv $out/build/${IMAGE_BASENAME}*.direct $out.rootfs.wic
-	rm -rf $out/
+	out="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}"
+	wks="${WKS_FULL_PATH}"
+	if [ -z "$wks" ]; then
+		bbfatal "No kickstart files from WKS_FILES were found: ${WKS_FILES}. Please set WKS_FILE or WKS_FILES appropriately."
+	fi
+
+	BUILDDIR="${TOPDIR}" wic create "$wks" --vars "${STAGING_DIR_TARGET}/imgdata/" -e "${IMAGE_BASENAME}" -o "$out/"
+	mv "$out/build/$(basename "${wks%.wks}")"*.direct "$out.rootfs.wic"
+	rm -rf "$out/"
 }
+IMAGE_CMD_wic[vardepsexclude] = "WKS_FULL_PATH WKS_FILES"
+
+# Rebuild when the wks file or vars in WICVARS change
+USING_WIC = "${@bb.utils.contains_any('IMAGE_FSTYPES', 'wic ' + ' '.join('wic.%s' % c for c in '${COMPRESSIONTYPES}'.split()), '1', '', d)}"
+do_rootfs[file-checksums] += "${@'${WKS_FULL_PATH}:%s' % os.path.exists('${WKS_FULL_PATH}') if '${USING_WIC}' else ''}"
+do_rootfs[vardeps] += "${@bb.utils.contains("USING_WIC", "1", "${WICVARS}", "", d)}"
 
 EXTRA_IMAGECMD = ""
 

meta/classes/image_types_uboot.bbclass

@@ -22,5 +22,5 @@ COMPRESS_CMD_bz2.u-boot      = "${COMPRESS_CMD_bz2}; oe_mkimage ${IMAGE_NAME}.ro
 COMPRESS_DEPENDS_lzma.u-boot = "u-boot-mkimage-native"
 COMPRESS_CMD_lzma.u-boot      = "${COMPRESS_CMD_lzma}; oe_mkimage ${IMAGE_NAME}.rootfs.${type}.lzma lzma clean"
 
-IMAGE_TYPES += "ext2.u-boot ext2.gz.u-boot ext2.bz2.u-boot ext2.lzma.u-boot ext3.gz.u-boot ext4.gz.u-boot"
+IMAGE_TYPES += "ext2.u-boot ext2.gz.u-boot ext2.bz2.u-boot ext2.lzma.u-boot ext3.gz.u-boot ext4.gz.u-boot cpio.gz.u-boot"
 

meta/classes/kernel-yocto.bbclass

@@ -184,11 +184,18 @@ do_kernel_checkout() {
 	source_dir=`echo ${S} | sed 's%/$%%'`
 	source_workdir="${WORKDIR}/git"
 	if [ -d "${WORKDIR}/git/" ]; then
-		# case: git repository (bare or non-bare)
+		# case: git repository
 		# if S is WORKDIR/git, then we shouldn't be moving or deleting the tree.
 		if [ "${source_dir}" != "${source_workdir}" ]; then
-			rm -rf ${S}
-			mv ${WORKDIR}/git ${S}
+			if [ -d "${source_workdir}/.git" ]; then
+				# regular git repository with .git
+				rm -rf ${S}
+				mv ${WORKDIR}/git ${S}
+			else
+				# create source for bare cloned git repository
+				git clone ${WORKDIR}/git ${S}
+				rm -rf ${WORKDIR}/git
+			fi
 		fi
 		cd ${S}
 	else

meta/classes/license.bbclass

@@ -185,6 +185,18 @@ def copy_license_files(lic_files_paths, destdir):
                 os.remove(dst)
             if os.access(src, os.W_OK) and (os.stat(src).st_dev == os.stat(destdir).st_dev):
                 os.link(src, dst)
+                try:
+                    os.chown(dst,0,0)
+                except OSError as err:
+                    import errno
+                    if err.errno in (errno.EPERM, errno.EINVAL):
+                        # Suppress "Operation not permitted" error, as
+                        # sometimes this function is not executed under pseudo.
+                        # Also ignore "Invalid argument" errors that happen in
+                        # some (unprivileged) container environments (no root).
+                        pass
+                    else:
+                        raise
             else:
                 shutil.copyfile(src, dst)
         except Exception as e:
@@ -474,6 +486,7 @@ do_populate_lic[sstate-inputdirs] = "${LICSSTATEDIR}"
 do_populate_lic[sstate-outputdirs] = "${LICENSE_DIRECTORY}/"
 
 ROOTFS_POSTPROCESS_COMMAND_prepend = "write_package_manifest; license_create_manifest; "
+do_rootfs[recrdeptask] += "do_populate_lic"
 
 do_populate_lic_setscene[dirs] = "${LICSSTATEDIR}/${PN}"
 do_populate_lic_setscene[cleandirs] = "${LICSSTATEDIR}"

meta/classes/metadata_scm.bbclass

@@ -65,19 +65,19 @@ def base_get_metadata_svn_revision(path, d):
     return revision
 
 def base_get_metadata_git_branch(path, d):
-    import subprocess
+    import bb.process
 
     try:
-        return subprocess.check_output(["git", "rev-parse", "--abbrev-ref", "HEAD"],
-                                       cwd=path).strip()
-    except:
-        return "<unknown>"
+        rev, _ = bb.process.run('git rev-parse --abbrev-ref HEAD', cwd=path)
+    except bb.process.ExecutionError:
+        rev = '<unknown>'
+    return rev.strip()
 
 def base_get_metadata_git_revision(path, d):
-    import subprocess
+    import bb.process
 
     try:
-        return subprocess.check_output(["git", "rev-parse", "HEAD"],
-                                       cwd=path).strip()
-    except:
-        return "<unknown>"
+        rev, _ = bb.process.run('git rev-parse HEAD', cwd=path)
+    except bb.process.ExecutionError:
+        rev = '<unknown>'
+    return rev.strip()

meta/classes/populate_sdk_ext.bbclass

@@ -51,7 +51,7 @@ python copy_buildsystem () {
     core_meta_subdir = ''
 
     # Copy in all metadata layers + bitbake (as repositories)
-    buildsystem = oe.copy_buildsystem.BuildSystem(d)
+    buildsystem = oe.copy_buildsystem.BuildSystem('extensible SDK', d)
     baseoutpath = d.getVar('SDK_OUTPUT', True) + '/' + d.getVar('SDKPATH', True)
     layers_copied = buildsystem.copy_bitbake_and_layers(baseoutpath + '/layers')
 
@@ -155,7 +155,7 @@ python copy_buildsystem () {
         f.write('NATIVELSBSTRING_forcevariable = "%s"\n\n' % fixedlsbstring)
 
         # Ensure locked sstate cache objects are re-used without error
-        f.write('SIGGEN_LOCKEDSIGS_CHECK_LEVEL = "warn"\n\n')
+        f.write('SIGGEN_LOCKEDSIGS_CHECK_LEVEL = "none"\n\n')
 
         # If you define a sdk_extraconf() function then it can contain additional config
         extraconf = (d.getVar('sdk_extraconf', True) or '').strip()
@@ -187,10 +187,7 @@ python copy_buildsystem () {
 }
 
 def extsdk_get_buildtools_filename(d):
-    # This is somewhat of a hack
-    localdata = bb.data.createCopy(d)
-    localdata.setVar('PN', 'buildtools-tarball')
-    return localdata.expand('${SDK_NAME}-buildtools-nativesdk-standalone-*.sh')
+    return '*-buildtools-nativesdk-standalone-*.sh'
 
 install_tools() {
 	install -d ${SDK_OUTPUT}/${SDKPATHNATIVE}${bindir_nativesdk}
@@ -222,7 +219,7 @@ SDK_PRE_INSTALL_COMMAND_task-populate-sdk-ext = "${sdk_ext_preinst}"
 sdk_ext_postinst() {
 	printf "\nExtracting buildtools...\n"
 	cd $target_sdk_dir
-	printf "buildtools\ny" | ./*buildtools-nativesdk-standalone* > /dev/null
+	printf "buildtools\ny" | ./*buildtools-nativesdk-standalone* > /dev/null || ( printf 'ERROR: buildtools installation failed\n' ; exit 1 )
 
 	# Make sure when the user sets up the environment, they also get
 	# the buildtools-tarball tools in their path.
@@ -249,7 +246,8 @@ sdk_ext_postinst() {
 		# dash which is /bin/sh on Ubuntu will not preserve the
 		# current working directory when first ran, nor will it set $1 when
 		# sourcing a script. That is why this has to look so ugly.
-		sh -c ". buildtools/environment-setup* > preparing_build_system.log && cd $target_sdk_dir/`dirname ${oe_init_build_env_path}` && set $target_sdk_dir && . $target_sdk_dir/${oe_init_build_env_path} $target_sdk_dir >> preparing_build_system.log && $target_sdk_dir/ext-sdk-prepare.sh $target_sdk_dir '${SDK_TARGETS}' >> preparing_build_system.log 2>&1" || { echo "SDK preparation failed: see `pwd`/preparing_build_system.log" ; exit 1 ; }
+		LOGFILE="$target_sdk_dir/preparing_build_system.log"
+		sh -c ". buildtools/environment-setup* > $LOGFILE && cd $target_sdk_dir/`dirname ${oe_init_build_env_path}` && set $target_sdk_dir && . $target_sdk_dir/${oe_init_build_env_path} $target_sdk_dir >> $LOGFILE && $target_sdk_dir/ext-sdk-prepare.sh $target_sdk_dir '${SDK_TARGETS}' >> $LOGFILE 2>&1" || { echo "ERROR: SDK preparation failed: see $LOGFILE"; echo "printf 'ERROR: this SDK was not fully installed and needs reinstalling\n'" >> $env_setup_script ; exit 1 ; }
 	fi
 	rm -f $target_sdk_dir/ext-sdk-prepare.sh
 	echo done
@@ -260,6 +258,11 @@ SDK_POST_INSTALL_COMMAND_task-populate-sdk-ext = "${sdk_ext_postinst}"
 SDK_POSTPROCESS_COMMAND_prepend_task-populate-sdk-ext = "copy_buildsystem; install_tools; "
 
 fakeroot python do_populate_sdk_ext() {
+    # FIXME hopefully we can remove this restriction at some point, but uninative
+    # currently forces this upon us
+    if d.getVar('SDK_ARCH', True) != d.getVar('BUILD_ARCH', True):
+        bb.fatal('The extensible SDK can currently only be built for the same architecture as the machine being built on - SDK_ARCH is set to %s (likely via setting SDKMACHINE) which is different from the architecture of the build machine (%s). Unable to continue.' % (d.getVar('SDK_ARCH', True), d.getVar('BUILD_ARCH', True)))
+
     bb.build.exec_func("do_populate_sdk", d)
 }
 

meta/classes/toolchain-scripts.bbclass

@@ -32,6 +32,7 @@ toolchain_create_sdk_env_script () {
 	echo 'export OECORE_TARGET_SYSROOT="$SDKTARGETSYSROOT"' >> $script
 	echo "export OECORE_ACLOCAL_OPTS=\"-I $sdkpathnative/usr/share/aclocal\"" >> $script
 	echo "export PYTHONHOME=$sdkpathnative$prefix" >> $script
+	echo 'unset command_not_found_handle' >> $script
 
 	toolchain_shared_env_script
 }

meta/classes/uninative.bbclass

@@ -1,6 +1,6 @@
 NATIVELSBSTRING = "universal"
 
-UNINATIVE_LOADER = "${STAGING_DIR_NATIVE}/lib/ld-linux-x86-64.so.2"
+UNINATIVE_LOADER ?= "${@bb.utils.contains('BUILD_ARCH', 'x86_64', '${STAGING_DIR_NATIVE}/lib/ld-linux-x86-64.so.2', '${STAGING_DIR_NATIVE}/lib/ld-linux.so.2', d)}"
 
 addhandler uninative_eventhandler
 uninative_eventhandler[eventmask] = "bb.event.BuildStarted"

meta/conf/machine/include/tune-corei7.inc

@@ -20,7 +20,7 @@ AVAILTUNES += "corei7-32"
 TUNE_FEATURES_tune-corei7-32 = "${TUNE_FEATURES_tune-x86} corei7"
 BASE_LIB_tune-corei7-32 = "lib"
 TUNE_PKGARCH_tune-corei7-32 = "corei7-32"
-PACKAGE_EXTRA_ARCHS_tune-corei7-32 = "${PACKAGE_EXTRA_ARCHS_tune-core2} corei7-32"
+PACKAGE_EXTRA_ARCHS_tune-corei7-32 = "${PACKAGE_EXTRA_ARCHS_tune-core2-32} corei7-32"
 
 AVAILTUNES += "corei7-64"
 TUNE_FEATURES_tune-corei7-64 = "${TUNE_FEATURES_tune-x86-64} corei7"

meta/conf/toasterconf.json

@@ -1,7 +1,7 @@
 {
     "config": {
         "MACHINE"      : "qemux86",
-        "DISTRO"       : "poky",
+        "DISTRO"       : "nodistro",
         "IMAGE_FSTYPES": "ext3 jffs2 tar.bz2",
         "IMAGE_INSTALL_append": "",
         "PACKAGE_CLASSES": "package_rpm",
@@ -12,7 +12,7 @@
             "name": "Local OpenEmbedded",
             "sourcetype": "local",
             "apiurl": "../../",
-            "branches": ["HEAD", "master", "fido", "dizzy"],
+            "branches": ["HEAD", "jethro", "fido"],
             "layers": [
                 {
                     "name": "openembedded-core",
@@ -26,21 +26,21 @@
             "name": "OpenEmbedded",
             "sourcetype": "layerindex",
             "apiurl": "http://layers.openembedded.org/layerindex/api/",
-            "branches": ["master", "fido", "dizzy"]
+            "branches": ["jethro", "fido"]
         },
         {
             "name": "Imported layers",
             "sourcetype": "imported",
             "apiurl": "",
-            "branches": ["master", "fido", "dizzy", "HEAD"]
+            "branches": ["jethro", "fido", "HEAD"]
 
         }
     ],
     "bitbake" : [
         {
-            "name": "master",
+            "name": "jethro",
             "giturl": "git://git.openembedded.org/bitbake",
-            "branch": "master",
+            "branch": "1.28",
             "dirpath": ""
         },
         {
@@ -49,12 +49,6 @@
             "branch": "1.26",
             "dirpath": ""
         },
-        {
-            "name": "dizzy",
-            "giturl": "git://git.openembedded.org/bitbake",
-            "branch": "1.24",
-            "dirpath": ""
-        },
         {
             "name": "HEAD",
             "giturl": "git://git.openembedded.org/bitbake",
@@ -63,17 +57,17 @@
         }
     ],
 
-    "defaultrelease": "master",
+    "defaultrelease": "jethro",
 
     "releases": [
         {
-            "name": "master",
-            "description": "OpenEmbedded master",
-            "bitbake": "master",
-            "branch": "master",
+            "name": "jethro",
+            "description": "OpenEmbedded Jethro",
+            "bitbake": "jethro",
+            "branch": "jethro",
             "defaultlayers": [ "openembedded-core" ],
             "layersourcepriority": { "Imported layers": 99, "Local OpenEmbedded" : 10, "OpenEmbedded" :  0 },
-            "helptext": "Toaster will run your builds using the tip of the <a href=\"http://cgit.openembedded.org/openembedded-core/log/\">OpenEmbedded master</a> branch, where active development takes place. This is not a stable branch, so your builds might not work as expected."
+            "helptext": "Toaster will run your builds using the tip of the <a href=\"http://cgit.openembedded.org/openembedded-core/log/?h=jethro\">OpenEmbedded \"Jethro\"</a> branch"
         },
         {
             "name": "fido",
@@ -84,15 +78,6 @@
             "layersourcepriority": { "Imported layers": 99, "Local OpenEmbedded" : 10, "OpenEmbedded" :  0 },
             "helptext": "Toaster will run your builds with the tip of the <a href=\"http://cgit.openembedded.org/openembedded-core/log/?h=fido\">OpenEmbedded \"Fido\"</a> branch"
         },
-        {
-            "name": "dizzy",
-            "description": "OpenEmbedded Dizzy",
-            "bitbake": "dizzy",
-            "branch": "dizzy",
-            "defaultlayers": [ "openembedded-core" ],
-            "layersourcepriority": { "Imported layers": 99, "Local OpenEmbedded" : 10, "OpenEmbedded" :  0 },
-            "helptext": "Toaster will run your builds with the tip of the <a href=\"http://cgit.openembedded.org/openembedded-core/log/?h=dizzy\">OpenEmbedded \"Dizzy\"</a> branch"
-        },
         {
             "name": "local",
             "description": "Local OpenEmbedded",

meta/files/toolchain-shar-extract.sh

@@ -101,9 +101,9 @@ fi
 
 if [ "$SDK_EXTENSIBLE" = "1" ]; then
 	# We're going to be running the build system, additional restrictions apply
-	if echo "$target_sdk_dir" | grep -q '[+\ @]'; then
+	if echo "$target_sdk_dir" | grep -q '[+\ @$]'; then
 		echo "The target directory path ($target_sdk_dir) contains illegal" \
-		     "characters such as spaces, @ or +. Abort!"
+		     "characters such as spaces, @, \$ or +. Abort!"
 		exit 1
 	fi
 else
@@ -169,9 +169,20 @@ echo "done"
 
 printf "Setting it up..."
 # fix environment paths
+real_env_setup_script=""
 for env_setup_script in `ls $target_sdk_dir/environment-setup-*`; do
+	if grep -q 'OECORE_NATIVE_SYSROOT=' $env_setup_script; then
+		# Handle custom env setup scripts that are only named
+		# environment-setup-* so that they have relocation
+		# applied - what we want beyond here is the main one
+		# rather than the one that simply sorts last
+		real_env_setup_script="$env_setup_script"
+	fi
 	$SUDO_EXEC sed -e "s:@SDKPATH@:$target_sdk_dir:g" -i $env_setup_script
 done
+if [ -n "$real_env_setup_script" ] ; then
+	env_setup_script="$real_env_setup_script"
+fi
 
 @SDK_POST_INSTALL_COMMAND@
 

meta/lib/oe/copy_buildsystem.py

@@ -14,8 +14,9 @@ def _smart_copy(src, dest):
         shutil.copymode(src, dest)
 
 class BuildSystem(object):
-    def __init__(self, d):
+    def __init__(self, context, d):
         self.d = d
+        self.context = context
         self.layerdirs = d.getVar('BBLAYERS', True).split()
 
     def copy_bitbake_and_layers(self, destdir):
@@ -38,7 +39,7 @@ class BuildSystem(object):
             if os.path.exists(layerconf):
                 with open(layerconf, 'r') as f:
                     if f.readline().startswith("# ### workspace layer auto-generated by devtool ###"):
-                        bb.warn("Skipping local workspace layer %s" % layer)
+                        bb.plain("NOTE: Excluding local workspace layer %s from %s" % (layer, self.context))
                         continue
 
             # If the layer was already under corebase, leave it there

meta/lib/oe/package_manager.py

@@ -1471,6 +1471,16 @@ class OpkgPM(PackageManager):
                                         self.d.getVar('FEED_DEPLOYDIR_BASE_URI', True),
                                         arch))
 
+            if self.opkg_dir != '/var/lib/opkg':
+                # There is no command line option for this anymore, we need to add
+                # info_dir and status_file to config file, if OPKGLIBDIR doesn't have
+                # the default value of "/var/lib" as defined in opkg:
+                # libopkg/opkg_conf.h:#define OPKG_CONF_DEFAULT_INFO_DIR      "/var/lib/opkg/info"
+                # libopkg/opkg_conf.h:#define OPKG_CONF_DEFAULT_STATUS_FILE   "/var/lib/opkg/status"
+                cfg_file.write("option info_dir     %s\n" % os.path.join(self.d.getVar('OPKGLIBDIR', True), 'opkg', 'info'))
+                cfg_file.write("option status_file  %s\n" % os.path.join(self.d.getVar('OPKGLIBDIR', True), 'opkg', 'status'))
+
+
     def _create_config(self):
         with open(self.config_file, "w+") as config_file:
             priority = 1
@@ -1486,6 +1496,15 @@ class OpkgPM(PackageManager):
                     config_file.write("src oe-%s file:%s\n" %
                                       (arch, pkgs_dir))
 
+            if self.opkg_dir != '/var/lib/opkg':
+                # There is no command line option for this anymore, we need to add
+                # info_dir and status_file to config file, if OPKGLIBDIR doesn't have
+                # the default value of "/var/lib" as defined in opkg:
+                # libopkg/opkg_conf.h:#define OPKG_CONF_DEFAULT_INFO_DIR      "/var/lib/opkg/info"
+                # libopkg/opkg_conf.h:#define OPKG_CONF_DEFAULT_STATUS_FILE   "/var/lib/opkg/status"
+                config_file.write("option info_dir     %s\n" % os.path.join(self.d.getVar('OPKGLIBDIR', True), 'opkg', 'info'))
+                config_file.write("option status_file  %s\n" % os.path.join(self.d.getVar('OPKGLIBDIR', True), 'opkg', 'status'))
+
     def insert_feeds_uris(self):
         if self.feed_uris == "":
             return

meta/lib/oe/patch.py

@@ -383,14 +383,15 @@ class GitApplyTree(PatchTree):
         reporoot = (runcmd("git rev-parse --show-toplevel".split(), self.dir) or '').strip()
         if not reporoot:
             raise Exception("Cannot get repository root for directory %s" % self.dir)
-        commithook = os.path.join(reporoot, '.git', 'hooks', 'commit-msg')
-        commithook_backup = commithook + '.devtool-orig'
-        applyhook = os.path.join(reporoot, '.git', 'hooks', 'applypatch-msg')
-        applyhook_backup = applyhook + '.devtool-orig'
-        if os.path.exists(commithook):
-            shutil.move(commithook, commithook_backup)
-        if os.path.exists(applyhook):
-            shutil.move(applyhook, applyhook_backup)
+        hooks_dir = os.path.join(reporoot, '.git', 'hooks')
+        hooks_dir_backup = hooks_dir + '.devtool-orig'
+        if os.path.lexists(hooks_dir_backup):
+            raise Exception("Git hooks backup directory already exists: %s" % hooks_dir_backup)
+        if os.path.lexists(hooks_dir):
+            shutil.move(hooks_dir, hooks_dir_backup)
+        os.mkdir(hooks_dir)
+        commithook = os.path.join(hooks_dir, 'commit-msg')
+        applyhook = os.path.join(hooks_dir, 'applypatch-msg')
         with open(commithook, 'w') as f:
             # NOTE: the formatting here is significant; if you change it you'll also need to
             # change other places which read it back
@@ -439,12 +440,9 @@ class GitApplyTree(PatchTree):
                     os.remove(tmpfile)
                 return output
         finally:
-            os.remove(commithook)
-            os.remove(applyhook)
-            if os.path.exists(commithook_backup):
-                shutil.move(commithook_backup, commithook)
-            if os.path.exists(applyhook_backup):
-                shutil.move(applyhook_backup, applyhook)
+            shutil.rmtree(hooks_dir)
+            if os.path.lexists(hooks_dir_backup):
+                shutil.move(hooks_dir_backup, hooks_dir)
 
 
 class QuiltTree(PatchSet):

meta/lib/oeqa/selftest/devtool.py

@@ -582,7 +582,7 @@ class DevtoolTests(DevtoolBase):
         # Now try with auto mode
         runCmd('cd %s; git checkout %s %s' % (os.path.dirname(recipefile), testrecipe, os.path.basename(recipefile)))
         result = runCmd('devtool update-recipe %s' % testrecipe)
-        result = runCmd('git rev-parse --show-toplevel')
+        result = runCmd('git rev-parse --show-toplevel', cwd=os.path.dirname(recipefile))
         topleveldir = result.output.strip()
         relpatchpath = os.path.join(os.path.relpath(os.path.dirname(recipefile), topleveldir), testrecipe)
         expected_status = [(' M', os.path.relpath(recipefile, topleveldir)),

meta/lib/oeqa/selftest/layerappend.py

@@ -46,10 +46,11 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 
 SRC_URI_append += "file://appendtest.txt"
 """
-    layerappend = "BBLAYERS += \"COREBASE/meta-layertest0 COREBASE/meta-layertest1 COREBASE/meta-layertest2\""
+    layerappend = ''
 
     def tearDownLocal(self):
-        ftools.remove_from_file(self.builddir + "/conf/bblayers.conf", self.layerappend.replace("COREBASE", self.builddir + "/.."))
+        if self.layerappend:
+            ftools.remove_from_file(self.builddir + "/conf/bblayers.conf", self.layerappend)
 
     @testcase(1196)
     def test_layer_appends(self):
@@ -79,7 +80,9 @@ SRC_URI_append += "file://appendtest.txt"
                 with open(layer + "/recipes-test/layerappendtest/appendtest.txt", "w") as f:
                     f.write("Layer 2 test")
             self.track_for_cleanup(layer)
-        ftools.append_file(self.builddir + "/conf/bblayers.conf", self.layerappend.replace("COREBASE", self.builddir + "/.."))
+
+        self.layerappend = "BBLAYERS += \"{0}/meta-layertest0 {0}/meta-layertest1 {0}/meta-layertest2\"".format(corebase)
+        ftools.append_file(self.builddir + "/conf/bblayers.conf", self.layerappend)
         bitbake("layerappendtest")
         data = ftools.read_file(stagingdir + "/appendtest.txt")
         self.assertEqual(data, "Layer 2 test")

meta/recipes-bsp/grub/files/CVE-2015-8370.patch

@@ -0,0 +1,59 @@
+From 451d80e52d851432e109771bb8febafca7a5f1f2 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Wed, 16 Dec 2015 07:57:18 +0300
+Subject: [PATCH] Fix security issue when reading username and password
+
+This patch fixes two integer underflows at:
+  * grub-core/lib/crypto.c
+  * grub-core/normal/auth.c
+
+CVE-2015-8370
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
+Also-By: Andrey Borzenkov <arvidjaar@gmail.com>
+
+Upstream-Status: Backport
+
+http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2
+
+CVE: CVE-2015-8370
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ grub-core/lib/crypto.c  | 3 ++-
+ grub-core/normal/auth.c | 7 +++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+Index: git/grub-core/lib/crypto.c
+===================================================================
+--- git.orig/grub-core/lib/crypto.c
++++ git/grub-core/lib/crypto.c
+@@ -458,7 +458,8 @@ grub_password_get (char buf[], unsigned
+ 
+       if (key == '\b')
+ 	{
+-	  cur_len--;
++	  if (cur_len)
++	    cur_len--;
+ 	  continue;
+ 	}
+ 
+Index: git/grub-core/normal/auth.c
+===================================================================
+--- git.orig/grub-core/normal/auth.c
++++ git/grub-core/normal/auth.c
+@@ -174,8 +174,11 @@ grub_username_get (char buf[], unsigned
+ 
+       if (key == '\b')
+ 	{
+-	  cur_len--;
+-	  grub_printf ("\b");
++	  if (cur_len)
++	    {
++	      cur_len--;
++	      grub_printf ("\b");
++	    }
+ 	  continue;
+ 	}
+ 

meta/recipes-bsp/grub/grub2.inc

@@ -27,6 +27,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \
            file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0001-parse_dhcp_vendor-Add-missing-const-qualifiers.patch \
            file://grub2-fix-initrd-size-bug.patch \
+           file://CVE-2015-8370.patch \
             "
 
 DEPENDS = "flex-native bison-native xz"

meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch

@@ -0,0 +1,278 @@
+From 8259daad7242ab2af8731681177ef7e948a15ece Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Mon, 16 Nov 2015 13:12:20 +1100
+Subject: [PATCH] 4260.   [security]      Insufficient testing when parsing a
+ message allowed                         records with an incorrect class to be
+ be accepted,                         triggering a REQUIRE failure when those
+ records                         were subsequently cached. (CVE-2015-8000) [RT
+ #4098]
+
+(cherry picked from commit c8821d124c532e0a65752b378f924d4259499fd3)
+(cherry picked from commit 3a4c24c4a52d4a2d21d2decbde3d4e514e27d51c)
+
+
+Upstream-Status: Backport
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=8259daad7242ab2af8731681177ef7e948a15ece
+
+CVE: CVE-2015-8000
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES                       |  5 +++++
+ bin/tests/system/start.pl     |  5 ++++-
+ doc/arm/notes.xml             |  9 +++++++++
+ lib/dns/include/dns/message.h | 13 +++++++++++--
+ lib/dns/message.c             | 45 ++++++++++++++++++++++++++++++++++++++-----
+ lib/dns/resolver.c            |  9 +++++++++
+ lib/dns/xfrin.c               |  2 ++
+ 7 files changed, 80 insertions(+), 8 deletions(-)
+
+Index: bind-9.10.2-P4/bin/tests/system/start.pl
+===================================================================
+--- bind-9.10.2-P4.orig/bin/tests/system/start.pl
++++ bind-9.10.2-P4/bin/tests/system/start.pl
+@@ -68,6 +68,7 @@ my $NAMED = $ENV{'NAMED'};
+ my $LWRESD = $ENV{'LWRESD'};
+ my $DIG = $ENV{'DIG'};
+ my $PERL = $ENV{'PERL'};
++my $PYTHON = $ENV{'PYTHON'};
+ 
+ # Start the server(s)
+ 
+@@ -213,7 +214,9 @@ sub start_server {
+ 		$pid_file = "lwresd.pid";
+ 	} elsif ($server =~ /^ans/) {
+ 		$cleanup_files = "{ans.run}";
+-                if (-e "$testdir/$server/ans.pl") {
++                if (-e "$testdir/$server/ans.py") {
++                        $command = "$PYTHON ans.py 10.53.0.$' 5300";
++                } elsif (-e "$testdir/$server/ans.pl") {
+                         $command = "$PERL ans.pl";
+                 } else {
+                         $command = "$PERL $topdir/ans.pl 10.53.0.$'";
+Index: bind-9.10.2-P4/doc/arm/notes.xml
+===================================================================
+--- bind-9.10.2-P4.orig/doc/arm/notes.xml
++++ bind-9.10.2-P4/doc/arm/notes.xml
+@@ -62,6 +62,15 @@
+     <itemizedlist>
+       <listitem>
+ 	<para>
++	  Insufficient testing when parsing a message allowed
++	  records with an incorrect class to be be accepted,
++	  triggering a REQUIRE failure when those records
++	  were subsequently cached.  This flaw is disclosed
++	  in CVE-2015-8000. [RT #4098]
++	</para>
++      </listitem>
++      <listitem>
++	<para>
+ 	  An incorrect boundary check in the OPENPGPKEY rdatatype
+ 	  could trigger an assertion failure. This flaw is disclosed
+ 	  in CVE-2015-5986. [RT #40286]
+Index: bind-9.10.2-P4/lib/dns/include/dns/message.h
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/include/dns/message.h
++++ bind-9.10.2-P4/lib/dns/include/dns/message.h
+@@ -15,8 +15,6 @@
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+-/* $Id$ */
+-
+ #ifndef DNS_MESSAGE_H
+ #define DNS_MESSAGE_H 1
+ 
+@@ -221,6 +219,8 @@ struct dns_message {
+ 	unsigned int			free_saved : 1;
+ 	unsigned int			sitok : 1;
+ 	unsigned int			sitbad : 1;
++	unsigned int			tkey : 1;
++	unsigned int			rdclass_set : 1;
+ 
+ 	unsigned int			opt_reserved;
+ 	unsigned int			sig_reserved;
+@@ -1400,6 +1400,15 @@ dns_message_buildopt(dns_message_t *msg,
+  * \li	 other.
+  */
+ 
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
++/*%<
++ * Set the expected class of records in the response.
++ *
++ * Requires:
++ * \li   msg be a valid message with parsing intent.
++ */
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_MESSAGE_H */
+Index: bind-9.10.2-P4/lib/dns/message.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/message.c
++++ bind-9.10.2-P4/lib/dns/message.c
+@@ -439,6 +439,8 @@ msginit(dns_message_t *m) {
+ 	m->free_saved = 0;
+ 	m->sitok = 0;
+ 	m->sitbad = 0;
++	m->tkey = 0;
++	m->rdclass_set = 0;
+ 	m->querytsig = NULL;
+ }
+ 
+@@ -1091,13 +1093,19 @@ getquestions(isc_buffer_t *source, dns_m
+ 		 * If this class is different than the one we already read,
+ 		 * this is an error.
+ 		 */
+-		if (msg->state == DNS_SECTION_ANY) {
+-			msg->state = DNS_SECTION_QUESTION;
++		if (msg->rdclass_set == 0) {
+ 			msg->rdclass = rdclass;
++			msg->rdclass_set = 1;
+ 		} else if (msg->rdclass != rdclass)
+ 			DO_FORMERR;
+ 
+ 		/*
++		 * Is this a TKEY query?
++		 */
++		if (rdtype == dns_rdatatype_tkey)
++			msg->tkey = 1;
++
++		/*
+ 		 * Can't ask the same question twice.
+ 		 */
+ 		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
+@@ -1241,12 +1249,12 @@ getsection(isc_buffer_t *source, dns_mes
+ 		 * If there was no question section, we may not yet have
+ 		 * established a class.  Do so now.
+ 		 */
+-		if (msg->state == DNS_SECTION_ANY &&
++		if (msg->rdclass_set == 0 &&
+ 		    rdtype != dns_rdatatype_opt &&	/* class is UDP SIZE */
+ 		    rdtype != dns_rdatatype_tsig &&	/* class is ANY */
+ 		    rdtype != dns_rdatatype_tkey) {	/* class is undefined */
+ 			msg->rdclass = rdclass;
+-			msg->state = DNS_SECTION_QUESTION;
++			msg->rdclass_set = 1;
+ 		}
+ 
+ 		/*
+@@ -1256,7 +1264,7 @@ getsection(isc_buffer_t *source, dns_mes
+ 		if (msg->opcode != dns_opcode_update
+ 		    && rdtype != dns_rdatatype_tsig
+ 		    && rdtype != dns_rdatatype_opt
+-		    && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
++		    && rdtype != dns_rdatatype_key /* in a TKEY query */
+ 		    && rdtype != dns_rdatatype_sig /* SIG(0) */
+ 		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
+ 		    && msg->rdclass != dns_rdataclass_any
+@@ -1264,6 +1272,16 @@ getsection(isc_buffer_t *source, dns_mes
+ 			DO_FORMERR;
+ 
+ 		/*
++		 * If this is not a TKEY query/response then the KEY
++		 * record's class needs to match.
++		 */
++		if (msg->opcode != dns_opcode_update && !msg->tkey &&
++		    rdtype == dns_rdatatype_key &&
++		    msg->rdclass != dns_rdataclass_any &&
++		    msg->rdclass != rdclass)
++			DO_FORMERR;
++
++		/*
+ 		 * Special type handling for TSIG, OPT, and TKEY.
+ 		 */
+ 		if (rdtype == dns_rdatatype_tsig) {
+@@ -1377,6 +1395,10 @@ getsection(isc_buffer_t *source, dns_mes
+ 				skip_name_search = ISC_TRUE;
+ 				skip_type_search = ISC_TRUE;
+ 				issigzero = ISC_TRUE;
++			} else {
++				if (msg->rdclass != dns_rdataclass_any &&
++				    msg->rdclass != rdclass)
++					DO_FORMERR;
+ 			}
+ 		} else
+ 			covers = 0;
+@@ -1625,6 +1647,7 @@ dns_message_parse(dns_message_t *msg, is
+ 	msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
+ 
+ 	msg->header_ok = 1;
++	msg->state = DNS_SECTION_QUESTION;
+ 
+ 	/*
+ 	 * -1 means no EDNS.
+@@ -3706,3 +3729,15 @@ dns_message_buildopt(dns_message_t *mess
+ 		dns_message_puttemprdatalist(message, &rdatalist);
+ 	return (result);
+ }
++
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
++
++	REQUIRE(DNS_MESSAGE_VALID(msg));
++	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
++	REQUIRE(msg->state == DNS_SECTION_ANY);
++	REQUIRE(msg->rdclass_set == 0);
++
++	msg->rdclass = rdclass;
++	msg->rdclass_set = 1;
++}
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -7309,6 +7309,8 @@ resquery_response(isc_task_t *task, isc_
+ 			goto done;
+ 	}
+ 
++	dns_message_setclass(message, fctx->res->rdclass);
++
+ 	if ((options & DNS_FETCHOPT_TCP) == 0) {
+ 		if ((options & DNS_FETCHOPT_NOEDNS0) == 0)
+ 			dns_adb_setudpsize(fctx->adb, query->addrinfo,
+@@ -7391,6 +7393,13 @@ resquery_response(isc_task_t *task, isc_
+ 				 &dns_master_style_comment,
+ 				 ISC_LOG_DEBUG(10),
+ 				 fctx->res->mctx);
++
++	if (message->rdclass != fctx->res->rdclass) {
++		resend = ISC_TRUE;
++		FCTXTRACE("bad class");
++		goto done;
++	}
++
+ 	/*
+ 	 * Process receive opt record.
+ 	 */
+Index: bind-9.10.2-P4/lib/dns/xfrin.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/xfrin.c
++++ bind-9.10.2-P4/lib/dns/xfrin.c
+@@ -1225,6 +1225,8 @@ xfrin_recv_done(isc_task_t *task, isc_ev
+ 	msg->tsigctx = xfr->tsigctx;
+ 	xfr->tsigctx = NULL;
+ 
++	dns_message_setclass(msg, xfr->rdclass);
++
+ 	if (xfr->nmsg > 0)
+ 		msg->tcp_continuation = 1;
+ 
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,4 +1,9 @@
+-	--- 9.10.2-P4 released ---
++4260.  [security]      Insufficient testing when parsing a message allowed
++                       records with an incorrect class to be be accepted,
++                       triggering a REQUIRE failure when those records
++                       were subsequently cached. (CVE-2015-8000) [RT #4098]
++
++    --- 9.10.2-P4 released ---
+ 
+ 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
+ 			rdatatype could trigger an assertion failure.

meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch

@@ -0,0 +1,44 @@
+From adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 25 Jun 2015 18:36:27 +1000
+Subject: [PATCH] 4146.   [bug]           Address reference leak that could
+ prevent a clean                         shutdown. [RT #37125]
+
+Upstream-Status: Backport
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d
+
+CVE: CVE-2015-8461
+Signed-off-by:  Armin Kuster <akuster@mvista.com>
+---
+ CHANGES            | 3 +++
+ lib/dns/resolver.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,6 @@
++4146.  [bug]           Address reference leak that could prevent a clean
++                       shutdown. [RT #37125]
++
+ 4260.  [security]      Insufficient testing when parsing a message allowed
+                        records with an incorrect class to be be accepted,
+                        triggering a REQUIRE failure when those records
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -1649,6 +1649,11 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr
+ 	if (query->dispatch != NULL)
+ 		dns_dispatch_detach(&query->dispatch);
+ 
++	LOCK(&res->buckets[fctx->bucketnum].lock);
++	INSIST(fctx->references > 1);
++	fctx->references--;
++	UNLOCK(&res->buckets[fctx->bucketnum].lock);
++
+  cleanup_query:
+ 	if (query->connects == 0) {
+ 		query->magic = 0;

meta/recipes-connectivity/bind/bind/CVE-2015-8704.patch

@@ -0,0 +1,28 @@
+a buffer size check can cause denial of service under certain circumstances 
+
+[security]
+The following flaw in BIND was reported by ISC:
+
+A buffer size check used to guard against overflow could cause named to exit with an INSIST failure In apl_42.c.
+
+A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8704
+
+[The patch is taken from BIND 9.10.3:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8704]
+
+Signed-off-by: Derek Straka <derek@asterius.io>
+diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
+index bedd38e..28eb7f2 100644
+--- a/lib/dns/rdata/in_1/apl_42.c
++++ b/lib/dns/rdata/in_1/apl_42.c
+@@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) {
+	isc_uint8_t len;
+	isc_boolean_t neg;
+	unsigned char buf[16];
+-	char txt[sizeof(" !64000")];
++	char txt[sizeof(" !64000:")];
+	const char *sep = "";
+	int n;

meta/recipes-connectivity/bind/bind/CVE-2015-8705.patch

@@ -0,0 +1,44 @@
+a crash or assertion failure can during format processing 
+
+[security]
+The following flaw in BIND was reported by ISC:
+
+In versions of BIND 9.10, errors can occur when OPT pseudo-RR data or ECS options are formatted to text. In 9.10.3 through 9.10.3-P2, the issue may result in a REQUIRE assertion failure in buffer.c.
+
+This issue can affect both authoritative and recursive servers if they are performing debug logging. (It may also crash related tools which use the same code, such as dig or delv.)
+
+A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8705
+
+[The patch is taken from BIND 9.10.3:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8705]
+
+Signed-off-by: Derek Straka <derek@asterius.io>
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index ea7b93a..810c58e 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -3310,9 +3310,19 @@
+ 			} else if (optcode == DNS_OPT_SIT) {
+ 				ADD_STRING(target, "; SIT");
+ 			} else if (optcode == DNS_OPT_CLIENT_SUBNET) {
++				isc_buffer_t ecsbuf;
+ 				ADD_STRING(target, "; CLIENT-SUBNET: ");
+-				render_ecs(&optbuf, target);
+-				ADD_STRING(target, "\n");
++				isc_buffer_init(&ecsbuf,
++							isc_buffer_current(&optbuf),
++							optlen);
++				isc_buffer_add(&ecsbuf, optlen);
++				result = render_ecs(&ecsbuf, target);
++				if (result == ISC_R_NOSPACE)
++					return (result);
++				if (result == ISC_R_SUCCESS) {
++					isc_buffer_forward(&optbuf, optlen);
++                                        ADD_STRING(target, "\n");
++                }
+ 				continue;
+ 			} else if (optcode == DNS_OPT_EXPIRE) {
+ 				if (optlen == 4) {

meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch

@@ -0,0 +1,138 @@
+From e7e15d1302b26a96fa0a5307d6f2cb0d8ad4ea63 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 18 Feb 2016 12:11:27 +1100
+Subject: [PATCH] 4318. [security] Malformed control messages can
+trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]
+
+(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
+
+Hand applied Changelog changes.
+
+CVE: CVE-2016-1285
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/bin/named/control.c b/bin/named/control.c
+--- a/bin/named/control.c	2015-08-15 02:28:49.000000000 +0200
++++ b/bin/named/control.c	2016-04-11 09:38:20.940827528 +0200
+@@ -69,7 +69,7 @@
+ #endif
+ 
+ 	data = isccc_alist_lookup(message, "_data");
+-	if (data == NULL) {
++	if (!isccc_alist_alistp(data)) {
+ 		/*
+ 		 * No data section.
+ 		 */
+diff -ruN a/bin/named/controlconf.c b/bin/named/controlconf.c
+--- a/bin/named/controlconf.c	2015-08-15 02:28:49.000000000 +0200
++++ b/bin/named/controlconf.c	2016-04-11 09:38:20.944827355 +0200
+@@ -402,7 +402,7 @@
+ 	 * Limit exposure to replay attacks.
+ 	 */
+ 	_ctrl = isccc_alist_lookup(request, "_ctrl");
+-	if (_ctrl == NULL) {
++	if (!isccc_alist_alistp(_ctrl)) {
+ 		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
+ 		goto cleanup_request;
+ 	}
+diff -ruN a/bin/rndc/rndc.c b/bin/rndc/rndc.c
+--- a/bin/rndc/rndc.c	2015-08-15 02:28:49.000000000 +0200
++++ b/bin/rndc/rndc.c	2016-04-11 09:38:20.944827355 +0200
+@@ -254,8 +254,8 @@
+ 	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
+ 
+ 	data = isccc_alist_lookup(response, "_data");
+-	if (data == NULL)
+-		fatal("no data section in response");
++	if (!isccc_alist_alistp(data))
++		fatal("bad or missing data section in response");
+ 	result = isccc_cc_lookupstring(data, "err", &errormsg);
+ 	if (result == ISC_R_SUCCESS) {
+ 		failed = ISC_TRUE;
+@@ -320,8 +320,8 @@
+ 	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
+ 
+ 	_ctrl = isccc_alist_lookup(response, "_ctrl");
+-	if (_ctrl == NULL)
+-		fatal("_ctrl section missing");
++	if (!isccc_alist_alistp(_ctrl))
++		fatal("bad or missing ctrl section in response");
+ 	nonce = 0;
+ 	if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
+ 		nonce = 0;
+diff -ruN a/CHANGES b/CHANGES
+--- a/CHANGES	2016-04-11 09:36:08.546578759 +0200
++++ b/CHANGES	2016-04-11 09:39:59.356552273 +0200
+@@ -1,3 +1,6 @@
++4318.  [security]      Malformed control messages can trigger assertions
++                       in named and rndc. (CVE-2016-1285) [RT #41666]
++
+ 4146.  [bug]           Address reference leak that could prevent a clean
+                        shutdown. [RT #37125]
+ 
+diff -ruN a/lib/isccc/cc.c b/lib/isccc/cc.c
+--- a/lib/isccc/cc.c	2015-08-15 02:28:49.000000000 +0200
++++ b/lib/isccc/cc.c	2016-04-11 09:38:20.944827355 +0200
+@@ -403,13 +403,13 @@
+ 	 * Extract digest.
+ 	 */
+ 	_auth = isccc_alist_lookup(alist, "_auth");
+-	if (_auth == NULL)
++	if (!isccc_alist_alistp(_auth))
+ 		return (ISC_R_FAILURE);
+ 	if (algorithm == ISCCC_ALG_HMACMD5)
+ 		hmac = isccc_alist_lookup(_auth, "hmd5");
+ 	else
+ 		hmac = isccc_alist_lookup(_auth, "hsha");
+-	if (hmac == NULL)
++	if (!isccc_sexpr_binaryp(hmac))
+ 		return (ISC_R_FAILURE);
+ 	/*
+ 	 * Compute digest.
+@@ -728,7 +728,7 @@
+ 	REQUIRE(ackp != NULL && *ackp == NULL);
+ 
+ 	_ctrl = isccc_alist_lookup(message, "_ctrl");
+-	if (_ctrl == NULL ||
++	if (!isccc_alist_alistp(_ctrl) ||
+ 	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+ 	    isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
+ 		return (ISC_R_FAILURE);
+@@ -773,7 +773,7 @@
+ 	isccc_sexpr_t *_ctrl;
+ 
+ 	_ctrl = isccc_alist_lookup(message, "_ctrl");
+-	if (_ctrl == NULL)
++	if (!isccc_alist_alistp(_ctrl))
+ 		return (ISC_FALSE);
+ 	if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
+ 		return (ISC_TRUE);
+@@ -786,7 +786,7 @@
+ 	isccc_sexpr_t *_ctrl;
+ 
+ 	_ctrl = isccc_alist_lookup(message, "_ctrl");
+-	if (_ctrl == NULL)
++	if (!isccc_alist_alistp(_ctrl))
+ 		return (ISC_FALSE);
+ 	if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
+ 		return (ISC_TRUE);
+@@ -806,7 +806,7 @@
+ 
+ 	_ctrl = isccc_alist_lookup(message, "_ctrl");
+ 	_data = isccc_alist_lookup(message, "_data");
+-	if (_ctrl == NULL || _data == NULL ||
++	if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
+ 	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+ 	    isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
+ 		return (ISC_R_FAILURE);
+@@ -995,7 +995,7 @@
+ 	isccc_sexpr_t *_ctrl;
+ 
+ 	_ctrl = isccc_alist_lookup(message, "_ctrl");
+-	if (_ctrl == NULL ||
++	if (!isccc_alist_alistp(_ctrl) ||
+ 	    isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
+ 	    isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
+ 		return (ISC_R_FAILURE);

meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch

@@ -0,0 +1,79 @@
+From 456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3 Mon Sep 17 00:00:00 2001
+From: Mukund Sivaraman <muks@isc.org>
+Date: Mon, 22 Feb 2016 12:22:43 +0530
+Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
+ (CVE-2016-1286) (#41753)
+
+(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
+
+Hand applied Changelog changes.
+
+CVE: CVE-2016-1286
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/CHANGES b/CHANGES
+--- a/CHANGES	2016-04-11 09:46:42.075057394 +0200
++++ b/CHANGES	2016-04-11 09:44:21.857148819 +0200
+@@ -1,3 +1,7 @@
++4319.  [security]      Fix resolver assertion failure due to improper
++                       DNAME handling when parsing fetch reply messages.
++                       (CVE-2016-1286) [RT #41753]
++
+ 4318.  [security]      Malformed control messages can trigger assertions
+                        in named and rndc. (CVE-2016-1285) [RT #41666]
+ 
+diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c
+--- a/lib/dns/resolver.c	2016-04-11 09:36:08.550578585 +0200
++++ b/lib/dns/resolver.c	2016-04-11 09:43:23.091701714 +0200
+@@ -6634,21 +6634,26 @@
+ 				isc_boolean_t found_dname = ISC_FALSE;
+ 				dns_name_t *dname_name;
+ 
++				/*
++				 * Only pass DNAME or RRSIG(DNAME).
++				 */
++				if (rdataset->type != dns_rdatatype_dname &&
++				    (rdataset->type != dns_rdatatype_rrsig ||
++				     rdataset->covers != dns_rdatatype_dname))
++					continue;
++
++				/*
++				 * If we're not chaining, then the DNAME and
++				 * its signature should not be external.
++				 */
++				if (!chaining && external) {
++					log_formerr(fctx, "external DNAME");
++					return (DNS_R_FORMERR);
++				}
++
+ 				found = ISC_FALSE;
+ 				aflag = 0;
+ 				if (rdataset->type == dns_rdatatype_dname) {
+-					/*
+-					 * We're looking for something else,
+-					 * but we found a DNAME.
+-					 *
+-					 * If we're not chaining, then the
+-					 * DNAME should not be external.
+-					 */
+-					if (!chaining && external) {
+-						log_formerr(fctx,
+-							    "external DNAME");
+-						return (DNS_R_FORMERR);
+-					}
+ 					found = ISC_TRUE;
+ 					want_chaining = ISC_TRUE;
+ 					POST(want_chaining);
+@@ -6677,9 +6682,7 @@
+ 							&fctx->domain)) {
+ 						return (DNS_R_SERVFAIL);
+ 					}
+-				} else if (rdataset->type == dns_rdatatype_rrsig
+-					   && rdataset->covers ==
+-					   dns_rdatatype_dname) {
++				} else {
+ 					/*
+ 					 * We've found a signature that
+ 					 * covers the DNAME.

meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch

@@ -0,0 +1,318 @@
+From 499952eb459c9a41d2092f1d98899c131f9103b2 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Mon, 29 Feb 2016 07:16:48 +1100
+Subject: [PATCH] Part 2 of: 4319.[security] Fix resolver assertion
+failure due to improper DNAME handling when parsing fetch reply messages.
+(CVE-2016-1286) [RT #41753]
+
+(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374)
+
+CVE: CVE-2016-1286 [part 2]
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/dns/resolver.c | 192 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 93 insertions(+), 99 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 23d636b..fbc0af0 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -6088,14 +6088,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
+ }
+ 
+ static inline isc_result_t
+-dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
+-	     dns_name_t *oname, dns_fixedname_t *fixeddname)
++dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
++	     unsigned int nlabels, dns_fixedname_t *fixeddname)
+ {
+ 	isc_result_t result;
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+-	unsigned int nlabels;
+-	int order;
+-	dns_namereln_t namereln;
+ 	dns_rdata_dname_t dname;
+ 	dns_fixedname_t prefix;
+ 
+@@ -6110,21 +6107,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
+ 	if (result != ISC_R_SUCCESS)
+ 		return (result);
+ 
+-	/*
+-	 * Get the prefix of qname.
+-	 */
+-	namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
+-	if (namereln != dns_namereln_subdomain) {
+-		char qbuf[DNS_NAME_FORMATSIZE];
+-		char obuf[DNS_NAME_FORMATSIZE];
+-
+-		dns_rdata_freestruct(&dname);
+-		dns_name_format(qname, qbuf, sizeof(qbuf));
+-		dns_name_format(oname, obuf, sizeof(obuf));
+-		log_formerr(fctx, "unrelated DNAME in answer: "
+-				   "%s is not in %s", qbuf, obuf);
+-		return (DNS_R_FORMERR);
+-	}
+ 	dns_fixedname_init(&prefix);
+ 	dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
+ 	dns_fixedname_init(fixeddname);
+@@ -6750,13 +6732,13 @@ static isc_result_t
+ answer_response(fetchctx_t *fctx) {
+ 	isc_result_t result;
+ 	dns_message_t *message;
+-	dns_name_t *name, *qname, tname, *ns_name;
++	dns_name_t *name, *dname, *qname, tname, *ns_name;
+ 	dns_rdataset_t *rdataset, *ns_rdataset;
+ 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
+ 	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+ 	unsigned int aflag;
+ 	dns_rdatatype_t type;
+-	dns_fixedname_t dname, fqname;
++	dns_fixedname_t fdname, fqname;
+ 	dns_view_t *view;
+ 
+ 	FCTXTRACE("answer_response");
+@@ -6784,10 +6766,15 @@ answer_response(fetchctx_t *fctx) {
+ 	view = fctx->res->view;
+ 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ 	while (!done && result == ISC_R_SUCCESS) {
++		dns_namereln_t namereln;
++		int order;
++		unsigned int nlabels;
++
+ 		name = NULL;
+ 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+-		if (dns_name_equal(name, qname)) {
++		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++		if (namereln == dns_namereln_equal) {
+ 			wanted_chaining = ISC_FALSE;
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
+ 			     rdataset != NULL;
+@@ -6912,10 +6899,11 @@ answer_response(fetchctx_t *fctx) {
+ 						 */
+ 						INSIST(!external);
+ 						if (aflag ==
+-						    DNS_RDATASETATTR_ANSWER)
++						    DNS_RDATASETATTR_ANSWER) {
+ 							have_answer = ISC_TRUE;
+-						name->attributes |=
+-							DNS_NAMEATTR_ANSWER;
++							name->attributes |=
++								DNS_NAMEATTR_ANSWER;
++						}
+ 						rdataset->attributes |= aflag;
+ 						if (aa)
+ 							rdataset->trust =
+@@ -6970,6 +6958,8 @@ answer_response(fetchctx_t *fctx) {
+ 			if (wanted_chaining)
+ 				chaining = ISC_TRUE;
+ 		} else {
++			dns_rdataset_t *dnameset = NULL;
++
+ 			/*
+ 			 * Look for a DNAME (or its SIG).  Anything else is
+ 			 * ignored.
+@@ -6977,10 +6967,8 @@ answer_response(fetchctx_t *fctx) {
+ 			wanted_chaining = ISC_FALSE;
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
+ 			     rdataset != NULL;
+-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+-				isc_boolean_t found_dname = ISC_FALSE;
+-				dns_name_t *dname_name;
+-
++			     rdataset = ISC_LIST_NEXT(rdataset, link))
++			{
+ 				/*
+ 				 * Only pass DNAME or RRSIG(DNAME).
+ 				 */
+@@ -6994,20 +6982,41 @@ answer_response(fetchctx_t *fctx) {
+ 				 * its signature should not be external.
+ 				 */
+ 				if (!chaining && external) {
+-					log_formerr(fctx, "external DNAME");
++					char qbuf[DNS_NAME_FORMATSIZE];
++					char obuf[DNS_NAME_FORMATSIZE];
++
++					dns_name_format(name, qbuf,
++							sizeof(qbuf));
++					dns_name_format(&fctx->domain, obuf,
++							sizeof(obuf));
++					log_formerr(fctx, "external DNAME or "
++						    "RRSIG covering DNAME "
++						    "in answer: %s is "
++						    "not in %s", qbuf, obuf);
++					return (DNS_R_FORMERR);
++				}
++
++				if (namereln != dns_namereln_subdomain) {
++					char qbuf[DNS_NAME_FORMATSIZE];
++					char obuf[DNS_NAME_FORMATSIZE];
++
++					dns_name_format(qname, qbuf,
++							sizeof(qbuf));
++					dns_name_format(name, obuf,
++							sizeof(obuf));
++					log_formerr(fctx, "unrelated DNAME "
++						    "in answer: %s is "
++						    "not in %s", qbuf, obuf);
+ 					return (DNS_R_FORMERR);
+ 				}
+ 
+-				found = ISC_FALSE;
+ 				aflag = 0;
+ 				if (rdataset->type == dns_rdatatype_dname) {
+-					found = ISC_TRUE;
+ 					want_chaining = ISC_TRUE;
+ 					POST(want_chaining);
+ 					aflag = DNS_RDATASETATTR_ANSWER;
+-					result = dname_target(fctx, rdataset,
+-							      qname, name,
+-							      &dname);
++					result = dname_target(rdataset, qname,
++							      nlabels, &fdname);
+ 					if (result == ISC_R_NOSPACE) {
+ 						/*
+ 						 * We can't construct the
+@@ -7019,14 +7028,12 @@ answer_response(fetchctx_t *fctx) {
+ 					} else if (result != ISC_R_SUCCESS)
+ 						return (result);
+ 					else
+-						found_dname = ISC_TRUE;
++						dnameset = rdataset;
+ 
+-					dname_name = dns_fixedname_name(&dname);
++					dname = dns_fixedname_name(&fdname);
+ 					if (!is_answertarget_allowed(view,
+-							qname,
+-							rdataset->type,
+-							dname_name,
+-							&fctx->domain)) {
++							qname, rdataset->type,
++							dname, &fctx->domain)) {
+ 						return (DNS_R_SERVFAIL);
+ 					}
+ 				} else {
+@@ -7034,73 +7041,60 @@ answer_response(fetchctx_t *fctx) {
+ 					 * We've found a signature that
+ 					 * covers the DNAME.
+ 					 */
+-					found = ISC_TRUE;
+ 					aflag = DNS_RDATASETATTR_ANSWERSIG;
+ 				}
+ 
+-				if (found) {
++				/*
++				 * We've found an answer to our
++				 * question.
++				 */
++				name->attributes |= DNS_NAMEATTR_CACHE;
++				rdataset->attributes |= DNS_RDATASETATTR_CACHE;
++				rdataset->trust = dns_trust_answer;
++				if (!chaining) {
+ 					/*
+-					 * We've found an answer to our
+-					 * question.
++					 * This data is "the" answer to
++					 * our question only if we're
++					 * not chaining.
+ 					 */
+-					name->attributes |=
+-						DNS_NAMEATTR_CACHE;
+-					rdataset->attributes |=
+-						DNS_RDATASETATTR_CACHE;
+-					rdataset->trust = dns_trust_answer;
+-					if (!chaining) {
+-						/*
+-						 * This data is "the" answer
+-						 * to our question only if
+-						 * we're not chaining.
+-						 */
+-						INSIST(!external);
+-						if (aflag ==
+-						    DNS_RDATASETATTR_ANSWER)
+-							have_answer = ISC_TRUE;
++					INSIST(!external);
++					if (aflag == DNS_RDATASETATTR_ANSWER) {
++						have_answer = ISC_TRUE;
+ 						name->attributes |=
+ 							DNS_NAMEATTR_ANSWER;
+-						rdataset->attributes |= aflag;
+-						if (aa)
+-							rdataset->trust =
+-							  dns_trust_authanswer;
+-					} else if (external) {
+-						rdataset->attributes |=
+-						    DNS_RDATASETATTR_EXTERNAL;
+-					}
+-
+-					/*
+-					 * DNAME chaining.
+-					 */
+-					if (found_dname) {
+-						/*
+-						 * Copy the dname into the
+-						 * qname fixed name.
+-						 *
+-						 * Although we check for
+-						 * failure of the copy
+-						 * operation, in practice it
+-						 * should never fail since
+-						 * we already know that the
+-						 * result fits in a fixedname.
+-						 */
+-						dns_fixedname_init(&fqname);
+-						result = dns_name_copy(
+-						  dns_fixedname_name(&dname),
+-						  dns_fixedname_name(&fqname),
+-						  NULL);
+-						if (result != ISC_R_SUCCESS)
+-							return (result);
+-						wanted_chaining = ISC_TRUE;
+-						name->attributes |=
+-							DNS_NAMEATTR_CHAINING;
+-						rdataset->attributes |=
+-						    DNS_RDATASETATTR_CHAINING;
+-						qname = dns_fixedname_name(
+-								   &fqname);
+ 					}
++					rdataset->attributes |= aflag;
++					if (aa)
++						rdataset->trust =
++						  dns_trust_authanswer;
++				} else if (external) {
++					rdataset->attributes |=
++					    DNS_RDATASETATTR_EXTERNAL;
+ 				}
+ 			}
++
++			/*
++			 * DNAME chaining.
++			 */
++			if (dnameset != NULL) {
++				/*
++				 * Copy the dname into the qname fixed name.
++				 *
++				 * Although we check for failure of the copy
++				 * operation, in practice it should never fail
++				 * since we already know that the  result fits
++				 * in a fixedname.
++				 */
++				dns_fixedname_init(&fqname);
++				qname = dns_fixedname_name(&fqname);
++				result = dns_name_copy(dname, qname, NULL);
++				if (result != ISC_R_SUCCESS)
++					return (result);
++				wanted_chaining = ISC_TRUE;
++				name->attributes |= DNS_NAMEATTR_CHAINING;
++				dnameset->attributes |=
++					    DNS_RDATASETATTR_CHAINING;
++			}
+ 			if (wanted_chaining)
+ 				chaining = ISC_TRUE;
+ 		}
+-- 
+1.9.1
+

meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch

@@ -0,0 +1,216 @@
+From d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Sat, 27 Feb 2016 11:23:50 +1100
+Subject: [PATCH] 4322.   [security]      Duplicate EDNS COOKIE options in a
+ response could                         trigger an assertion failure.
+ (CVE-2016-2088)                         [RT #41809]
+
+(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
+(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
+
+Upstream-Status: Backport
+CVE: CVE-2016-2088
+minor fixup to get to apply.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES            |  5 +++++
+ bin/dig/dighost.c  |  9 +++++++++
+ bin/named/client.c | 33 +++++++++++++++++++++++----------
+ doc/arm/notes.xml  |  7 +++++++
+ lib/dns/resolver.c | 14 +++++++++++++-
+ 5 files changed, 57 insertions(+), 11 deletions(-)
+
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,7 @@
++4322.  [security]      Duplicate EDNS COOKIE options in a response could
++                       trigger an assertion failure. (CVE-2016-2088)
++                       [RT #41809]
++
+ 4319.  [security]      Fix resolver assertion failure due to improper
+                        DNAME handling when parsing fetch reply messages.
+                        (CVE-2016-1286) [RT #41753]
+Index: bind-9.10.2-P4/bin/dig/dighost.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/dig/dighost.c
++++ bind-9.10.2-P4/bin/dig/dighost.c
+@@ -3349,6 +3349,7 @@ process_opt(dig_lookup_t *l, dns_message
+ 	isc_buffer_t optbuf;
+ 	isc_uint16_t optcode, optlen;
+ 	dns_rdataset_t *opt = msg->opt;
++	isc_boolean_t seen_cookie = ISC_FALSE;
+ 
+ 	result = dns_rdataset_first(opt);
+ 	if (result == ISC_R_SUCCESS) {
+@@ -3360,8 +3361,16 @@ process_opt(dig_lookup_t *l, dns_message
+ 			optcode = isc_buffer_getuint16(&optbuf);
+ 			optlen = isc_buffer_getuint16(&optbuf);
+ 			switch (optcode) {
+-			case DNS_OPT_SIT:
++ 			case DNS_OPT_SIT:
++                                /*
++                                 * Only process the first cookie option.
++                                 */
++                                if (seen_cookie) {
++                                        isc_buffer_forward(&optbuf, optlen);
++                                        break;
++                                }
+ 				process_sit(l, msg, &optbuf, optlen);
++                                seen_cookie = ISC_TRUE;
+ 				break;
+ 			default:
+ 				isc_buffer_forward(&optbuf, optlen);
+Index: bind-9.10.2-P4/bin/named/client.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/named/client.c
++++ bind-9.10.2-P4/bin/named/client.c
+@@ -121,7 +121,10 @@
+  */
+ #endif
+ 
+-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
++#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
++
++#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
++#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
+ 
+ /*% nameserver client manager structure */
+ struct ns_clientmgr {
+@@ -1391,7 +1394,7 @@ ns_client_addopt(ns_client_t *client, dn
+ {
+ 	char nsid[BUFSIZ], *nsidp;
+ #ifdef ISC_PLATFORM_USESIT
+-	unsigned char sit[SIT_SIZE];
++	unsigned char sit[COOKIE_SIZE];
+ #endif
+ 	isc_result_t result;
+ 	dns_view_t *view;
+@@ -1416,7 +1419,7 @@ ns_client_addopt(ns_client_t *client, dn
+ 	flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
+ 
+ 	/* Set EDNS options if applicable */
+-	if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
++	if (WANTNSID(client) &&
+ 	    (ns_g_server->server_id != NULL ||
+ 	     ns_g_server->server_usehostname)) {
+ 		if (ns_g_server->server_usehostname) {
+@@ -1449,7 +1452,7 @@ ns_client_addopt(ns_client_t *client, dn
+ 
+ 		INSIST(count < DNS_EDNSOPTIONS);
+ 		ednsopts[count].code = DNS_OPT_SIT;
+-		ednsopts[count].length = SIT_SIZE;
++		ednsopts[count].length = COOKIE_SIZE;
+ 		ednsopts[count].value = sit;
+ 		count++;
+ 	}
+@@ -1657,19 +1660,26 @@ compute_sit(ns_client_t *client, isc_uin
+ 
+ static void
+ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+-	unsigned char dbuf[SIT_SIZE];
++	unsigned char dbuf[COOKIE_SIZE];
+ 	unsigned char *old;
+ 	isc_stdtime_t now;
+ 	isc_uint32_t when;
+ 	isc_uint32_t nonce;
+ 	isc_buffer_t db;
+ 
++	/*
++	 * If we have already seen a ECS option skip this ECS option.
++	 */
++	if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
++		isc_buffer_forward(buf, optlen);
++		return;
++	}
+ 	client->attributes |= NS_CLIENTATTR_WANTSIT;
+ 
+ 	isc_stats_increment(ns_g_server->nsstats,
+ 			    dns_nsstatscounter_sitopt);
+ 
+-	if (optlen != SIT_SIZE) {
++	if (optlen != COOKIE_SIZE) {
+ 		/*
+ 		 * Not our token.
+ 		 */
+@@ -1713,7 +1723,7 @@ process_sit(ns_client_t *client, isc_buf
+ 	isc_buffer_init(&db, dbuf, sizeof(dbuf));
+ 	compute_sit(client, when, nonce, &db);
+ 
+-	if (memcmp(old, dbuf, SIT_SIZE) != 0) {
++	if (memcmp(old, dbuf, COOKIE_SIZE) != 0) {
+ 		isc_stats_increment(ns_g_server->nsstats,
+ 				    dns_nsstatscounter_sitnomatch);
+ 		return;
+@@ -1779,7 +1789,9 @@ process_opt(ns_client_t *client, dns_rda
+ 			optlen = isc_buffer_getuint16(&optbuf);
+ 			switch (optcode) {
+ 			case DNS_OPT_NSID:
+-				isc_stats_increment(ns_g_server->nsstats,
++				if (!WANTNSID(client))
++					isc_stats_increment(
++						    ns_g_server->nsstats,
+ 						    dns_nsstatscounter_nsidopt);
+ 				client->attributes |= NS_CLIENTATTR_WANTNSID;
+ 				isc_buffer_forward(&optbuf, optlen);
+@@ -1790,7 +1802,9 @@ process_opt(ns_client_t *client, dns_rda
+ 				break;
+ #endif
+ 			case DNS_OPT_EXPIRE:
+-				isc_stats_increment(ns_g_server->nsstats,
++				if (!WANTEXPIRE(client))
++					isc_stats_increment(
++						  ns_g_server->nsstats,
+ 						  dns_nsstatscounter_expireopt);
+ 				client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
+ 				isc_buffer_forward(&optbuf, optlen);
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -7144,7 +7144,9 @@ process_opt(resquery_t *query, dns_rdata
+ 	unsigned char *sit;
+ 	dns_adbaddrinfo_t *addrinfo;
+ 	unsigned char cookie[8];
++	isc_boolean_t seen_cookie = ISC_FALSE;
+ #endif
++	isc_boolean_t seen_nsid = ISC_FALSE;
+ 
+ 	result = dns_rdataset_first(opt);
+ 	if (result == ISC_R_SUCCESS) {
+@@ -7158,14 +7160,23 @@ process_opt(resquery_t *query, dns_rdata
+ 			INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
+ 			switch (optcode) {
+ 			case DNS_OPT_NSID:
+-				if (query->options & DNS_FETCHOPT_WANTNSID)
++				if (!seen_nsid &&
++                                    query->options & DNS_FETCHOPT_WANTNSID)
+ 					log_nsid(&optbuf, optlen, query,
+ 						 ISC_LOG_DEBUG(3),
+ 						 query->fctx->res->mctx);
+ 				isc_buffer_forward(&optbuf, optlen);
++	                        seen_nsid = ISC_TRUE;
+ 				break;
+ #ifdef ISC_PLATFORM_USESIT
+ 			case DNS_OPT_SIT:
++                                /*
++                                 * Only process the first cookie option.
++                                 */
++                                if (seen_cookie) {
++                                        isc_buffer_forward(&optbuf, optlen);
++                                        break;
++                                }
+ 				sit = isc_buffer_current(&optbuf);
+ 				compute_cc(query, cookie, sizeof(cookie));
+ 				INSIST(query->fctx->rmessage->sitbad == 0 &&
+@@ -7183,6 +7194,7 @@ process_opt(resquery_t *query, dns_rdata
+ 				isc_buffer_forward(&optbuf, optlen);
+ 				inc_stats(query->fctx->res,
+ 					  dns_resstatscounter_sitin);
++				seen_cookie = ISC_TRUE;
+ 				break;
+ #endif
+ 			default:

meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch

@@ -0,0 +1,84 @@
+From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 7 Jul 2016 12:52:47 +1000
+Subject: [PATCH] 4406.   [bug]           getrrsetbyname with a non absolute
+ name could                         trigger a infinite recursion bug in lwresd
+                         and named with lwres configured if when combined     
+                    with a search list entry the resulting name is            
+             too long. [RT #42694]
+
+(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232)
+
+Upstream-Status: Backport
+CVE: CVE-2016-2775
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES                          |  6 ++++++
+ bin/named/lwdgrbn.c              | 16 ++++++++++------
+ bin/tests/system/lwresd/lwtest.c |  8 ++++++++
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+
+Index: bind-9.10.2-P4/bin/named/lwdgrbn.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c
++++ bind-9.10.2-P4/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+ 	INSIST(client->lookup == NULL);
+ 
+ 	dns_fixedname_init(&absname);
+-	result = ns_lwsearchctx_current(&client->searchctx,
+-					dns_fixedname_name(&absname));
++
+ 	/*
+-	 * This will return failure if relative name + suffix is too long.
+-	 * In this case, just go on to the next entry in the search path.
++	 * Perform search across all search domains until success
++	 * is returned. Return in case of failure.
+ 	 */
+-	if (result != ISC_R_SUCCESS)
+-		start_lookup(client);
++	while (ns_lwsearchctx_current(&client->searchctx,
++			dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
++		if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
++			ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
++			return;
++		}
++	}
+ 
+ 	result = dns_lookup_create(cm->mctx,
+ 				   dns_fixedname_name(&absname),
+Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c
++++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+@@ -768,6 +768,14 @@ main(void) {
+ 	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+ 	test_getrrsetbyname("", 1, 1, 0, 0, 0);
+ 
++	test_getrrsetbyname("123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789", 1, 1, 0, 0, 0);
++
+ 	if (fails == 0)
+ 		printf("I:ok\n");
+ 	return (fails);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,9 @@
++4406.  [bug]           getrrsetbyname with a non absolute name could
++                       trigger a infinite recursion bug in lwresd
++                       and named with lwres configured if when combined
++                       with a search list entry the resulting name is
++                       too long. [RT #42694]
++
+ 4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                        trigger an assertion failure. (CVE-2016-2088)
+                        [RT #41809]

meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch

@@ -0,0 +1,112 @@
+From 060b6137eee62bc6d2eb77aeaeb1ad2292ca8ed7 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 9 Sep 2016 11:29:48 +1000
+Subject: [PATCH] 4467.   [security]      It was possible to trigger a
+ assertion when rendering                         a message. [RT #43139]
+
+(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
+---
+ CHANGES           |  3 +++
+ lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
+ 2 files changed, 34 insertions(+), 11 deletions(-)
+
+Index: bind-9.10.2-P4/lib/dns/message.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/message.c
++++ bind-9.10.2-P4/lib/dns/message.c
+@@ -1751,7 +1751,7 @@ dns_message_renderbegin(dns_message_t *m
+ 	if (r.length < DNS_MESSAGE_HEADERLEN)
+ 		return (ISC_R_NOSPACE);
+ 
+-	if (r.length < msg->reserved)
++	if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+ 		return (ISC_R_NOSPACE);
+ 
+ 	/*
+@@ -1878,8 +1878,29 @@ norender_rdataset(const dns_rdataset_t *
+ 
+ 	return (ISC_TRUE);
+ }
+-
+ #endif
++
++static isc_result_t
++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
++	  dns_compress_t *cctx, isc_buffer_t *target,
++	  unsigned int reserved, unsigned int options, unsigned int *countp)
++{
++	isc_result_t result;
++
++	/*
++	 * Shrink the space in the buffer by the reserved amount.
++	 */
++	if (target->length - target->used < reserved)
++		return (ISC_R_NOSPACE);
++
++	target->length -= reserved;
++	result = dns_rdataset_towire(rdataset, owner_name,
++				     cctx, target, options, countp);
++	target->length += reserved;
++
++	return (result);
++}
++
+ isc_result_t
+ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+ 			  unsigned int options)
+@@ -1922,6 +1943,8 @@ dns_message_rendersection(dns_message_t
+ 	/*
+ 	 * Shrink the space in the buffer by the reserved amount.
+ 	 */
++	if (msg->buffer->length - msg->buffer->used < msg->reserved)
++		return (ISC_R_NOSPACE);
+ 	msg->buffer->length -= msg->reserved;
+ 
+ 	total = 0;
+@@ -2198,9 +2221,8 @@ dns_message_renderend(dns_message_t *msg
+ 		 * Render.
+ 		 */
+ 		count = 0;
+-		result = dns_rdataset_towire(msg->opt, dns_rootname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->opt, dns_rootname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+@@ -2216,9 +2238,8 @@ dns_message_renderend(dns_message_t *msg
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+ 		count = 0;
+-		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->tsig, msg->tsigname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+@@ -2239,9 +2260,8 @@ dns_message_renderend(dns_message_t *msg
+ 		 * the owner name of a SIG(0) is irrelevant, and will not
+ 		 * be set in a message being rendered.
+ 		 */
+-		result = dns_rdataset_towire(msg->sig0, dns_rootname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->sig0, dns_rootname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,6 @@
++4467.  [security]      It was possible to trigger a assertion when rendering
++                       a message. [RT #43139]
++
+ 4406.  [bug]           getrrsetbyname with a non absolute name could
+                        trigger a infinite recursion bug in lwresd
+                        and named with lwres configured if when combined

meta/recipes-connectivity/bind/bind_9.10.2-P4.bb

@@ -21,6 +21,16 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
            file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \
            file://0001-lib-dns-gen.c-fix-too-long-error.patch \
+           file://CVE-2015-8704.patch \
+           file://CVE-2015-8705.patch \
+           file://CVE-2015-8000.patch \
+           file://CVE-2015-8461.patch \
+           file://CVE-2016-1285.patch \
+           file://CVE-2016-1286_1.patch \
+           file://CVE-2016-1286_2.patch \
+           file://CVE-2016-2088.patch \
+           file://CVE-2016-2775.patch \
+           file://CVE-2016-2776.patch \
            "
 
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"

meta/recipes-connectivity/bluez5/bluez5.inc

@@ -18,6 +18,7 @@ PACKAGECONFIG[experimental] = "--enable-experimental,--disable-experimental,"
 
 SRC_URI = "\
     ${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
 "
 S = "${WORKDIR}/bluez-${PV}"
 

meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch

@@ -0,0 +1,63 @@
+From: Giovanni Campagna <gcampagna-cNUdlRotFMnNLxjTenLetw@public.gmane.org>
+Date: Sat, 12 Oct 2013 17:45:25 +0200
+Subject: [PATCH] Allow using obexd without systemd in the user session
+
+Not all sessions run systemd --user (actually, the majority
+doesn't), so the dbus daemon must be able to spawn obexd
+directly, and to do so it needs the full path of the daemon.
+
+Upstream-Status: Denied
+
+Not accepted by upstream maintainer for being a distro specific
+configuration. See thread:
+
+http://thread.gmane.org/gmane.linux.bluez.kernel/38725/focus=38843
+
+Signed-off-by: Javier Viguera <javier.viguera@digi.com>
+---
+ Makefile.obexd                      | 4 ++--
+ obexd/src/org.bluez.obex.service    | 4 ----
+ obexd/src/org.bluez.obex.service.in | 4 ++++
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+ delete mode 100644 obexd/src/org.bluez.obex.service
+ create mode 100644 obexd/src/org.bluez.obex.service.in
+
+diff --git a/Makefile.obexd b/Makefile.obexd
+index 2e33cbc72f2b..d5d858c857b4 100644
+--- a/Makefile.obexd
++++ b/Makefile.obexd
+@@ -2,12 +2,12 @@
+ if SYSTEMD
+ systemduserunitdir = @SYSTEMD_USERUNITDIR@
+ systemduserunit_DATA = obexd/src/obex.service
++endif
+ 
+ dbussessionbusdir = @DBUS_SESSIONBUSDIR@
+ dbussessionbus_DATA = obexd/src/org.bluez.obex.service
+-endif
+ 
+-EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service
++EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service.in
+ 
+ obex_plugindir = $(libdir)/obex/plugins
+ 
+diff --git a/obexd/src/org.bluez.obex.service b/obexd/src/org.bluez.obex.service
+deleted file mode 100644
+index a53808884554..000000000000
+--- a/obexd/src/org.bluez.obex.service
++++ /dev/null
+@@ -1,4 +0,0 @@
+-[D-BUS Service]
+-Name=org.bluez.obex
+-Exec=/bin/false
+-SystemdService=dbus-org.bluez.obex.service
+diff --git a/obexd/src/org.bluez.obex.service.in b/obexd/src/org.bluez.obex.service.in
+new file mode 100644
+index 000000000000..9c815f246b77
+--- /dev/null
++++ b/obexd/src/org.bluez.obex.service.in
+@@ -0,0 +1,4 @@
++[D-BUS Service]
++Name=org.bluez.obex
++Exec=@libexecdir@/obexd
++SystemdService=dbus-org.bluez.obex.service

meta/recipes-connectivity/bluez5/bluez5_5.33.bb

@@ -10,6 +10,7 @@ NOINST_TOOLS_READLINE ?= " \
     tools/obex-server-tool \
     tools/bluetooth-player \
     tools/obexctl \
+    tools/btmgmt \
 "
 
 # noinst programs in Makefile.tools that are conditional on EXPERIMENTAL
@@ -34,7 +35,6 @@ NOINST_TOOLS_EXPERIMENTAL ?= " \
     tools/hwdb \
     tools/hcieventmask \
     tools/hcisecfilter \
-    tools/btmgmt \
     tools/btinfo \
     tools/btattach \
     tools/btsnoop \

meta/recipes-connectivity/dhcp/dhcp/CVE-2015-8605.patch

@@ -0,0 +1,99 @@
+Solves CVE-2015-8605 that caused DoS when an invalid lenght field in IPv4 UDP
+was recived by the server.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8605
+
+Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
+
+=======================================================================
+diff --git a/common/packet.c b/common/packet.c
+index b530432..e600e37 100644
+--- a/common/packet.c
++++ b/common/packet.c
+@@ -220,7 +220,28 @@ ssize_t decode_hw_header (interface, buf, bufix, from)
+ 	}
+ }
+ 
+-/* UDP header and IP header decoded together for convenience. */
++/*!
++ *
++ * \brief UDP header and IP header decoded together for convenience.
++ *
++ * Attempt to decode the UDP and IP headers and, if necessary, checksum
++ * the packet.
++ *
++ * \param inteface - the interface on which the packet was recevied
++ * \param buf - a pointer to the buffer for the received packet
++ * \param bufix - where to start processing the buffer, previous
++ *                routines may have processed parts of the buffer already
++ * \param from - space to return the address of the packet sender
++ * \param buflen - remaining length of the buffer, this will have been
++ *                 decremented by bufix by the caller
++ * \param rbuflen - space to return the length of the payload from the udp
++ *                  header
++ * \param csum_ready - indication if the checksum is valid for use
++ *                     non-zero indicates the checksum should be validated
++ *
++ * \return - the index to the first byte of the udp payload (that is the
++ *           start of the DHCP packet
++ */
+ 
+ ssize_t
+ decode_udp_ip_header(struct interface_info *interface,
+@@ -231,7 +252,7 @@ decode_udp_ip_header(struct interface_info *interface,
+   unsigned char *data;
+   struct ip ip;
+   struct udphdr udp;
+-  unsigned char *upp, *endbuf;
++  unsigned char *upp;
+   u_int32_t ip_len, ulen, pkt_len;
+   static unsigned int ip_packets_seen = 0;
+   static unsigned int ip_packets_bad_checksum = 0;
+@@ -241,11 +262,8 @@ decode_udp_ip_header(struct interface_info *interface,
+   static unsigned int udp_packets_length_overflow = 0;
+   unsigned len;
+ 
+-  /* Designate the end of the input buffer for bounds checks. */
+-  endbuf = buf + bufix + buflen;
+-
+   /* Assure there is at least an IP header there. */
+-  if ((buf + bufix + sizeof(ip)) > endbuf)
++  if (sizeof(ip) > buflen)
+ 	  return -1;
+ 
+   /* Copy the IP header into a stack aligned structure for inspection.
+@@ -257,13 +275,17 @@ decode_udp_ip_header(struct interface_info *interface,
+   ip_len = (*upp & 0x0f) << 2;
+   upp += ip_len;
+ 
+-  /* Check the IP packet length. */
++  /* Check packet lengths are within the buffer:
++   * first the ip header (ip_len)
++   * then the packet length from the ip header (pkt_len)
++   * then the udp header (ip_len + sizeof(udp)
++   * We are liberal in what we accept, the udp payload should fit within
++   * pkt_len, but we only check against the full buffer size.
++   */
+   pkt_len = ntohs(ip.ip_len);
+-  if (pkt_len > buflen)
+-	return -1;
+-
+-  /* Assure after ip_len bytes that there is enough room for a UDP header. */
+-  if ((upp + sizeof(udp)) > endbuf)
++  if ((ip_len > buflen) ||
++      (pkt_len > buflen) ||
++      ((ip_len + sizeof(udp)) > buflen))
+ 	  return -1;
+ 
+   /* Copy the UDP header into a stack aligned structure for inspection. */
+@@ -284,7 +306,8 @@ decode_udp_ip_header(struct interface_info *interface,
+ 	return -1;
+ 
+   udp_packets_length_checked++;
+-  if ((upp + ulen) > endbuf) {
++  /* verify that the payload length from the udp packet fits in the buffer */
++  if ((ip_len + ulen) > buflen) {
+ 	udp_packets_length_overflow++;
+ 	if (((udp_packets_length_checked > 4) &&
+ 	     (udp_packets_length_overflow != 0)) &&

meta/recipes-connectivity/dhcp/dhcp_4.3.2.bb

@@ -6,6 +6,7 @@ SRC_URI += "file://dhcp-3.0.3-dhclient-dbus.patch;striplevel=0 \
             file://fixsepbuild.patch \
             file://dhclient-script-drop-resolv.conf.dhclient.patch \
             file://replace-ifconfig-route.patch \
+            file://CVE-2015-8605.patch \
            "
 
 SRC_URI[md5sum] = "5a284875dd2c12ddd388416d69156a67"

meta/recipes-connectivity/nfs-utils/files/bugfix-adjust-statd-service-name.patch

@@ -0,0 +1,34 @@
+From 398fed3bb0350cb1229e54e7020ae0e044c206d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ulrich=20=C3=96lmann?= <u.oelmann@pengutronix.de>
+Date: Wed, 17 Feb 2016 08:33:45 +0100
+Subject: bugfix: adjust statd service name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream uses 'rpc-statd.service' and Yocto introduced 'nfs-statd.service'
+instead but forgot to update the mount.nfs helper 'start-statd' accordingly.
+
+Upstream-Status: Inappropriate [other]
+
+Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
+---
+ utils/statd/start-statd | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/statd/start-statd b/utils/statd/start-statd
+index 8211a90..3c2aa6f 100755
+--- a/utils/statd/start-statd
++++ b/utils/statd/start-statd
+@@ -16,7 +16,7 @@ fi
+ # First try systemd if it's installed.
+ if [ -d /run/systemd/system ]; then
+     # Quit only if the call worked.
+-    systemctl start rpc-statd.service && exit
++    systemctl start nfs-statd.service && exit
+ fi
+ 
+ # Fall back to launching it ourselves.
+-- 
+2.1.4
+

meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.1.bb

@@ -31,6 +31,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x
            file://proc-fs-nfsd.mount \
            file://nfs-utils-Do-not-pass-CFLAGS-to-gcc-while-building.patch \
            file://nfs-utils-debianize-start-statd.patch \
+           file://bugfix-adjust-statd-service-name.patch \
 "
 
 SRC_URI[md5sum] = "8de676b9ff34b8f9addc1d0800fabdf8"

meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch

@@ -0,0 +1,33 @@
+From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 13 Apr 2016 10:39:57 +1000
+Subject: [PATCH] ignore PAM environment vars when UseLogin=yes
+
+If PAM is configured to read user-specified environment variables
+and UseLogin=yes in sshd_config, then a hostile local user may
+attack /bin/login via LD_PRELOAD or similar environment variables
+set via PAM.
+
+CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
+
+Upstream-Status: Backport
+CVE: CVE-2015-8325
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssh-7.1p2/session.c
+===================================================================
+--- openssh-7.1p2.orig/session.c
++++ openssh-7.1p2/session.c
+@@ -1315,7 +1315,7 @@ do_setup_env(Session *s, const char *she
+ 	 * Pull in any environment variables that may have
+ 	 * been set by PAM.
+ 	 */
+-	if (options.use_pam) {
++	if (options.use_pam && !options.use_login) {
+ 		char **p;
+ 
+ 		p = fetch_pam_child_environment();

meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch

@@ -0,0 +1,65 @@
+From f98a09cacff7baad8748c9aa217afd155a4d493f Mon Sep 17 00:00:00 2001
+From: "mmcc@openbsd.org" <mmcc@openbsd.org>
+Date: Tue, 20 Oct 2015 03:36:35 +0000
+Subject: [PATCH] upstream commit
+
+Replace a function-local allocation with stack memory.
+
+ok djm@
+
+Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
+Upstream-Status: Backport
+CVE: CVE-2016-1907
+
+[YOCTO #8935]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ clientloop.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index 87ceb3d..1e05cba 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */
++/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -311,11 +311,10 @@ client_x11_get_proto(const char *display, const char *xauth_path,
+ 	static char proto[512], data[512];
+ 	FILE *f;
+ 	int got_data = 0, generated = 0, do_unlink = 0, i;
+-	char *xauthdir, *xauthfile;
++	char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
+ 	struct stat st;
+ 	u_int now, x11_timeout_real;
+ 
+-	xauthdir = xauthfile = NULL;
+ 	*_proto = proto;
+ 	*_data = data;
+ 	proto[0] = data[0] = '\0';
+@@ -343,8 +342,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
+ 			display = xdisplay;
+ 		}
+ 		if (trusted == 0) {
+-			xauthdir = xmalloc(PATH_MAX);
+-			xauthfile = xmalloc(PATH_MAX);
+ 			mktemp_proto(xauthdir, PATH_MAX);
+ 			/*
+ 			 * The authentication cookie should briefly outlive
+@@ -407,8 +404,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
+ 		unlink(xauthfile);
+ 		rmdir(xauthdir);
+ 	}
+-	free(xauthdir);
+-	free(xauthfile);
+ 
+ 	/*
+ 	 * If we didn't get authentication data, just make up some
+-- 
+1.9.1
+

meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch

@@ -0,0 +1,329 @@
+From ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 13 Jan 2016 23:04:47 +0000
+Subject: [PATCH] upstream commit
+
+eliminate fallback from untrusted X11 forwarding to trusted
+ forwarding when the X server disables the SECURITY extension; Reported by
+ Thomas Hoger; ok deraadt@
+
+Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
+Upstream-Status: Backport
+CVE: CVE-2016-1907
+
+[YOCTO #8935]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ clientloop.c | 114 ++++++++++++++++++++++++++++++++++++-----------------------
+ clientloop.h |   4 +--
+ mux.c        |  22 ++++++------
+ ssh.c        |  23 +++++-------
+ 4 files changed, 93 insertions(+), 70 deletions(-)
+
+Index: openssh-7.1p2/clientloop.c
+===================================================================
+--- openssh-7.1p2.orig/clientloop.c
++++ openssh-7.1p2/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
++/* $OpenBSD: clientloop.c,v 1.279 2016/01/13 23:04:47 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -288,6 +288,9 @@ client_x11_display_valid(const char *dis
+ {
+ 	size_t i, dlen;
+ 
++	if (display == NULL)
++		return 0;
++
+ 	dlen = strlen(display);
+ 	for (i = 0; i < dlen; i++) {
+ 		if (!isalnum((u_char)display[i]) &&
+@@ -301,34 +304,33 @@ client_x11_display_valid(const char *dis
+ 
+ #define SSH_X11_PROTO		"MIT-MAGIC-COOKIE-1"
+ #define X11_TIMEOUT_SLACK	60
+-void
++int
+ client_x11_get_proto(const char *display, const char *xauth_path,
+     u_int trusted, u_int timeout, char **_proto, char **_data)
+ {
+-	char cmd[1024];
+-	char line[512];
+-	char xdisplay[512];
++	char cmd[1024], line[512], xdisplay[512];
++	char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
+ 	static char proto[512], data[512];
+ 	FILE *f;
+-	int got_data = 0, generated = 0, do_unlink = 0, i;
+-	char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
++	int got_data = 0, generated = 0, do_unlink = 0, i, r;
+ 	struct stat st;
+ 	u_int now, x11_timeout_real;
+ 
+ 	*_proto = proto;
+ 	*_data = data;
+-	proto[0] = data[0] = '\0';
++	proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+ 
+-	if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
+-		debug("No xauth program.");
+-	} else if (!client_x11_display_valid(display)) {
+-		logit("DISPLAY '%s' invalid, falling back to fake xauth data",
++	if (!client_x11_display_valid(display)) {
++		logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
+ 		    display);
+-	} else {
+-		if (display == NULL) {
+-			debug("x11_get_proto: DISPLAY not set");
+-			return;
+-		}
++		return -1;
++	}
++	if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
++		debug("No xauth program.");
++		xauth_path = NULL;
++	}
++
++	if (xauth_path != NULL) {
+ 		/*
+ 		 * Handle FamilyLocal case where $DISPLAY does
+ 		 * not match an authorization entry.  For this we
+@@ -337,43 +339,60 @@ client_x11_get_proto(const char *display
+ 		 *      is not perfect.
+ 		 */
+ 		if (strncmp(display, "localhost:", 10) == 0) {
+-			snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+-			    display + 10);
++			if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
++			    display + 10)) < 0 ||
++			    (size_t)r >= sizeof(xdisplay)) {
++				error("%s: display name too long", __func__);
++				return -1;
++			}
+ 			display = xdisplay;
+ 		}
+ 		if (trusted == 0) {
+-			mktemp_proto(xauthdir, PATH_MAX);
+ 			/*
++			 * Generate an untrusted X11 auth cookie.
++			 *
+ 			 * The authentication cookie should briefly outlive
+ 			 * ssh's willingness to forward X11 connections to
+ 			 * avoid nasty fail-open behaviour in the X server.
+ 			 */
++			mktemp_proto(xauthdir, sizeof(xauthdir));
++			if (mkdtemp(xauthdir) == NULL) {
++				error("%s: mkdtemp: %s",
++				    __func__, strerror(errno));
++				return -1;
++			}
++			do_unlink = 1;
++			if ((r = snprintf(xauthfile, sizeof(xauthfile),
++			    "%s/xauthfile", xauthdir)) < 0 ||
++			    (size_t)r >= sizeof(xauthfile)) {
++				error("%s: xauthfile path too long", __func__);
++				unlink(xauthfile);
++				rmdir(xauthdir);
++				return -1;
++			}
++
+ 			if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
+ 				x11_timeout_real = UINT_MAX;
+ 			else
+ 				x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
+-			if (mkdtemp(xauthdir) != NULL) {
+-				do_unlink = 1;
+-				snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
+-				    xauthdir);
+-				snprintf(cmd, sizeof(cmd),
+-				    "%s -f %s generate %s " SSH_X11_PROTO
+-				    " untrusted timeout %u 2>" _PATH_DEVNULL,
+-				    xauth_path, xauthfile, display,
+-				    x11_timeout_real);
+-				debug2("x11_get_proto: %s", cmd);
+-				if (x11_refuse_time == 0) {
+-					now = monotime() + 1;
+-					if (UINT_MAX - timeout < now)
+-						x11_refuse_time = UINT_MAX;
+-					else
+-						x11_refuse_time = now + timeout;
+-					channel_set_x11_refuse_time(
+-					    x11_refuse_time);
+-				}
+-				if (system(cmd) == 0)
+-					generated = 1;
++			if ((r = snprintf(cmd, sizeof(cmd),
++			    "%s -f %s generate %s " SSH_X11_PROTO
++			    " untrusted timeout %u 2>" _PATH_DEVNULL,
++			    xauth_path, xauthfile, display,
++			    x11_timeout_real)) < 0 ||
++			    (size_t)r >= sizeof(cmd))
++				fatal("%s: cmd too long", __func__);
++			debug2("%s: %s", __func__, cmd);
++			if (x11_refuse_time == 0) {
++				now = monotime() + 1;
++				if (UINT_MAX - timeout < now)
++					x11_refuse_time = UINT_MAX;
++				else
++					x11_refuse_time = now + timeout;
++				channel_set_x11_refuse_time(x11_refuse_time);
+ 			}
++			if (system(cmd) == 0)
++				generated = 1;
+ 		}
+ 
+ 		/*
+@@ -395,9 +414,7 @@ client_x11_get_proto(const char *display
+ 				got_data = 1;
+ 			if (f)
+ 				pclose(f);
+-		} else
+-			error("Warning: untrusted X11 forwarding setup failed: "
+-			    "xauth key data not generated");
++		}
+ 	}
+ 
+ 	if (do_unlink) {
+@@ -405,6 +422,13 @@ client_x11_get_proto(const char *display
+ 		rmdir(xauthdir);
+ 	}
+ 
++	/* Don't fall back to fake X11 data for untrusted forwarding */
++	if (!trusted && !got_data) {
++		error("Warning: untrusted X11 forwarding setup failed: "
++		    "xauth key data not generated");
++		return -1;
++	}
++
+ 	/*
+ 	 * If we didn't get authentication data, just make up some
+ 	 * data.  The forwarding code will check the validity of the
+@@ -427,6 +451,8 @@ client_x11_get_proto(const char *display
+ 			rnd >>= 8;
+ 		}
+ 	}
++
++	return 0;
+ }
+ 
+ /*
+Index: openssh-7.1p2/clientloop.h
+===================================================================
+--- openssh-7.1p2.orig/clientloop.h
++++ openssh-7.1p2/clientloop.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
++/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */
+ 
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+@@ -39,7 +39,7 @@
+ 
+ /* Client side main loop for the interactive session. */
+ int	 client_loop(int, int, int);
+-void	 client_x11_get_proto(const char *, const char *, u_int, u_int,
++int	 client_x11_get_proto(const char *, const char *, u_int, u_int,
+ 	    char **, char **);
+ void	 client_global_request_reply_fwd(int, u_int32_t, void *);
+ void	 client_session2_setup(int, int, int, const char *, struct termios *,
+Index: openssh-7.1p2/mux.c
+===================================================================
+--- openssh-7.1p2.orig/mux.c
++++ openssh-7.1p2/mux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */
++/* $OpenBSD: mux.c,v 1.58 2016/01/13 23:04:47 djm Exp $ */
+ /*
+  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
+  *
+@@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success,
+ 		char *proto, *data;
+ 
+ 		/* Get reasonable local authentication information. */
+-		client_x11_get_proto(display, options.xauth_location,
++		if (client_x11_get_proto(display, options.xauth_location,
+ 		    options.forward_x11_trusted, options.forward_x11_timeout,
+-		    &proto, &data);
+-		/* Request forwarding with authentication spoofing. */
+-		debug("Requesting X11 forwarding with authentication "
+-		    "spoofing.");
+-		x11_request_forwarding_with_spoofing(id, display, proto,
+-		    data, 1);
+-		client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN);
+-		/* XXX exit_on_forward_failure */
++		    &proto, &data) == 0) {
++			/* Request forwarding with authentication spoofing. */
++			debug("Requesting X11 forwarding with authentication "
++			    "spoofing.");
++			x11_request_forwarding_with_spoofing(id, display, proto,
++			    data, 1);
++			/* XXX exit_on_forward_failure */
++			client_expect_confirm(id, "X11 forwarding",
++			    CONFIRM_WARN);
++		}
+ 	}
+ 
+ 	if (cctx->want_agent_fwd && options.forward_agent) {
+Index: openssh-7.1p2/ssh.c
+===================================================================
+--- openssh-7.1p2.orig/ssh.c
++++ openssh-7.1p2/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.420 2015/07/30 00:01:34 djm Exp $ */
++/* $OpenBSD: ssh.c,v 1.433 2016/01/13 23:04:47 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1604,6 +1604,7 @@ ssh_session(void)
+ 	struct winsize ws;
+ 	char *cp;
+ 	const char *display;
++	char *proto = NULL, *data = NULL;
+ 
+ 	/* Enable compression if requested. */
+ 	if (options.compression) {
+@@ -1674,13 +1675,9 @@ ssh_session(void)
+ 	display = getenv("DISPLAY");
+ 	if (display == NULL && options.forward_x11)
+ 		debug("X11 forwarding requested but DISPLAY not set");
+-	if (options.forward_x11 && display != NULL) {
+-		char *proto, *data;
+-		/* Get reasonable local authentication information. */
+-		client_x11_get_proto(display, options.xauth_location,
+-		    options.forward_x11_trusted,
+-		    options.forward_x11_timeout,
+-		    &proto, &data);
++	if (options.forward_x11 && client_x11_get_proto(display,
++	    options.xauth_location, options.forward_x11_trusted,
++	    options.forward_x11_timeout, &proto, &data) == 0) {
+ 		/* Request forwarding with authentication spoofing. */
+ 		debug("Requesting X11 forwarding with authentication "
+ 		    "spoofing.");
+@@ -1770,6 +1767,7 @@ ssh_session2_setup(int id, int success,
+ 	extern char **environ;
+ 	const char *display;
+ 	int interactive = tty_flag;
++	char *proto = NULL, *data = NULL;
+ 
+ 	if (!success)
+ 		return; /* No need for error message, channels code sens one */
+@@ -1777,12 +1775,9 @@ ssh_session2_setup(int id, int success,
+ 	display = getenv("DISPLAY");
+ 	if (display == NULL && options.forward_x11)
+ 		debug("X11 forwarding requested but DISPLAY not set");
+-	if (options.forward_x11 && display != NULL) {
+-		char *proto, *data;
+-		/* Get reasonable local authentication information. */
+-		client_x11_get_proto(display, options.xauth_location,
+-		    options.forward_x11_trusted,
+-		    options.forward_x11_timeout, &proto, &data);
++	if (options.forward_x11 && client_x11_get_proto(display,
++	    options.xauth_location, options.forward_x11_trusted,
++	    options.forward_x11_timeout, &proto, &data) == 0) {
+ 		/* Request forwarding with authentication spoofing. */
+ 		debug("Requesting X11 forwarding with authentication "
+ 		    "spoofing.");

meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch

@@ -0,0 +1,33 @@
+From d77148e3a3ef6c29b26ec74331455394581aa257 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 8 Nov 2015 21:59:11 +0000
+Subject: [PATCH] upstream commit
+
+fix OOB read in packet code caused by missing return
+ statement found by Ben Hawkes; ok markus@ deraadt@
+
+Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
+
+Upstream-Status: Backport
+CVE: CVE-2016-1907
+
+[YOCTO #8935]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ packet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: openssh-7.1p2/packet.c
+===================================================================
+--- openssh-7.1p2.orig/packet.c
++++ openssh-7.1p2/packet.c
+@@ -1855,6 +1855,7 @@ ssh_packet_process_incoming(struct ssh *
+ 		if (len >= state->packet_discard) {
+ 			if ((r = ssh_packet_stop_discard(ssh)) != 0)
+ 				return r;
++			return SSH_ERR_CONN_CORRUPT;
+ 		}
+ 		state->packet_discard -= len;
+ 		return 0;

meta/recipes-connectivity/openssh/openssh/CVE-2016-3115.patch

@@ -0,0 +1,84 @@
+From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 10 Mar 2016 11:47:57 +0000
+Subject: [PATCH] upstream commit
+
+sanitise characters destined for xauth reported by
+ github.com/tintinweb feedback and ok deraadt and markus
+
+Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
+
+Upstream-Status: Backport
+CVE: CVE-2016-3115
+https://anongit.mindrot.org/openssh.git/commit/?id=4b4bfb01cd40b9ddb948e6026ddd287cc303d871
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ session.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+Index: openssh-7.1p2/session.c
+===================================================================
+--- openssh-7.1p2.orig/session.c
++++ openssh-7.1p2/session.c
+@@ -46,6 +46,7 @@
+ 
+ #include <arpa/inet.h>
+ 
++#include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -273,6 +274,21 @@ do_authenticated(Authctxt *authctxt)
+ 	do_cleanup(authctxt);
+ }
+ 
++/* Check untrusted xauth strings for metacharacters */
++static int
++xauth_valid_string(const char *s)
++{
++	size_t i;
++
++	for (i = 0; s[i] != '\0'; i++) {
++		if (!isalnum((u_char)s[i]) &&
++		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
++		    s[i] != '-' && s[i] != '_')
++		return 0;
++	}
++	return 1;
++}
++
+ /*
+  * Prepares for an interactive session.  This is called after the user has
+  * been successfully authenticated.  During this message exchange, pseudo
+@@ -346,7 +362,13 @@ do_authenticated1(Authctxt *authctxt)
+ 				s->screen = 0;
+ 			}
+ 			packet_check_eom();
+-			success = session_setup_x11fwd(s);
++			if (xauth_valid_string(s->auth_proto) &&
++			    xauth_valid_string(s->auth_data))
++				success = session_setup_x11fwd(s);
++			else {
++				success = 0;
++				error("Invalid X11 forwarding data");
++			}
+ 			if (!success) {
+ 				free(s->auth_proto);
+ 				free(s->auth_data);
+@@ -2181,7 +2203,13 @@ session_x11_req(Session *s)
+ 	s->screen = packet_get_int();
+ 	packet_check_eom();
+ 
+-	success = session_setup_x11fwd(s);
++	if (xauth_valid_string(s->auth_proto) &&
++	    xauth_valid_string(s->auth_data))
++		success = session_setup_x11fwd(s);
++	else {
++		success = 0;
++		error("Invalid X11 forwarding data");
++	}
+ 	if (!success) {
+ 		free(s->auth_proto);
+ 		free(s->auth_data);

meta/recipes-connectivity/openssh/openssh/CVE-2016-6210.patch

@@ -0,0 +1,114 @@
+From 9286875a73b2de7736b5e50692739d314cd8d9dc Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Fri, 15 Jul 2016 13:32:45 +1000
+Subject: [PATCH] Determine appropriate salt for invalid users.
+
+When sshd is processing a non-PAM login for a non-existent user it uses
+the string from the fakepw structure as the salt for crypt(3)ing the
+password supplied by the client.  That string has a Blowfish prefix, so on
+systems that don't understand that crypt will fail fast due to an invalid
+salt, and even on those that do it may have significantly different timing
+from the hash methods used for real accounts (eg sha512).  This allows
+user enumeration by, eg, sending large password strings.  This was noted
+by EddieEzra.Harari at verint.com (CVE-2016-6210).
+
+To mitigate, use the same hash algorithm that root uses for hashing
+passwords for users that do not exist on the system.  ok djm@
+
+Upstream-Status: Backport
+OpenSSH  < 7.3
+CVE: CVE-2016-6210 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ auth-passwd.c           | 12 ++++++++----
+ openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+), 4 deletions(-)
+
+Index: openssh-7.1p2/auth-passwd.c
+===================================================================
+--- openssh-7.1p2.orig/auth-passwd.c
++++ openssh-7.1p2/auth-passwd.c
+@@ -198,7 +198,7 @@ int
+ sys_auth_passwd(Authctxt *authctxt, const char *password)
+ {
+ 	struct passwd *pw = authctxt->pw;
+-	char *encrypted_password;
++	char *encrypted_password, *salt = NULL;
+ 
+ 	/* Just use the supplied fake password if authctxt is invalid */
+ 	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
+@@ -207,9 +207,13 @@ sys_auth_passwd(Authctxt *authctxt, cons
+ 	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
+ 		return (1);
+ 
+-	/* Encrypt the candidate password using the proper salt. */
+-	encrypted_password = xcrypt(password,
+-	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
++	/*
++	 * Encrypt the candidate password using the proper salt, or pass a
++	 * NULL and let xcrypt pick one.
++	 */
++	if (authctxt->valid && pw_password[0] && pw_password[1])
++		salt = pw_password;
++	encrypted_password = xcrypt(password, salt);
+ 
+ 	/*
+ 	 * Authentication is accepted if the encrypted passwords
+Index: openssh-7.1p2/openbsd-compat/xcrypt.c
+===================================================================
+--- openssh-7.1p2.orig/openbsd-compat/xcrypt.c
++++ openssh-7.1p2/openbsd-compat/xcrypt.c
+@@ -25,6 +25,7 @@
+ #include "includes.h"
+ 
+ #include <sys/types.h>
++#include <string.h>
+ #include <unistd.h>
+ #include <pwd.h>
+ 
+@@ -62,11 +63,44 @@
+ #  define crypt DES_crypt
+ # endif
+ 
++/*
++ * Pick an appropriate password encryption type and salt for the running
++ * system.
++ */
++static const char *
++pick_salt(void)
++{
++	struct passwd *pw;
++	char *passwd, *p;
++	size_t typelen;
++	static char salt[32];
++
++	if (salt[0] != '\0')
++		return salt;
++	strlcpy(salt, "xx", sizeof(salt));
++	if ((pw = getpwuid(0)) == NULL)
++		return salt;
++	passwd = shadow_pw(pw);
++	if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
++		return salt;  /* no $, DES */
++	typelen = p - passwd + 1;
++	strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
++	explicit_bzero(passwd, strlen(passwd));
++	return salt;
++}
++
+ char *
+ xcrypt(const char *password, const char *salt)
+ {
+ 	char *crypted;
+ 
++	/*
++	 * If we don't have a salt we are encrypting a fake password for
++	 * for timing purposes.  Pick an appropriate salt.
++	 */
++	if (salt == NULL)
++		salt = pick_salt();
++
+ # ifdef HAVE_MD5_PASSWORDS
+         if (is_md5_salt(salt))
+                 crypted = md5_crypt(password, salt);

meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p2.patch

@@ -0,0 +1,110 @@
+From 283b97ff33ea2c641161950849931bd578de6946 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Fri, 15 Jul 2016 13:49:44 +1000
+Subject: [PATCH] Mitigate timing of disallowed users PAM logins.
+
+When sshd decides to not allow a login (eg PermitRootLogin=no) and
+it's using PAM, it sends a fake password to PAM so that the timing for
+the failure is not noticeably different whether or not the password
+is correct.  This behaviour can be detected by sending a very long
+password string which is slower to hash than the fake password.
+
+Mitigate by constructing an invalid password that is the same length
+as the one from the client and thus takes the same time to hash.
+Diff from djm@
+
+Upstream-Status: Backport
+CVE: CVE-2016-6210 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ auth-pam.c | 35 +++++++++++++++++++++++++++++++----
+ 1 file changed, 31 insertions(+), 4 deletions(-)
+
+Index: openssh-7.1p2/auth-pam.c
+===================================================================
+--- openssh-7.1p2.orig/auth-pam.c
++++ openssh-7.1p2/auth-pam.c
+@@ -231,7 +231,6 @@ static int sshpam_account_status = -1;
+ static char **sshpam_env = NULL;
+ static Authctxt *sshpam_authctxt = NULL;
+ static const char *sshpam_password = NULL;
+-static char badpw[] = "\b\n\r\177INCORRECT";
+ 
+ /* Some PAM implementations don't implement this */
+ #ifndef HAVE_PAM_GETENVLIST
+@@ -809,12 +808,35 @@ sshpam_query(void *ctx, char **name, cha
+ 	return (-1);
+ }
+ 
++/*
++ * Returns a junk password of identical length to that the user supplied.
++ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
++ * vary processing time in proportion to password length.
++ */
++static char *
++fake_password(const char *wire_password)
++{
++	const char junk[] = "\b\n\r\177INCORRECT";
++	char *ret = NULL;
++	size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
++
++	if (l >= INT_MAX)
++		fatal("%s: password length too long: %zu", __func__, l);
++
++	ret = malloc(l + 1);
++	for (i = 0; i < l; i++)
++		ret[i] = junk[i % (sizeof(junk) - 1)];
++	ret[i] = '\0';
++	return ret;
++}
++
+ /* XXX - see also comment in auth-chall.c:verify_response */
+ static int
+ sshpam_respond(void *ctx, u_int num, char **resp)
+ {
+ 	Buffer buffer;
+ 	struct pam_ctxt *ctxt = ctx;
++	char *fake;
+ 
+ 	debug2("PAM: %s entering, %u responses", __func__, num);
+ 	switch (ctxt->pam_done) {
+@@ -835,8 +857,11 @@ sshpam_respond(void *ctx, u_int num, cha
+ 	    (sshpam_authctxt->pw->pw_uid != 0 ||
+ 	    options.permit_root_login == PERMIT_YES))
+ 		buffer_put_cstring(&buffer, *resp);
+-	else
+-		buffer_put_cstring(&buffer, badpw);
++	else {
++		fake = fake_password(*resp);
++		buffer_put_cstring(&buffer, fake);
++		free(fake);
++	}
+ 	if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
+ 		buffer_free(&buffer);
+ 		return (-1);
+@@ -1180,6 +1205,7 @@ sshpam_auth_passwd(Authctxt *authctxt, c
+ {
+ 	int flags = (options.permit_empty_passwd == 0 ?
+ 	    PAM_DISALLOW_NULL_AUTHTOK : 0);
++	char *fake = NULL;
+ 
+ 	if (!options.use_pam || sshpam_handle == NULL)
+ 		fatal("PAM: %s called when PAM disabled or failed to "
+@@ -1195,7 +1221,7 @@ sshpam_auth_passwd(Authctxt *authctxt, c
+ 	 */
+ 	if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
+ 	    options.permit_root_login != PERMIT_YES))
+-		sshpam_password = badpw;
++		sshpam_password = fake = fake_password(password);
+ 
+ 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ 	    (const void *)&passwd_conv);
+@@ -1205,6 +1231,7 @@ sshpam_auth_passwd(Authctxt *authctxt, c
+ 
+ 	sshpam_err = pam_authenticate(sshpam_handle, flags);
+ 	sshpam_password = NULL;
++	free(fake);
+ 	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+ 		debug("PAM: password authentication accepted for %.100s",
+ 		    authctxt->user);

meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch

@@ -0,0 +1,62 @@
+From dbf788b4d9d9490a5fff08a7b09888272bb10fcc Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Thu, 21 Jul 2016 14:17:31 +1000
+Subject: [PATCH] Search users for one with a valid salt.
+
+If the root account is locked (eg password "!!" or "*LK*") keep looking
+until we find a user with a valid salt to use for crypting passwords of
+invalid users.  ok djm@
+
+Upstream-Status: Backport
+CVE: CVE-2016-6210
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
+index 8913bb8..cf6a9b9 100644
+--- a/openbsd-compat/xcrypt.c
++++ b/openbsd-compat/xcrypt.c
+@@ -65,7 +65,9 @@
+ 
+ /*
+  * Pick an appropriate password encryption type and salt for the running
+- * system.
++ * system by searching through accounts until we find one that has a valid
++ * salt.  Usually this will be root unless the root account is locked out.
++ * If we don't find one we return a traditional DES-based salt.
+  */
+ static const char *
+ pick_salt(void)
+@@ -78,14 +80,18 @@ pick_salt(void)
+ 	if (salt[0] != '\0')
+ 		return salt;
+ 	strlcpy(salt, "xx", sizeof(salt));
+-	if ((pw = getpwuid(0)) == NULL)
+-		return salt;
+-	passwd = shadow_pw(pw);
+-	if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
+-		return salt;  /* no $, DES */
+-	typelen = p - passwd + 1;
+-	strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+-	explicit_bzero(passwd, strlen(passwd));
++	setpwent();
++	while ((pw = getpwent()) != NULL) {
++		passwd = shadow_pw(pw);
++		if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
++			typelen = p - passwd + 1;
++			strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
++			explicit_bzero(passwd, strlen(passwd));
++			goto out;
++		}
++	}
++ out:
++	endpwent();
+ 	return salt;
+ }
+ 
+-- 
+2.7.4
+

meta/recipes-connectivity/openssh/openssh/CVE-2016-6515.patch

@@ -0,0 +1,54 @@
+From fcd135c9df440bcd2d5870405ad3311743d78d97 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 21 Jul 2016 01:39:35 +0000
+Subject: [PATCH] upstream commit
+
+Skip passwords longer than 1k in length so clients can't
+easily DoS sshd by sending very long passwords, causing it to spend CPU
+hashing them. feedback djm@, ok markus@.
+
+Brought to our attention by tomas.kuthan at oracle.com, shilei-c at
+360.cn and coredump at autistici.org
+
+Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
+
+Upstream-Status: Backport
+CVE: CVE-2016-6515
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ auth-passwd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/auth-passwd.c b/auth-passwd.c
+index 530b5d4..996c2cf 100644
+--- a/auth-passwd.c
++++ b/auth-passwd.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
++/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -66,6 +66,8 @@ extern login_cap_t *lc;
+ #define DAY		(24L * 60 * 60) /* 1 day in seconds */
+ #define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
+ 
++#define MAX_PASSWORD_LEN	1024
++
+ void
+ disable_forwarding(void)
+ {
+@@ -87,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password)
+ 	static int expire_checked = 0;
+ #endif
+ 
++	if (strlen(password) > MAX_PASSWORD_LEN)
++		return 0;
++
+ #ifndef HAVE_CYGWIN
+ 	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ 		ok = 0;
+-- 
+2.7.4
+

meta/recipes-connectivity/openssh/openssh_7.1p2.bb

@@ -20,12 +20,22 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
            file://sshdgenkeys.service \
            file://volatiles.99_sshd \
            file://add-test-support-for-busybox.patch \
-           file://run-ptest"
+           file://run-ptest \
+           file://CVE-2016-1907_upstream_commit.patch \
+           file://CVE-2016-1907_2.patch \
+           file://CVE-2016-1907_3.patch \
+           file://CVE-2016-3115.patch \
+           file://CVE-2016-6210.patch \
+           file://CVE-2016-6210_p2.patch \
+           file://CVE-2016-6210_p3.patch \
+           file://CVE-2016-6515.patch \
+           file://CVE-2015-8325.patch \
+           "
 
 PAM_SRC_URI = "file://sshd"
 
-SRC_URI[md5sum] = "8709736bc8a8c253bc4eeb4829888ca5"
-SRC_URI[sha256sum] = "fc0a6d2d1d063d5c66dffd952493d0cda256cad204f681de0f84ef85b2ad8428"
+SRC_URI[md5sum] = "4d8547670e2a220d5ef805ad9e47acf2"
+SRC_URI[sha256sum] = "dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd"
 
 inherit useradd update-rc.d update-alternatives systemd
 

meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch

@@ -0,0 +1,286 @@
+From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 5 May 2016 11:10:26 +0100
+Subject: [PATCH] Avoid some undefined pointer arithmetic
+
+A common idiom in the codebase is:
+
+if (p + len > limit)
+{
+    return; /* Too long */
+}
+
+Where "p" points to some malloc'd data of SIZE bytes and
+limit == p + SIZE
+
+"len" here could be from some externally supplied data (e.g. from a TLS
+message).
+
+The rules of C pointer arithmetic are such that "p + len" is only well
+defined where len <= SIZE. Therefore the above idiom is actually
+undefined behaviour.
+
+For example this could cause problems if some malloc implementation
+provides an address for "p" such that "p + len" actually overflows for
+values of len that are too big and therefore p + len < limit!
+
+Issue reported by Guido Vranken.
+
+CVE-2016-2177
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2177
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+---
+ ssl/s3_srvr.c  | 14 +++++++-------
+ ssl/ssl_sess.c |  2 +-
+ ssl/t1_lib.c   | 56 ++++++++++++++++++++++++++++++--------------------------
+ 3 files changed, 38 insertions(+), 34 deletions(-)
+
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index ab28702..ab7f690 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+         session_length = *(p + SSL3_RANDOM_SIZE);
+ 
+-        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
++        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
+     /* get the session-id */
+     j = *(p++);
+ 
+-    if (p + j > d + n) {
++    if ((d + n) - p < j) {
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+         goto f_err;
+@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
+ 
+     if (SSL_IS_DTLS(s)) {
+         /* cookie stuff */
+-        if (p + 1 > d + n) {
++        if ((d + n) - p < 1) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+         }
+         cookie_len = *(p++);
+ 
+-        if (p + cookie_len > d + n) {
++        if ((d + n ) - p < cookie_len) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
+         }
+     }
+ 
+-    if (p + 2 > d + n) {
++    if ((d + n ) - p < 2) {
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+         goto f_err;
+@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
+     }
+ 
+     /* i bytes of cipher data + 1 byte for compression length later */
+-    if ((p + i + 1) > (d + n)) {
++    if ((d + n) - p < i + 1) {
+         /* not enough data */
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+     /* compression */
+     i = *(p++);
+-    if ((p + i) > (d + n)) {
++    if ((d + n) - p < i) {
+         /* not enough data */
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index b182998..54ee783 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
+     int r;
+ #endif
+ 
+-    if (session_id + len > limit) {
++    if (limit - session_id < len) {
+         fatal = 1;
+         goto err;
+     }
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index fb64607..cdac011 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+         0x02, 0x03,             /* SHA-1/ECDSA */
+     };
+ 
+-    if (data >= (limit - 2))
++    if (limit - data <= 2)
+         return;
+     data += 2;
+ 
+-    if (data > (limit - 4))
++    if (limit - data < 4)
+         return;
+     n2s(data, type);
+     n2s(data, size);
+@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+     if (type != TLSEXT_TYPE_server_name)
+         return;
+ 
+-    if (data + size > limit)
++    if (limit - data < size)
+         return;
+     data += size;
+ 
+@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+         const size_t len1 = sizeof(kSafariExtensionsBlock);
+         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+ 
+-        if (data + len1 + len2 != limit)
++        if (limit - data != (int)(len1 + len2))
+             return;
+         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+             return;
+@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+     } else {
+         const size_t len = sizeof(kSafariExtensionsBlock);
+ 
+-        if (data + len != limit)
++        if (limit - data != (int)(len))
+             return;
+         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+             return;
+@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+     if (data == limit)
+         goto ri_check;
+ 
+-    if (data > (limit - 2))
++    if (limit - data < 2)
+         goto err;
+ 
+     n2s(data, len);
+ 
+-    if (data + len != limit)
++    if (limit - data != len)
+         goto err;
+ 
+-    while (data <= (limit - 4)) {
++    while (limit - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > (limit))
++        if (limit - data < size)
+             goto err;
+ # if 0
+         fprintf(stderr, "Received extension type %d size %d\n", type, size);
+@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
+     if (s->hit || s->cert->srv_ext.meths_count == 0)
+         return 1;
+ 
+-    if (data >= limit - 2)
++    if (limit - data <= 2)
+         return 1;
+     n2s(data, len);
+ 
+-    if (data > limit - len)
++    if (limit - data < len)
+         return 1;
+ 
+-    while (data <= limit - 4) {
++    while (limit - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > limit)
++        if (limit - data < size)
+             return 1;
+         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
+             return 0;
+@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
+                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ # endif
+ 
+-    if (data >= (d + n - 2))
++    if ((d + n) - data <= 2)
+         goto ri_check;
+ 
+     n2s(data, length);
+-    if (data + length != d + n) {
++    if ((d + n) - data != length) {
+         *al = SSL_AD_DECODE_ERROR;
+         return 0;
+     }
+ 
+-    while (data <= (d + n - 4)) {
++    while ((d + n) - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > (d + n))
++        if ((d + n) - data < size)
+             goto ri_check;
+ 
+         if (s->tlsext_debug_cb)
+@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
+     /* Skip past DTLS cookie */
+     if (SSL_IS_DTLS(s)) {
+         i = *(p++);
+-        p += i;
+-        if (p >= limit)
++
++        if (limit - p <= i)
+             return -1;
++
++        p += i;
+     }
+     /* Skip past cipher list */
+     n2s(p, i);
+-    p += i;
+-    if (p >= limit)
++    if (limit - p <= i)
+         return -1;
++    p += i;
++
+     /* Skip past compression algorithm list */
+     i = *(p++);
+-    p += i;
+-    if (p > limit)
++    if (limit - p < i)
+         return -1;
++    p += i;
++
+     /* Now at start of extensions */
+-    if ((p + 2) >= limit)
++    if (limit - p <= 2)
+         return 0;
+     n2s(p, i);
+-    while ((p + 4) <= limit) {
++    while (limit - p >= 4) {
+         unsigned short type, size;
+         n2s(p, type);
+         n2s(p, size);
+-        if (p + size > limit)
++        if (limit - p < size)
+             return 0;
+         if (type == TLSEXT_TYPE_session_ticket) {
+             int r;
+-- 
+2.3.5
+

meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch

@@ -0,0 +1,51 @@
+From 399944622df7bd81af62e67ea967c470534090e2 Mon Sep 17 00:00:00 2001
+From: Cesar Pereida <cesar.pereida@aalto.fi>
+Date: Mon, 23 May 2016 12:45:25 +0300
+Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
+
+Operations in the DSA signing algorithm should run in constant time in
+order to avoid side channel attacks. A flaw in the OpenSSL DSA
+implementation means that a non-constant time codepath is followed for
+certain operations. This has been demonstrated through a cache-timing
+attack to be sufficient for an attacker to recover the private DSA key.
+
+CVE-2016-2178
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2178
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/dsa/dsa_ossl.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+Index: openssl-1.0.2h/crypto/dsa/dsa_ossl.c
+===================================================================
+--- openssl-1.0.2h.orig/crypto/dsa/dsa_ossl.c
++++ openssl-1.0.2h/crypto/dsa/dsa_ossl.c
+@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
+         if (!BN_rand_range(&k, dsa->q))
+             goto err;
+     while (BN_is_zero(&k)) ;
+-    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+-        BN_set_flags(&k, BN_FLG_CONSTTIME);
+-    }
+ 
+     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
+         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+@@ -282,6 +279,11 @@ static int dsa_sign_setup(DSA *dsa, BN_C
+     } else {
+         K = &k;
+     }
++
++    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
++        BN_set_flags(K, BN_FLG_CONSTTIME);
++    }
++
+     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
+                    dsa->method_mont_p);
+     if (!BN_mod(r, r, dsa->q, ctx))

meta/recipes-connectivity/openssl/openssl/CVE-2016-2179.patch

@@ -0,0 +1,255 @@
+From 00a4c1421407b6ac796688871b0a49a179c694d9 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 30 Jun 2016 13:17:08 +0100
+Subject: [PATCH] Fix DTLS buffered message DoS attack
+
+DTLS can handle out of order record delivery. Additionally since
+handshake messages can be bigger than will fit into a single packet, the
+messages can be fragmented across multiple records (as with normal TLS).
+That means that the messages can arrive mixed up, and we have to
+reassemble them. We keep a queue of buffered messages that are "from the
+future", i.e. messages we're not ready to deal with yet but have arrived
+early. The messages held there may not be full yet - they could be one
+or more fragments that are still in the process of being reassembled.
+
+The code assumes that we will eventually complete the reassembly and
+when that occurs the complete message is removed from the queue at the
+point that we need to use it.
+
+However, DTLS is also tolerant of packet loss. To get around that DTLS
+messages can be retransmitted. If we receive a full (non-fragmented)
+message from the peer after previously having received a fragment of
+that message, then we ignore the message in the queue and just use the
+non-fragmented version. At that point the queued message will never get
+removed.
+
+Additionally the peer could send "future" messages that we never get to
+in order to complete the handshake. Each message has a sequence number
+(starting from 0). We will accept a message fragment for the current
+message sequence number, or for any sequence up to 10 into the future.
+However if the Finished message has a sequence number of 2, anything
+greater than that in the queue is just left there.
+
+So, in those two ways we can end up with "orphaned" data in the queue
+that will never get removed - except when the connection is closed. At
+that point all the queues are flushed.
+
+An attacker could seek to exploit this by filling up the queues with
+lots of large messages that are never going to be used in order to
+attempt a DoS by memory exhaustion.
+
+I will assume that we are only concerned with servers here. It does not
+seem reasonable to be concerned about a memory exhaustion attack on a
+client. They are unlikely to process enough connections for this to be
+an issue.
+
+A "long" handshake with many messages might be 5 messages long (in the
+incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
+CertificateVerify, Finished. So this would be message sequence numbers 0
+to 4. Additionally we can buffer up to 10 messages in the future.
+Therefore the maximum number of messages that an attacker could send
+that could get orphaned would typically be 15.
+
+The maximum size that a DTLS message is allowed to be is defined by
+max_cert_list, which by default is 100k. Therefore the maximum amount of
+"orphaned" memory per connection is 1500k.
+
+Message sequence numbers get reset after the Finished message, so
+renegotiation will not extend the maximum number of messages that can be
+orphaned per connection.
+
+As noted above, the queues do get cleared when the connection is closed.
+Therefore in order to mount an effective attack, an attacker would have
+to open many simultaneous connections.
+
+Issue reported by Quan Luo.
+
+CVE-2016-2179
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2106-2179
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/d1_both.c  | 32 ++++++++++++++++----------------
+ ssl/d1_clnt.c  |  1 +
+ ssl/d1_lib.c   | 37 ++++++++++++++++++++++++++-----------
+ ssl/d1_srvr.c  |  3 ++-
+ ssl/ssl_locl.h |  3 ++-
+ 5 files changed, 47 insertions(+), 29 deletions(-)
+
+Index: openssl-1.0.2h/ssl/d1_both.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_both.c
++++ openssl-1.0.2h/ssl/d1_both.c
+@@ -618,11 +618,23 @@ static int dtls1_retrieve_buffered_fragm
+     int al;
+ 
+     *ok = 0;
+-    item = pqueue_peek(s->d1->buffered_messages);
+-    if (item == NULL)
+-        return 0;
++    do {
++        item = pqueue_peek(s->d1->buffered_messages);
++        if (item == NULL)
++            return 0;
++
++        frag = (hm_fragment *)item->data;
++
++        if (frag->msg_header.seq < s->d1->handshake_read_seq) {
++            /* This is a stale message that has been buffered so clear it */
++            pqueue_pop(s->d1->buffered_messages);
++            dtls1_hm_fragment_free(frag);
++            pitem_free(item);
++            item = NULL;
++            frag = NULL;
++        }
++    } while (item == NULL);
+ 
+-    frag = (hm_fragment *)item->data;
+ 
+     /* Don't return if reassembly still in progress */
+     if (frag->reassembly != NULL)
+@@ -1296,18 +1308,6 @@ dtls1_retransmit_message(SSL *s, unsigne
+     return ret;
+ }
+ 
+-/* call this function when the buffered messages are no longer needed */
+-void dtls1_clear_record_buffer(SSL *s)
+-{
+-    pitem *item;
+-
+-    for (item = pqueue_pop(s->d1->sent_messages);
+-         item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
+-        dtls1_hm_fragment_free((hm_fragment *)item->data);
+-        pitem_free(item);
+-    }
+-}
+-
+ unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
+                                         unsigned char mt, unsigned long len,
+                                         unsigned long frag_off,
+Index: openssl-1.0.2h/ssl/d1_clnt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_clnt.c
++++ openssl-1.0.2h/ssl/d1_clnt.c
+@@ -769,6 +769,7 @@ int dtls1_connect(SSL *s)
+             /* done with handshaking */
+             s->d1->handshake_read_seq = 0;
+             s->d1->next_handshake_write_seq = 0;
++            dtls1_clear_received_buffer(s);
+             goto end;
+             /* break; */
+ 
+Index: openssl-1.0.2h/ssl/d1_lib.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_lib.c
++++ openssl-1.0.2h/ssl/d1_lib.c
+@@ -170,7 +170,6 @@ int dtls1_new(SSL *s)
+ static void dtls1_clear_queues(SSL *s)
+ {
+     pitem *item = NULL;
+-    hm_fragment *frag = NULL;
+     DTLS1_RECORD_DATA *rdata;
+ 
+     while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
+@@ -191,28 +190,44 @@ static void dtls1_clear_queues(SSL *s)
+         pitem_free(item);
+     }
+ 
++    while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
++        rdata = (DTLS1_RECORD_DATA *)item->data;
++        if (rdata->rbuf.buf) {
++            OPENSSL_free(rdata->rbuf.buf);
++        }
++        OPENSSL_free(item->data);
++        pitem_free(item);
++    }
++
++    dtls1_clear_received_buffer(s);
++    dtls1_clear_sent_buffer(s);
++}
++
++void dtls1_clear_received_buffer(SSL *s)
++{
++    pitem *item = NULL;
++    hm_fragment *frag = NULL;
++
+     while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
+         frag = (hm_fragment *)item->data;
+         dtls1_hm_fragment_free(frag);
+         pitem_free(item);
+     }
++}
++
++void dtls1_clear_sent_buffer(SSL *s)
++{
++    pitem *item = NULL;
++    hm_fragment *frag = NULL;
+ 
+     while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
+         frag = (hm_fragment *)item->data;
+         dtls1_hm_fragment_free(frag);
+         pitem_free(item);
+     }
+-
+-    while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
+-        rdata = (DTLS1_RECORD_DATA *)item->data;
+-        if (rdata->rbuf.buf) {
+-            OPENSSL_free(rdata->rbuf.buf);
+-        }
+-        OPENSSL_free(item->data);
+-        pitem_free(item);
+-    }
+ }
+ 
++
+ void dtls1_free(SSL *s)
+ {
+     ssl3_free(s);
+@@ -456,7 +471,7 @@ void dtls1_stop_timer(SSL *s)
+     BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
+              &(s->d1->next_timeout));
+     /* Clear retransmission buffer */
+-    dtls1_clear_record_buffer(s);
++    dtls1_clear_sent_buffer(s);
+ }
+ 
+ int dtls1_check_timeout_num(SSL *s)
+Index: openssl-1.0.2h/ssl/d1_srvr.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_srvr.c
++++ openssl-1.0.2h/ssl/d1_srvr.c
+@@ -313,7 +313,7 @@ int dtls1_accept(SSL *s)
+         case SSL3_ST_SW_HELLO_REQ_B:
+ 
+             s->shutdown = 0;
+-            dtls1_clear_record_buffer(s);
++            dtls1_clear_sent_buffer(s);
+             dtls1_start_timer(s);
+             ret = ssl3_send_hello_request(s);
+             if (ret <= 0)
+@@ -894,6 +894,7 @@ int dtls1_accept(SSL *s)
+             /* next message is server hello */
+             s->d1->handshake_write_seq = 0;
+             s->d1->next_handshake_write_seq = 0;
++            dtls1_clear_received_buffer(s);
+             goto end;
+             /* break; */
+ 
+Index: openssl-1.0.2h/ssl/ssl_locl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl_locl.h
++++ openssl-1.0.2h/ssl/ssl_locl.h
+@@ -1242,7 +1242,8 @@ int dtls1_retransmit_message(SSL *s, uns
+                              unsigned long frag_off, int *found);
+ int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
+ int dtls1_retransmit_buffered_messages(SSL *s);
+-void dtls1_clear_record_buffer(SSL *s);
++void dtls1_clear_received_buffer(SSL *s);
++void dtls1_clear_sent_buffer(SSL *s);
+ void dtls1_get_message_header(unsigned char *data,
+                               struct hm_header_st *msg_hdr);
+ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);

meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch

@@ -0,0 +1,44 @@
+From b746aa3fe05b5b5f7126df247ac3eceeb995e2a0 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Thu, 21 Jul 2016 15:24:16 +0100
+Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
+
+TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
+as a null terminated buffer. The length value returned is the total
+length the complete text reprsentation would need not the amount of
+data written.
+
+CVE-2016-2180
+
+Thanks to Shi Lei for reporting this bug.
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
+
+Upstream-Status: Backport
+CVE: CVE-2016-2180
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/ts/ts_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
+index c51538a..e0f1063 100644
+--- a/crypto/ts/ts_lib.c
++++ b/crypto/ts/ts_lib.c
+@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
+ {
+     char obj_txt[128];
+ 
+-    int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+-    BIO_write(bio, obj_txt, len);
+-    BIO_write(bio, "\n", 1);
++    OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
++    BIO_printf(bio, "%s\n", obj_txt);
+ 
+     return 1;
+ }
+-- 
+2.7.4
+

meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch

@@ -0,0 +1,91 @@
+From 20744f6b40b5ded059a848f66d6ba922f2a62eb3 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Jul 2016 11:46:26 +0100
+Subject: [PATCH] Fix DTLS unprocessed records bug
+
+During a DTLS handshake we may get records destined for the next epoch
+arrive before we have processed the CCS. In that case we can't decrypt or
+verify the record yet, so we buffer it for later use. When we do receive
+the CCS we work through the queue of unprocessed records and process them.
+
+Unfortunately the act of processing wipes out any existing packet data
+that we were still working through. This includes any records from the new
+epoch that were in the same packet as the CCS. We should only process the
+buffered records if we've not got any data left.
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2180 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/d1_pkt.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
+index fe30ec7..1fb119d 100644
+--- a/ssl/d1_pkt.c
++++ b/ssl/d1_pkt.c
+@@ -319,6 +319,7 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
+ static int dtls1_process_buffered_records(SSL *s)
+ {
+     pitem *item;
++    SSL3_BUFFER *rb;
+ 
+     item = pqueue_peek(s->d1->unprocessed_rcds.q);
+     if (item) {
+@@ -326,6 +327,19 @@ static int dtls1_process_buffered_records(SSL *s)
+         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
+             return (1);         /* Nothing to do. */
+ 
++        rb = &s->s3->rbuf;
++
++        if (rb->left > 0) {
++            /*
++             * We've still got data from the current packet to read. There could
++             * be a record from the new epoch in it - so don't overwrite it
++             * with the unprocessed records yet (we'll do it when we've
++             * finished reading the current packet).
++             */
++            return 1;
++        }
++
++
+         /* Process all the records. */
+         while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
+             dtls1_get_unprocessed_record(s);
+@@ -581,6 +595,7 @@ int dtls1_get_record(SSL *s)
+ 
+     rr = &(s->s3->rrec);
+ 
++ again:
+     /*
+      * The epoch may have changed.  If so, process all the pending records.
+      * This is a non-blocking operation.
+@@ -593,7 +608,6 @@ int dtls1_get_record(SSL *s)
+         return 1;
+ 
+     /* get something from the wire */
+- again:
+     /* check if we have the header */
+     if ((s->rstate != SSL_ST_READ_BODY) ||
+         (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
+@@ -1830,8 +1844,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
+     if (rr->epoch == s->d1->r_epoch)
+         return &s->d1->bitmap;
+ 
+-    /* Only HM and ALERT messages can be from the next epoch */
++    /*
++     * Only HM and ALERT messages can be from the next epoch and only if we
++     * have already processed all of the unprocessed records from the last
++     * epoch
++     */
+     else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
++             s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
+              (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
+         *is_next_epoch = 1;
+         return &s->d1->next_bitmap;
+-- 
+2.7.4
+