documentation: Updated title page notes

Fixed the title page notes to help the user get the exact
set of documentation for the appropriate YP release.

(From yocto-docs rev: 09bcec491f9edf5a4e7dac8b6818ce22b5df163f)

Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.xml

@@ -135,7 +135,7 @@
                     <ulink url="http://www.mail-archive.com/yocto@yoctoproject.org/msg09379.html">Mailing List post - The BitBake equivalent of "Hello, World!"</ulink>
                     </para></listitem>
                 <listitem><para>
-                    <ulink url="http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/">Hambedded Linux blog post - From Bitbake Hello World to an Image</ulink>
+                    <ulink url="https://web.archive.org/web/20150325165911/http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/">Hambedded Linux blog post - From Bitbake Hello World to an Image</ulink>
                     </para></listitem>
             </itemizedlist>
         </note>
@@ -270,7 +270,7 @@
                 and define some key BitBake variables.
                 For more information on the <filename>bitbake.conf</filename>,
                 see
-                <ulink url='http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#an-overview-of-bitbakeconf'></ulink>
+                <ulink url='https://web.archive.org/web/20150325165911/http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#an-overview-of-bitbakeconf'></ulink>
                 </para>
                 <para>Use the following commands to create the <filename>conf</filename>
                 directory in the project directory:
@@ -355,7 +355,7 @@ ERROR: Unable to parse base: ParseError in configuration INHERITs: Could not inh
                 supporting.
                 For more information on the <filename>base.bbclass</filename> file,
                 you can look at
-                <ulink url='http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#tasks'></ulink>.
+                <ulink url='https://web.archive.org/web/20150325165911/http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#tasks'></ulink>.
                 </para></listitem>
             <listitem><para><emphasis>Run Bitbake:</emphasis>
                 After making sure that the <filename>classes/base.bbclass</filename>
@@ -377,7 +377,7 @@ ERROR: Unable to parse base: ParseError in configuration INHERITs: Could not inh
                 Thus, this example creates and uses a layer called "mylayer".
                 <note>
                     You can find additional information on adding a layer at
-                    <ulink url='http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#adding-an-example-layer'></ulink>.
+                    <ulink url='https://web.archive.org/web/20150325165911/http://hambedded.org/blog/2012/11/24/from-bitbake-hello-world-to-an-image/#adding-an-example-layer'></ulink>.
                 </note>
                 </para>
                 <para>Minimally, you need a recipe file and a layer configuration

bitbake/lib/bb/fetch2/git.py

@@ -289,7 +289,7 @@ class Git(FetchMethod):
                 branchname =  ud.branches[ud.names[0]]
                 runfetchcmd("%s checkout -B %s %s" % (ud.basecmd, branchname, \
                             ud.revisions[ud.names[0]]), d)
-                runfetchcmd("%s branch --set-upstream %s origin/%s" % (ud.basecmd, branchname, \
+                runfetchcmd("%s branch %s --set-upstream-to origin/%s" % (ud.basecmd, branchname, \
                             branchname), d)
             else:
                 runfetchcmd("%s checkout %s" % (ud.basecmd, ud.revisions[ud.names[0]]), d)

bitbake/lib/bb/fetch2/gitsm.py

@@ -110,8 +110,7 @@ class GitSM(Git):
         os.chdir(tmpclonedir)
         runfetchcmd(ud.basecmd + " reset --hard", d)
         runfetchcmd(ud.basecmd + " checkout " + ud.revisions[ud.names[0]], d)
-        runfetchcmd(ud.basecmd + " submodule init", d)
-        runfetchcmd(ud.basecmd + " submodule update", d)
+        runfetchcmd(ud.basecmd + " submodule update --init --recursive", d)
         self._set_relative_paths(tmpclonedir)
         runfetchcmd("sed " + gitdir + "/config -i -e 's/bare.*=.*false/bare = true/'", d)
         os.rename(gitdir, ud.clonedir,)
@@ -131,7 +130,5 @@ class GitSM(Git):
         os.chdir(ud.destdir)
         submodules = self.uses_submodules(ud, d)
         if submodules:
-            runfetchcmd("cp -r " + ud.clonedir + "/modules " + ud.destdir + "/.git/", d)
-            runfetchcmd(ud.basecmd + " submodule init", d)
-            runfetchcmd(ud.basecmd + " submodule update", d)
-
+            runfetchcmd(ud.basecmd + " checkout " + ud.revisions[ud.names[0]], d)
+            runfetchcmd(ud.basecmd + " submodule update --init --recursive", d)

bitbake/lib/bb/fetch2/wget.py

@@ -234,38 +234,64 @@ class Wget(FetchMethod):
 
             return exported
 
-        def head_method(self):
-            return "HEAD"
+        class HTTPMethodFallback(urllib2.BaseHandler):
+            """
+            Fallback to GET if HEAD is not allowed (405 HTTP error)
+            """
+            def http_error_405(self, req, fp, code, msg, headers):
+                fp.read()
+                fp.close()
 
+                newheaders = dict((k,v) for k,v in req.headers.items()
+                                  if k.lower() not in ("content-length", "content-type"))
+                return self.parent.open(urllib2.Request(req.get_full_url(),
+                                                        headers=newheaders,
+                                                        origin_req_host=req.get_origin_req_host(),
+                                                        unverifiable=True))
+
+            """
+            Some servers (e.g. GitHub archives, hosted on Amazon S3) return 403
+            Forbidden when they actually mean 405 Method Not Allowed.
+            """
+            http_error_403 = http_error_405
+
+            """
+            Some servers (e.g. FusionForge) returns 406 Not Acceptable when they
+            actually mean 405 Method Not Allowed.
+            """
+            http_error_406 = http_error_405
+
+        class FixedHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
+            """
+            urllib2.HTTPRedirectHandler resets the method to GET on redirect,
+            when we want to follow redirects using the original method.
+            """
+            def redirect_request(self, req, fp, code, msg, headers, newurl):
+                newreq = urllib2.HTTPRedirectHandler.redirect_request(self, req, fp, code, msg, headers, newurl)
+                newreq.get_method = lambda: req.get_method()
+                return newreq
         exported_proxies = export_proxies(d)
 
+        handlers = [FixedHTTPRedirectHandler, HTTPMethodFallback]
+        if export_proxies:
+            handlers.append(urllib2.ProxyHandler())
+        handlers.append(CacheHTTPHandler())
         # XXX: Since Python 2.7.9 ssl cert validation is enabled by default
         # see PEP-0476, this causes verification errors on some https servers
         # so disable by default.
         import ssl
-        ssl_context = None
         if hasattr(ssl, '_create_unverified_context'):
-            ssl_context = ssl._create_unverified_context()
-
-        if exported_proxies == True and ssl_context is not None:
-            opener = urllib2.build_opener(urllib2.ProxyHandler, CacheHTTPHandler,
-                    urllib2.HTTPSHandler(context=ssl_context))
-        elif exported_proxies == False and ssl_context is not None:
-            opener = urllib2.build_opener(CacheHTTPHandler,
-                    urllib2.HTTPSHandler(context=ssl_context))
-        elif exported_proxies == True and ssl_context is None:
-            opener = urllib2.build_opener(urllib2.ProxyHandler, CacheHTTPHandler)
-        else:
-            opener = urllib2.build_opener(CacheHTTPHandler)
-
-        urllib2.Request.get_method = head_method
-        urllib2.install_opener(opener)
-
-        uri = ud.url.split(";")[0]
+            handlers.append(urllib2.HTTPSHandler(context=ssl._create_unverified_context()))
+        opener = urllib2.build_opener(*handlers)
 
         try:
-            urllib2.urlopen(uri)
-        except:
+            uri = ud.url.split(";")[0]
+            r = urllib2.Request(uri)
+            r.get_method = lambda: "HEAD"
+            opener.open(r)
+        except urllib2.URLError as e:
+            # debug for now to avoid spamming the logs in e.g. remote sstate searches
+            logger.debug(2, "checkstatus() urlopen failed: %s" % e)
             return False
         return True
 

bitbake/lib/bb/tests/fetch.py

@@ -692,8 +692,8 @@ class FetchLatestVersionTest(FetcherTest):
             : "5.0",
         ("xserver-xorg", "http://xorg.freedesktop.org/releases/individual/xserver/xorg-server-1.15.1.tar.bz2", "", "")
             : "1.15.1",
-        # packages with valid REGEX_URI and REGEX
-        ("cups", "http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2", "http://www.cups.org/software.php", "(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz")
+        # packages with valid UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX
+        ("cups", "http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2", "https://github.com/apple/cups/releases", "(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz")
             : "2.0.0",
         ("db", "http://download.oracle.com/berkeley-db/db-5.3.21.tar.gz", "http://www.oracle.com/technetwork/products/berkeleydb/downloads/index-082944.html", "http://download.oracle.com/otn/berkeley-db/(?P<name>db-)(?P<pver>((\d+[\.\-_]*)+))\.tar\.gz")
             : "6.1.19",
@@ -726,7 +726,6 @@ class FetchLatestVersionTest(FetcherTest):
 
 class FetchCheckStatusTest(FetcherTest):
     test_wget_uris = ["http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2",
-                      "http://www.cups.org/software/ipptool/ipptool-20130731-linux-ubuntu-i686.tar.gz",
                       "http://www.cups.org/",
                       "http://downloads.yoctoproject.org/releases/sato/sato-engine-0.1.tar.gz",
                       "http://downloads.yoctoproject.org/releases/sato/sato-engine-0.2.tar.gz",
@@ -738,6 +737,8 @@ class FetchCheckStatusTest(FetcherTest):
                       "ftp://ftp.gnu.org/gnu/autoconf/autoconf-2.60.tar.gz",
                       "ftp://ftp.gnu.org/gnu/chess/gnuchess-5.08.tar.gz",
                       "ftp://ftp.gnu.org/gnu/gmp/gmp-4.0.tar.gz",
+                      # GitHub releases are hosted on Amazon S3, which doesn't support HEAD
+                      "https://github.com/kergoth/tslib/releases/download/1.1/tslib-1.1.tar.xz"
                       ]
 
     if os.environ.get("BB_SKIP_NETTESTS") == "yes":

bitbake/lib/bs4/builder/_html5lib.py

@@ -11,7 +11,14 @@ from bs4.builder import (
     )
 from bs4.element import NamespacedAttribute
 import html5lib
+try:
+    # html5lib >= 0.99999999/1.0b9
+    from html5lib.treebuilders import base as treebuildersbase
+except ImportError:
+    # html5lib <= 0.9999999/1.0b8
+    from html5lib.treebuilders import _base as treebuildersbase
 from html5lib.constants import namespaces
+
 from bs4.element import (
     Comment,
     Doctype,
@@ -54,7 +61,7 @@ class HTML5TreeBuilder(HTMLTreeBuilder):
         return u'<html><head></head><body>%s</body></html>' % fragment
 
 
-class TreeBuilderForHtml5lib(html5lib.treebuilders._base.TreeBuilder):
+class TreeBuilderForHtml5lib(treebuildersbase.TreeBuilder):
 
     def __init__(self, soup, namespaceHTMLElements):
         self.soup = soup
@@ -92,7 +99,7 @@ class TreeBuilderForHtml5lib(html5lib.treebuilders._base.TreeBuilder):
         return self.soup
 
     def getFragment(self):
-        return html5lib.treebuilders._base.TreeBuilder.getFragment(self).element
+        return treebuildersbase.TreeBuilder.getFragment(self).element
 
 class AttrList(object):
     def __init__(self, element):
@@ -115,9 +122,9 @@ class AttrList(object):
         return name in list(self.attrs.keys())
 
 
-class Element(html5lib.treebuilders._base.Node):
+class Element(treebuildersbase.Node):
     def __init__(self, element, soup, namespace):
-        html5lib.treebuilders._base.Node.__init__(self, element.name)
+        treebuildersbase.Node.__init__(self, element.name)
         self.element = element
         self.soup = soup
         self.namespace = namespace
@@ -277,7 +284,7 @@ class Element(html5lib.treebuilders._base.Node):
 
 class TextNode(Element):
     def __init__(self, element, soup):
-        html5lib.treebuilders._base.Node.__init__(self, None)
+        treebuildersbase.Node.__init__(self, None)
         self.element = element
         self.soup = soup
 

documentation/adt-manual/adt-manual.xml

@@ -96,6 +96,16 @@
                 <date>March 2016</date>
                 <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>
@@ -108,12 +118,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_ADT_URL;'>Yocto Project Application Developer's Guide</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Application Developer's Guide</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
 
     </legalnotice>
 

documentation/bsp-guide/bsp-guide.xml

@@ -108,6 +108,16 @@
                 <date>March 2016</date>
                 <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -120,12 +130,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-nc-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Board Support Package (BSP) Developer's Guide</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/dev-manual/dev-manual-common-tasks.xml

@@ -6734,26 +6734,29 @@
                 </para>
 
                 <para>
-                    If a committed change results in changing the package output,
-                    then the value of the PR variable needs to be increased
-                    (or "bumped") as part of that commit.
+                    If a committed change results in changing the package
+                    output, then the value of the PR variable needs to be
+                    increased (or "bumped") as part of that commit.
                     For new recipes you should add the <filename>PR</filename>
-                    variable and set its initial value equal to "r0", which is the default.
-                    Even though the default value is "r0", the practice of adding it to a new recipe makes
-                    it harder to forget to bump the variable when you make changes
-                    to the recipe in future.
+                    variable and set its initial value equal to "r0", which is
+                    the default.
+                    Even though the default value is "r0", the practice of
+                    adding it to a new recipe makes it harder to forget to bump
+                    the variable when you make changes to the recipe in future.
                 </para>
 
                 <para>
-                    If you are sharing a common <filename>.inc</filename> file with multiple recipes,
-                    you can also use the
+                    If you are sharing a common <filename>.inc</filename> file
+                    with multiple recipes, you can also use the
                     <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-INC_PR'>INC_PR</ulink></filename>
-                    variable to ensure that
-                    the recipes sharing the <filename>.inc</filename> file are rebuilt when the
+                    variable to ensure that the recipes sharing the
+                    <filename>.inc</filename> file are rebuilt when the
                     <filename>.inc</filename> file itself is changed.
-                    The <filename>.inc</filename> file must set <filename>INC_PR</filename>
-                    (initially to "r0"), and all recipes referring to it should set <filename>PR</filename>
-                    to "$(INC_PR).0" initially, incrementing the last number when the recipe is changed.
+                    The <filename>.inc</filename> file must set
+                    <filename>INC_PR</filename> (initially to "r0"), and all
+                    recipes referring to it should set <filename>PR</filename>
+                    to "${INC_PR}.0" initially, incrementing the last number
+                    when the recipe is changed.
                     If the <filename>.inc</filename> file is changed then its
                     <filename>INC_PR</filename> should be incremented.
                 </para>
@@ -6762,14 +6765,14 @@
                     When upgrading the version of a package, assuming the
                     <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PV'>PV</ulink></filename>
                     changes, the <filename>PR</filename> variable should be
-                    reset to "r0" (or "$(INC_PR).0" if you are using
+                    reset to "r0" (or "${INC_PR}.0" if you are using
                     <filename>INC_PR</filename>).
                 </para>
 
                 <para>
                     Usually, version increases occur only to packages.
-                    However, if for some reason <filename>PV</filename> changes but does not
-                    increase, you can increase the
+                    However, if for some reason <filename>PV</filename> changes
+                    but does not increase, you can increase the
                     <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PE'>PE</ulink></filename>
                     variable (Package Epoch).
                     The <filename>PE</filename> variable defaults to "0".
@@ -6779,7 +6782,8 @@
                     Version numbering strives to follow the
                     <ulink url='http://www.debian.org/doc/debian-policy/ch-controlfields.html'>
                     Debian Version Field Policy Guidelines</ulink>.
-                    These guidelines define how versions are compared and what "increasing" a version means.
+                    These guidelines define how versions are compared and what
+                    "increasing" a version means.
                 </para>
             </section>
         </section>

documentation/dev-manual/dev-manual.xml

@@ -86,6 +86,16 @@
                 <date>March 2016</date>
                 <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -101,12 +111,46 @@
           Creative Commons.
       </para>
 
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_DEV_URL;'>Yocto Project Development Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Development Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/kernel-dev/kernel-dev-common.xml

@@ -383,9 +383,10 @@
 
             <para>
                 The resulting <filename>.config</filename> file is
-                located in
-                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename> under the
-                <filename>linux-${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink><filename>}-${<ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></ulink>}-build</filename> directory.
+                located in the build directory,
+                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-B'><filename>B</filename></ulink><filename>}</filename>,
+                which expands to
+                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename><filename>/linux-</filename><filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink><filename>}-${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></ulink><filename>}-build</filename>.
                 You can use the entire <filename>.config</filename> file as the
                 <filename>defconfig</filename> file as described in the
                 "<link linkend='changing-the-configuration'>Changing the Configuration</link>" section.
@@ -393,6 +394,16 @@
                 see the
                 "<ulink url='&YOCTO_DOCS_DEV_URL;#using-menuconfig'>Using <filename>menuconfig</filename></ulink>"
                 section in the Yocto Project Development Manual.
+                <note>
+                    You can determine what a variable expands to by looking
+                    at the output of the <filename>bitbake -e</filename>
+                    command:
+                    <literallayout class='monospaced'>
+     $ bitbake -e virtual/kernel
+                    </literallayout>
+                    Search the output for the variable in which you are
+                    interested to see exactly how it is expanded and used.
+                </note>
             </para>
 
             <para>
@@ -511,8 +522,14 @@
                 </literallayout>
                 Taking this step ensures you have the sources prepared
                 and the configuration completed.
-                You can find the sources in the
-                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}/linux</filename> directory.
+                You can find the sources in the build directory within the
+                <filename>source/</filename> directory, which is a symlink
+                (i.e. <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-B'><filename>B</filename></ulink><filename>}/source</filename>).
+                The <filename>source/</filename> directory expands to
+                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename><filename>/linux-</filename><filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink><filename>}-${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></ulink><filename>}-build/source</filename>.
+                The directory pointed to by the
+                <filename>source/</filename> symlink is also known as
+                <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_KERNEL_DIR'><filename>STAGING_KERNEL_DIR</filename></ulink><filename>}</filename>.
             </para>
 
             <para>

documentation/kernel-dev/kernel-dev.xml

@@ -71,6 +71,16 @@
                 <date>March 2016</date>
                 <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -83,12 +93,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;'>Yocto Project Linux Kernel Development Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Linux Kernel Development Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/mega-manual/mega-manual.xml

@@ -55,6 +55,16 @@
                 <date>March 2016</date>
                 <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>
@@ -67,12 +77,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_MM_URL;'>Yocto Project Mega-Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Mega-Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
 
     </legalnotice>
 

documentation/poky.ent

@@ -1,9 +1,9 @@
-<!ENTITY DISTRO "2.0.1">
-<!ENTITY DISTRO_COMPRESSED "201">
+<!ENTITY DISTRO "2.0.3">
+<!ENTITY DISTRO_COMPRESSED "203">
 <!ENTITY DISTRO_NAME "jethro">
-<!ENTITY YOCTO_DOC_VERSION "2.0.1">
-<!ENTITY POKYVERSION "14.0.1">
-<!ENTITY POKYVERSION_COMPRESSED "1401">
+<!ENTITY YOCTO_DOC_VERSION "2.0.3">
+<!ENTITY POKYVERSION "14.0.3">
+<!ENTITY POKYVERSION_COMPRESSED "1403">
 <!ENTITY DISTRO_NAME_NO_CAP "jethro">
 <!ENTITY YOCTO_POKY "poky-&DISTRO_NAME;-&POKYVERSION;">
 <!ENTITY COPYRIGHT_YEAR "2010-2016">

documentation/profile-manual/profile-manual-intro.xml

@@ -67,8 +67,10 @@
                 By default, the Yocto build system strips symbols from the
                 binaries it packages, which makes it difficult to use some
                 of the tools.
-                </para><para>You can prevent that by putting the following
-                in your local.conf when you build the image:
+                </para><para>You can prevent that by setting the
+                <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_STRIP'><filename>INHIBIT_PACKAGE_STRIP</filename></ulink>
+                variable to "1" in your
+                <filename>local.conf</filename> when you build the image:
                 </para>
             </note>
             <literallayout class='monospaced'>

documentation/profile-manual/profile-manual-usage.xml

@@ -60,8 +60,11 @@
 
         <para>
             In particular, you'll get the most mileage out of perf if you
-            profile an image built with INHIBIT_PACKAGE_STRIP = "1" in your
-            local.conf.
+            profile an image built with the following in your
+            <filename>local.conf</filename> file:
+            <literallayout class='monospaced'>
+     <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_STRIP'>INHIBIT_PACKAGE_STRIP</ulink> = "1"
+            </literallayout>
         </para>
 
         <para>
@@ -355,10 +358,10 @@
             </para>
 
             <para>
-                One way around that is to put the following in your local.conf
-                when you build the image:
+                One way around that is to put the following in your
+                <filename>local.conf</filename> file when you build the image:
                 <literallayout class='monospaced'>
-     INHIBIT_PACKAGE_STRIP = "1"
+     <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_STRIP'>INHIBIT_PACKAGE_STRIP</ulink> = "1"
                 </literallayout>
                 However, we already have an image with the binaries stripped,
                 so what can we do to get perf to resolve the symbols? Basically

documentation/profile-manual/profile-manual.xml

@@ -71,6 +71,16 @@
                 <date>March 2016</date>
                 <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -86,12 +96,46 @@
           Creative Commons.
       </para>
 
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_PROF_URL;'>Yocto Project Profiling and Tracing Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Profiling and Tracing Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/ref-manual/ref-manual.xml

@@ -102,6 +102,16 @@
                 <date>March 2016</date>
                 <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
         </revhistory>
 
     <copyright>
@@ -114,12 +124,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_REF_URL;'>Yocto Project Reference Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Reference Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
     </legalnotice>
 
     </bookinfo>

documentation/ref-manual/ref-variables.xml

@@ -5965,7 +5965,7 @@ recipes-graphics/xorg-font/font-alias_1.0.3.bb:PR = "${INC_PR}.3"
 
         <glossentry id='var-INHIBIT_PACKAGE_DEBUG_SPLIT'><glossterm>INHIBIT_PACKAGE_DEBUG_SPLIT</glossterm>
             <info>
-                INHIBIT_PACKAGE_STRIP[doc] = "If set to "1", causes the build to not strip binaries in resulting packages."
+                INHIBIT_PACKAGE_DEBUG_SPLIT[doc] = "If set to "1", prevents the OpenEmbedded build system from splitting out debug information during packaging"
             </info>
             <glossdef>
                 <para role="glossdeffirst">

documentation/toaster-manual/toaster-manual.xml

@@ -46,6 +46,16 @@
                 <date>March 2016</date>
                 <revremark>Released with the Yocto Project 2.0.1 Release.</revremark>
             </revision>
+            <revision>
+                <revnumber>2.0.2</revnumber>
+                <date>June 2016</date>
+                <revremark>Released with the Yocto Project 2.0.2 Release.</revremark>
+            </revision>
+            <revision>
+                <revnumber>2.0.3</revnumber>
+                <date>December 2016</date>
+                <revremark>Released with the Yocto Project 2.0.3 Release.</revremark>
+            </revision>
        </revhistory>
 
     <copyright>
@@ -58,12 +68,46 @@
         Permission is granted to copy, distribute and/or modify this document under
         the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
       </para>
-      <note>
-          For the latest version of this manual associated with this
-          Yocto Project release, see the
-          <ulink url='&YOCTO_DOCS_TOAST_URL;'>Toaster User Manual</ulink>
-          from the Yocto Project website.
-      </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Toaster User Manual</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
 
     </legalnotice>
 

documentation/tools/mega-manual.sed

@@ -2,32 +2,32 @@
 # This style is for manual folders like "yocto-project-qs" and "poky-ref-manual".
 # This is the old way that did it.  Can't do that now that we have "bitbake-user-manual" strings
 # in the mega-manual.
-# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/[a-z]*-[a-z]*-[a-z]*\/[a-z]*-[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/poky-ref-manual\/poky-ref-manual.html#/\"link\" href=\"#/g
+# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/[a-z]*-[a-z]*-[a-z]*\/[a-z]*-[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/poky-ref-manual\/poky-ref-manual.html#/\"link\" href=\"#/g
 
 # Processes all other manuals (<word>-<word> style) except for the BitBake User Manual because
 # it is not included in the mega-manual.
 # This style is for manual folders that use two word, which is the standard now (e.g. "ref-manual").
 # This was the one-liner that worked before we introduced the BitBake User Manual, which is
 # not in the mega-manual.
-# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/[a-z]*-[a-z]*\/[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
+# s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/[a-z]*-[a-z]*\/[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
 
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/adt-manual\/adt-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/bsp-guide\/bsp-guide.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/dev-manual\/dev-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/kernel-dev\/kernel-dev.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/profile-manual\/profile-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/ref-manual\/ref-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/toaster-manual\/toaster-manual.html#/\"link\" href=\"#/g
-s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/adt-manual\/adt-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/bsp-guide\/bsp-guide.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/dev-manual\/dev-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/kernel-dev\/kernel-dev.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/profile-manual\/profile-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/ref-manual\/ref-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/toaster-manual\/toaster-manual.html#/\"link\" href=\"#/g
+s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/yocto-project-qs\/yocto-project-qs.html#/\"link\" href=\"#/g
 
 # Process cases where just an external manual is referenced without an id anchor
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/yocto-project-qs\/yocto-project-qs.html\" target=\"_top\">Yocto Project Quick Start<\/a>/Yocto Project Quick Start/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/dev-manual\/dev-manual.html\" target=\"_top\">Yocto Project Development Manual<\/a>/Yocto Project Development Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/adt-manual\/adt-manual.html\" target=\"_top\">Yocto Project Application Developer's Guide<\/a>/Yocto Project Application Developer's Guide/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/bsp-guide\/bsp-guide.html\" target=\"_top\">Yocto Project Board Support Package (BSP) Developer's Guide<\/a>/Yocto Project Board Support Package (BSP) Developer's Guide/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/profile-manual\/profile-manual.html\" target=\"_top\">Yocto Project Profiling and Tracing Manual<\/a>/Yocto Project Profiling and Tracing Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/kernel-dev\/kernel-dev.html\" target=\"_top\">Yocto Project Linux Kernel Development Manual<\/a>/Yocto Project Linux Kernel Development Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/ref-manual\/ref-manual.html\" target=\"_top\">Yocto Project Reference Manual<\/a>/Yocto Project Reference Manual/g
-s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.1\/toaster-manual\/toaster-manual.html\" target=\"_top\">Toaster User Manual<\/a>/Toaster User Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/yocto-project-qs\/yocto-project-qs.html\" target=\"_top\">Yocto Project Quick Start<\/a>/Yocto Project Quick Start/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/dev-manual\/dev-manual.html\" target=\"_top\">Yocto Project Development Manual<\/a>/Yocto Project Development Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/adt-manual\/adt-manual.html\" target=\"_top\">Yocto Project Application Developer's Guide<\/a>/Yocto Project Application Developer's Guide/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/bsp-guide\/bsp-guide.html\" target=\"_top\">Yocto Project Board Support Package (BSP) Developer's Guide<\/a>/Yocto Project Board Support Package (BSP) Developer's Guide/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/profile-manual\/profile-manual.html\" target=\"_top\">Yocto Project Profiling and Tracing Manual<\/a>/Yocto Project Profiling and Tracing Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/kernel-dev\/kernel-dev.html\" target=\"_top\">Yocto Project Linux Kernel Development Manual<\/a>/Yocto Project Linux Kernel Development Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/ref-manual\/ref-manual.html\" target=\"_top\">Yocto Project Reference Manual<\/a>/Yocto Project Reference Manual/g
+s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/2.0.3\/toaster-manual\/toaster-manual.html\" target=\"_top\">Toaster User Manual<\/a>/Toaster User Manual/g

documentation/yocto-project-qs/yocto-project-qs.xml

@@ -16,12 +16,46 @@
                 Permission is granted to copy, distribute and/or modify this document under
                 the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
             </para>
-            <note>
-                For the latest version of this manual associated with this
-                Yocto Project release, see the
-                <ulink url='&YOCTO_DOCS_QS_URL;'>Yocto Project Quick Start</ulink>
-                from the Yocto Project website.
-            </note>
+           <note><title>Manual Notes</title>
+               <itemizedlist>
+                   <listitem><para>
+                       This version of the
+                       <emphasis>Yocto Project Quick Start</emphasis>
+                       is for the &YOCTO_DOC_VERSION; release of the
+                       Yocto Project.
+                       To be sure you have the latest version of the manual
+                       for this release, go to the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual from that site.
+                       Manuals from the site are more up-to-date than manuals
+                       derived from the Yocto Project released TAR files.
+                       </para></listitem>
+                   <listitem><para>
+                       If you located this manual through a web search, the
+                       version of the manual might not be the one you want
+                       (e.g. the search might have returned a manual much
+                       older than the Yocto Project version with which you
+                       are working).
+                       You can see all Yocto Project major releases by
+                       visiting the
+                       <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
+                       page.
+                       If you need a version of this manual for a different
+                       Yocto Project release, visit the
+                       <ulink url='&YOCTO_HOME_URL;/documentation'>Yocto Project documentation page</ulink>
+                       and select the manual set by using the
+                       "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
+                       pull-down menus.
+                       </para></listitem>
+                   <listitem><para>
+                       To report any inaccuracies or problems with this
+                       manual, send an email to the Yocto Project
+                       discussion group at
+                       <filename>yocto@yoctoproject.com</filename> or log into
+                       the freenode <filename>#yocto</filename> channel.
+                       </para></listitem>
+               </itemizedlist>
+           </note>
         </legalnotice>
 
 
@@ -310,6 +344,13 @@
                         <literallayout class='monospaced'>
      $ sudo dnf install &FEDORA_HOST_PACKAGES_ESSENTIAL; SDL-devel xterm
                         </literallayout>
+                        <note>
+                            This release of the Yocto Project does not support
+                            the Fedora23 distribution.
+                            If, however, you want to use that distribution,
+                            you must install <filename>perl-bignum</filename>
+                            as a required package.
+                        </note>
                         </para></listitem>
                     <listitem><para><emphasis>OpenSUSE</emphasis>
                         <literallayout class='monospaced'>

meta-yocto/conf/distro/poky.conf

@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "2.0.2"
+DISTRO_VERSION = "2.0.3"
 DISTRO_CODENAME = "jethro"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION := "${@'${DISTRO_VERSION}'.replace('snapshot-${DATE}','snapshot')}"

meta/conf/toasterconf.json

@@ -1,7 +1,7 @@
 {
     "config": {
         "MACHINE"      : "qemux86",
-        "DISTRO"       : "poky",
+        "DISTRO"       : "nodistro",
         "IMAGE_FSTYPES": "ext3 jffs2 tar.bz2",
         "IMAGE_INSTALL_append": "",
         "PACKAGE_CLASSES": "package_rpm",
@@ -12,7 +12,7 @@
             "name": "Local OpenEmbedded",
             "sourcetype": "local",
             "apiurl": "../../",
-            "branches": ["HEAD", "master", "fido", "dizzy"],
+            "branches": ["HEAD", "jethro", "fido"],
             "layers": [
                 {
                     "name": "openembedded-core",
@@ -26,21 +26,21 @@
             "name": "OpenEmbedded",
             "sourcetype": "layerindex",
             "apiurl": "http://layers.openembedded.org/layerindex/api/",
-            "branches": ["master", "fido", "dizzy"]
+            "branches": ["jethro", "fido"]
         },
         {
             "name": "Imported layers",
             "sourcetype": "imported",
             "apiurl": "",
-            "branches": ["master", "fido", "dizzy", "HEAD"]
+            "branches": ["jethro", "fido", "HEAD"]
 
         }
     ],
     "bitbake" : [
         {
-            "name": "master",
+            "name": "jethro",
             "giturl": "git://git.openembedded.org/bitbake",
-            "branch": "master",
+            "branch": "1.28",
             "dirpath": ""
         },
         {
@@ -49,12 +49,6 @@
             "branch": "1.26",
             "dirpath": ""
         },
-        {
-            "name": "dizzy",
-            "giturl": "git://git.openembedded.org/bitbake",
-            "branch": "1.24",
-            "dirpath": ""
-        },
         {
             "name": "HEAD",
             "giturl": "git://git.openembedded.org/bitbake",
@@ -63,17 +57,17 @@
         }
     ],
 
-    "defaultrelease": "master",
+    "defaultrelease": "jethro",
 
     "releases": [
         {
-            "name": "master",
-            "description": "OpenEmbedded master",
-            "bitbake": "master",
-            "branch": "master",
+            "name": "jethro",
+            "description": "OpenEmbedded Jethro",
+            "bitbake": "jethro",
+            "branch": "jethro",
             "defaultlayers": [ "openembedded-core" ],
             "layersourcepriority": { "Imported layers": 99, "Local OpenEmbedded" : 10, "OpenEmbedded" :  0 },
-            "helptext": "Toaster will run your builds using the tip of the <a href=\"http://cgit.openembedded.org/openembedded-core/log/\">OpenEmbedded master</a> branch, where active development takes place. This is not a stable branch, so your builds might not work as expected."
+            "helptext": "Toaster will run your builds using the tip of the <a href=\"http://cgit.openembedded.org/openembedded-core/log/?h=jethro\">OpenEmbedded \"Jethro\"</a> branch"
         },
         {
             "name": "fido",
@@ -84,15 +78,6 @@
             "layersourcepriority": { "Imported layers": 99, "Local OpenEmbedded" : 10, "OpenEmbedded" :  0 },
             "helptext": "Toaster will run your builds with the tip of the <a href=\"http://cgit.openembedded.org/openembedded-core/log/?h=fido\">OpenEmbedded \"Fido\"</a> branch"
         },
-        {
-            "name": "dizzy",
-            "description": "OpenEmbedded Dizzy",
-            "bitbake": "dizzy",
-            "branch": "dizzy",
-            "defaultlayers": [ "openembedded-core" ],
-            "layersourcepriority": { "Imported layers": 99, "Local OpenEmbedded" : 10, "OpenEmbedded" :  0 },
-            "helptext": "Toaster will run your builds with the tip of the <a href=\"http://cgit.openembedded.org/openembedded-core/log/?h=dizzy\">OpenEmbedded \"Dizzy\"</a> branch"
-        },
         {
             "name": "local",
             "description": "Local OpenEmbedded",

meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch

@@ -0,0 +1,216 @@
+From d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Sat, 27 Feb 2016 11:23:50 +1100
+Subject: [PATCH] 4322.   [security]      Duplicate EDNS COOKIE options in a
+ response could                         trigger an assertion failure.
+ (CVE-2016-2088)                         [RT #41809]
+
+(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
+(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
+
+Upstream-Status: Backport
+CVE: CVE-2016-2088
+minor fixup to get to apply.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES            |  5 +++++
+ bin/dig/dighost.c  |  9 +++++++++
+ bin/named/client.c | 33 +++++++++++++++++++++++----------
+ doc/arm/notes.xml  |  7 +++++++
+ lib/dns/resolver.c | 14 +++++++++++++-
+ 5 files changed, 57 insertions(+), 11 deletions(-)
+
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,7 @@
++4322.  [security]      Duplicate EDNS COOKIE options in a response could
++                       trigger an assertion failure. (CVE-2016-2088)
++                       [RT #41809]
++
+ 4319.  [security]      Fix resolver assertion failure due to improper
+                        DNAME handling when parsing fetch reply messages.
+                        (CVE-2016-1286) [RT #41753]
+Index: bind-9.10.2-P4/bin/dig/dighost.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/dig/dighost.c
++++ bind-9.10.2-P4/bin/dig/dighost.c
+@@ -3349,6 +3349,7 @@ process_opt(dig_lookup_t *l, dns_message
+ 	isc_buffer_t optbuf;
+ 	isc_uint16_t optcode, optlen;
+ 	dns_rdataset_t *opt = msg->opt;
++	isc_boolean_t seen_cookie = ISC_FALSE;
+ 
+ 	result = dns_rdataset_first(opt);
+ 	if (result == ISC_R_SUCCESS) {
+@@ -3360,8 +3361,16 @@ process_opt(dig_lookup_t *l, dns_message
+ 			optcode = isc_buffer_getuint16(&optbuf);
+ 			optlen = isc_buffer_getuint16(&optbuf);
+ 			switch (optcode) {
+-			case DNS_OPT_SIT:
++ 			case DNS_OPT_SIT:
++                                /*
++                                 * Only process the first cookie option.
++                                 */
++                                if (seen_cookie) {
++                                        isc_buffer_forward(&optbuf, optlen);
++                                        break;
++                                }
+ 				process_sit(l, msg, &optbuf, optlen);
++                                seen_cookie = ISC_TRUE;
+ 				break;
+ 			default:
+ 				isc_buffer_forward(&optbuf, optlen);
+Index: bind-9.10.2-P4/bin/named/client.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/named/client.c
++++ bind-9.10.2-P4/bin/named/client.c
+@@ -121,7 +121,10 @@
+  */
+ #endif
+ 
+-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
++#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
++
++#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
++#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
+ 
+ /*% nameserver client manager structure */
+ struct ns_clientmgr {
+@@ -1391,7 +1394,7 @@ ns_client_addopt(ns_client_t *client, dn
+ {
+ 	char nsid[BUFSIZ], *nsidp;
+ #ifdef ISC_PLATFORM_USESIT
+-	unsigned char sit[SIT_SIZE];
++	unsigned char sit[COOKIE_SIZE];
+ #endif
+ 	isc_result_t result;
+ 	dns_view_t *view;
+@@ -1416,7 +1419,7 @@ ns_client_addopt(ns_client_t *client, dn
+ 	flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
+ 
+ 	/* Set EDNS options if applicable */
+-	if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
++	if (WANTNSID(client) &&
+ 	    (ns_g_server->server_id != NULL ||
+ 	     ns_g_server->server_usehostname)) {
+ 		if (ns_g_server->server_usehostname) {
+@@ -1449,7 +1452,7 @@ ns_client_addopt(ns_client_t *client, dn
+ 
+ 		INSIST(count < DNS_EDNSOPTIONS);
+ 		ednsopts[count].code = DNS_OPT_SIT;
+-		ednsopts[count].length = SIT_SIZE;
++		ednsopts[count].length = COOKIE_SIZE;
+ 		ednsopts[count].value = sit;
+ 		count++;
+ 	}
+@@ -1657,19 +1660,26 @@ compute_sit(ns_client_t *client, isc_uin
+ 
+ static void
+ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+-	unsigned char dbuf[SIT_SIZE];
++	unsigned char dbuf[COOKIE_SIZE];
+ 	unsigned char *old;
+ 	isc_stdtime_t now;
+ 	isc_uint32_t when;
+ 	isc_uint32_t nonce;
+ 	isc_buffer_t db;
+ 
++	/*
++	 * If we have already seen a ECS option skip this ECS option.
++	 */
++	if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
++		isc_buffer_forward(buf, optlen);
++		return;
++	}
+ 	client->attributes |= NS_CLIENTATTR_WANTSIT;
+ 
+ 	isc_stats_increment(ns_g_server->nsstats,
+ 			    dns_nsstatscounter_sitopt);
+ 
+-	if (optlen != SIT_SIZE) {
++	if (optlen != COOKIE_SIZE) {
+ 		/*
+ 		 * Not our token.
+ 		 */
+@@ -1713,7 +1723,7 @@ process_sit(ns_client_t *client, isc_buf
+ 	isc_buffer_init(&db, dbuf, sizeof(dbuf));
+ 	compute_sit(client, when, nonce, &db);
+ 
+-	if (memcmp(old, dbuf, SIT_SIZE) != 0) {
++	if (memcmp(old, dbuf, COOKIE_SIZE) != 0) {
+ 		isc_stats_increment(ns_g_server->nsstats,
+ 				    dns_nsstatscounter_sitnomatch);
+ 		return;
+@@ -1779,7 +1789,9 @@ process_opt(ns_client_t *client, dns_rda
+ 			optlen = isc_buffer_getuint16(&optbuf);
+ 			switch (optcode) {
+ 			case DNS_OPT_NSID:
+-				isc_stats_increment(ns_g_server->nsstats,
++				if (!WANTNSID(client))
++					isc_stats_increment(
++						    ns_g_server->nsstats,
+ 						    dns_nsstatscounter_nsidopt);
+ 				client->attributes |= NS_CLIENTATTR_WANTNSID;
+ 				isc_buffer_forward(&optbuf, optlen);
+@@ -1790,7 +1802,9 @@ process_opt(ns_client_t *client, dns_rda
+ 				break;
+ #endif
+ 			case DNS_OPT_EXPIRE:
+-				isc_stats_increment(ns_g_server->nsstats,
++				if (!WANTEXPIRE(client))
++					isc_stats_increment(
++						  ns_g_server->nsstats,
+ 						  dns_nsstatscounter_expireopt);
+ 				client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
+ 				isc_buffer_forward(&optbuf, optlen);
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -7144,7 +7144,9 @@ process_opt(resquery_t *query, dns_rdata
+ 	unsigned char *sit;
+ 	dns_adbaddrinfo_t *addrinfo;
+ 	unsigned char cookie[8];
++	isc_boolean_t seen_cookie = ISC_FALSE;
+ #endif
++	isc_boolean_t seen_nsid = ISC_FALSE;
+ 
+ 	result = dns_rdataset_first(opt);
+ 	if (result == ISC_R_SUCCESS) {
+@@ -7158,14 +7160,23 @@ process_opt(resquery_t *query, dns_rdata
+ 			INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
+ 			switch (optcode) {
+ 			case DNS_OPT_NSID:
+-				if (query->options & DNS_FETCHOPT_WANTNSID)
++				if (!seen_nsid &&
++                                    query->options & DNS_FETCHOPT_WANTNSID)
+ 					log_nsid(&optbuf, optlen, query,
+ 						 ISC_LOG_DEBUG(3),
+ 						 query->fctx->res->mctx);
+ 				isc_buffer_forward(&optbuf, optlen);
++	                        seen_nsid = ISC_TRUE;
+ 				break;
+ #ifdef ISC_PLATFORM_USESIT
+ 			case DNS_OPT_SIT:
++                                /*
++                                 * Only process the first cookie option.
++                                 */
++                                if (seen_cookie) {
++                                        isc_buffer_forward(&optbuf, optlen);
++                                        break;
++                                }
+ 				sit = isc_buffer_current(&optbuf);
+ 				compute_cc(query, cookie, sizeof(cookie));
+ 				INSIST(query->fctx->rmessage->sitbad == 0 &&
+@@ -7183,6 +7194,7 @@ process_opt(resquery_t *query, dns_rdata
+ 				isc_buffer_forward(&optbuf, optlen);
+ 				inc_stats(query->fctx->res,
+ 					  dns_resstatscounter_sitin);
++				seen_cookie = ISC_TRUE;
+ 				break;
+ #endif
+ 			default:

meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch

@@ -0,0 +1,84 @@
+From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 7 Jul 2016 12:52:47 +1000
+Subject: [PATCH] 4406.   [bug]           getrrsetbyname with a non absolute
+ name could                         trigger a infinite recursion bug in lwresd
+                         and named with lwres configured if when combined     
+                    with a search list entry the resulting name is            
+             too long. [RT #42694]
+
+(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232)
+
+Upstream-Status: Backport
+CVE: CVE-2016-2775
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES                          |  6 ++++++
+ bin/named/lwdgrbn.c              | 16 ++++++++++------
+ bin/tests/system/lwresd/lwtest.c |  8 ++++++++
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+
+Index: bind-9.10.2-P4/bin/named/lwdgrbn.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c
++++ bind-9.10.2-P4/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+ 	INSIST(client->lookup == NULL);
+ 
+ 	dns_fixedname_init(&absname);
+-	result = ns_lwsearchctx_current(&client->searchctx,
+-					dns_fixedname_name(&absname));
++
+ 	/*
+-	 * This will return failure if relative name + suffix is too long.
+-	 * In this case, just go on to the next entry in the search path.
++	 * Perform search across all search domains until success
++	 * is returned. Return in case of failure.
+ 	 */
+-	if (result != ISC_R_SUCCESS)
+-		start_lookup(client);
++	while (ns_lwsearchctx_current(&client->searchctx,
++			dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
++		if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
++			ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
++			return;
++		}
++	}
+ 
+ 	result = dns_lookup_create(cm->mctx,
+ 				   dns_fixedname_name(&absname),
+Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c
++++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+@@ -768,6 +768,14 @@ main(void) {
+ 	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+ 	test_getrrsetbyname("", 1, 1, 0, 0, 0);
+ 
++	test_getrrsetbyname("123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789.123456789.123456789.123456789."
++			    "123456789", 1, 1, 0, 0, 0);
++
+ 	if (fails == 0)
+ 		printf("I:ok\n");
+ 	return (fails);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,9 @@
++4406.  [bug]           getrrsetbyname with a non absolute name could
++                       trigger a infinite recursion bug in lwresd
++                       and named with lwres configured if when combined
++                       with a search list entry the resulting name is
++                       too long. [RT #42694]
++
+ 4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                        trigger an assertion failure. (CVE-2016-2088)
+                        [RT #41809]

meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch

@@ -0,0 +1,112 @@
+From 060b6137eee62bc6d2eb77aeaeb1ad2292ca8ed7 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 9 Sep 2016 11:29:48 +1000
+Subject: [PATCH] 4467.   [security]      It was possible to trigger a
+ assertion when rendering                         a message. [RT #43139]
+
+(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
+---
+ CHANGES           |  3 +++
+ lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
+ 2 files changed, 34 insertions(+), 11 deletions(-)
+
+Index: bind-9.10.2-P4/lib/dns/message.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/message.c
++++ bind-9.10.2-P4/lib/dns/message.c
+@@ -1751,7 +1751,7 @@ dns_message_renderbegin(dns_message_t *m
+ 	if (r.length < DNS_MESSAGE_HEADERLEN)
+ 		return (ISC_R_NOSPACE);
+ 
+-	if (r.length < msg->reserved)
++	if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+ 		return (ISC_R_NOSPACE);
+ 
+ 	/*
+@@ -1878,8 +1878,29 @@ norender_rdataset(const dns_rdataset_t *
+ 
+ 	return (ISC_TRUE);
+ }
+-
+ #endif
++
++static isc_result_t
++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
++	  dns_compress_t *cctx, isc_buffer_t *target,
++	  unsigned int reserved, unsigned int options, unsigned int *countp)
++{
++	isc_result_t result;
++
++	/*
++	 * Shrink the space in the buffer by the reserved amount.
++	 */
++	if (target->length - target->used < reserved)
++		return (ISC_R_NOSPACE);
++
++	target->length -= reserved;
++	result = dns_rdataset_towire(rdataset, owner_name,
++				     cctx, target, options, countp);
++	target->length += reserved;
++
++	return (result);
++}
++
+ isc_result_t
+ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+ 			  unsigned int options)
+@@ -1922,6 +1943,8 @@ dns_message_rendersection(dns_message_t
+ 	/*
+ 	 * Shrink the space in the buffer by the reserved amount.
+ 	 */
++	if (msg->buffer->length - msg->buffer->used < msg->reserved)
++		return (ISC_R_NOSPACE);
+ 	msg->buffer->length -= msg->reserved;
+ 
+ 	total = 0;
+@@ -2198,9 +2221,8 @@ dns_message_renderend(dns_message_t *msg
+ 		 * Render.
+ 		 */
+ 		count = 0;
+-		result = dns_rdataset_towire(msg->opt, dns_rootname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->opt, dns_rootname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+@@ -2216,9 +2238,8 @@ dns_message_renderend(dns_message_t *msg
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+ 		count = 0;
+-		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->tsig, msg->tsigname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+@@ -2239,9 +2260,8 @@ dns_message_renderend(dns_message_t *msg
+ 		 * the owner name of a SIG(0) is irrelevant, and will not
+ 		 * be set in a message being rendered.
+ 		 */
+-		result = dns_rdataset_towire(msg->sig0, dns_rootname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->sig0, dns_rootname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,6 @@
++4467.  [security]      It was possible to trigger a assertion when rendering
++                       a message. [RT #43139]
++
+ 4406.  [bug]           getrrsetbyname with a non absolute name could
+                        trigger a infinite recursion bug in lwresd
+                        and named with lwres configured if when combined

meta/recipes-connectivity/bind/bind_9.10.2-P4.bb

@@ -28,6 +28,9 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://CVE-2016-1285.patch \
            file://CVE-2016-1286_1.patch \
            file://CVE-2016-1286_2.patch \
+           file://CVE-2016-2088.patch \
+           file://CVE-2016-2775.patch \
+           file://CVE-2016-2776.patch \
            "
 
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"

meta/recipes-connectivity/bluez5/bluez5_5.33.bb

@@ -10,6 +10,7 @@ NOINST_TOOLS_READLINE ?= " \
     tools/obex-server-tool \
     tools/bluetooth-player \
     tools/obexctl \
+    tools/btmgmt \
 "
 
 # noinst programs in Makefile.tools that are conditional on EXPERIMENTAL
@@ -34,7 +35,6 @@ NOINST_TOOLS_EXPERIMENTAL ?= " \
     tools/hwdb \
     tools/hcieventmask \
     tools/hcisecfilter \
-    tools/btmgmt \
     tools/btinfo \
     tools/btattach \
     tools/btsnoop \

meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch

@@ -0,0 +1,33 @@
+From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 13 Apr 2016 10:39:57 +1000
+Subject: [PATCH] ignore PAM environment vars when UseLogin=yes
+
+If PAM is configured to read user-specified environment variables
+and UseLogin=yes in sshd_config, then a hostile local user may
+attack /bin/login via LD_PRELOAD or similar environment variables
+set via PAM.
+
+CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
+
+Upstream-Status: Backport
+CVE: CVE-2015-8325
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssh-7.1p2/session.c
+===================================================================
+--- openssh-7.1p2.orig/session.c
++++ openssh-7.1p2/session.c
+@@ -1315,7 +1315,7 @@ do_setup_env(Session *s, const char *she
+ 	 * Pull in any environment variables that may have
+ 	 * been set by PAM.
+ 	 */
+-	if (options.use_pam) {
++	if (options.use_pam && !options.use_login) {
+ 		char **p;
+ 
+ 		p = fetch_pam_child_environment();

meta/recipes-connectivity/openssh/openssh/CVE-2016-6210.patch

@@ -0,0 +1,114 @@
+From 9286875a73b2de7736b5e50692739d314cd8d9dc Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Fri, 15 Jul 2016 13:32:45 +1000
+Subject: [PATCH] Determine appropriate salt for invalid users.
+
+When sshd is processing a non-PAM login for a non-existent user it uses
+the string from the fakepw structure as the salt for crypt(3)ing the
+password supplied by the client.  That string has a Blowfish prefix, so on
+systems that don't understand that crypt will fail fast due to an invalid
+salt, and even on those that do it may have significantly different timing
+from the hash methods used for real accounts (eg sha512).  This allows
+user enumeration by, eg, sending large password strings.  This was noted
+by EddieEzra.Harari at verint.com (CVE-2016-6210).
+
+To mitigate, use the same hash algorithm that root uses for hashing
+passwords for users that do not exist on the system.  ok djm@
+
+Upstream-Status: Backport
+OpenSSH  < 7.3
+CVE: CVE-2016-6210 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ auth-passwd.c           | 12 ++++++++----
+ openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+), 4 deletions(-)
+
+Index: openssh-7.1p2/auth-passwd.c
+===================================================================
+--- openssh-7.1p2.orig/auth-passwd.c
++++ openssh-7.1p2/auth-passwd.c
+@@ -198,7 +198,7 @@ int
+ sys_auth_passwd(Authctxt *authctxt, const char *password)
+ {
+ 	struct passwd *pw = authctxt->pw;
+-	char *encrypted_password;
++	char *encrypted_password, *salt = NULL;
+ 
+ 	/* Just use the supplied fake password if authctxt is invalid */
+ 	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
+@@ -207,9 +207,13 @@ sys_auth_passwd(Authctxt *authctxt, cons
+ 	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
+ 		return (1);
+ 
+-	/* Encrypt the candidate password using the proper salt. */
+-	encrypted_password = xcrypt(password,
+-	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
++	/*
++	 * Encrypt the candidate password using the proper salt, or pass a
++	 * NULL and let xcrypt pick one.
++	 */
++	if (authctxt->valid && pw_password[0] && pw_password[1])
++		salt = pw_password;
++	encrypted_password = xcrypt(password, salt);
+ 
+ 	/*
+ 	 * Authentication is accepted if the encrypted passwords
+Index: openssh-7.1p2/openbsd-compat/xcrypt.c
+===================================================================
+--- openssh-7.1p2.orig/openbsd-compat/xcrypt.c
++++ openssh-7.1p2/openbsd-compat/xcrypt.c
+@@ -25,6 +25,7 @@
+ #include "includes.h"
+ 
+ #include <sys/types.h>
++#include <string.h>
+ #include <unistd.h>
+ #include <pwd.h>
+ 
+@@ -62,11 +63,44 @@
+ #  define crypt DES_crypt
+ # endif
+ 
++/*
++ * Pick an appropriate password encryption type and salt for the running
++ * system.
++ */
++static const char *
++pick_salt(void)
++{
++	struct passwd *pw;
++	char *passwd, *p;
++	size_t typelen;
++	static char salt[32];
++
++	if (salt[0] != '\0')
++		return salt;
++	strlcpy(salt, "xx", sizeof(salt));
++	if ((pw = getpwuid(0)) == NULL)
++		return salt;
++	passwd = shadow_pw(pw);
++	if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
++		return salt;  /* no $, DES */
++	typelen = p - passwd + 1;
++	strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
++	explicit_bzero(passwd, strlen(passwd));
++	return salt;
++}
++
+ char *
+ xcrypt(const char *password, const char *salt)
+ {
+ 	char *crypted;
+ 
++	/*
++	 * If we don't have a salt we are encrypting a fake password for
++	 * for timing purposes.  Pick an appropriate salt.
++	 */
++	if (salt == NULL)
++		salt = pick_salt();
++
+ # ifdef HAVE_MD5_PASSWORDS
+         if (is_md5_salt(salt))
+                 crypted = md5_crypt(password, salt);

meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p2.patch

@@ -0,0 +1,110 @@
+From 283b97ff33ea2c641161950849931bd578de6946 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Fri, 15 Jul 2016 13:49:44 +1000
+Subject: [PATCH] Mitigate timing of disallowed users PAM logins.
+
+When sshd decides to not allow a login (eg PermitRootLogin=no) and
+it's using PAM, it sends a fake password to PAM so that the timing for
+the failure is not noticeably different whether or not the password
+is correct.  This behaviour can be detected by sending a very long
+password string which is slower to hash than the fake password.
+
+Mitigate by constructing an invalid password that is the same length
+as the one from the client and thus takes the same time to hash.
+Diff from djm@
+
+Upstream-Status: Backport
+CVE: CVE-2016-6210 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ auth-pam.c | 35 +++++++++++++++++++++++++++++++----
+ 1 file changed, 31 insertions(+), 4 deletions(-)
+
+Index: openssh-7.1p2/auth-pam.c
+===================================================================
+--- openssh-7.1p2.orig/auth-pam.c
++++ openssh-7.1p2/auth-pam.c
+@@ -231,7 +231,6 @@ static int sshpam_account_status = -1;
+ static char **sshpam_env = NULL;
+ static Authctxt *sshpam_authctxt = NULL;
+ static const char *sshpam_password = NULL;
+-static char badpw[] = "\b\n\r\177INCORRECT";
+ 
+ /* Some PAM implementations don't implement this */
+ #ifndef HAVE_PAM_GETENVLIST
+@@ -809,12 +808,35 @@ sshpam_query(void *ctx, char **name, cha
+ 	return (-1);
+ }
+ 
++/*
++ * Returns a junk password of identical length to that the user supplied.
++ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
++ * vary processing time in proportion to password length.
++ */
++static char *
++fake_password(const char *wire_password)
++{
++	const char junk[] = "\b\n\r\177INCORRECT";
++	char *ret = NULL;
++	size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
++
++	if (l >= INT_MAX)
++		fatal("%s: password length too long: %zu", __func__, l);
++
++	ret = malloc(l + 1);
++	for (i = 0; i < l; i++)
++		ret[i] = junk[i % (sizeof(junk) - 1)];
++	ret[i] = '\0';
++	return ret;
++}
++
+ /* XXX - see also comment in auth-chall.c:verify_response */
+ static int
+ sshpam_respond(void *ctx, u_int num, char **resp)
+ {
+ 	Buffer buffer;
+ 	struct pam_ctxt *ctxt = ctx;
++	char *fake;
+ 
+ 	debug2("PAM: %s entering, %u responses", __func__, num);
+ 	switch (ctxt->pam_done) {
+@@ -835,8 +857,11 @@ sshpam_respond(void *ctx, u_int num, cha
+ 	    (sshpam_authctxt->pw->pw_uid != 0 ||
+ 	    options.permit_root_login == PERMIT_YES))
+ 		buffer_put_cstring(&buffer, *resp);
+-	else
+-		buffer_put_cstring(&buffer, badpw);
++	else {
++		fake = fake_password(*resp);
++		buffer_put_cstring(&buffer, fake);
++		free(fake);
++	}
+ 	if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
+ 		buffer_free(&buffer);
+ 		return (-1);
+@@ -1180,6 +1205,7 @@ sshpam_auth_passwd(Authctxt *authctxt, c
+ {
+ 	int flags = (options.permit_empty_passwd == 0 ?
+ 	    PAM_DISALLOW_NULL_AUTHTOK : 0);
++	char *fake = NULL;
+ 
+ 	if (!options.use_pam || sshpam_handle == NULL)
+ 		fatal("PAM: %s called when PAM disabled or failed to "
+@@ -1195,7 +1221,7 @@ sshpam_auth_passwd(Authctxt *authctxt, c
+ 	 */
+ 	if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
+ 	    options.permit_root_login != PERMIT_YES))
+-		sshpam_password = badpw;
++		sshpam_password = fake = fake_password(password);
+ 
+ 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ 	    (const void *)&passwd_conv);
+@@ -1205,6 +1231,7 @@ sshpam_auth_passwd(Authctxt *authctxt, c
+ 
+ 	sshpam_err = pam_authenticate(sshpam_handle, flags);
+ 	sshpam_password = NULL;
++	free(fake);
+ 	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+ 		debug("PAM: password authentication accepted for %.100s",
+ 		    authctxt->user);

meta/recipes-connectivity/openssh/openssh/CVE-2016-6210_p3.patch

@@ -0,0 +1,62 @@
+From dbf788b4d9d9490a5fff08a7b09888272bb10fcc Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@zip.com.au>
+Date: Thu, 21 Jul 2016 14:17:31 +1000
+Subject: [PATCH] Search users for one with a valid salt.
+
+If the root account is locked (eg password "!!" or "*LK*") keep looking
+until we find a user with a valid salt to use for crypting passwords of
+invalid users.  ok djm@
+
+Upstream-Status: Backport
+CVE: CVE-2016-6210
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
+index 8913bb8..cf6a9b9 100644
+--- a/openbsd-compat/xcrypt.c
++++ b/openbsd-compat/xcrypt.c
+@@ -65,7 +65,9 @@
+ 
+ /*
+  * Pick an appropriate password encryption type and salt for the running
+- * system.
++ * system by searching through accounts until we find one that has a valid
++ * salt.  Usually this will be root unless the root account is locked out.
++ * If we don't find one we return a traditional DES-based salt.
+  */
+ static const char *
+ pick_salt(void)
+@@ -78,14 +80,18 @@ pick_salt(void)
+ 	if (salt[0] != '\0')
+ 		return salt;
+ 	strlcpy(salt, "xx", sizeof(salt));
+-	if ((pw = getpwuid(0)) == NULL)
+-		return salt;
+-	passwd = shadow_pw(pw);
+-	if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
+-		return salt;  /* no $, DES */
+-	typelen = p - passwd + 1;
+-	strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+-	explicit_bzero(passwd, strlen(passwd));
++	setpwent();
++	while ((pw = getpwent()) != NULL) {
++		passwd = shadow_pw(pw);
++		if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
++			typelen = p - passwd + 1;
++			strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
++			explicit_bzero(passwd, strlen(passwd));
++			goto out;
++		}
++	}
++ out:
++	endpwent();
+ 	return salt;
+ }
+ 
+-- 
+2.7.4
+

meta/recipes-connectivity/openssh/openssh/CVE-2016-6515.patch

@@ -0,0 +1,54 @@
+From fcd135c9df440bcd2d5870405ad3311743d78d97 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 21 Jul 2016 01:39:35 +0000
+Subject: [PATCH] upstream commit
+
+Skip passwords longer than 1k in length so clients can't
+easily DoS sshd by sending very long passwords, causing it to spend CPU
+hashing them. feedback djm@, ok markus@.
+
+Brought to our attention by tomas.kuthan at oracle.com, shilei-c at
+360.cn and coredump at autistici.org
+
+Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
+
+Upstream-Status: Backport
+CVE: CVE-2016-6515
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ auth-passwd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/auth-passwd.c b/auth-passwd.c
+index 530b5d4..996c2cf 100644
+--- a/auth-passwd.c
++++ b/auth-passwd.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
++/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -66,6 +66,8 @@ extern login_cap_t *lc;
+ #define DAY		(24L * 60 * 60) /* 1 day in seconds */
+ #define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
+ 
++#define MAX_PASSWORD_LEN	1024
++
+ void
+ disable_forwarding(void)
+ {
+@@ -87,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password)
+ 	static int expire_checked = 0;
+ #endif
+ 
++	if (strlen(password) > MAX_PASSWORD_LEN)
++		return 0;
++
+ #ifndef HAVE_CYGWIN
+ 	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ 		ok = 0;
+-- 
+2.7.4
+

meta/recipes-connectivity/openssh/openssh_7.1p2.bb

@@ -25,6 +25,11 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
            file://CVE-2016-1907_2.patch \
            file://CVE-2016-1907_3.patch \
            file://CVE-2016-3115.patch \
+           file://CVE-2016-6210.patch \
+           file://CVE-2016-6210_p2.patch \
+           file://CVE-2016-6210_p3.patch \
+           file://CVE-2016-6515.patch \
+           file://CVE-2015-8325.patch \
            "
 
 PAM_SRC_URI = "file://sshd"

meta/recipes-connectivity/openssl/openssl/CVE-2016-2177.patch

@@ -0,0 +1,286 @@
+From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 5 May 2016 11:10:26 +0100
+Subject: [PATCH] Avoid some undefined pointer arithmetic
+
+A common idiom in the codebase is:
+
+if (p + len > limit)
+{
+    return; /* Too long */
+}
+
+Where "p" points to some malloc'd data of SIZE bytes and
+limit == p + SIZE
+
+"len" here could be from some externally supplied data (e.g. from a TLS
+message).
+
+The rules of C pointer arithmetic are such that "p + len" is only well
+defined where len <= SIZE. Therefore the above idiom is actually
+undefined behaviour.
+
+For example this could cause problems if some malloc implementation
+provides an address for "p" such that "p + len" actually overflows for
+values of len that are too big and therefore p + len < limit!
+
+Issue reported by Guido Vranken.
+
+CVE-2016-2177
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2177
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+---
+ ssl/s3_srvr.c  | 14 +++++++-------
+ ssl/ssl_sess.c |  2 +-
+ ssl/t1_lib.c   | 56 ++++++++++++++++++++++++++++++--------------------------
+ 3 files changed, 38 insertions(+), 34 deletions(-)
+
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index ab28702..ab7f690 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+         session_length = *(p + SSL3_RANDOM_SIZE);
+ 
+-        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
++        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
+     /* get the session-id */
+     j = *(p++);
+ 
+-    if (p + j > d + n) {
++    if ((d + n) - p < j) {
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+         goto f_err;
+@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
+ 
+     if (SSL_IS_DTLS(s)) {
+         /* cookie stuff */
+-        if (p + 1 > d + n) {
++        if ((d + n) - p < 1) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+         }
+         cookie_len = *(p++);
+ 
+-        if (p + cookie_len > d + n) {
++        if ((d + n ) - p < cookie_len) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
+         }
+     }
+ 
+-    if (p + 2 > d + n) {
++    if ((d + n ) - p < 2) {
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+         goto f_err;
+@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
+     }
+ 
+     /* i bytes of cipher data + 1 byte for compression length later */
+-    if ((p + i + 1) > (d + n)) {
++    if ((d + n) - p < i + 1) {
+         /* not enough data */
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+     /* compression */
+     i = *(p++);
+-    if ((p + i) > (d + n)) {
++    if ((d + n) - p < i) {
+         /* not enough data */
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index b182998..54ee783 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
+     int r;
+ #endif
+ 
+-    if (session_id + len > limit) {
++    if (limit - session_id < len) {
+         fatal = 1;
+         goto err;
+     }
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index fb64607..cdac011 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+         0x02, 0x03,             /* SHA-1/ECDSA */
+     };
+ 
+-    if (data >= (limit - 2))
++    if (limit - data <= 2)
+         return;
+     data += 2;
+ 
+-    if (data > (limit - 4))
++    if (limit - data < 4)
+         return;
+     n2s(data, type);
+     n2s(data, size);
+@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+     if (type != TLSEXT_TYPE_server_name)
+         return;
+ 
+-    if (data + size > limit)
++    if (limit - data < size)
+         return;
+     data += size;
+ 
+@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+         const size_t len1 = sizeof(kSafariExtensionsBlock);
+         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+ 
+-        if (data + len1 + len2 != limit)
++        if (limit - data != (int)(len1 + len2))
+             return;
+         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+             return;
+@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+     } else {
+         const size_t len = sizeof(kSafariExtensionsBlock);
+ 
+-        if (data + len != limit)
++        if (limit - data != (int)(len))
+             return;
+         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+             return;
+@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+     if (data == limit)
+         goto ri_check;
+ 
+-    if (data > (limit - 2))
++    if (limit - data < 2)
+         goto err;
+ 
+     n2s(data, len);
+ 
+-    if (data + len != limit)
++    if (limit - data != len)
+         goto err;
+ 
+-    while (data <= (limit - 4)) {
++    while (limit - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > (limit))
++        if (limit - data < size)
+             goto err;
+ # if 0
+         fprintf(stderr, "Received extension type %d size %d\n", type, size);
+@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
+     if (s->hit || s->cert->srv_ext.meths_count == 0)
+         return 1;
+ 
+-    if (data >= limit - 2)
++    if (limit - data <= 2)
+         return 1;
+     n2s(data, len);
+ 
+-    if (data > limit - len)
++    if (limit - data < len)
+         return 1;
+ 
+-    while (data <= limit - 4) {
++    while (limit - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > limit)
++        if (limit - data < size)
+             return 1;
+         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
+             return 0;
+@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
+                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ # endif
+ 
+-    if (data >= (d + n - 2))
++    if ((d + n) - data <= 2)
+         goto ri_check;
+ 
+     n2s(data, length);
+-    if (data + length != d + n) {
++    if ((d + n) - data != length) {
+         *al = SSL_AD_DECODE_ERROR;
+         return 0;
+     }
+ 
+-    while (data <= (d + n - 4)) {
++    while ((d + n) - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > (d + n))
++        if ((d + n) - data < size)
+             goto ri_check;
+ 
+         if (s->tlsext_debug_cb)
+@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
+     /* Skip past DTLS cookie */
+     if (SSL_IS_DTLS(s)) {
+         i = *(p++);
+-        p += i;
+-        if (p >= limit)
++
++        if (limit - p <= i)
+             return -1;
++
++        p += i;
+     }
+     /* Skip past cipher list */
+     n2s(p, i);
+-    p += i;
+-    if (p >= limit)
++    if (limit - p <= i)
+         return -1;
++    p += i;
++
+     /* Skip past compression algorithm list */
+     i = *(p++);
+-    p += i;
+-    if (p > limit)
++    if (limit - p < i)
+         return -1;
++    p += i;
++
+     /* Now at start of extensions */
+-    if ((p + 2) >= limit)
++    if (limit - p <= 2)
+         return 0;
+     n2s(p, i);
+-    while ((p + 4) <= limit) {
++    while (limit - p >= 4) {
+         unsigned short type, size;
+         n2s(p, type);
+         n2s(p, size);
+-        if (p + size > limit)
++        if (limit - p < size)
+             return 0;
+         if (type == TLSEXT_TYPE_session_ticket) {
+             int r;
+-- 
+2.3.5
+

meta/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch

@@ -0,0 +1,51 @@
+From 399944622df7bd81af62e67ea967c470534090e2 Mon Sep 17 00:00:00 2001
+From: Cesar Pereida <cesar.pereida@aalto.fi>
+Date: Mon, 23 May 2016 12:45:25 +0300
+Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
+
+Operations in the DSA signing algorithm should run in constant time in
+order to avoid side channel attacks. A flaw in the OpenSSL DSA
+implementation means that a non-constant time codepath is followed for
+certain operations. This has been demonstrated through a cache-timing
+attack to be sufficient for an attacker to recover the private DSA key.
+
+CVE-2016-2178
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2178
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/dsa/dsa_ossl.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+Index: openssl-1.0.2h/crypto/dsa/dsa_ossl.c
+===================================================================
+--- openssl-1.0.2h.orig/crypto/dsa/dsa_ossl.c
++++ openssl-1.0.2h/crypto/dsa/dsa_ossl.c
+@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
+         if (!BN_rand_range(&k, dsa->q))
+             goto err;
+     while (BN_is_zero(&k)) ;
+-    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+-        BN_set_flags(&k, BN_FLG_CONSTTIME);
+-    }
+ 
+     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
+         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+@@ -282,6 +279,11 @@ static int dsa_sign_setup(DSA *dsa, BN_C
+     } else {
+         K = &k;
+     }
++
++    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
++        BN_set_flags(K, BN_FLG_CONSTTIME);
++    }
++
+     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
+                    dsa->method_mont_p);
+     if (!BN_mod(r, r, dsa->q, ctx))

meta/recipes-connectivity/openssl/openssl/CVE-2016-2179.patch

@@ -0,0 +1,255 @@
+From 00a4c1421407b6ac796688871b0a49a179c694d9 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 30 Jun 2016 13:17:08 +0100
+Subject: [PATCH] Fix DTLS buffered message DoS attack
+
+DTLS can handle out of order record delivery. Additionally since
+handshake messages can be bigger than will fit into a single packet, the
+messages can be fragmented across multiple records (as with normal TLS).
+That means that the messages can arrive mixed up, and we have to
+reassemble them. We keep a queue of buffered messages that are "from the
+future", i.e. messages we're not ready to deal with yet but have arrived
+early. The messages held there may not be full yet - they could be one
+or more fragments that are still in the process of being reassembled.
+
+The code assumes that we will eventually complete the reassembly and
+when that occurs the complete message is removed from the queue at the
+point that we need to use it.
+
+However, DTLS is also tolerant of packet loss. To get around that DTLS
+messages can be retransmitted. If we receive a full (non-fragmented)
+message from the peer after previously having received a fragment of
+that message, then we ignore the message in the queue and just use the
+non-fragmented version. At that point the queued message will never get
+removed.
+
+Additionally the peer could send "future" messages that we never get to
+in order to complete the handshake. Each message has a sequence number
+(starting from 0). We will accept a message fragment for the current
+message sequence number, or for any sequence up to 10 into the future.
+However if the Finished message has a sequence number of 2, anything
+greater than that in the queue is just left there.
+
+So, in those two ways we can end up with "orphaned" data in the queue
+that will never get removed - except when the connection is closed. At
+that point all the queues are flushed.
+
+An attacker could seek to exploit this by filling up the queues with
+lots of large messages that are never going to be used in order to
+attempt a DoS by memory exhaustion.
+
+I will assume that we are only concerned with servers here. It does not
+seem reasonable to be concerned about a memory exhaustion attack on a
+client. They are unlikely to process enough connections for this to be
+an issue.
+
+A "long" handshake with many messages might be 5 messages long (in the
+incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
+CertificateVerify, Finished. So this would be message sequence numbers 0
+to 4. Additionally we can buffer up to 10 messages in the future.
+Therefore the maximum number of messages that an attacker could send
+that could get orphaned would typically be 15.
+
+The maximum size that a DTLS message is allowed to be is defined by
+max_cert_list, which by default is 100k. Therefore the maximum amount of
+"orphaned" memory per connection is 1500k.
+
+Message sequence numbers get reset after the Finished message, so
+renegotiation will not extend the maximum number of messages that can be
+orphaned per connection.
+
+As noted above, the queues do get cleared when the connection is closed.
+Therefore in order to mount an effective attack, an attacker would have
+to open many simultaneous connections.
+
+Issue reported by Quan Luo.
+
+CVE-2016-2179
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2106-2179
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/d1_both.c  | 32 ++++++++++++++++----------------
+ ssl/d1_clnt.c  |  1 +
+ ssl/d1_lib.c   | 37 ++++++++++++++++++++++++++-----------
+ ssl/d1_srvr.c  |  3 ++-
+ ssl/ssl_locl.h |  3 ++-
+ 5 files changed, 47 insertions(+), 29 deletions(-)
+
+Index: openssl-1.0.2h/ssl/d1_both.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_both.c
++++ openssl-1.0.2h/ssl/d1_both.c
+@@ -618,11 +618,23 @@ static int dtls1_retrieve_buffered_fragm
+     int al;
+ 
+     *ok = 0;
+-    item = pqueue_peek(s->d1->buffered_messages);
+-    if (item == NULL)
+-        return 0;
++    do {
++        item = pqueue_peek(s->d1->buffered_messages);
++        if (item == NULL)
++            return 0;
++
++        frag = (hm_fragment *)item->data;
++
++        if (frag->msg_header.seq < s->d1->handshake_read_seq) {
++            /* This is a stale message that has been buffered so clear it */
++            pqueue_pop(s->d1->buffered_messages);
++            dtls1_hm_fragment_free(frag);
++            pitem_free(item);
++            item = NULL;
++            frag = NULL;
++        }
++    } while (item == NULL);
+ 
+-    frag = (hm_fragment *)item->data;
+ 
+     /* Don't return if reassembly still in progress */
+     if (frag->reassembly != NULL)
+@@ -1296,18 +1308,6 @@ dtls1_retransmit_message(SSL *s, unsigne
+     return ret;
+ }
+ 
+-/* call this function when the buffered messages are no longer needed */
+-void dtls1_clear_record_buffer(SSL *s)
+-{
+-    pitem *item;
+-
+-    for (item = pqueue_pop(s->d1->sent_messages);
+-         item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
+-        dtls1_hm_fragment_free((hm_fragment *)item->data);
+-        pitem_free(item);
+-    }
+-}
+-
+ unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
+                                         unsigned char mt, unsigned long len,
+                                         unsigned long frag_off,
+Index: openssl-1.0.2h/ssl/d1_clnt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_clnt.c
++++ openssl-1.0.2h/ssl/d1_clnt.c
+@@ -769,6 +769,7 @@ int dtls1_connect(SSL *s)
+             /* done with handshaking */
+             s->d1->handshake_read_seq = 0;
+             s->d1->next_handshake_write_seq = 0;
++            dtls1_clear_received_buffer(s);
+             goto end;
+             /* break; */
+ 
+Index: openssl-1.0.2h/ssl/d1_lib.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_lib.c
++++ openssl-1.0.2h/ssl/d1_lib.c
+@@ -170,7 +170,6 @@ int dtls1_new(SSL *s)
+ static void dtls1_clear_queues(SSL *s)
+ {
+     pitem *item = NULL;
+-    hm_fragment *frag = NULL;
+     DTLS1_RECORD_DATA *rdata;
+ 
+     while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
+@@ -191,28 +190,44 @@ static void dtls1_clear_queues(SSL *s)
+         pitem_free(item);
+     }
+ 
++    while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
++        rdata = (DTLS1_RECORD_DATA *)item->data;
++        if (rdata->rbuf.buf) {
++            OPENSSL_free(rdata->rbuf.buf);
++        }
++        OPENSSL_free(item->data);
++        pitem_free(item);
++    }
++
++    dtls1_clear_received_buffer(s);
++    dtls1_clear_sent_buffer(s);
++}
++
++void dtls1_clear_received_buffer(SSL *s)
++{
++    pitem *item = NULL;
++    hm_fragment *frag = NULL;
++
+     while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
+         frag = (hm_fragment *)item->data;
+         dtls1_hm_fragment_free(frag);
+         pitem_free(item);
+     }
++}
++
++void dtls1_clear_sent_buffer(SSL *s)
++{
++    pitem *item = NULL;
++    hm_fragment *frag = NULL;
+ 
+     while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
+         frag = (hm_fragment *)item->data;
+         dtls1_hm_fragment_free(frag);
+         pitem_free(item);
+     }
+-
+-    while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
+-        rdata = (DTLS1_RECORD_DATA *)item->data;
+-        if (rdata->rbuf.buf) {
+-            OPENSSL_free(rdata->rbuf.buf);
+-        }
+-        OPENSSL_free(item->data);
+-        pitem_free(item);
+-    }
+ }
+ 
++
+ void dtls1_free(SSL *s)
+ {
+     ssl3_free(s);
+@@ -456,7 +471,7 @@ void dtls1_stop_timer(SSL *s)
+     BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
+              &(s->d1->next_timeout));
+     /* Clear retransmission buffer */
+-    dtls1_clear_record_buffer(s);
++    dtls1_clear_sent_buffer(s);
+ }
+ 
+ int dtls1_check_timeout_num(SSL *s)
+Index: openssl-1.0.2h/ssl/d1_srvr.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_srvr.c
++++ openssl-1.0.2h/ssl/d1_srvr.c
+@@ -313,7 +313,7 @@ int dtls1_accept(SSL *s)
+         case SSL3_ST_SW_HELLO_REQ_B:
+ 
+             s->shutdown = 0;
+-            dtls1_clear_record_buffer(s);
++            dtls1_clear_sent_buffer(s);
+             dtls1_start_timer(s);
+             ret = ssl3_send_hello_request(s);
+             if (ret <= 0)
+@@ -894,6 +894,7 @@ int dtls1_accept(SSL *s)
+             /* next message is server hello */
+             s->d1->handshake_write_seq = 0;
+             s->d1->next_handshake_write_seq = 0;
++            dtls1_clear_received_buffer(s);
+             goto end;
+             /* break; */
+ 
+Index: openssl-1.0.2h/ssl/ssl_locl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl_locl.h
++++ openssl-1.0.2h/ssl/ssl_locl.h
+@@ -1242,7 +1242,8 @@ int dtls1_retransmit_message(SSL *s, uns
+                              unsigned long frag_off, int *found);
+ int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
+ int dtls1_retransmit_buffered_messages(SSL *s);
+-void dtls1_clear_record_buffer(SSL *s);
++void dtls1_clear_received_buffer(SSL *s);
++void dtls1_clear_sent_buffer(SSL *s);
+ void dtls1_get_message_header(unsigned char *data,
+                               struct hm_header_st *msg_hdr);
+ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);

meta/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch

@@ -0,0 +1,44 @@
+From b746aa3fe05b5b5f7126df247ac3eceeb995e2a0 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Thu, 21 Jul 2016 15:24:16 +0100
+Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
+
+TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
+as a null terminated buffer. The length value returned is the total
+length the complete text reprsentation would need not the amount of
+data written.
+
+CVE-2016-2180
+
+Thanks to Shi Lei for reporting this bug.
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
+
+Upstream-Status: Backport
+CVE: CVE-2016-2180
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/ts/ts_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
+index c51538a..e0f1063 100644
+--- a/crypto/ts/ts_lib.c
++++ b/crypto/ts/ts_lib.c
+@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
+ {
+     char obj_txt[128];
+ 
+-    int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+-    BIO_write(bio, obj_txt, len);
+-    BIO_write(bio, "\n", 1);
++    OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
++    BIO_printf(bio, "%s\n", obj_txt);
+ 
+     return 1;
+ }
+-- 
+2.7.4
+

meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch

@@ -0,0 +1,91 @@
+From 20744f6b40b5ded059a848f66d6ba922f2a62eb3 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Jul 2016 11:46:26 +0100
+Subject: [PATCH] Fix DTLS unprocessed records bug
+
+During a DTLS handshake we may get records destined for the next epoch
+arrive before we have processed the CCS. In that case we can't decrypt or
+verify the record yet, so we buffer it for later use. When we do receive
+the CCS we work through the queue of unprocessed records and process them.
+
+Unfortunately the act of processing wipes out any existing packet data
+that we were still working through. This includes any records from the new
+epoch that were in the same packet as the CCS. We should only process the
+buffered records if we've not got any data left.
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2180 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/d1_pkt.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
+index fe30ec7..1fb119d 100644
+--- a/ssl/d1_pkt.c
++++ b/ssl/d1_pkt.c
+@@ -319,6 +319,7 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
+ static int dtls1_process_buffered_records(SSL *s)
+ {
+     pitem *item;
++    SSL3_BUFFER *rb;
+ 
+     item = pqueue_peek(s->d1->unprocessed_rcds.q);
+     if (item) {
+@@ -326,6 +327,19 @@ static int dtls1_process_buffered_records(SSL *s)
+         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
+             return (1);         /* Nothing to do. */
+ 
++        rb = &s->s3->rbuf;
++
++        if (rb->left > 0) {
++            /*
++             * We've still got data from the current packet to read. There could
++             * be a record from the new epoch in it - so don't overwrite it
++             * with the unprocessed records yet (we'll do it when we've
++             * finished reading the current packet).
++             */
++            return 1;
++        }
++
++
+         /* Process all the records. */
+         while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
+             dtls1_get_unprocessed_record(s);
+@@ -581,6 +595,7 @@ int dtls1_get_record(SSL *s)
+ 
+     rr = &(s->s3->rrec);
+ 
++ again:
+     /*
+      * The epoch may have changed.  If so, process all the pending records.
+      * This is a non-blocking operation.
+@@ -593,7 +608,6 @@ int dtls1_get_record(SSL *s)
+         return 1;
+ 
+     /* get something from the wire */
+- again:
+     /* check if we have the header */
+     if ((s->rstate != SSL_ST_READ_BODY) ||
+         (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
+@@ -1830,8 +1844,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
+     if (rr->epoch == s->d1->r_epoch)
+         return &s->d1->bitmap;
+ 
+-    /* Only HM and ALERT messages can be from the next epoch */
++    /*
++     * Only HM and ALERT messages can be from the next epoch and only if we
++     * have already processed all of the unprocessed records from the last
++     * epoch
++     */
+     else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
++             s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
+              (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
+         *is_next_epoch = 1;
+         return &s->d1->next_bitmap;
+-- 
+2.7.4
+

meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch

@@ -0,0 +1,239 @@
+From 3884b47b7c255c2e94d9b387ee83c7e8bb981258 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Jul 2016 12:04:37 +0100
+Subject: [PATCH] Fix DTLS replay protection
+
+The DTLS implementation provides some protection against replay attacks
+in accordance with RFC6347 section 4.1.2.6.
+
+A sliding "window" of valid record sequence numbers is maintained with
+the "right" hand edge of the window set to the highest sequence number we
+have received so far. Records that arrive that are off the "left" hand
+edge of the window are rejected. Records within the window are checked
+against a list of records received so far. If we already received it then
+we also reject the new record.
+
+If we have not already received the record, or the sequence number is off
+the right hand edge of the window then we verify the MAC of the record.
+If MAC verification fails then we discard the record. Otherwise we mark
+the record as received. If the sequence number was off the right hand edge
+of the window, then we slide the window along so that the right hand edge
+is in line with the newly received sequence number.
+
+Records may arrive for future epochs, i.e. a record from after a CCS being
+sent, can arrive before the CCS does if the packets get re-ordered. As we
+have not yet received the CCS we are not yet in a position to decrypt or
+validate the MAC of those records. OpenSSL places those records on an
+unprocessed records queue. It additionally updates the window immediately,
+even though we have not yet verified the MAC. This will only occur if
+currently in a handshake/renegotiation.
+
+This could be exploited by an attacker by sending a record for the next
+epoch (which does not have to decrypt or have a valid MAC), with a very
+large sequence number. This means the right hand edge of the window is
+moved very far to the right, and all subsequent legitimate packets are
+dropped causing a denial of service.
+
+A similar effect can be achieved during the initial handshake. In this
+case there is no MAC key negotiated yet. Therefore an attacker can send a
+message for the current epoch with a very large sequence number. The code
+will process the record as normal. If the hanshake message sequence number
+(as opposed to the record sequence number that we have been talking about
+so far) is in the future then the injected message is bufferred to be
+handled later, but the window is still updated. Therefore all subsequent
+legitimate handshake records are dropped. This aspect is not considered a
+security issue because there are many ways for an attacker to disrupt the
+initial handshake and prevent it from completing successfully (e.g.
+injection of a handshake message will cause the Finished MAC to fail and
+the handshake to be aborted). This issue comes about as a result of trying
+to do replay protection, but having no integrity mechanism in place yet.
+Does it even make sense to have replay protection in epoch 0? That
+issue isn't addressed here though.
+
+This addressed an OCAP Audit issue.
+
+CVE-2016-2181
+
+Upstream-Status: Backport
+CVE: CVE-2016-2181 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+---
+ ssl/d1_pkt.c  | 60 +++++++++++++++++++++++++++++++++++++++++++++++------------
+ ssl/ssl.h     |  1 +
+ ssl/ssl_err.c |  4 +++-
+ 3 files changed, 52 insertions(+), 13 deletions(-)
+
+Index: openssl-1.0.2h/ssl/d1_pkt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_pkt.c
++++ openssl-1.0.2h/ssl/d1_pkt.c
+@@ -194,7 +194,7 @@ static int dtls1_record_needs_buffering(
+ #endif
+ static int dtls1_buffer_record(SSL *s, record_pqueue *q,
+                                unsigned char *priority);
+-static int dtls1_process_record(SSL *s);
++static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap);
+ 
+ /* copy buffered record into SSL structure */
+ static int dtls1_copy_record(SSL *s, pitem *item)
+@@ -320,13 +320,18 @@ static int dtls1_process_buffered_record
+ {
+     pitem *item;
+     SSL3_BUFFER *rb;
++    SSL3_RECORD *rr;
++    DTLS1_BITMAP *bitmap;
++    unsigned int is_next_epoch;
++    int replayok = 1;
+ 
+     item = pqueue_peek(s->d1->unprocessed_rcds.q);
+     if (item) {
+         /* Check if epoch is current. */
+         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
+-            return (1);         /* Nothing to do. */
++            return 1;         /* Nothing to do. */
+ 
++        rr = &s->s3->rrec;
+         rb = &s->s3->rbuf;
+ 
+         if (rb->left > 0) {
+@@ -343,11 +348,41 @@ static int dtls1_process_buffered_record
+         /* Process all the records. */
+         while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
+             dtls1_get_unprocessed_record(s);
+-            if (!dtls1_process_record(s))
+-                return (0);
++            bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
++            if (bitmap == NULL) {
++                /*
++                 * Should not happen. This will only ever be NULL when the
++                 * current record is from a different epoch. But that cannot
++                 * be the case because we already checked the epoch above
++                 */
++                 SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
++                        ERR_R_INTERNAL_ERROR);
++                 return 0;
++            }
++#ifndef OPENSSL_NO_SCTP
++            /* Only do replay check if no SCTP bio */
++            if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
++#endif
++            {
++                /*
++                 * Check whether this is a repeat, or aged record. We did this
++                 * check once already when we first received the record - but
++                 * we might have updated the window since then due to
++                 * records we subsequently processed.
++                 */
++                replayok = dtls1_record_replay_check(s, bitmap);
++            }
++
++            if (!replayok || !dtls1_process_record(s, bitmap)) {
++                /* dump this record */
++                rr->length = 0;
++                s->packet_length = 0;
++                continue;
++            }
++
+             if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
+                                     s->s3->rrec.seq_num) < 0)
+-                return -1;
++                return 0;
+         }
+     }
+ 
+@@ -358,7 +393,7 @@ static int dtls1_process_buffered_record
+     s->d1->processed_rcds.epoch = s->d1->r_epoch;
+     s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
+ 
+-    return (1);
++    return 1;
+ }
+ 
+ #if 0
+@@ -405,7 +440,7 @@ static int dtls1_get_buffered_record(SSL
+ 
+ #endif
+ 
+-static int dtls1_process_record(SSL *s)
++static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
+ {
+     int i, al;
+     int enc_err;
+@@ -565,6 +600,10 @@ static int dtls1_process_record(SSL *s)
+ 
+     /* we have pulled in a full packet so zero things */
+     s->packet_length = 0;
++
++    /* Mark receipt of record. */
++    dtls1_record_bitmap_update(s, bitmap);
++
+     return (1);
+ 
+  f_err:
+@@ -600,7 +639,7 @@ int dtls1_get_record(SSL *s)
+      * The epoch may have changed.  If so, process all the pending records.
+      * This is a non-blocking operation.
+      */
+-    if (dtls1_process_buffered_records(s) < 0)
++    if (!dtls1_process_buffered_records(s))
+         return -1;
+ 
+     /* if we're renegotiating, then there may be buffered records */
+@@ -735,20 +774,17 @@ int dtls1_get_record(SSL *s)
+             if (dtls1_buffer_record
+                 (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0)
+                 return -1;
+-            /* Mark receipt of record. */
+-            dtls1_record_bitmap_update(s, bitmap);
+         }
+         rr->length = 0;
+         s->packet_length = 0;
+         goto again;
+     }
+ 
+-    if (!dtls1_process_record(s)) {
++    if (!dtls1_process_record(s, bitmap)) {
+         rr->length = 0;
+         s->packet_length = 0;   /* dump this record */
+         goto again;             /* get another record */
+     }
+-    dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
+ 
+     return (1);
+ 
+Index: openssl-1.0.2h/ssl/ssl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl.h
++++ openssl-1.0.2h/ssl/ssl.h
+@@ -2623,6 +2623,7 @@ void ERR_load_SSL_strings(void);
+ # define SSL_F_DTLS1_HEARTBEAT                            305
+ # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN                    255
+ # define SSL_F_DTLS1_PREPROCESS_FRAGMENT                  288
++# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS             404
+ # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE           256
+ # define SSL_F_DTLS1_PROCESS_RECORD                       257
+ # define SSL_F_DTLS1_READ_BYTES                           258
+Index: openssl-1.0.2h/ssl/ssl_err.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl_err.c
++++ openssl-1.0.2h/ssl/ssl_err.c
+@@ -1,6 +1,6 @@
+ /* ssl/ssl_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
++ * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -93,6 +93,8 @@ static ERR_STRING_DATA SSL_str_functs[]
+     {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"},
+     {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "dtls1_output_cert_chain"},
+     {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
++    {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS),
++     "DTLS1_PROCESS_BUFFERED_RECORDS"},
+     {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),
+      "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
+     {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},

meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch

@@ -0,0 +1,30 @@
+From 26aebca74e38ae09f673c2045cc8e2ef762d265a Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 17 Aug 2016 17:55:36 +0100
+Subject: [PATCH] Update function error code
+
+A function error code needed updating due to merge issues.
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2181 patch 3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/ssl.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.2h/ssl/ssl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl.h
++++ openssl-1.0.2h/ssl/ssl.h
+@@ -2623,7 +2623,7 @@ void ERR_load_SSL_strings(void);
+ # define SSL_F_DTLS1_HEARTBEAT                            305
+ # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN                    255
+ # define SSL_F_DTLS1_PREPROCESS_FRAGMENT                  288
+-# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS             404
++# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS             424
+ # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE           256
+ # define SSL_F_DTLS1_PROCESS_RECORD                       257
+ # define SSL_F_DTLS1_READ_BYTES                           258

meta/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch

@@ -0,0 +1,70 @@
+From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Fri, 5 Aug 2016 14:26:03 +0100
+Subject: [PATCH] Check for errors in BN_bn2dec()
+
+If an oversize BIGNUM is presented to BN_bn2dec() it can cause
+BN_div_word() to fail and not reduce the value of 't' resulting
+in OOB writes to the bn_data buffer and eventually crashing.
+
+Fix by checking return value of BN_div_word() and checking writes
+don't overflow buffer.
+
+Thanks to Shi Lei for reporting this bug.
+
+CVE-2016-2182
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
+
+Conflicts:
+	crypto/bn/bn_print.c
+
+Upstream-Status: Backport
+CVE: CVE-2016-2182
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/bn/bn_print.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
+index bfa31ef..b44403e 100644
+--- a/crypto/bn/bn_print.c
++++ b/crypto/bn/bn_print.c
+@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
+     char *p;
+     BIGNUM *t = NULL;
+     BN_ULONG *bn_data = NULL, *lp;
++    int bn_data_num;
+ 
+     /*-
+      * get an upper bound for the length of the decimal integer
+@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
+      */
+     i = BN_num_bits(a) * 3;
+     num = (i / 10 + i / 1000 + 1) + 1;
+-    bn_data =
+-        (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+-    buf = (char *)OPENSSL_malloc(num + 3);
++    bn_data_num = num / BN_DEC_NUM + 1;
++    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
++    buf = OPENSSL_malloc(num + 3);
+     if ((buf == NULL) || (bn_data == NULL)) {
+         BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
+         goto err;
+@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
+         i = 0;
+         while (!BN_is_zero(t)) {
+             *lp = BN_div_word(t, BN_DEC_CONV);
++            if (*lp == (BN_ULONG)-1)
++                goto err;
+             lp++;
++            if (lp - bn_data >= bn_data_num)
++                goto err;
+         }
+         lp--;
+         /*
+-- 
+2.7.4
+

meta/recipes-connectivity/openssl/openssl/CVE-2016-6302.patch

@@ -0,0 +1,53 @@
+From baaabfd8fdcec04a691695fad9a664bea43202b6 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Tue, 23 Aug 2016 18:14:54 +0100
+Subject: [PATCH] Sanity check ticket length.
+
+If a ticket callback changes the HMAC digest to SHA512 the existing
+sanity checks are not sufficient and an attacker could perform a DoS
+attack with a malformed ticket. Add additional checks based on
+HMAC size.
+
+Thanks to Shi Lei for reporting this bug.
+
+CVE-2016-6302
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-6302
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/t1_lib.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.2h/ssl/t1_lib.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/t1_lib.c
++++ openssl-1.0.2h/ssl/t1_lib.c
+@@ -3397,9 +3397,7 @@ static int tls_decrypt_ticket(SSL *s, co
+     HMAC_CTX hctx;
+     EVP_CIPHER_CTX ctx;
+     SSL_CTX *tctx = s->initial_ctx;
+-    /* Need at least keyname + iv + some encrypted data */
+-    if (eticklen < 48)
+-        return 2;
++
+     /* Initialize session ticket encryption and HMAC contexts */
+     HMAC_CTX_init(&hctx);
+     EVP_CIPHER_CTX_init(&ctx);
+@@ -3433,6 +3431,13 @@ static int tls_decrypt_ticket(SSL *s, co
+     if (mlen < 0) {
+         goto err;
+     }
++    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
++    if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
++        HMAC_CTX_cleanup(&hctx);
++        EVP_CIPHER_CTX_cleanup(&ctx);
++        return 2;
++    }
++
+     eticklen -= mlen;
+     /* Check HMAC of encrypted ticket */
+     if (HMAC_Update(&hctx, etick, eticklen) <= 0

meta/recipes-connectivity/openssl/openssl/CVE-2016-6303.patch

@@ -0,0 +1,36 @@
+From 1027ad4f34c30b8585592764b9a670ba36888269 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Fri, 19 Aug 2016 23:28:29 +0100
+Subject: [PATCH] Avoid overflow in MDC2_Update()
+
+Thanks to Shi Lei for reporting this issue.
+
+CVE-2016-6303
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)
+
+Upstream-Status: Backport
+CVE: CVE-2016-6303
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/mdc2/mdc2dgst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
+index 6615cf8..2dce493 100644
+--- a/crypto/mdc2/mdc2dgst.c
++++ b/crypto/mdc2/mdc2dgst.c
+@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len)
+ 
+     i = c->num;
+     if (i != 0) {
+-        if (i + len < MDC2_BLOCK) {
++        if (len < MDC2_BLOCK - i) {
+             /* partial block */
+             memcpy(&(c->data[i]), in, len);
+             c->num += (int)len;
+-- 
+2.7.4
+

meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch

@@ -0,0 +1,75 @@
+From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 9 Sep 2016 10:08:45 +0100
+Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth
+
+A malicious client can send an excessively large OCSP Status Request
+extension. If that client continually requests renegotiation,
+sending a large OCSP Status Request extension each time, then there will
+be unbounded memory growth on the server. This will eventually lead to a
+Denial Of Service attack through memory exhaustion. Servers with a
+default configuration are vulnerable even if they do not support OCSP.
+Builds using the "no-ocsp" build time option are not affected.
+
+I have also checked other extensions to see if they suffer from a similar
+problem but I could not find any other issues.
+
+CVE-2016-6304
+
+Issue reported by Shi Lei.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-6304
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/t1_lib.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index fbcf2e6..e4b4e27 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+                 size -= 2;
+                 if (dsize > size)
+                     goto err;
++
++                /*
++                 * We remove any OCSP_RESPIDs from a previous handshake
++                 * to prevent unbounded memory growth - CVE-2016-6304
++                 */
++                sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
++                                        OCSP_RESPID_free);
++                if (dsize > 0) {
++                    s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
++                    if (s->tlsext_ocsp_ids == NULL) {
++                        *al = SSL_AD_INTERNAL_ERROR;
++                        return 0;
++                    }
++                } else {
++                    s->tlsext_ocsp_ids = NULL;
++                }
++
+                 while (dsize > 0) {
+                     OCSP_RESPID *id;
+                     int idsize;
+@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+                         OCSP_RESPID_free(id);
+                         goto err;
+                     }
+-                    if (!s->tlsext_ocsp_ids
+-                        && !(s->tlsext_ocsp_ids =
+-                             sk_OCSP_RESPID_new_null())) {
+-                        OCSP_RESPID_free(id);
+-                        *al = SSL_AD_INTERNAL_ERROR;
+-                        return 0;
+-                    }
+                     if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
+                         OCSP_RESPID_free(id);
+                         *al = SSL_AD_INTERNAL_ERROR;
+-- 
+2.7.4
+

meta/recipes-connectivity/openssl/openssl/CVE-2016-6306.patch

@@ -0,0 +1,71 @@
+From ff553f837172ecb2b5c8eca257ec3c5619a4b299 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Sat, 17 Sep 2016 12:36:58 +0100
+Subject: [PATCH] Fix small OOB reads.
+
+In ssl3_get_client_certificate, ssl3_get_server_certificate and
+ssl3_get_certificate_request check we have enough room
+before reading a length.
+
+Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
+
+CVE-2016-6306
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-6306
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/s3_clnt.c | 11 +++++++++++
+ ssl/s3_srvr.c |  6 ++++++
+ 2 files changed, 17 insertions(+)
+
+Index: openssl-1.0.2h/ssl/s3_clnt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/s3_clnt.c
++++ openssl-1.0.2h/ssl/s3_clnt.c
+@@ -1216,6 +1216,12 @@ int ssl3_get_server_certificate(SSL *s)
+         goto f_err;
+     }
+     for (nc = 0; nc < llen;) {
++        if (nc + 3 > llen) {
++            al = SSL_AD_DECODE_ERROR;
++            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
++                   SSL_R_CERT_LENGTH_MISMATCH);
++            goto f_err;
++        }
+         n2l3(p, l);
+         if ((l + nc + 3) > llen) {
+             al = SSL_AD_DECODE_ERROR;
+@@ -2167,6 +2173,11 @@ int ssl3_get_certificate_request(SSL *s)
+     }
+ 
+     for (nc = 0; nc < llen;) {
++        if (nc + 2 > llen) {
++            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
++            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
++            goto err;
++        }
+         n2s(p, l);
+         if ((l + nc + 2) > llen) {
+             if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
+Index: openssl-1.0.2h/ssl/s3_srvr.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/s3_srvr.c
++++ openssl-1.0.2h/ssl/s3_srvr.c
+@@ -3213,6 +3213,12 @@ int ssl3_get_client_certificate(SSL *s)
+         goto f_err;
+     }
+     for (nc = 0; nc < llen;) {
++        if (nc + 3 > llen) {
++            al = SSL_AD_DECODE_ERROR;
++            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
++                   SSL_R_CERT_LENGTH_MISMATCH);
++            goto f_err;
++        }
+         n2l3(p, l);
+         if ((l + nc + 3) > llen) {
+             al = SSL_AD_DECODE_ERROR;

meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch

@@ -0,0 +1,124 @@
+From 22646a075e75991b4e8f5d67171e45a6aead5b48 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 21 Sep 2016 14:48:16 +0100
+Subject: [PATCH] Don't allow too many consecutive warning alerts
+
+Certain warning alerts are ignored if they are received. This can mean that
+no progress will be made if one peer continually sends those warning alerts.
+Implement a count so that we abort the connection if we receive too many.
+
+Issue reported by Shi Lei.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-8610
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/d1_pkt.c   | 15 +++++++++++++++
+ ssl/s3_pkt.c   | 15 +++++++++++++++
+ ssl/ssl.h      |  1 +
+ ssl/ssl_locl.h |  4 ++++
+ 4 files changed, 35 insertions(+)
+
+Index: openssl-1.0.2h/ssl/d1_pkt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_pkt.c
++++ openssl-1.0.2h/ssl/d1_pkt.c
+@@ -928,6 +928,13 @@ int dtls1_read_bytes(SSL *s, int type, u
+         goto start;
+     }
+ 
++    /*
++     * Reset the count of consecutive warning alerts if we've got a non-empty
++     * record that isn't an alert.
++     */
++    if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++        s->cert->alert_count = 0;
++
+     /* we now have a packet which can be read and processed */
+ 
+     if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1194,6 +1201,14 @@ int dtls1_read_bytes(SSL *s, int type, u
+ 
+         if (alert_level == SSL3_AL_WARNING) {
+             s->s3->warn_alert = alert_descr;
++
++            s->cert->alert_count++;
++            if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
++                al = SSL_AD_UNEXPECTED_MESSAGE;
++                SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++                goto f_err;
++            }
++
+             if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+                 /*
+Index: openssl-1.0.2h/ssl/s3_pkt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/s3_pkt.c
++++ openssl-1.0.2h/ssl/s3_pkt.c
+@@ -1229,6 +1229,13 @@ int ssl3_read_bytes(SSL *s, int type, un
+             return (ret);
+     }
+ 
++    /*
++     * Reset the count of consecutive warning alerts if we've got a non-empty
++     * record that isn't an alert.
++     */
++    if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++        s->cert->alert_count = 0;
++
+     /* we now have a packet which can be read and processed */
+ 
+     if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1443,6 +1450,14 @@ int ssl3_read_bytes(SSL *s, int type, un
+ 
+         if (alert_level == SSL3_AL_WARNING) {
+             s->s3->warn_alert = alert_descr;
++
++            s->cert->alert_count++;
++            if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
++                al = SSL_AD_UNEXPECTED_MESSAGE;
++                SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++                goto f_err;
++            }
++
+             if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+                 return (0);
+Index: openssl-1.0.2h/ssl/ssl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl.h
++++ openssl-1.0.2h/ssl/ssl.h
+@@ -3115,6 +3115,7 @@ void ERR_load_SSL_strings(void);
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST             157
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG    234
++# define SSL_R_TOO_MANY_WARN_ALERTS                       409
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER            235
+ # define SSL_R_UNABLE_TO_DECODE_DH_CERTS                  236
+ # define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS                313
+Index: openssl-1.0.2h/ssl/ssl_locl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl_locl.h
++++ openssl-1.0.2h/ssl/ssl_locl.h
+@@ -585,6 +585,8 @@ typedef struct {
+  */
+ # define SSL_EXT_FLAG_SENT       0x2
+ 
++# define MAX_WARN_ALERT_COUNT    5
++
+ typedef struct {
+     custom_ext_method *meths;
+     size_t meths_count;
+@@ -692,6 +694,8 @@ typedef struct cert_st {
+     unsigned char *alpn_proposed;   /* server */
+     unsigned int alpn_proposed_len;
+     int alpn_sent;                  /* client */
++    /* Count of the number of consecutive warning alerts received */
++    unsigned int alert_count;
+ } CERT;
+ 
+ typedef struct sess_cert_st {

meta/recipes-connectivity/openssl/openssl/parallel.patch

@@ -0,0 +1,326 @@
+Fix the parallel races in the Makefiles.
+
+This patch was taken from the Gentoo packaging:
+https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+--- openssl-1.0.2g/crypto/Makefile
++++ openssl-1.0.2g/crypto/Makefile
+@@ -85,11 +85,11 @@
+ 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+ 
+ subdirs:
+-	@target=all; $(RECURSIVE_MAKE)
++	+@target=all; $(RECURSIVE_MAKE)
+ 
+ files:
+ 	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
+-	@target=files; $(RECURSIVE_MAKE)
++	+@target=files; $(RECURSIVE_MAKE)
+ 
+ links:
+ 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+@@ -100,7 +100,7 @@
+ # lib: $(LIB): are splitted to avoid end-less loop
+ lib:	$(LIB)
+ 	@touch lib
+-$(LIB):	$(LIBOBJ)
++$(LIB):	$(LIBOBJ) | subdirs
+ 	$(AR) $(LIB) $(LIBOBJ)
+ 	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+ 	$(RANLIB) $(LIB) || echo Never mind.
+@@ -111,7 +111,7 @@
+ 	fi
+ 
+ libs:
+-	@target=lib; $(RECURSIVE_MAKE)
++	+@target=lib; $(RECURSIVE_MAKE)
+ 
+ install:
+ 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+@@ -120,7 +120,7 @@
+ 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ 	done;
+-	@target=install; $(RECURSIVE_MAKE)
++	+@target=install; $(RECURSIVE_MAKE)
+ 
+ lint:
+ 	@target=lint; $(RECURSIVE_MAKE)
+--- openssl-1.0.2g/engines/Makefile
++++ openssl-1.0.2g/engines/Makefile
+@@ -72,7 +72,7 @@
+ 
+ all:	lib subdirs
+ 
+-lib:	$(LIBOBJ)
++lib:	$(LIBOBJ) | subdirs
+ 	@if [ -n "$(SHARED_LIBS)" ]; then \
+ 		set -e; \
+ 		for l in $(LIBNAMES); do \
+@@ -89,7 +89,7 @@
+ 
+ subdirs:
+ 	echo $(EDIRS)
+-	@target=all; $(RECURSIVE_MAKE)
++	+@target=all; $(RECURSIVE_MAKE)
+ 
+ files:
+ 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+@@ -128,7 +128,7 @@
+ 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ 		done; \
+ 	fi
+-	@target=install; $(RECURSIVE_MAKE)
++	+@target=install; $(RECURSIVE_MAKE)
+ 
+ tags:
+ 	ctags $(SRC)
+--- openssl-1.0.2g/Makefile.org
++++ openssl-1.0.2g/Makefile.org
+@@ -279,17 +279,17 @@
+ build_libssl: build_ssl libssl.pc
+ 
+ build_crypto:
+-	@dir=crypto; target=all; $(BUILD_ONE_CMD)
++	+@dir=crypto; target=all; $(BUILD_ONE_CMD)
+ build_ssl: build_crypto
+-	@dir=ssl; target=all; $(BUILD_ONE_CMD)
++	+@dir=ssl; target=all; $(BUILD_ONE_CMD)
+ build_engines: build_crypto
+-	@dir=engines; target=all; $(BUILD_ONE_CMD)
++	+@dir=engines; target=all; $(BUILD_ONE_CMD)
+ build_apps: build_libs
+-	@dir=apps; target=all; $(BUILD_ONE_CMD)
++	+@dir=apps; target=all; $(BUILD_ONE_CMD)
+ build_tests: build_libs
+-	@dir=test; target=all; $(BUILD_ONE_CMD)
++	+@dir=test; target=all; $(BUILD_ONE_CMD)
+ build_tools: build_libs
+-	@dir=tools; target=all; $(BUILD_ONE_CMD)
++	+@dir=tools; target=all; $(BUILD_ONE_CMD)
+ 
+ all_testapps: build_libs build_testapps
+ build_testapps:
+@@ -544,7 +544,7 @@
+ 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ 	done;
+-	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
++	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+ 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
+ 	do \
+ 		if [ -f "$$i" ]; then \
+--- openssl-1.0.2g/Makefile.shared
++++ openssl-1.0.2g/Makefile.shared
+@@ -105,6 +105,7 @@
+     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
+     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
+     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
++    [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
+     LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+     $${SHAREDCMD} $${SHAREDFLAGS} \
+ 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+@@ -122,6 +123,7 @@
+ 			done; \
+ 		fi; \
+ 		if [ -n "$$SHLIB_SOVER" ]; then \
++			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
+ 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
+ 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
+ 		fi; \
+--- openssl-1.0.2g/test/Makefile
++++ openssl-1.0.2g/test/Makefile
+@@ -139,7 +139,7 @@
+ tags:
+ 	ctags $(SRC)
+ 
+-tests:	exe apps $(TESTS)
++tests:	exe $(TESTS)
+ 
+ apps:
+ 	@(cd ..; $(MAKE) DIRS=apps all)
+@@ -421,130 +421,130 @@
+ 		link_app.$${shlib_target}
+ 
+ $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
+-	@target=$(RSATEST); $(BUILD_CMD)
++	+@target=$(RSATEST); $(BUILD_CMD)
+ 
+ $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
+-	@target=$(BNTEST); $(BUILD_CMD)
++	+@target=$(BNTEST); $(BUILD_CMD)
+ 
+ $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
+-	@target=$(ECTEST); $(BUILD_CMD)
++	+@target=$(ECTEST); $(BUILD_CMD)
+ 
+ $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
+-	@target=$(EXPTEST); $(BUILD_CMD)
++	+@target=$(EXPTEST); $(BUILD_CMD)
+ 
+ $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
+-	@target=$(IDEATEST); $(BUILD_CMD)
++	+@target=$(IDEATEST); $(BUILD_CMD)
+ 
+ $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
+-	@target=$(MD2TEST); $(BUILD_CMD)
++	+@target=$(MD2TEST); $(BUILD_CMD)
+ 
+ $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
+-	@target=$(SHATEST); $(BUILD_CMD)
++	+@target=$(SHATEST); $(BUILD_CMD)
+ 
+ $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
+-	@target=$(SHA1TEST); $(BUILD_CMD)
++	+@target=$(SHA1TEST); $(BUILD_CMD)
+ 
+ $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
+-	@target=$(SHA256TEST); $(BUILD_CMD)
++	+@target=$(SHA256TEST); $(BUILD_CMD)
+ 
+ $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
+-	@target=$(SHA512TEST); $(BUILD_CMD)
++	+@target=$(SHA512TEST); $(BUILD_CMD)
+ 
+ $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
+-	@target=$(RMDTEST); $(BUILD_CMD)
++	+@target=$(RMDTEST); $(BUILD_CMD)
+ 
+ $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
+-	@target=$(MDC2TEST); $(BUILD_CMD)
++	+@target=$(MDC2TEST); $(BUILD_CMD)
+ 
+ $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
+-	@target=$(MD4TEST); $(BUILD_CMD)
++	+@target=$(MD4TEST); $(BUILD_CMD)
+ 
+ $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
+-	@target=$(MD5TEST); $(BUILD_CMD)
++	+@target=$(MD5TEST); $(BUILD_CMD)
+ 
+ $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
+-	@target=$(HMACTEST); $(BUILD_CMD)
++	+@target=$(HMACTEST); $(BUILD_CMD)
+ 
+ $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
+-	@target=$(WPTEST); $(BUILD_CMD)
++	+@target=$(WPTEST); $(BUILD_CMD)
+ 
+ $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
+-	@target=$(RC2TEST); $(BUILD_CMD)
++	+@target=$(RC2TEST); $(BUILD_CMD)
+ 
+ $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
+-	@target=$(BFTEST); $(BUILD_CMD)
++	+@target=$(BFTEST); $(BUILD_CMD)
+ 
+ $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
+-	@target=$(CASTTEST); $(BUILD_CMD)
++	+@target=$(CASTTEST); $(BUILD_CMD)
+ 
+ $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
+-	@target=$(RC4TEST); $(BUILD_CMD)
++	+@target=$(RC4TEST); $(BUILD_CMD)
+ 
+ $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
+-	@target=$(RC5TEST); $(BUILD_CMD)
++	+@target=$(RC5TEST); $(BUILD_CMD)
+ 
+ $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
+-	@target=$(DESTEST); $(BUILD_CMD)
++	+@target=$(DESTEST); $(BUILD_CMD)
+ 
+ $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
+-	@target=$(RANDTEST); $(BUILD_CMD)
++	+@target=$(RANDTEST); $(BUILD_CMD)
+ 
+ $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
+-	@target=$(DHTEST); $(BUILD_CMD)
++	+@target=$(DHTEST); $(BUILD_CMD)
+ 
+ $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
+-	@target=$(DSATEST); $(BUILD_CMD)
++	+@target=$(DSATEST); $(BUILD_CMD)
+ 
+ $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
+-	@target=$(METHTEST); $(BUILD_CMD)
++	+@target=$(METHTEST); $(BUILD_CMD)
+ 
+ $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
+-	@target=$(SSLTEST); $(FIPS_BUILD_CMD)
++	+@target=$(SSLTEST); $(FIPS_BUILD_CMD)
+ 
+ $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
+-	@target=$(ENGINETEST); $(BUILD_CMD)
++	+@target=$(ENGINETEST); $(BUILD_CMD)
+ 
+ $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
+-	@target=$(EVPTEST); $(BUILD_CMD)
++	+@target=$(EVPTEST); $(BUILD_CMD)
+ 
+ $(EVPEXTRATEST)$(EXE_EXT): $(EVPEXTRATEST).o $(DLIBCRYPTO)
+-	@target=$(EVPEXTRATEST); $(BUILD_CMD)
++	+@target=$(EVPEXTRATEST); $(BUILD_CMD)
+ 
+ $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
+-	@target=$(ECDSATEST); $(BUILD_CMD)
++	+@target=$(ECDSATEST); $(BUILD_CMD)
+ 
+ $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
+-	@target=$(ECDHTEST); $(BUILD_CMD)
++	+@target=$(ECDHTEST); $(BUILD_CMD)
+ 
+ $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
+-	@target=$(IGETEST); $(BUILD_CMD)
++	+@target=$(IGETEST); $(BUILD_CMD)
+ 
+ $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
+-	@target=$(JPAKETEST); $(BUILD_CMD)
++	+@target=$(JPAKETEST); $(BUILD_CMD)
+ 
+ $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
+-	@target=$(ASN1TEST); $(BUILD_CMD)
++	+@target=$(ASN1TEST); $(BUILD_CMD)
+ 
+ $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
+-	@target=$(SRPTEST); $(BUILD_CMD)
++	+@target=$(SRPTEST); $(BUILD_CMD)
+ 
+ $(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
+-	@target=$(V3NAMETEST); $(BUILD_CMD)
++	+@target=$(V3NAMETEST); $(BUILD_CMD)
+ 
+ $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO)
+-	@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
++	+@target=$(HEARTBEATTEST); $(BUILD_CMD_STATIC)
+ 
+ $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
+-	@target=$(CONSTTIMETEST) $(BUILD_CMD)
++	+@target=$(CONSTTIMETEST) $(BUILD_CMD)
+ 
+ $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o
+-	@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
++	+@target=$(VERIFYEXTRATEST) $(BUILD_CMD)
+ 
+ $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
+-	@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
++	+@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
+ 
+ $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
+-	@target=$(SSLV2CONFTEST) $(BUILD_CMD)
++	+@target=$(SSLV2CONFTEST) $(BUILD_CMD)
+ 
+ #$(AESTEST).o: $(AESTEST).c
+ #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
+@@ -557,7 +557,7 @@
+ #	fi
+ 
+ dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
+-	@target=dummytest; $(BUILD_CMD)
++	+@target=dummytest; $(BUILD_CMD)
+ 
+ # DO NOT DELETE THIS LINE -- make depend depends on it.
+ 

meta/recipes-connectivity/openssl/openssl_1.0.2h.bb

@@ -37,6 +37,20 @@ SRC_URI += "file://configure-targets.patch \
             file://crypto_use_bigint_in_x86-64_perl.patch \
             file://openssl-1.0.2a-x32-asm.patch \
             file://ptest_makefile_deps.patch  \
+            file://parallel.patch \
+            file://CVE-2016-2177.patch \
+            file://CVE-2016-2178.patch \
+            file://CVE-2016-2180.patch \
+            file://CVE-2016-2181_p1.patch \
+            file://CVE-2016-2181_p2.patch \
+            file://CVE-2016-2181_p3.patch \
+            file://CVE-2016-2182.patch \
+            file://CVE-2016-6302.patch \
+            file://CVE-2016-6303.patch \
+            file://CVE-2016-6304.patch \
+            file://CVE-2016-6306.patch \
+            file://CVE-2016-2179.patch \
+            file://CVE-2016-8610.patch \
            "
 
 SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch

@@ -0,0 +1,943 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 859e243137203d2389e20103a9947cf76082022e Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 13 Oct 2017 09:37:06 +0800
+Subject: [PATCH 1/7] hostapd: Avoid key reinstallation in FT handshake
+
+Do not reinstall TK to the driver during Reassociation Response frame
+processing if the first attempt of setting the TK succeeded. This avoids
+issues related to clearing the TX/RX PN that could result in reusing
+same PN values for transmitted frames (e.g., due to CCM nonce reuse and
+also hitting replay protection on the receiver) and accepting replayed
+frames on RX side.
+
+This issue was introduced by the commit
+0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
+authenticator') which allowed wpa_ft_install_ptk() to be called multiple
+times with the same PTK. While the second configuration attempt is
+needed with some drivers, it must be done only if the first attempt
+failed.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+
+Upstream-Status: Backport
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/ap/wpa_auth.c    | 11 ++++++++++-
+ src/ap/wpa_auth.h    |  3 ++-
+ src/ap/wpa_auth_ft.c | 10 ++++++++++
+ src/ap/wpa_auth_i.h  |  1 +
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 9c5f609..0ebbdb5 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1715,6 +1715,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
+ #else /* CONFIG_IEEE80211R */
+ 		break;
+ #endif /* CONFIG_IEEE80211R */
++	case WPA_DRV_STA_REMOVED:
++		sm->tk_already_set = FALSE;
++		return 0;
+ 	}
+ 
+ #ifdef CONFIG_IEEE80211R
+@@ -3168,7 +3171,13 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
+ 	return sm->wpa;
+ }
+ 
+-
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
++{
++	if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
++		return 0;
++	return sm->tk_already_set;
++}
++ 
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry)
+ {
+diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
+index 2788e65..8dee180 100644
+--- a/src/ap/wpa_auth.h
++++ b/src/ap/wpa_auth.h
+@@ -253,7 +253,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
+ 		 u8 *data, size_t data_len);
+ typedef enum {
+ 	WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
+-	WPA_REAUTH_EAPOL, WPA_ASSOC_FT
++	WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
+ } wpa_event;
+ void wpa_remove_ptk(struct wpa_state_machine *sm);
+ int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event);
+@@ -266,6 +266,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
+ int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
+ int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
+ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry);
+ struct rsn_pmksa_cache_entry *
+diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
+index ef3249a..17e6039 100644
+--- a/src/ap/wpa_auth_ft.c
++++ b/src/ap/wpa_auth_ft.c
+@@ -779,6 +779,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+ 		return;
+ 	}
+ 
++	if (sm->tk_already_set) {
++		/* Must avoid TK reconfiguration to prevent clearing of TX/RX
++		 * PN in the driver */
++		wpa_printf(MSG_DEBUG,
++			   "FT: Do not re-install same PTK to the driver");
++		return;
++	}
++
+ 	/* FIX: add STA entry to kernel/driver here? The set_key will fail
+ 	 * most likely without this.. At the moment, STA entry is added only
+ 	 * after association has been completed. This function will be called
+@@ -791,6 +799,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+ 
+ 	/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
+ 	sm->pairwise_set = TRUE;
++	sm->tk_already_set = TRUE;
+ }
+ 
+ 
+@@ -897,6 +906,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
+ 
+ 	sm->pairwise = pairwise;
+ 	sm->PTK_valid = TRUE;
++	sm->tk_already_set = FALSE;
+ 	wpa_ft_install_ptk(sm);
+ 
+ 	buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
+index 7b2cd3e..0f3d504 100644
+--- a/src/ap/wpa_auth_i.h
++++ b/src/ap/wpa_auth_i.h
+@@ -64,6 +64,7 @@ struct wpa_state_machine {
+ 	struct wpa_ptk PTK;
+ 	Boolean PTK_valid;
+ 	Boolean pairwise_set;
++	Boolean tk_already_set;
+ 	int keycount;
+ 	Boolean Pair;
+ 	struct wpa_key_replay_counter {
+-- 
+1.9.1
+
+From 0779537c11d18045d0f09ce3dd7f535bdb245de3 Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 13 Oct 2017 10:00:48 +0800
+Subject: [PATCH 2/7] Prevent reinstallation of an already in-use group key
+
+Track the current GTK and IGTK that is in use and when receiving a
+(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
+not install the given key if it is already in use. This prevents an
+attacker from trying to trick the client into resetting or lowering the
+sequence counter associated to the group key.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+
+Upstream-Status: Backport
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/common/wpa_common.h |  11 +++++
+ src/rsn_supp/wpa.c      | 118 +++++++++++++++++++++++++++++-------------------
+ src/rsn_supp/wpa_i.h    |   4 ++
+ 3 files changed, 87 insertions(+), 46 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index 091e317..66f9977 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -224,6 +224,17 @@ struct wpa_ptk {
+ 	size_t tk_len;
+ };
+ 
++struct wpa_gtk {
++	u8 gtk[WPA_GTK_MAX_LEN];
++	size_t gtk_len;
++};
++
++#ifdef CONFIG_IEEE80211W
++struct wpa_igtk {
++	u8 igtk[WPA_IGTK_MAX_LEN];
++	size_t igtk_len;
++};
++#endif /* CONFIG_IEEE80211W */
+ 
+ /* WPA IE version 1
+  * 00-50-f2:1 (OUI:OUI type)
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 8adeef4..2c4d9a4 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -686,6 +686,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
++	/* Detect possible key reinstallation */
++	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
++			gd->keyidx, gd->tx, gd->gtk_len);
++		return 0;
++	}
++
+ 	wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
+ 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 		"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
+@@ -720,6 +729,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
++	sm->gtk.gtk_len = gd->gtk_len;
++	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++
+ 	return 0;
+ }
+ 
+@@ -790,6 +802,46 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ 	return 0;
+ }
+ 
++#ifdef CONFIG_IEEE80211W
++static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
++				       const struct wpa_igtk_kde *igtk)
++{
++	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
++	u16 keyidx = WPA_GET_LE16(igtk->keyid);
++
++	/* Detect possible key reinstallation */
++	if (sm->igtk.igtk_len == len &&
++	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
++			keyidx);
++		return  0;
++	}
++
++	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++		"WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
++		keyidx, MAC2STR(igtk->pn));
++	wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
++	if (keyidx > 4095) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Invalid IGTK KeyID %d", keyidx);
++		return -1;
++	}
++	if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
++			   broadcast_ether_addr,
++			   keyidx, 0, igtk->pn, sizeof(igtk->pn),
++			   igtk->igtk, len) < 0) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Failed to configure IGTK to the driver");
++		return -1;
++	}
++
++	sm->igtk.igtk_len = len;
++	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++
++	return 0;
++}
++#endif /* CONFIG_IEEE80211W */
+ 
+ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 			       struct wpa_eapol_ie_parse *ie)
+@@ -801,30 +853,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 	if (ie->igtk) {
+ 		size_t len;
+ 		const struct wpa_igtk_kde *igtk;
+-		u16 keyidx;
++
+ 		len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 		if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
+ 			return -1;
++
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		keyidx = WPA_GET_LE16(igtk->keyid);
+-		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
+-			"pn %02x%02x%02x%02x%02x%02x",
+-			keyidx, MAC2STR(igtk->pn));
+-		wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
+-				igtk->igtk, len);
+-		if (keyidx > 4095) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Invalid IGTK KeyID %d", keyidx);
+-			return -1;
+-		}
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igtk->pn, sizeof(igtk->pn),
+-				   igtk->igtk, len) < 0) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Failed to configure IGTK to the driver");
+-			return -1;
+-		}
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++ 			return -1;
+ 	}
+ 
+ 	return 0;
+@@ -2228,7 +2264,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
+  */
+ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ {
+-	int clear_ptk = 1;
++	int clear_keys = 1;
+ 
+ 	if (sm == NULL)
+ 		return;
+@@ -2254,11 +2290,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		/* Prepare for the next transition */
+ 		wpa_ft_prepare_auth_request(sm, NULL);
+ 
+-		clear_ptk = 0;
++		clear_keys = 0;
+ 	}
+ #endif /* CONFIG_IEEE80211R */
+ 
+-	if (clear_ptk) {
++	if (clear_keys) {
+ 		/*
+ 		 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
+ 		 * this is not part of a Fast BSS Transition.
+@@ -2268,6 +2304,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+ #ifdef CONFIG_TDLS
+@@ -2784,6 +2824,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(sm->pmk, 0, sizeof(sm->pmk));
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+ 	os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
+@@ -2856,29 +2900,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 		os_memset(&gd, 0, sizeof(gd));
+ #ifdef CONFIG_IEEE80211W
+ 	} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
+-		struct wpa_igtk_kde igd;
+-		u16 keyidx;
+-
+-		os_memset(&igd, 0, sizeof(igd));
+-		keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
+-		os_memcpy(igd.keyid, buf + 2, 2);
+-		os_memcpy(igd.pn, buf + 4, 6);
+-
+-		keyidx = WPA_GET_LE16(igd.keyid);
+-		os_memcpy(igd.igtk, buf + 10, keylen);
+-
+-		wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
+-				igd.igtk, keylen);
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igd.pn, sizeof(igd.pn),
+-				   igd.igtk, keylen) < 0) {
+-			wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
+-				   "WNM mode");
+-			os_memset(&igd, 0, sizeof(igd));
+-			return -1;
+-		}
+-		os_memset(&igd, 0, sizeof(igd));
++		const struct wpa_igtk_kde *igtk;
++
++		igtk = (const struct wpa_igtk_kde *) (buf + 2);
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++ 			return -1;
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+ 		wpa_printf(MSG_DEBUG, "Unknown element id");
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 965a9c1..27b6123 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -30,6 +30,10 @@ struct wpa_sm {
+ 	u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
++	struct wpa_gtk gtk;
++#ifdef CONFIG_IEEE80211W
++	struct wpa_igtk igtk;
++#endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+ 
+-- 
+1.9.1
+
+From 6e891ae64e9ec9edb17be8ca26dcf109e3250541 Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 13 Oct 2017 10:24:29 +0800
+Subject: [PATCH 3/7] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
+ Mode cases
+
+This extends the protection to track last configured GTK/IGTK value
+separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
+corner case where these two different mechanisms may get used when the
+GTK/IGTK has changed and tracking a single value is not sufficient to
+detect a possible key reconfiguration.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/rsn_supp/wpa.c   | 56 ++++++++++++++++++++++++++++++++++++----------------
+ src/rsn_supp/wpa_i.h |  2 ++
+ 2 files changed, 41 insertions(+), 17 deletions(-)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 2c4d9a4..19cc78b 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -681,14 +681,17 @@ struct wpa_gtk_data {
+ 
+ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 				      const struct wpa_gtk_data *gd,
+-				      const u8 *key_rsc)
++				      const u8 *key_rsc, int wnm_sleep)
+ {
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+-	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++	if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
++	    (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
++		       sm->gtk_wnm_sleep.gtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
+ 			gd->keyidx, gd->tx, gd->gtk_len);
+@@ -729,13 +732,18 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
+-	sm->gtk.gtk_len = gd->gtk_len;
+-	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	if (wnm_sleep) {
++		sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
++			  sm->gtk_wnm_sleep.gtk_len);
++	} else {
++		sm->gtk.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	}
+ 
+ 	return 0;
+ }
+ 
+-
+ static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
+ 						int tx)
+ {
+@@ -789,7 +797,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ 	    (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
+ 					       gtk_len, gtk_len,
+ 					       &gd.key_rsc_len, &gd.alg) ||
+-	     wpa_supplicant_install_gtk(sm, &gd, key->key_rsc))) {
++	     wpa_supplicant_install_gtk(sm, &gd, key->key_rsc, 0))) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"RSN: Failed to install GTK");
+ 		os_memset(&gd, 0, sizeof(gd));
+@@ -804,14 +812,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ 
+ #ifdef CONFIG_IEEE80211W
+ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+-				       const struct wpa_igtk_kde *igtk)
++				       const struct wpa_igtk_kde *igtk,
++				       int wnm_sleep)
+ {
+ 	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 	u16 keyidx = WPA_GET_LE16(igtk->keyid);
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->igtk.igtk_len == len &&
+-	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++	if ((sm->igtk.igtk_len == len &&
++	     os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
++	    (sm->igtk_wnm_sleep.igtk_len == len &&
++	     os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++		       sm->igtk_wnm_sleep.igtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
+ 			keyidx);
+@@ -836,9 +848,15 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+ 		return -1;
+ 	}
+ 
+-	sm->igtk.igtk_len = len;
+-	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
+-
++	if (wnm_sleep) {
++		sm->igtk_wnm_sleep.igtk_len = len;
++		os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++			  sm->igtk_wnm_sleep.igtk_len);
++	} else {
++		sm->igtk.igtk_len = len;
++		os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++	}
++ 
+ 	return 0;
+ }
+ #endif /* CONFIG_IEEE80211W */
+@@ -859,7 +877,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 			return -1;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
+  			return -1;
+ 	}
+ 
+@@ -1502,7 +1520,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
+ 	if (ret)
+ 		goto failed;
+ 
+-	if (wpa_supplicant_install_gtk(sm, &gd, key->key_rsc) ||
++	if (wpa_supplicant_install_gtk(sm, &gd, key->key_rsc, 0) ||
+ 	    wpa_supplicant_send_2_of_2(sm, key, ver, key_info))
+ 		goto failed;
+ 	os_memset(&gd, 0, sizeof(gd));
+@@ -2305,8 +2323,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++		os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++		os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+@@ -2825,8 +2845,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++	os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++	os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+@@ -2891,7 +2913,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 
+ 		wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
+ 				gd.gtk, gd.gtk_len);
+-		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
++		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
+ 			os_memset(&gd, 0, sizeof(gd));
+ 			wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
+ 				   "WNM mode");
+@@ -2903,7 +2925,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 		const struct wpa_igtk_kde *igtk;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) (buf + 2);
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
+  			return -1;
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 27b6123..51753ee 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -31,8 +31,10 @@ struct wpa_sm {
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
+ 	struct wpa_gtk gtk;
++	struct wpa_gtk gtk_wnm_sleep;
+ #ifdef CONFIG_IEEE80211W
+ 	struct wpa_igtk igtk;
++	struct wpa_igtk igtk_wnm_sleep;
+ #endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+-- 
+1.9.1
+
+From 20280c8155506da6f1fc46f4fb345bc1ddaf1684 Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 13 Oct 2017 10:32:52 +0800
+Subject: [PATCH 4/7] Prevent installation of an all-zero TK
+
+Properly track whether a PTK has already been installed to the driver
+and the TK part cleared from memory. This prevents an attacker from
+trying to trick the client into installing an all-zero TK.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+
+Upstream-Status: Backport
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/common/wpa_common.h | 1 +
+ src/rsn_supp/wpa.c      | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index 66f9977..5632d37 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -222,6 +222,7 @@ struct wpa_ptk {
+ 	size_t kck_len;
+ 	size_t kek_len;
+ 	size_t tk_len;
++	int installed; /* 1 if key has already been installed to driver */
+ };
+ 
+ struct wpa_gtk {
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 19cc78b..97de8d3 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -594,6 +594,12 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ 	const u8 *key_rsc;
+ 	u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+ 
++	if (sm->ptk.installed) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Do not re-install same PTK to the driver");
++		return 0;
++	}
++
+ 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 		"WPA: Installing PTK to the driver");
+ 
+@@ -632,6 +638,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ 
+ 	/* TK is not needed anymore in supplicant */
+ 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
++	sm->ptk.installed = 1;
+ 
+ 	if (sm->wpa_ptk_rekey) {
+ 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+-- 
+1.9.1
+
+From 39c0043c282ea1901eb37c902f663c8ab019fc63 Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 13 Oct 2017 10:40:31 +0800
+Subject: [PATCH 5/7] Fix PTK rekeying to generate a new ANonce
+
+The Authenticator state machine path for PTK rekeying ended up bypassing
+the AUTHENTICATION2 state where a new ANonce is generated when going
+directly to the PTKSTART state since there is no need to try to
+determine the PMK again in such a case. This is far from ideal since the
+new PTK would depend on a new nonce only from the supplicant.
+
+Fix this by generating a new ANonce when moving to the PTKSTART state
+for the purpose of starting new 4-way handshake to rekey PTK.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/ap/wpa_auth.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 0ebbdb5..5084b74 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1858,6 +1858,19 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
+ 	sm->TimeoutCtr = 0;
+ }
+ 
++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
++{
++	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
++		wpa_printf(MSG_ERROR,
++			   "WPA: Failed to get random data for ANonce");
++		sm->Disconnect = TRUE;
++		return -1;
++	}
++	wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
++		    WPA_NONCE_LEN);
++	sm->TimeoutCtr = 0;
++	return 0;
++}
+ 
+ SM_STATE(WPA_PTK, INITPMK)
+ {
+@@ -2377,9 +2390,12 @@ SM_STEP(WPA_PTK)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION);
+ 	else if (sm->ReAuthenticationRequest)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
+-	else if (sm->PTKRequest)
+-		SM_ENTER(WPA_PTK, PTKSTART);
+-	else switch (sm->wpa_ptk_state) {
++	else if (sm->PTKRequest) {
++		if (wpa_auth_sm_ptk_update(sm) < 0)
++			SM_ENTER(WPA_PTK, DISCONNECTED);
++		else
++			SM_ENTER(WPA_PTK, PTKSTART);
++	} else switch (sm->wpa_ptk_state) {
+ 	case WPA_PTK_INITIALIZE:
+ 		break;
+ 	case WPA_PTK_DISCONNECT:
+-- 
+1.9.1
+
+From e1b4fa806a88ade798722fccf16ee07f6df1413a Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 13 Oct 2017 10:55:03 +0800
+Subject: [PATCH 6/7] TDLS: Reject TPK-TK reconfiguration
+
+Do not try to reconfigure the same TPK-TK to the driver after it has
+been successfully configured. This is an explicit check to avoid issues
+related to resetting the TX/RX packet number. There was already a check
+for this for TPK M2 (retries of that message are ignored completely), so
+that behavior does not get modified.
+
+For TPK M3, the TPK-TK could have been reconfigured, but that was
+followed by immediate teardown of the link due to an issue in updating
+the STA entry. Furthermore, for TDLS with any real security (i.e.,
+ignoring open/WEP), the TPK message exchange is protected on the AP path
+and simple replay attacks are not feasible.
+
+As an additional corner case, make sure the local nonce gets updated if
+the peer uses a very unlikely "random nonce" of all zeros.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/rsn_supp/tdls.c | 36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
+index c1d7749..8633b8f 100644
+--- a/src/rsn_supp/tdls.c
++++ b/src/rsn_supp/tdls.c
+@@ -111,6 +111,7 @@ struct wpa_tdls_peer {
+ 		u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+ 	} tpk;
+ 	int tpk_set;
++	int tk_set; /* TPK-TK configured to the driver */
+ 	int tpk_success;
+ 	int tpk_in_progress;
+ 
+@@ -191,6 +192,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	u8 rsc[6];
+ 	enum wpa_alg alg;
+ 
++	if (peer->tk_set) {
++		/*
++		 * This same TPK-TK has already been configured to the driver
++		 * and this new configuration attempt (likely due to an
++		 * unexpected retransmitted frame) would result in clearing
++		 * the TX/RX sequence number which can break security, so must
++		 * not allow that to happen.
++		 */
++		wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
++			   " has already been configured to the driver - do not reconfigure",
++			   MAC2STR(peer->addr));
++		return -1;
++	}
++
+ 	os_memset(rsc, 0, 6);
+ 
+ 	switch (peer->cipher) {
+@@ -208,12 +223,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 		return -1;
+ 	}
+ 
++	wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
++		   MAC2STR(peer->addr));
+ 	if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+ 			   rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+ 		wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+ 			   "driver");
+ 		return -1;
+ 	}
++	peer->tk_set = 1;
+ 	return 0;
+ }
+ 
+@@ -689,7 +707,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	peer->cipher = 0;
+ 	peer->qos_info = 0;
+ 	peer->wmm_capable = 0;
+-	peer->tpk_set = peer->tpk_success = 0;
++	peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
+ 	peer->chan_switch_enabled = 0;
+ 	os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+ 	os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+@@ -1152,6 +1170,7 @@ skip_rsnie:
+ 		wpa_tdls_peer_free(sm, peer);
+ 		return -1;
+ 	}
++	peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+ 		    peer->inonce, WPA_NONCE_LEN);
+ 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+@@ -1747,6 +1766,17 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
+ 				       peer->supp_oper_classes_len);
+ }
+ 
++static int tdls_nonce_set(const u8 *nonce)
++{
++	int i;
++
++	for (i = 0; i < WPA_NONCE_LEN; i++) {
++		if (nonce[i])
++			return 1;
++	}
++
++	return 0;
++}
+ 
+ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+ 				   const u8 *buf, size_t len)
+@@ -2001,7 +2031,8 @@ skip_rsn:
+ 	peer->rsnie_i_len = kde.rsn_ie_len;
+ 	peer->cipher = cipher;
+ 
+-	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
++	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
++	    !tdls_nonce_set(peer->inonce)) {
+ 		/*
+ 		 * There is no point in updating the RNonce for every obtained
+ 		 * TPK M1 frame (e.g., retransmission due to timeout) with the
+@@ -2017,6 +2048,7 @@ skip_rsn:
+ 				"TDLS: Failed to get random data for responder nonce");
+ 			goto error;
+ 		}
++		peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	}
+ 
+ #if 0
+-- 
+1.9.1
+
+From 6d966716df42d379c0aaa1b833f070b93a29aaec Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Fri, 13 Oct 2017 11:07:21 +0800
+Subject: [PATCH 7/7] FT: Do not allow multiple Reassociation Response frames
+
+The driver is expected to not report a second association event without
+the station having explicitly request a new association. As such, this
+case should not be reachable. However, since reconfiguring the same
+pairwise or group keys to the driver could result in nonce reuse issues,
+be extra careful here and do an additional state check to avoid this
+even if the local driver ends up somehow accepting an unexpected
+Reassociation Response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/rsn_supp/wpa.c    | 3 +++
+ src/rsn_supp/wpa_ft.c | 8 ++++++++
+ src/rsn_supp/wpa_i.h  | 1 +
+ 3 files changed, 12 insertions(+)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 97de8d3..b9c1ab5 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2366,6 +2366,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
+ #ifdef CONFIG_TDLS
+ 	wpa_tdls_disassoc(sm);
+ #endif /* CONFIG_TDLS */
++#ifdef CONFIG_IEEE80211R
++	sm->ft_reassoc_completed = 0;
++#endif /* CONFIG_IEEE80211R */
+ 
+ 	/* Keys are not needed in the WPA state machine anymore */
+ 	wpa_sm_drop_sa(sm);
+diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
+index 06dea05..e8834dd 100644
+--- a/src/rsn_supp/wpa_ft.c
++++ b/src/rsn_supp/wpa_ft.c
+@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
+ 	u16 capab;
+ 
+ 	sm->ft_completed = 0;
++	sm->ft_reassoc_completed = 0;
+ 
+ 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+ 		2 + sm->r0kh_id_len + ric_ies_len + 100;
+@@ -683,6 +684,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ 		return -1;
+ 	}
+ 
++	if (sm->ft_reassoc_completed) {
++		wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
++		return 0;
++	}
++
+ 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
+ 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
+ 		return -1;
+@@ -783,6 +789,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ 		return -1;
+ 	}
+ 
++	sm->ft_reassoc_completed = 1;
++
+ 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
+ 		return -1;
+ 
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 51753ee..85cc862 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -127,6 +127,7 @@ struct wpa_sm {
+ 	size_t r0kh_id_len;
+ 	u8 r1kh_id[FT_R1KH_ID_LEN];
+ 	int ft_completed;
++	int ft_reassoc_completed;
+ 	int over_the_ds_in_progress;
+ 	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
+ 	int set_ptk_after_assoc;
+-- 
+1.9.1
+

meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb

@@ -33,6 +33,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
            file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \
            file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
            file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \
+           file://key-replay-cve-multiple.patch \
           "
 SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"
 SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"

meta/recipes-core/glibc/glibc/CVE-2016-3706.patch

@@ -0,0 +1,226 @@
+From 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Fri, 29 Apr 2016 10:35:34 +0200
+Subject: [PATCH] CVE-2016-3706: getaddrinfo: stack overflow in hostent
+ conversion [BZ #20010]
+
+When converting a struct hostent response to struct gaih_addrtuple, the
+gethosts macro (which is called from gaih_inet) used alloca, without
+malloc fallback for large responses.  This commit changes this code to
+use calloc unconditionally.
+
+This commit also consolidated a second hostent-to-gaih_addrtuple
+conversion loop (in gaih_inet) to use the new conversion function.
+
+Upstream-Status: Backport
+CVE: CVE-2016-3706
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog                   |  10 ++++
+ NEWS                        |   5 +-
+ sysdeps/posix/getaddrinfo.c | 130 +++++++++++++++++++++++---------------------
+ 3 files changed, 83 insertions(+), 62 deletions(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,13 @@
++2016-04-29  Florian Weimer  <fweimer@redhat.com>
++
++    [BZ #20010]
++    CVE-2016-3706
++    * sysdeps/posix/getaddrinfo.c
++    (convert_hostent_to_gaih_addrtuple): New function.
++    (gethosts): Call convert_hostent_to_gaih_addrtuple.
++    (gaih_inet): Use convert_hostent_to_gaih_addrtuple to convert
++    AF_INET data.
++
+ 2016-01-27  Paul Eggert  <eggert@cs.ucla.edu>
+ 
+ 	[BZ #18240]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -2,6 +2,14 @@ GNU C Library NEWS -- history of user-vi
+ Copyright (C) 1992-2015 Free Software Foundation, Inc.
+ See the end for copying conditions.
+ 
++Security related changes:
++
++[Add security related changes here]
++ * Previously, getaddrinfo copied large amounts of address data to the stack,
++  even after the fix for CVE-2013-4458 has been applied, potentially
++  resulting in a stack overflow.  getaddrinfo now uses a heap allocation
++  instead.  Reported by Michael Petlan.  (CVE-2016-3706)
++
+ Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
+ using `glibc' in the "product" field.
+ 
+Index: git/sysdeps/posix/getaddrinfo.c
+===================================================================
+--- git.orig/sysdeps/posix/getaddrinfo.c
++++ git/sysdeps/posix/getaddrinfo.c
+@@ -168,9 +168,58 @@ gaih_inet_serv (const char *servicename,
+   return 0;
+ }
+ 
++/* Convert struct hostent to a list of struct gaih_addrtuple objects.
++   h_name is not copied, and the struct hostent object must not be
++   deallocated prematurely.  *RESULT must be NULL or a pointer to an
++   object allocated using malloc, which is freed.  */
++static bool
++convert_hostent_to_gaih_addrtuple (const struct addrinfo *req,
++				   int family,
++				   struct hostent *h,
++				   struct gaih_addrtuple **result)
++{
++  free (*result);
++  *result = NULL;
++
++  /* Count the number of addresses in h->h_addr_list.  */
++  size_t count = 0;
++  for (char **p = h->h_addr_list; *p != NULL; ++p)
++    ++count;
++
++  /* Report no data if no addresses are available, or if the incoming
++     address size is larger than what we can store.  */
++  if (count == 0 || h->h_length > sizeof (((struct gaih_addrtuple) {}).addr))
++    return true;
++
++  struct gaih_addrtuple *array = calloc (count, sizeof (*array));
++  if (array == NULL)
++    return false;
++
++  for (size_t i = 0; i < count; ++i)
++    {
++      if (family == AF_INET && req->ai_family == AF_INET6)
++	{
++	  /* Perform address mapping. */
++	  array[i].family = AF_INET6;
++	  memcpy(array[i].addr + 3, h->h_addr_list[i], sizeof (uint32_t));
++	  array[i].addr[2] = htonl (0xffff);
++	}
++      else
++	{
++	  array[i].family = family;
++	  memcpy (array[i].addr, h->h_addr_list[i], h->h_length);
++	}
++      array[i].next = array + i + 1;
++    }
++  array[0].name = h->h_name;
++  array[count - 1].next = NULL;
++
++  *result = array;
++  return true;
++}
++
+ #define gethosts(_family, _type) \
+  {									      \
+-  int i;								      \
+   int herrno;								      \
+   struct hostent th;							      \
+   struct hostent *h;							      \
+@@ -219,36 +268,23 @@ gaih_inet_serv (const char *servicename,
+     }									      \
+   else if (h != NULL)							      \
+     {									      \
+-      for (i = 0; h->h_addr_list[i]; i++)				      \
++      /* Make sure that addrmem can be freed.  */			      \
++      if (!malloc_addrmem)						      \
++	addrmem = NULL;							      \
++      if (!convert_hostent_to_gaih_addrtuple (req, _family,h, &addrmem))      \
+ 	{								      \
+-	  if (*pat == NULL)						      \
+-	    {								      \
+-	      *pat = __alloca (sizeof (struct gaih_addrtuple));		      \
+-	      (*pat)->scopeid = 0;					      \
+-	    }								      \
+-	  uint32_t *addr = (*pat)->addr;				      \
+-	  (*pat)->next = NULL;						      \
+-	  (*pat)->name = i == 0 ? strdupa (h->h_name) : NULL;		      \
+-	  if (_family == AF_INET && req->ai_family == AF_INET6)		      \
+-	    {								      \
+-	      (*pat)->family = AF_INET6;				      \
+-	      addr[3] = *(uint32_t *) h->h_addr_list[i];		      \
+-	      addr[2] = htonl (0xffff);					      \
+-	      addr[1] = 0;						      \
+-	      addr[0] = 0;						      \
+-	    }								      \
+-	  else								      \
+-	    {								      \
+-	      (*pat)->family = _family;					      \
+-	      memcpy (addr, h->h_addr_list[i], sizeof(_type));		      \
+-	    }								      \
+-	  pat = &((*pat)->next);					      \
++	  _res.options |= old_res_options & RES_USE_INET6;		      \
++	  result = -EAI_SYSTEM;						      \
++	  goto free_and_return;						      \
+ 	}								      \
++      *pat = addrmem;							      \
++      /* The conversion uses malloc unconditionally.  */		      \
++      malloc_addrmem = true;						      \
+ 									      \
+       if (localcanon !=	NULL && canon == NULL)				      \
+ 	canon = strdupa (localcanon);					      \
+ 									      \
+-      if (_family == AF_INET6 && i > 0)					      \
++      if (_family == AF_INET6 && *pat != NULL)				      \
+ 	got_ipv6 = true;						      \
+     }									      \
+  }
+@@ -612,44 +648,16 @@ gaih_inet (const char *name, const struc
+ 		{
+ 		  if (h != NULL)
+ 		    {
+-		      int i;
+-		      /* We found data, count the number of addresses.  */
+-		      for (i = 0; h->h_addr_list[i]; ++i)
+-			;
+-		      if (i > 0 && *pat != NULL)
+-			--i;
+-
+-		      if (__libc_use_alloca (alloca_used
+-					     + i * sizeof (struct gaih_addrtuple)))
+-			addrmem = alloca_account (i * sizeof (struct gaih_addrtuple),
+-						  alloca_used);
+-		      else
++		      /* We found data, convert it.  */
++		      if (!convert_hostent_to_gaih_addrtuple
++			  (req, AF_INET, h, &addrmem))
+ 			{
+-			  addrmem = malloc (i
+-					    * sizeof (struct gaih_addrtuple));
+-			  if (addrmem == NULL)
+-			    {
+-			      result = -EAI_MEMORY;
+-			      goto free_and_return;
+-			    }
+-			  malloc_addrmem = true;
+-			}
+-
+-		      /* Now convert it into the list.  */
+-		      struct gaih_addrtuple *addrfree = addrmem;
+-		      for (i = 0; h->h_addr_list[i]; ++i)
+-			{
+-			  if (*pat == NULL)
+-			    {
+-			      *pat = addrfree++;
+-			      (*pat)->scopeid = 0;
+-			    }
+-			  (*pat)->next = NULL;
+-			  (*pat)->family = AF_INET;
+-			  memcpy ((*pat)->addr, h->h_addr_list[i],
+-				  h->h_length);
+-			  pat = &((*pat)->next);
++			  result = -EAI_MEMORY;
++			  goto free_and_return;
+ 			}
++		      *pat = addrmem;
++		      /* The conversion uses malloc unconditionally.  */
++		      malloc_addrmem = true;
+ 		    }
+ 		}
+ 	      else

meta/recipes-core/glibc/glibc/CVE-2016-4429.patch

@@ -0,0 +1,89 @@
+From bc779a1a5b3035133024b21e2f339fe4219fb11c Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 23 May 2016 20:18:34 +0200
+Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ
+ #20112]
+
+The call is technically in a loop, and under certain circumstances
+(which are quite difficult to reproduce in a test case), alloca
+can be invoked repeatedly during a single call to clntudp_call.
+As a result, the available stack space can be exhausted (even
+though individual alloca sizes are bounded implicitly by what
+can fit into a UDP packet, as a side effect of the earlier
+successful send operation).
+
+Upstream-Status: Backport
+CVE: CVE-2016-4429
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog         |  7 +++++++
+ NEWS              |  4 ++++
+ sunrpc/clnt_udp.c | 10 +++++++++-
+ 3 files changed, 20 insertions(+), 1 deletion(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,10 @@
++2016-05-23  Florian Weimer  <fweimer@redhat.com>
++
++   CVE-2016-4429
++   [BZ #20112]
++   * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
++   payload.
++
+ 2016-04-29  Florian Weimer  <fweimer@redhat.com>
+ 
+     [BZ #20010]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -5,6 +5,11 @@ See the end for copying conditions.
+ Security related changes:
+ 
+ [Add security related changes here]
++
++* The Sun RPC UDP client could exhaust all available stack space when
++  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
++  alloca plugin for GCC.  (CVE-2016-4429)
++
+  * Previously, getaddrinfo copied large amounts of address data to the stack,
+   even after the fix for CVE-2013-4458 has been applied, potentially
+   resulting in a stack overflow.  getaddrinfo now uses a heap allocation
+Index: git/sunrpc/clnt_udp.c
+===================================================================
+--- git.orig/sunrpc/clnt_udp.c
++++ git/sunrpc/clnt_udp.c
+@@ -420,9 +420,15 @@ send_again:
+ 	  struct sock_extended_err *e;
+ 	  struct sockaddr_in err_addr;
+ 	  struct iovec iov;
+-	  char *cbuf = (char *) alloca (outlen + 256);
++	  char *cbuf = malloc (outlen + 256);
+ 	  int ret;
+ 
++	  if (cbuf == NULL)
++	    {
++	      cu->cu_error.re_errno = errno;
++	      return (cu->cu_error.re_status = RPC_CANTRECV);
++	    }
++
+ 	  iov.iov_base = cbuf + 256;
+ 	  iov.iov_len = outlen;
+ 	  msg.msg_name = (void *) &err_addr;
+@@ -447,10 +453,12 @@ send_again:
+ 		 cmsg = CMSG_NXTHDR (&msg, cmsg))
+ 	      if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+ 		{
++		  free (cbuf);
+ 		  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ 		  cu->cu_error.re_errno = e->ee_errno;
+ 		  return (cu->cu_error.re_status = RPC_CANTRECV);
+ 		}
++	  free (cbuf);
+ 	}
+ #endif
+       do

meta/recipes-core/glibc/glibc_2.22.bb

@@ -48,6 +48,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://CVE-2015-8776.patch \
            file://CVE-2015-7547.patch \
            file://CVE-2015-8778.patch \
+           file://CVE-2016-3706.patch \
+           file://CVE-2016-4429.patch \
 "
 
 SRC_URI += "\

meta/recipes-core/images/build-appliance-image_12.0.1.bb

@@ -21,7 +21,7 @@ IMAGE_FSTYPES = "vmdk"
 
 inherit core-image
 
-SRCREV ?= "a325db9bc889499d6d20d8c9cd589153390f8521"
+SRCREV ?= "a20868079ccab342502c8a173d8933d2d4ee65d1"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=jethro \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-core/initrdscripts/files/init-install-efi-testfs.sh

@@ -69,7 +69,7 @@ umount /dev/${device}* 2> /dev/null || /bin/true
 mkdir -p /tmp
 cat /proc/mounts > /etc/mtab
 
-disk_size=$(parted /dev/${device} unit mb print | grep Disk | cut -d" " -f 3 | sed -e "s/MB//")
+disk_size=$(parted /dev/${device} unit mb print | grep '^Disk .*: .*MB' | cut -d" " -f 3 | sed -e "s/MB//")
 
 testfs_size=$((disk_size*testfs_ratio/100))
 rootfs_size=$((disk_size-boot_size-testfs_size))

meta/recipes-core/initrdscripts/files/init-install-efi.sh

@@ -120,7 +120,7 @@ if [ ! -e /etc/mtab ]; then
     cat /proc/mounts > /etc/mtab
 fi
 
-disk_size=$(parted ${device} unit mb print | grep Disk | cut -d" " -f 3 | sed -e "s/MB//")
+disk_size=$(parted ${device} unit mb print | grep '^Disk .*: .*MB' | cut -d" " -f 3 | sed -e "s/MB//")
 
 swap_size=$((disk_size*swap_ratio/100))
 rootfs_size=$((disk_size-boot_size-swap_size))

meta/recipes-core/initrdscripts/files/init-install.sh

@@ -116,7 +116,7 @@ if [ ! -L /etc/mtab ]; then
     cat /proc/mounts > /etc/mtab
 fi
 
-disk_size=$(parted ${device} unit mb print | grep Disk | cut -d" " -f 3 | sed -e "s/MB//")
+disk_size=$(parted ${device} unit mb print | grep '^Disk .*: .*MB' | cut -d" " -f 3 | sed -e "s/MB//")
 
 grub_version=$(grub-install -v|sed 's/.* \([0-9]\).*/\1/')
 

meta/recipes-core/libxml/libxml2/CVE-2016-1762.patch

@@ -0,0 +1,84 @@
+From a7a94612aa3b16779e2c74e1fa353b5d9786c602 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 9 Feb 2016 12:55:29 +0100
+Subject: [PATCH] Heap-based buffer overread in xmlNextChar
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759671
+
+when the end of the internal subset isn't properly detected
+xmlParseInternalSubset should just return instead of trying
+to process input further.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1762
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c                       |  1 +
+ result/errors/754946.xml.err   | 10 +++++-----
+ result/errors/content1.xml.err |  2 +-
+ result/valid/t8.xml.err        |  2 +-
+ result/valid/t8a.xml.err       |  2 +-
+ 5 files changed, 9 insertions(+), 8 deletions(-)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -8480,6 +8480,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr
+      */
+     if (RAW != '>') {
+ 	xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL);
++	return;
+     }
+     NEXT;
+ }
+Index: libxml2-2.9.2/result/errors/754946.xml.err
+===================================================================
+--- libxml2-2.9.2.orig/result/errors/754946.xml.err
++++ libxml2-2.9.2/result/errors/754946.xml.err
+@@ -11,9 +11,9 @@ Entity: line 1: parser error : DOCTYPE i
+ Entity: line 1: 
+ A<lbbbbbbbbbbbbbbbbbbb_
+ ^
+-./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
+->%SYSTEM;<![
+-         ^
+-./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+->%SYSTEM;<![
++Entity: line 1: parser error : Start tag expected, '<' not found
++ %SYSTEM; 
+          ^
++Entity: line 1: 
++A<lbbbbbbbbbbbbbbbbbbb_
++^
+Index: libxml2-2.9.2/result/errors/content1.xml.err
+===================================================================
+--- libxml2-2.9.2.orig/result/errors/content1.xml.err
++++ libxml2-2.9.2/result/errors/content1.xml.err
+@@ -13,4 +13,4 @@
+                          ^
+ ./test/errors/content1.xml:7: parser error : Start tag expected, '<' not found
+ <!ELEMENT aElement (a |b * >
+-                           ^
++                         ^
+Index: libxml2-2.9.2/result/valid/t8.xml.err
+===================================================================
+--- libxml2-2.9.2.orig/result/valid/t8.xml.err
++++ libxml2-2.9.2/result/valid/t8.xml.err
+@@ -16,4 +16,4 @@ Entity: line 1: parser error : Start tag
+           ^
+ Entity: line 1: 
+ &lt;!ELEMENT root (middle) >
+- ^
++^
+Index: libxml2-2.9.2/result/valid/t8a.xml.err
+===================================================================
+--- libxml2-2.9.2.orig/result/valid/t8a.xml.err
++++ libxml2-2.9.2/result/valid/t8a.xml.err
+@@ -16,4 +16,4 @@ Entity: line 1: parser error : Start tag
+           ^
+ Entity: line 1: 
+ &lt;!ELEMENT root (middle) >
+- ^
++^

meta/recipes-core/libxml/libxml2/CVE-2016-1833.patch

@@ -0,0 +1,368 @@
+From 0bcd05c5cd83dec3406c8f68b769b1d610c72f76 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Tue, 1 Mar 2016 15:18:04 -0800
+Subject: [PATCH] Heap-based buffer overread in htmlCurrentChar
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=758606
+
+* parserInternals.c:
+(xmlNextChar): Add an test to catch other issues on ctxt->input
+corruption proactively.
+For non-UTF-8 charsets, xmlNextChar() failed to check for the end
+of the input buffer and would continuing reading.  Fix this by
+pulling out the check for the end of the input buffer into common
+code, and return if we reach the end of the input buffer
+prematurely.
+* result/HTML/758606.html: Added.
+* result/HTML/758606.html.err: Added.
+* result/HTML/758606.html.sax: Added.
+* result/HTML/758606_2.html: Added.
+* result/HTML/758606_2.html.err: Added.
+* result/HTML/758606_2.html.sax: Added.
+* test/HTML/758606.html: Added test case.
+* test/HTML/758606_2.html: Added test case.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1833
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parserInternals.c             | 172 ++++++++++++++++++++++--------------------
+ result/HTML/758606.html       |   2 +
+ result/HTML/758606.html.err   |  16 ++++
+ result/HTML/758606.html.sax   |  10 +++
+ result/HTML/758606_2.html     |   2 +
+ result/HTML/758606_2.html.err |  16 ++++
+ result/HTML/758606_2.html.sax |  17 +++++
+ test/HTML/758606.html         |   1 +
+ test/HTML/758606_2.html       |   1 +
+ 9 files changed, 154 insertions(+), 83 deletions(-)
+ create mode 100644 result/HTML/758606.html
+ create mode 100644 result/HTML/758606.html.err
+ create mode 100644 result/HTML/758606.html.sax
+ create mode 100644 result/HTML/758606_2.html
+ create mode 100644 result/HTML/758606_2.html.err
+ create mode 100644 result/HTML/758606_2.html.sax
+ create mode 100644 test/HTML/758606.html
+ create mode 100644 test/HTML/758606_2.html
+
+diff --git a/parserInternals.c b/parserInternals.c
+index 8c79678..bfc778a 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -55,6 +55,10 @@
+ #include <libxml/globals.h>
+ #include <libxml/chvalid.h>
+ 
++#define CUR(ctxt) ctxt->input->cur
++#define END(ctxt) ctxt->input->end
++#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt))
++
+ #include "buf.h"
+ #include "enc.h"
+ 
+@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
+         (ctxt->input == NULL))
+         return;
+ 
+-    if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
+-        if ((*ctxt->input->cur == 0) &&
+-            (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) &&
+-            (ctxt->instate != XML_PARSER_COMMENT)) {
+-            /*
+-             * If we are at the end of the current entity and
+-             * the context allows it, we pop consumed entities
+-             * automatically.
+-             * the auto closing should be blocked in other cases
+-             */
++    if (!(VALID_CTXT(ctxt))) {
++        xmlErrInternal(ctxt, "Parser input data memory error\n", NULL);
++	ctxt->errNo = XML_ERR_INTERNAL_ERROR;
++        xmlStopParser(ctxt);
++	return;
++    }
++
++    if ((*ctxt->input->cur == 0) &&
++        (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) {
++        if ((ctxt->instate != XML_PARSER_COMMENT))
+             xmlPopInput(ctxt);
+-        } else {
+-            const unsigned char *cur;
+-            unsigned char c;
++        return;
++    }
+ 
+-            /*
+-             *   2.11 End-of-Line Handling
+-             *   the literal two-character sequence "#xD#xA" or a standalone
+-             *   literal #xD, an XML processor must pass to the application
+-             *   the single character #xA.
+-             */
+-            if (*(ctxt->input->cur) == '\n') {
+-                ctxt->input->line++; ctxt->input->col = 1;
+-            } else
+-                ctxt->input->col++;
++    if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
++        const unsigned char *cur;
++        unsigned char c;
+ 
+-            /*
+-             * We are supposed to handle UTF8, check it's valid
+-             * From rfc2044: encoding of the Unicode values on UTF-8:
+-             *
+-             * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
+-             * 0000 0000-0000 007F   0xxxxxxx
+-             * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
+-             * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
+-             *
+-             * Check for the 0x110000 limit too
+-             */
+-            cur = ctxt->input->cur;
++        /*
++         *   2.11 End-of-Line Handling
++         *   the literal two-character sequence "#xD#xA" or a standalone
++         *   literal #xD, an XML processor must pass to the application
++         *   the single character #xA.
++         */
++        if (*(ctxt->input->cur) == '\n') {
++            ctxt->input->line++; ctxt->input->col = 1;
++        } else
++            ctxt->input->col++;
+ 
+-            c = *cur;
+-            if (c & 0x80) {
+-	        if (c == 0xC0)
+-		    goto encoding_error;
+-                if (cur[1] == 0) {
++        /*
++         * We are supposed to handle UTF8, check it's valid
++         * From rfc2044: encoding of the Unicode values on UTF-8:
++         *
++         * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
++         * 0000 0000-0000 007F   0xxxxxxx
++         * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
++         * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
++         *
++         * Check for the 0x110000 limit too
++         */
++        cur = ctxt->input->cur;
++
++        c = *cur;
++        if (c & 0x80) {
++        if (c == 0xC0)
++	    goto encoding_error;
++            if (cur[1] == 0) {
++                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++                cur = ctxt->input->cur;
++            }
++            if ((cur[1] & 0xc0) != 0x80)
++                goto encoding_error;
++            if ((c & 0xe0) == 0xe0) {
++                unsigned int val;
++
++                if (cur[2] == 0) {
+                     xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+                     cur = ctxt->input->cur;
+                 }
+-                if ((cur[1] & 0xc0) != 0x80)
++                if ((cur[2] & 0xc0) != 0x80)
+                     goto encoding_error;
+-                if ((c & 0xe0) == 0xe0) {
+-                    unsigned int val;
+-
+-                    if (cur[2] == 0) {
++                if ((c & 0xf0) == 0xf0) {
++                    if (cur[3] == 0) {
+                         xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+                         cur = ctxt->input->cur;
+                     }
+-                    if ((cur[2] & 0xc0) != 0x80)
++                    if (((c & 0xf8) != 0xf0) ||
++                        ((cur[3] & 0xc0) != 0x80))
+                         goto encoding_error;
+-                    if ((c & 0xf0) == 0xf0) {
+-                        if (cur[3] == 0) {
+-                            xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+-                            cur = ctxt->input->cur;
+-                        }
+-                        if (((c & 0xf8) != 0xf0) ||
+-                            ((cur[3] & 0xc0) != 0x80))
+-                            goto encoding_error;
+-                        /* 4-byte code */
+-                        ctxt->input->cur += 4;
+-                        val = (cur[0] & 0x7) << 18;
+-                        val |= (cur[1] & 0x3f) << 12;
+-                        val |= (cur[2] & 0x3f) << 6;
+-                        val |= cur[3] & 0x3f;
+-                    } else {
+-                        /* 3-byte code */
+-                        ctxt->input->cur += 3;
+-                        val = (cur[0] & 0xf) << 12;
+-                        val |= (cur[1] & 0x3f) << 6;
+-                        val |= cur[2] & 0x3f;
+-                    }
+-                    if (((val > 0xd7ff) && (val < 0xe000)) ||
+-                        ((val > 0xfffd) && (val < 0x10000)) ||
+-                        (val >= 0x110000)) {
+-			xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+-					  "Char 0x%X out of allowed range\n",
+-					  val);
+-                    }
+-                } else
+-                    /* 2-byte code */
+-                    ctxt->input->cur += 2;
++                    /* 4-byte code */
++                    ctxt->input->cur += 4;
++                    val = (cur[0] & 0x7) << 18;
++                    val |= (cur[1] & 0x3f) << 12;
++                    val |= (cur[2] & 0x3f) << 6;
++                    val |= cur[3] & 0x3f;
++                } else {
++                    /* 3-byte code */
++                    ctxt->input->cur += 3;
++                    val = (cur[0] & 0xf) << 12;
++                    val |= (cur[1] & 0x3f) << 6;
++                    val |= cur[2] & 0x3f;
++                }
++                if (((val > 0xd7ff) && (val < 0xe000)) ||
++                    ((val > 0xfffd) && (val < 0x10000)) ||
++                    (val >= 0x110000)) {
++		xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
++				  "Char 0x%X out of allowed range\n",
++				  val);
++                }
+             } else
+-                /* 1-byte code */
+-                ctxt->input->cur++;
++                /* 2-byte code */
++                ctxt->input->cur += 2;
++        } else
++            /* 1-byte code */
++            ctxt->input->cur++;
+ 
+-            ctxt->nbChars++;
+-            if (*ctxt->input->cur == 0)
+-                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+-        }
++        ctxt->nbChars++;
++        if (*ctxt->input->cur == 0)
++            xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+     } else {
+         /*
+          * Assume it's a fixed length encoding (1) with
+diff --git a/result/HTML/758606.html b/result/HTML/758606.html
+new file mode 100644
+index 0000000..4f21f62
+--- /dev/null
++++ b/result/HTML/758606.html
+@@ -0,0 +1,2 @@
++<!DOCTYPE >
++
+diff --git a/result/HTML/758606.html.err b/result/HTML/758606.html.err
+new file mode 100644
+index 0000000..060433a
+--- /dev/null
++++ b/result/HTML/758606.html.err
+@@ -0,0 +1,16 @@
++./test/HTML/758606.html:1: HTML parser error : Comment not terminated 
++<!--
++<!--<!doctype
++    ^
++./test/HTML/758606.html:1: HTML parser error : Invalid char in CDATA 0xC
++<!--<!doctype
++    ^
++./test/HTML/758606.html:1: HTML parser error : Misplaced DOCTYPE declaration
++<!--<!doctype
++     ^
++./test/HTML/758606.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
++
++^
++./test/HTML/758606.html:2: HTML parser error : DOCTYPE improperly terminated
++
++^
+diff --git a/result/HTML/758606.html.sax b/result/HTML/758606.html.sax
+new file mode 100644
+index 0000000..d44a5cf
+--- /dev/null
++++ b/result/HTML/758606.html.sax
+@@ -0,0 +1,10 @@
++SAX.setDocumentLocator()
++SAX.startDocument()
++SAX.error: Comment not terminated 
++<!--
++SAX.error: Invalid char in CDATA 0xC
++SAX.error: Misplaced DOCTYPE declaration
++SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
++SAX.error: DOCTYPE improperly terminated
++SAX.internalSubset((null), , )
++SAX.endDocument()
+diff --git a/result/HTML/758606_2.html b/result/HTML/758606_2.html
+new file mode 100644
+index 0000000..273816a
+--- /dev/null
++++ b/result/HTML/758606_2.html
+@@ -0,0 +1,2 @@
++<!DOCTYPE >
++<html><body><p>&#145;</p></body></html>
+diff --git a/result/HTML/758606_2.html.err b/result/HTML/758606_2.html.err
+new file mode 100644
+index 0000000..4be039f
+--- /dev/null
++++ b/result/HTML/758606_2.html.err
+@@ -0,0 +1,16 @@
++./test/HTML/758606_2.html:1: HTML parser error : Comment not terminated 
++<!--
++<!--<0C><!dOctYPE
++    ^
++./test/HTML/758606_2.html:1: HTML parser error : Invalid char in CDATA 0xC
++<!--<0C><!dOctYPE
++    ^
++./test/HTML/758606_2.html:1: HTML parser error : Misplaced DOCTYPE declaration
++‘<!dOctYPE
++  ^
++./test/HTML/758606_2.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
++
++^
++./test/HTML/758606_2.html:2: HTML parser error : DOCTYPE improperly terminated
++
++^
+diff --git a/result/HTML/758606_2.html.sax b/result/HTML/758606_2.html.sax
+new file mode 100644
+index 0000000..80ff3d7
+--- /dev/null
++++ b/result/HTML/758606_2.html.sax
+@@ -0,0 +1,17 @@
++SAX.setDocumentLocator()
++SAX.startDocument()
++SAX.error: Comment not terminated 
++<!--
++SAX.error: Invalid char in CDATA 0xC
++SAX.startElement(html)
++SAX.startElement(body)
++SAX.startElement(p)
++SAX.characters(&#145;, 2)
++SAX.error: Misplaced DOCTYPE declaration
++SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
++SAX.error: DOCTYPE improperly terminated
++SAX.internalSubset((null), , )
++SAX.endElement(p)
++SAX.endElement(body)
++SAX.endElement(html)
++SAX.endDocument()
+diff --git a/test/HTML/758606.html b/test/HTML/758606.html
+new file mode 100644
+index 0000000..01a013c
+--- /dev/null
++++ b/test/HTML/758606.html
+@@ -0,0 +1 @@
++<!--<!doctype
+diff --git a/test/HTML/758606_2.html b/test/HTML/758606_2.html
+new file mode 100644
+index 0000000..daa185b
+--- /dev/null
++++ b/test/HTML/758606_2.html
+@@ -0,0 +1 @@
++<!--<0C><!dOctYPE
+-- 
+2.3.5
+

meta/recipes-core/libxml/libxml2/CVE-2016-1834.patch

@@ -0,0 +1,55 @@
+From 8fbbf5513d609c1770b391b99e33314cd0742704 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Tue, 8 Mar 2016 17:29:00 -0800
+Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat
+ <https://bugzilla.gnome.org/show_bug.cgi?id=763071>
+
+* xmlstring.c:
+(xmlStrncat): Return NULL if xmlStrlen returns a negative length.
+(xmlStrncatNew): Ditto.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1834
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xmlstring.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/xmlstring.c b/xmlstring.c
+index b89c9e9..00287d4 100644
+--- a/xmlstring.c
++++ b/xmlstring.c
+@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
+         return(xmlStrndup(add, len));
+ 
+     size = xmlStrlen(cur);
++    if (size < 0)
++        return(NULL);
+     ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
+     if (ret == NULL) {
+         xmlErrMemory(NULL, NULL);
+@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
+     int size;
+     xmlChar *ret;
+ 
+-    if (len < 0)
++    if (len < 0) {
+         len = xmlStrlen(str2);
++        if (len < 0)
++            return(NULL);
++    }
+     if ((str2 == NULL) || (len == 0))
+         return(xmlStrdup(str1));
+     if (str1 == NULL)
+         return(xmlStrndup(str2, len));
+ 
+     size = xmlStrlen(str1);
++    if (size < 0)
++        return(NULL);
+     ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
+     if (ret == NULL) {
+         xmlErrMemory(NULL, NULL);
+-- 
+2.3.5
+

meta/recipes-core/libxml/libxml2/CVE-2016-1835.patch

@@ -0,0 +1,95 @@
+From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 14:04:08 -0800
+Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759020
+
+* parser.c:
+(xmlParseStartTag2): Attribute strings are only valid if the
+base does not change, so add another check where the base may
+change.  Make sure to set 'attvalue' to NULL after freeing it.
+* result/errors/759020.xml: Added.
+* result/errors/759020.xml.err: Added.
+* result/errors/759020.xml.str: Added.
+* test/errors/759020.xml: Added test case.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1835
+
+excluded  test/errors/759020.xml: Added test case., they wont apply 
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c                     | 12 ++++++++++--
+ result/errors/759020.xml     |  0
+ result/errors/759020.xml.err |  6 ++++++
+ result/errors/759020.xml.str |  7 +++++++
+ test/errors/759020.xml       | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 69 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759020.xml
+ create mode 100644 result/errors/759020.xml.err
+ create mode 100644 result/errors/759020.xml.str
+ create mode 100644 test/errors/759020.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -9499,7 +9499,10 @@ reparse:
+ 		else
+ 		    if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+ skip_default_ns:
+-		if (alloc != 0) xmlFree(attvalue);
++		if ((attvalue != NULL) && (alloc != 0)) {
++		    xmlFree(attvalue);
++		    attvalue = NULL;
++		}
+ 		if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ 		    break;
+ 		if (!IS_BLANK_CH(RAW)) {
+@@ -9508,6 +9511,8 @@ skip_default_ns:
+ 		    break;
+ 		}
+ 		SKIP_BLANKS;
++		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++		    goto base_changed;
+ 		continue;
+ 	    }
+             if (aprefix == ctxt->str_xmlns) {
+@@ -9579,7 +9584,10 @@ skip_default_ns:
+ 		else
+ 		    if (nsPush(ctxt, attname, URL) > 0) nbNs++;
+ skip_ns:
+-		if (alloc != 0) xmlFree(attvalue);
++		if ((attvalue != NULL) && (alloc != 0)) {
++		    xmlFree(attvalue);
++		    attvalue = NULL;
++		}
+ 		if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ 		    break;
+ 		if (!IS_BLANK_CH(RAW)) {
+Index: libxml2-2.9.2/result/errors/759020.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759020.xml.err
+@@ -0,0 +1,6 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++                                                                               ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
++
++                                                                   ^
+Index: libxml2-2.9.2/result/errors/759020.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759020.xml.str
+@@ -0,0 +1,7 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++                                                                               ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
++
++                                                                   ^
++./test/errors/759020.xml : failed to parse

meta/recipes-core/libxml/libxml2/CVE-2016-1836.patch

@@ -0,0 +1,443 @@
+From 45752d2c334b50016666d8f0ec3691e2d680f0a0 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Thu, 3 Mar 2016 11:50:34 -0800
+Subject: [PATCH] Bug 759398: Heap use-after-free in xmlDictComputeFastKey
+ <https://bugzilla.gnome.org/show_bug.cgi?id=759398>
+
+* parser.c:
+(xmlParseNCNameComplex): Store start position instead of a
+pointer to the name since the underlying buffer may change,
+resulting in a stale pointer being used.
+* result/errors/759398.xml: Added.
+* result/errors/759398.xml.err: Added.
+* result/errors/759398.xml.str: Added.
+* test/errors/759398.xml: Added test case.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1836
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c                     |   9 +-
+ result/errors/759398.xml     |   0
+ result/errors/759398.xml.err |   9 ++
+ result/errors/759398.xml.str |   5 +
+ test/errors/759398.xml       | 326 +++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 344 insertions(+), 5 deletions(-)
+ create mode 100644 result/errors/759398.xml
+ create mode 100644 result/errors/759398.xml.err
+ create mode 100644 result/errors/759398.xml.str
+ create mode 100755 test/errors/759398.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -2010,6 +2010,7 @@ static int spacePop(xmlParserCtxtPtr ctx
+ #define CUR (*ctxt->input->cur)
+ #define NXT(val) ctxt->input->cur[(val)]
+ #define CUR_PTR ctxt->input->cur
++#define BASE_PTR ctxt->input->base
+ 
+ #define CMP4( s, c1, c2, c3, c4 ) \
+   ( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \
+@@ -3484,7 +3485,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr c
+     int len = 0, l;
+     int c;
+     int count = 0;
+-    const xmlChar *end; /* needed because CUR_CHAR() can move cur on \r\n */
++    size_t startPosition = 0;
+ 
+ #ifdef DEBUG
+     nbParseNCNameComplex++;
+@@ -3494,7 +3495,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr c
+      * Handler for more complex cases
+      */
+     GROW;
+-    end = ctxt->input->cur;
++    startPosition = CUR_PTR - BASE_PTR;
+     c = CUR_CHAR(l);
+     if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */
+ 	(!xmlIsNameStartChar(ctxt, c) || (c == ':'))) {
+@@ -3516,7 +3517,6 @@ xmlParseNCNameComplex(xmlParserCtxtPtr c
+ 	}
+ 	len += l;
+ 	NEXTL(l);
+-	end = ctxt->input->cur;
+ 	c = CUR_CHAR(l);
+ 	if (c == 0) {
+ 	    count = 0;
+@@ -3530,7 +3530,6 @@ xmlParseNCNameComplex(xmlParserCtxtPtr c
+ 	    ctxt->input->cur += l;
+             if (ctxt->instate == XML_PARSER_EOF)
+                 return(NULL);
+-	    end = ctxt->input->cur;
+ 	    c = CUR_CHAR(l);
+ 	}
+     }
+@@ -3539,7 +3538,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr c
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+         return(NULL);
+     }
+-    return(xmlDictLookup(ctxt->dict, end - len, len));
++    return(xmlDictLookup(ctxt->dict, (BASE_PTR + startPosition), len));
+ }
+ 
+ /**
+Index: libxml2-2.9.2/result/errors/759398.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759398.xml.err
+@@ -0,0 +1,9 @@
++./test/errors/759398.xml:210: parser error : StartTag: invalid element name
++need to worry about parsers whi<! don't expand PErefs finding
++                                ^
++./test/errors/759398.xml:309: parser error : Opening and ending tag mismatch: spec line 50 and termdef
++and provide access to their content and structure.</termdef> <termdef
++                                                            ^
++./test/errors/759398.xml:309: parser error : Extra content at the end of the document
++and provide access to their content and structure.</termdef> <termdef
++                                                             ^
+Index: libxml2-2.9.2/result/errors/759398.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759398.xml.str
+@@ -0,0 +1,5 @@
++./test/errors/759398.xml:210: parser error : internal error: detected an error in element content
++
++need to worry about parsers whi<! don't expand
++                               ^
++./test/errors/759398.xml : failed to parse
+Index: libxml2-2.9.2/test/errors/759398.xml
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/errors/759398.xml
+@@ -0,0 +1,326 @@
++<?xml version='1.0' encoding='ISO-8859-5' standalone='no'?>
++<!DOCTYPE spec SYSTEM "dtds/spec.dtd" [
++
++<!-- LAST TOUCHED BY: Tim Bray, 8 February 1997 -->
++
++<!-- The words 'FINAL EDIT' in comments mark places where changes
++need to be made after approval of the document by the ERB, before
++publication.  -->
++
++<!ENTITY XML.version "1.0">
++<!ENTITY doc.date "10 February 1998">
++<!ENTITY iso6.doc.date "19980210">
++<!ENTITY w3c.doc.date "02-Feb-1998">
++<!ENTITY draft.day '10'>
++<!ENTITY draft.month 'February'>
++<!ENTITY draft.year '1998'>
++
++<!ENTITY WebSGML
++ 'WebSGML Adaptations Annex to ISO 8879'>
++
++<!ENTITY lt     "<">
++<!ENTITY gt     ">">
++<!ENTITY xmlpio "'&lt;?xml'">
++<!ENTITY pic    "'?>'">
++<!ENTITY br     "\n">
++<!ENTITY cellback '#c0d9c0'>
++<!ENTITY mdash  "--"> <!-- &#x2014, but nsgmls doesn't grok hex -->
++<!ENTITY com    "--">
++<!ENTITY como   "--">
++<!ENTITY comc   "--">
++<!ENTITY hcro   "&amp;#x">
++<!-- <!ENTITY nbsp "<22>"> -->
++<!ENTITY nbsp   "&#160;">
++<!ENTITY magicents "<code>amp</code>,
++<code>lt</code>,
++<code>gt</code>,
++<code>apos</code>,
++<code>quot</code>">
++
++<!-- audience and distribution status:  for use at publication time -->
++<!ENTITY doc.audience "public review and discussion">
++<!ENTITY doc.distribution "may be dislributed freely, as long as
++all text and legal notices remain intact">
++
++]>
++
++<!-- for Panorama *-->
++<?VERBATIM "eg" ?>
++
++<spec>
++<header>
++<title>Extensible Markup Language (XML) 1.0</title>
++<version></version>
++<w3c-designation>REC-xml-&iso6.doc.date;</w3c-designation>
++<w3c-doctype>W3C Recommendation</w3c-doctype>
++<pubdate><day>&draft.day;</day><month>&draft.month;</month><year>&draft.year;</year></pubdate>
++
++<publoc>
++<loc  href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;</loc>
++<loc  href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml</loc>
++<loc  href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html</loc>
++<loc  href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf</loc>
++<loc  href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps</loc>
++</publoc>
++<latestloc>
++<loc  href="http://www.w3.org/TR/REC-xml">
++htt<74><74><EFBFBD><EFBFBD>www.w3.org/TR/REC-xml</loc>
++</latestloc>
++<prevlocs>
++<loc  href="http://www.w3.org/TR/PR-xml-971208">
++http://www.w3.org/TR/PR-xml-971208</loc>
++<!--
++<loc  href='http://www.w3.org/TR/WD-xml-961114'>
++http://www.w3.org/TR/WD-xml-961114</loc>
++<loc  href='http://www.w3.org/TR/WD-xml-lang-970331'>
++http://www.w3.org/TR/WD-xml-lang-970331</loc>
++<loc  href='http://www.w3.org/TR/WD-xml-lang-970630'>
++http://www.w3.org/TR/WD-xml-lang-970630</loc>
++<loc  href='http://www.w3.org/TR/WD-xml-970807'>
++http://www.w3.org/TR/WD-xml-970807</loc>
++<loc  href='http://www.w3.org/TR/WD-xml-971117'>
++http://www.w3.org/TR/WD-xml-971117</loc>-->
++</prevlocs>
++<authlist>
++<author><name>Tim Bray</name>
++<affiliation>Textuality and Netscape</affiliation>
++<email
++href="mailto:tbray@textuality.com">tbray@textuality.com</email></author>
++<author><name>Jean Paoli</name>
++<affiliation>Microsoft</affiliation>
++<email href="mailto:jeanpa@microsoft.com">jeanpa@microsoft.com</email></author>
++<author><name>C. M. Sperberg-McQueen</name>
++<affiliation>University of Illinois at Chicago</affiliation>
++<email href="mailto:cmsmcq@uic.edu">cmsmcq@uic.edu</email></author>
++</authlist>
++<abstract>
++<p>The Extensible Markup Language (XML) is a subset of
++SGML that is completely described in this document. Its goal is to
++enable generic SGML to be served, received, and processed on the Web
++in the way that is now possible with HTML. XML has been designed for
++ease of implementation and for interoperability with both SGML and
++HTML.</p>
++</abstract>
++<status>
++<p>This document has been reviewed by W3C Members and
++other interested parties and has been endorsed by the
++Director as a W3C Recommendation. It is a stable
++document and may be used as reference material or cited
++as a normative reference from another document. W3C's
++role in making the Recommendation is to draw attention
++to the spPcification and to promote its widespread
++deployment. This enhances the functionality and
++interoperability of the Web.</p>
++<p>
++This document specifies a syntax created by subsetting an existing,
++widely used international text processing standard (Standard
++Generalized Markup Language, ISO 8879:1986(E) as amended and
++corrected) for use on the World Wide Web.  It is a product of the W3C
++XML Activity, details of which can be found at <loc
++href='http://www.w3.org/XML'>http://www.w3.org/XML</loc>.  A list of
++current W3C Recommendations and other technical documents can be found
++at <loc href='http://www.w3.org/TR'>http://www.w3.org/TR</loc>.
++</p>
++<p>This specification uses the term URI, which is defined by <bibref
++ref="Berners-Lee"/>, a work in progress expected to update <bibref
++ref="RFC1738"/> and <bibref ref="RFC1808"/>.
++</p>
++<p>The list of known errors in this specification is
++available at
++<loc href='http://www.w3.org/XML/xml-19980210-errata'>http://www.w3.org/XML/xml-19980210-errata</loc>.</p>
++<p>Please report errors in this document to
++<loc href='mailto:xml-editor@w3.org'>xml-editor@w3.org</loc>.
++</p>
++</status>
++
++
++<pubstmt>
++<p>Chicago, Vancouver, Mountain View, et al.:
++World-Wide Web Consortium, XML Working Group, 1996, 1997.</p>
++</pubstmt>
++<sourcedesc>
++<p>Created in electronic form.</p>
++</sourcedesc>
++<langusage>
++<language id='EN'>English</language>
++<language id='ebnf'>Extended Backus-Naur Form (formal grammar)</language>
++</langusage>
++<revisiondesc>
++<slist>
++<sitem>1997-12-03 : CMSMcQ : yet further changes</sitem>
++<sitem>1997-12-02 : TB : further changes (see TB to XML WG,
++2 December 1997)</sitem>
++<sitem>1997-12-02 : CMSMcQ : deal with as many corrections and
++comments from the proofreaders as possible:
++entify hard-coded document date in pubdate element,
++change expansion of entity WebSGML,
++update status description as per Dan Connolly (am not sure
++about refernece to Berners-Lee et al.),
++add 'The' to abstract as per WG decision,
++move Relationship to Existing Standards to back matter and
++combine with References,
++re-order back matter so normative appendices come first,
++re-tag back matter so informative appendices are tagged informdiv1,
++remove XXX XXX from list of 'normative' specs in prose,
++move some references from Other References to Normative References,
++add RFC 1738, 1808, and 2141 to Other References (they are not
++normative since we do not require the processor to enforce any
++rules based on them),
++add reference to 'Fielding draft' (Berners-Lee et al.),
++move notation section to end of body,
++drop URIchar non-terminal and use SkipLit instead,
++lose stray reference to defunct nonterminal 'markupdecls',
++move reference to Aho et al. into appendix (Tim's right),
++add prose note saying that hash marks and fragment identifiers are
++NOT part of the URI formally speaking, and are NOT legal in
++system identifiers (processor 'may' signal an error).
++Work through:
++Tim Bray reacting to James Clark,
++Tim Bray on his own,
++Eve Maler,
++
++NOT DONE YET:
++change binary / text to unparsed / parsed.
++handle James's suggestion about &lt; in attriubte values
++uppercase hex characters,
++namechar list,
++</sitem>
++<sitem>1997-12-01 : JB : add some column-width parameters</sitem>
++<sitem>1997-12-01 : CMSMcQ : begin round of changes to incorporate
++recent WG decisions and other corrections:
++binding sources of character encoding info (27 Aug / 3 Sept),
++correct wording of Faust quotation (restore dropped line),
++drop SDD from EncodingDecl,
++change text at version number 1.0,
++drop misleading (wrong!) sentence about ignorables and extenders,
++modify defin<69><6E><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>xamples with Byte Order Mark.
++Add content model as a term and clarify that it applies to both
++mixed and element content.
++</sitem>
++<sitem>1997-06-30 : CMSMcQ : change date, some cosmetic changes,
++changes to productions for choice, seq, Mixed, NotationType,
++Enumeration.  Follow James Clark's suggestion and prohibit
++conditional sections in internal subset.  TO DO:  simplify
++production for ignored sections as a result, since we don't
++need to worry about parsers whi<! don't expand PErefs finding
++a conditional section.</sitem>
++<sitem>1997-06-29 : TB : various edits</sitem>
++<sitem>1997-06-29 : CMSMcQ : further changes:
++Suppress old FINAL EDIT comments and some dead material.
++Revise occurrences of % in grammar to exploit Henry Thompson's pun,
++especially markupdecl and attdef.
++Remove RMD requirement relating to element content (?).
++</sitem>
++<sitem>1997-06-28 : CMSMcQ : Various changes for 1 July draft:
++Add text for draconian error handling (introduce
++the term Fatal Error).
++RE deleta est (changing wording from
++original announcement to restrict the requirement to validating
++parsers).
++Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'.</sitem>
++<sitem>1997-03-21 : TB : massive changes on plane flight from Chicago
++to Vancouver</sitem>
++<sitem>1997-03-21 : CMSMcQ : correct as many reported errors as possible.
++</sitem>
++<sitem>1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec.</sitem>
++<sitem>1997 James Clark:
++Define the set of characters from which [^abc] subtracts.
++Charref should use just [0-9] not Digit.
++Location info needs cleaner treatment:  remove?  (ERB
++question).
++One example of a PI has wrong pic.
++Clarify discussion of encoding names.
++Encoding failure should lead to unspecified results; don't
++prescribe error recovery.
++Don't require exposure of entity boundaries.
++Ignore white space in element content.
++Reserve entity names of the form u-NNNN.
++Clarify relative URLs.
++And some of my own:
++Correct productions for content model:  model cannot
++consist of a name, so "elements ::= cp" is no good.
++</sitem>
++<sitem>1996-11-11 : CMSMcQ : revise for style.
++Add new rhs to entity declaration, for parameter entities.</sitem>
++<sitem>1996-11-10 : CMSMcQ : revise for style.
++Fix / complete section on names, characters.
++Add sections on parameter entities, conditional sections.
++Still to do:  Add compatibility note on deterministic content models.
++Finish stylistic revision.</sitem>
++<sitem>1996-10-31 : TB : Add Entity Handling section</sitem>
++<sitem>1996-10-30 : TB : Clean up term &amp; termdef.  Slip in
++ERB decision re EMPTY.</sitem>
++<sitem>1996-10-28 : TB : Change DTD.  Implement some of Michael's
++suggestions.  Change comments back to //.  Introduce language for
++XML namespace reservation.  Add section on white-space handling.
++Lots more cleanup.</sitem>
++<sitem>1996-10-24 : CMSMcQ : quick tweaks, implement some ERB
++decisions.  Characters are not integers.  Comments are /* */ not //.
++Add bibliographic refs to 10646, HyTime, Unicode.
++Rename old Cdata as MsData since it's <emph>only</emph> seen
++in marked sections.  Call them attribute-value pairs not
++name-value pairs, except once.  Internal subset is optional, needs
++'?'.  Implied attributes should be signaled to the app, not
++have values supplied by processor.</sitem>
++<sitem>1996-10-16 : TB : track down &amp; excise all DSD references;
++introduce some EBNF for entity declarations.</sitem>
++<sitem>1996-10-?? nsistency check, fix up scraps so
++they all parse, get formatter working, correct a few productions.</sitem>
++<sitem>1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and
++organizational changes:
++Replace a few literals with xmlpio and
++pi""entities, to make them consistent and ensure we can change pic
++reliably when the ERB votes.
++Drop paragraph on recognizers from notation section.
++Add match, exact match to terminology.
++Move old 2.2 XML Processors and Apps into intro.
++Mention comments, PIs, and marked sections in discussion of
++delimiter escaping.
++Streamline discussion of doctype decl syntax.
++Drop old section of 'PI syntax' for doctype decl, and add
++section on partial-DTD summary PIs to end of Logical Structures
++section.
++Revise DSD syntax section to use Tim's subset-in-a-PI
++mechanism.</sitem>
++<sitem>1996-10-10 : TB : eliminate name recognizers (and more?)</sitem>
++<sitem>1996-10-09 : CMSMcQ : revise for style, consistency through 2.3
++(Characters)</sitem>
++<sitem>1996-10-09 : CMSMcQ : re-unite everything for convenience,
++at least temporarily, and revise quickly</sitem>
++<sitem>1996-10-08 : TB : first major homogenization pass</sitem>
++<sitem>1996-10-08 : TB : turn "current" attribute on div type into
++CDATA</sitem>
++<sitem>1996-10-02 : TB : remould into skeleton + entities</sitem>
++<sitem>1996-09-30 : CMSMcQ : add a few more sections prior to exchange
++                            with Tim.</sitem>
++<sitem>1996-09-20 : CMSMcQ : finish transcribing notes.</sitem>
++<sitem>1996-09-19 : CMSMcQ : begin transcribing notes for draft.</sitem>
++<sitem>1996-09-13 : CMSMcQ : made outline from notes of 09-06,
++do some housekeeping</sitem>
++</slist>
++</revisiondesc>
++</header>
++<<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>m> is used to read XML documents
++and provide access to their content and structure.</termdef> <termdef
++id="dt-app" term="Application">It is @ssumed that an XML processor is
++doing its work on behalf of another module, called the
++<term>application</term>.</termdef> This specification describes the
++required beh\vior of an XML processor in terms of how it must read XML
++data and the information it must provide to the application.</p>
++
++<div2 id='sec-origin-goals'>
++<head>Origin and Goals</head>
++<p>XML was developed by an XML Working Group (orisable over the
++Internet.</p></item>
++<item><p>XML shall support a wide varie<69>y of applications.</p></item>
++<item><p>XML shall be compatible with SGML.</p></item>
++<item><p>It shall be easy to write programs which process XML
++documents.</p></item>
++<item><p>The number of optional features in XML is to be kept to the
++absolute minimum, ideally zero.</p></item>
++<item><p>XML documents shou
+\ No newline at end of file

meta/recipes-core/libxml/libxml2/CVE-2016-1837.patch

@@ -0,0 +1,143 @@
+From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Wed, 2 Mar 2016 15:52:24 -0800
+Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and
+ htmlParseSystemiteral
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=760263
+
+* HTMLparser.c: Add BASE_PTR convenience macro.
+(htmlParseSystemLiteral): Store length and start position instead
+of a pointer while iterating through the public identifier since
+the underlying buffer may change, resulting in a stale pointer
+being used.
+(htmlParsePubidLiteral): Ditto.
+
+Upstream-status: Backport
+CVE: CVE-2016-1837.patch
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 15 deletions(-)
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
+ #define UPP(val) (toupper(ctxt->input->cur[(val)]))
+ 
+ #define CUR_PTR ctxt->input->cur
++#define BASE_PTR ctxt->input->base
+ 
+ #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
+ 		   (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
+@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt
+ 
+ static xmlChar *
+ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
+-    const xmlChar *q;
++    size_t len = 0, startPosition = 0;
+     xmlChar *ret = NULL;
+ 
+     if (CUR == '"') {
+         NEXT;
+-	q = CUR_PTR;
+-	while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
++
++        if (CUR_PTR < BASE_PTR)
++            return(ret);
++        startPosition = CUR_PTR - BASE_PTR;
++
++	while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
+ 	    NEXT;
++	    len++;
++	}
+ 	if (!IS_CHAR_CH(CUR)) {
+ 	    htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ 			 "Unfinished SystemLiteral\n", NULL, NULL);
+ 	} else {
+-	    ret = xmlStrndup(q, CUR_PTR - q);
++	    ret = xmlStrndup((BASE_PTR+startPosition), len);
+ 	    NEXT;
+         }
+     } else if (CUR == '\'') {
+         NEXT;
+-	q = CUR_PTR;
+-	while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
++
++        if (CUR_PTR < BASE_PTR)
++            return(ret);
++        startPosition = CUR_PTR - BASE_PTR;
++
++	while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
+ 	    NEXT;
++	    len++;
++	}
+ 	if (!IS_CHAR_CH(CUR)) {
+ 	    htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ 			 "Unfinished SystemLiteral\n", NULL, NULL);
+ 	} else {
+-	    ret = xmlStrndup(q, CUR_PTR - q);
++	    ret = xmlStrndup((BASE_PTR+startPosition), len);
+ 	    NEXT;
+         }
+     } else {
+@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr
+ 
+ static xmlChar *
+ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
+-    const xmlChar *q;
++    size_t len = 0, startPosition = 0;
+     xmlChar *ret = NULL;
+     /*
+      * Name ::= (Letter | '_') (NameChar)*
+      */
+     if (CUR == '"') {
+         NEXT;
+-	q = CUR_PTR;
+-	while (IS_PUBIDCHAR_CH(CUR)) NEXT;
++
++        if (CUR_PTR < BASE_PTR)
++            return(ret);
++        startPosition = CUR_PTR - BASE_PTR;
++
++        while (IS_PUBIDCHAR_CH(CUR)) {
++            len++;
++            NEXT;
++        }
++
+ 	if (CUR != '"') {
+ 	    htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ 	                 "Unfinished PubidLiteral\n", NULL, NULL);
+ 	} else {
+-	    ret = xmlStrndup(q, CUR_PTR - q);
++	    ret = xmlStrndup((BASE_PTR + startPosition), len);
+ 	    NEXT;
+ 	}
+     } else if (CUR == '\'') {
+         NEXT;
+-	q = CUR_PTR;
+-	while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
+-	    NEXT;
++
++        if (CUR_PTR < BASE_PTR)
++            return(ret);
++        startPosition = CUR_PTR - BASE_PTR;
++
++        while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
++            len++;
++            NEXT;
++        }
++
+ 	if (CUR != '\'') {
+ 	    htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ 	                 "Unfinished PubidLiteral\n", NULL, NULL);
+ 	} else {
+-	    ret = xmlStrndup(q, CUR_PTR - q);
++	    ret = xmlStrndup((BASE_PTR + startPosition), len);
+ 	    NEXT;
+ 	}
+     } else {

meta/recipes-core/libxml/libxml2/CVE-2016-1839.patch

@@ -0,0 +1,127 @@
+From a820dbeac29d330bae4be05d9ecd939ad6b4aa33 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Tue, 1 Mar 2016 11:34:04 -0800
+Subject: [PATCH] Bug 758605: Heap-based buffer overread in xmlDictAddString
+ <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
+
+Reviewed by David Kilzer.
+
+* HTMLparser.c:
+(htmlParseName): Add bounds check.
+(htmlParseNameComplex): Ditto.
+* result/HTML/758605.html: Added.
+* result/HTML/758605.html.err: Added.
+* result/HTML/758605.html.sax: Added.
+* runtest.c:
+(pushParseTest): The input for the new test case was so small
+(4 bytes) that htmlParseChunk() was never called after
+htmlCreatePushParserCtxt(), thereby creating a false positive
+test failure.  Fixed by using a do-while loop so we always call
+htmlParseChunk() at least once.
+* test/HTML/758605.html: Added.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1839
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ HTMLparser.c                |  8 ++++++++
+ result/HTML/758605.html     |  3 +++
+ result/HTML/758605.html.err |  3 +++
+ result/HTML/758605.html.sax | 13 +++++++++++++
+ runtest.c                   |  4 ++--
+ test/HTML/758605.html       |  1 +
+ 6 files changed, 30 insertions(+), 2 deletions(-)
+ create mode 100644 result/HTML/758605.html
+ create mode 100644 result/HTML/758605.html.err
+ create mode 100644 result/HTML/758605.html.sax
+ create mode 100644 test/HTML/758605.html
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) {
+ 	       (*in == '_') || (*in == '-') ||
+ 	       (*in == ':') || (*in == '.'))
+ 	    in++;
++
++	if (in == ctxt->input->end)
++	    return(NULL);
++
+ 	if ((*in > 0) && (*in < 0x80)) {
+ 	    count = in - ctxt->input->cur;
+ 	    ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count);
+@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ct
+ 	NEXTL(l);
+ 	c = CUR_CHAR(l);
+     }
++
++    if (ctxt->input->base > ctxt->input->cur - len)
++	return(NULL);
++
+     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+ }
+ 
+Index: libxml2-2.9.2/result/HTML/758605.html
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/HTML/758605.html
+@@ -0,0 +1,3 @@
++<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
++<html><body><p>&amp;
++</p></body></html>
+Index: libxml2-2.9.2/result/HTML/758605.html.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/HTML/758605.html.err
+@@ -0,0 +1,3 @@
++./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name
++ê
++  ^
+Index: libxml2-2.9.2/result/HTML/758605.html.sax
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/HTML/758605.html.sax
+@@ -0,0 +1,13 @@
++SAX.setDocumentLocator()
++SAX.startDocument()
++SAX.error: htmlParseEntityRef: no name
++SAX.startElement(html)
++SAX.startElement(body)
++SAX.startElement(p)
++SAX.characters(&amp;, 1)
++SAX.ignorableWhitespace(
++, 1)
++SAX.endElement(p)
++SAX.endElement(body)
++SAX.endElement(html)
++SAX.endDocument()
+Index: libxml2-2.9.2/runtest.c
+===================================================================
+--- libxml2-2.9.2.orig/runtest.c
++++ libxml2-2.9.2/runtest.c
+@@ -1827,7 +1827,7 @@ pushParseTest(const char *filename, cons
+     ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename);
+     xmlCtxtUseOptions(ctxt, options);
+     cur += 4;
+-    while (cur < size) {
++    do {
+         if (cur + 1024 >= size) {
+ #ifdef LIBXML_HTML_ENABLED
+ 	    if (options & XML_PARSE_HTML)
+@@ -1845,7 +1845,7 @@ pushParseTest(const char *filename, cons
+ 	    xmlParseChunk(ctxt, base + cur, 1024, 0);
+ 	    cur += 1024;
+ 	}
+-    }
++    } while (cur < size);
+     doc = ctxt->myDoc;
+ #ifdef LIBXML_HTML_ENABLED
+     if (options & XML_PARSE_HTML)
+Index: libxml2-2.9.2/test/HTML/758605.html
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/HTML/758605.html
+@@ -0,0 +1 @@
++&:<3A>

meta/recipes-core/libxml/libxml2/CVE-2016-1840.patch

@@ -0,0 +1,37 @@
+From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+ <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
+
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error.  Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1840
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.2/xmlregexp.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlregexp.c
++++ libxml2-2.9.2/xmlregexp.c
+@@ -5052,11 +5052,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr
+ 	ERROR("Expecting the end of a char range");
+ 	return;
+     }
+-    NEXTL(len);
++
+     /* TODO check that the values are acceptable character ranges for XML */
+     if (end < start) {
+ 	ERROR("End of range is before start of range");
+     } else {
++        NEXTL(len);
+         xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+ 		           XML_REGEXP_CHARVAL, start, end, NULL);
+     }

meta/recipes-core/libxml/libxml2/CVE-2016-3627.patch

@@ -0,0 +1,64 @@
+From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 May 2016 12:27:58 +0800
+Subject: [PATCH] Avoid building recursive entities
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=762100
+
+When we detect a recusive entity we should really not
+build the associated data, moreover if someone bypass
+libxml2 fatal errors and still tries to serialize a broken
+entity make sure we don't risk to get ito a recursion
+
+* parser.c: xmlParserEntityCheck() don't build if entity loop
+  were found and remove the associated text content
+* tree.c: xmlStringGetNodeList() avoid a potential recursion
+
+Upstream-Status: Backport
+CVE: CVE-2016-3627
+Signed-off-by: Armin Kuster <akuster@mvsita.com
+
+---
+ parser.c | 6 +++++-
+ tree.c   | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index ea0e89e..53a6b7f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+      * entities problems
+      */
+     if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
+-	(ent->content != NULL) && (ent->checked == 0)) {
++	(ent->content != NULL) && (ent->checked == 0) &&
++	(ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
+ 	unsigned long oldnbent = ctxt->nbentities;
+ 	xmlChar *rep;
+ 
+@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ 	rep = xmlStringDecodeEntities(ctxt, ent->content,
+ 				  XML_SUBSTITUTE_REF, 0, 0, 0);
+         --ctxt->depth;
++	if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
++	    ent->content[0] = 0;
++	}
+ 
+ 	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ 	if (rep != NULL) {
+diff --git a/tree.c b/tree.c
+index 7fbca6e..9d330b8 100644
+--- a/tree.c
++++ b/tree.c
+@@ -1593,6 +1593,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
+ 			else if ((ent != NULL) && (ent->children == NULL)) {
+ 			    xmlNodePtr temp;
+ 
++			    ent->children = (xmlNodePtr) -1;
+ 			    ent->children = xmlStringGetNodeList(doc,
+ 				    (const xmlChar*)node->content);
+ 			    ent->owner = 1;
+-- 
+2.3.5
+

meta/recipes-core/libxml/libxml2/CVE-2016-3705.patch

@@ -0,0 +1,71 @@
+From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons@suse.com>
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: [PATCH] Add missing increments of recursion depth counter to XML
+ parser.
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=765207
+CVE-2016-3705
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+
+Upstream-Status: Backport
+CVE: CVE-2016-3705
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
+ 
+ 	ent->checked = 1;
+ 
++        ++ctxt->depth;
+ 	rep = xmlStringDecodeEntities(ctxt, ent->content,
+ 				  XML_SUBSTITUTE_REF, 0, 0, 0);
++        --ctxt->depth;
+ 
+ 	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ 	if (rep != NULL) {
+@@ -3978,8 +3980,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctx
+ 	 * an entity declaration, it is bypassed and left as is.
+ 	 * so XML_SUBSTITUTE_REF is not set here.
+ 	 */
++        ++ctxt->depth;
+ 	ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 				      0, 0, 0);
++        --ctxt->depth;
+ 	if (orig != NULL)
+ 	    *orig = buf;
+ 	else
+@@ -4104,9 +4108,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ 		} else if ((ent != NULL) &&
+ 		           (ctxt->replaceEntities != 0)) {
+ 		    if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++			++ctxt->depth;
+ 			rep = xmlStringDecodeEntities(ctxt, ent->content,
+ 						      XML_SUBSTITUTE_REF,
+ 						      0, 0, 0);
++			--ctxt->depth;
+ 			if (rep != NULL) {
+ 			    current = rep;
+ 			    while (*current != 0) { /* non input consuming */
+@@ -4142,8 +4148,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ 			(ent->content != NULL) && (ent->checked == 0)) {
+ 			unsigned long oldnbent = ctxt->nbentities;
+ 
++			++ctxt->depth;
+ 			rep = xmlStringDecodeEntities(ctxt, ent->content,
+ 						  XML_SUBSTITUTE_REF, 0, 0, 0);
++			--ctxt->depth;
+ 
+ 			ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ 			if (rep != NULL) {

meta/recipes-core/libxml/libxml2/CVE-2016-4447.patch

@@ -0,0 +1,208 @@
+From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Tue, 26 Jan 2016 16:57:03 -0800
+Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759573
+
+* parser.c:
+(xmlParseElementDecl): Return early on invalid input to fix
+non-minimized test case (759573-2.xml).  Otherwise the parser
+gets into a bad state in SKIP(3) at the end of the function.
+(xmlParseConditionalSections): Halt parsing when hitting invalid
+input that would otherwise caused xmlParserHandlePEReference()
+to recurse unexpectedly.  This fixes the minimized test case
+(759573.xml).
+
+* result/errors/759573-2.xml: Add.
+* result/errors/759573-2.xml.err: Add.
+* result/errors/759573-2.xml.str: Add.
+* result/errors/759573.xml: Add.
+* result/errors/759573.xml.err: Add.
+* result/errors/759573.xml.str: Add.
+* test/errors/759573-2.xml: Add.
+* test/errors/759573.xml: Add.
+
+Upstream-Status: Backport 
+CVE: CVE-2016-4447
+Signed-off-by: Armin Kuster <akuster@mvist.com>
+
+---
+ parser.c                       |  2 ++
+ result/errors/759573-2.xml     |  0
+ result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++
+ result/errors/759573-2.xml.str |  4 +++
+ result/errors/759573.xml       |  0
+ result/errors/759573.xml.err   | 31 ++++++++++++++++++++++
+ result/errors/759573.xml.str   |  4 +++
+ test/errors/759573-2.xml       |  9 +++++++
+ test/errors/759573.xml         |  1 +
+ 9 files changed, 109 insertions(+)
+ create mode 100644 result/errors/759573-2.xml
+ create mode 100644 result/errors/759573-2.xml.err
+ create mode 100644 result/errors/759573-2.xml.str
+ create mode 100644 result/errors/759573.xml
+ create mode 100644 result/errors/759573.xml.err
+ create mode 100644 result/errors/759573.xml.str
+ create mode 100644 test/errors/759573-2.xml
+ create mode 100644 test/errors/759573.xml
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -6723,6 +6723,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctx
+ 	if (!IS_BLANK_CH(CUR)) {
+ 	    xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ 		           "Space required after 'ELEMENT'\n");
++	    return(-1);
+ 	}
+         SKIP_BLANKS;
+         name = xmlParseName(ctxt);
+@@ -6874,6 +6875,7 @@ xmlParseConditionalSections(xmlParserCtx
+ 
+ 	    if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
+ 		xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
++		xmlHaltParser(ctxt);
+ 		break;
+ 	    }
+ 	}
+Index: libxml2-2.9.2/result/errors/759573-2.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573-2.xml.err
+@@ -0,0 +1,58 @@
++Entity: line 1: parser error : Space required after '<!ENTITY'
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++        ^
++Entity: line 1: parser error : xmlParseEntityDecl: no name
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++        ^
++Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++                   ^
++Entity: line 1: parser error : Space required after '<!ENTITY'
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++        ^
++Entity: line 1: parser error : xmlParseEntityDecl: no name
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++        ^
++Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
++ %zz;
++     ^
++Entity: line 1:
++<!ENTITY<?xDOCTYPEm~?>
++                   ^
++Entity: line 1: parser error : Space required after 'ELEMENT'
++ %xx;
++     ^
++Entity: line 3:
++%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
++             ^
++Entity: line 1: parser error : Content error in the external subset
++ %xx;
++     ^
++Entity: line 3:
++%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
++             ^
++./test/errors/759573-2.xml:6: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++%xx;<03>ggKENSMYNT&#35;MENTD&#372zz;'>
++    ^
++./test/errors/759573-2.xml:6: parser error : DOCTYPE improperly terminated
++%xx;<03>ggKENSMYNT&#35;MENTD&#372zz;'>
++    ^
++./test/errors/759573-2.xml:6: parser error : Start tag expected, '<' not found
++%xx;<03>ggKENSMYNT&#35;MENTD&#372zz;'>
++    ^
+Index: libxml2-2.9.2/result/errors/759573-2.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573-2.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/759573-2.xml:2: parser error : Extra content at the end of the document
++<!DOCTYPE test [
++               ^
++./test/errors/759573-2.xml : failed to parse
+Index: libxml2-2.9.2/result/errors/759573.xml.err
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573.xml.err
+@@ -0,0 +1,31 @@
++./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY'
++ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITY
++                                                                               ^
++./test/errors/759573.xml:1: parser error : Space required after the entity name
++LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
++                                                                               ^
++./test/errors/759573.xml:1: parser error : Entity value required
++LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
++                                                                               ^
++Entity: line 1: parser error : PEReference: no name
++ %xx;
++     ^
++Entity: line 1:
++%<![INCLUDE[000%ஸ000%z;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %xx;
++     ^
++Entity: line 1:
++%<![INCLUDE[000%ஸ000%z;
++            ^
++./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
++                                                                               ^
++./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
++T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
++                                                                               ^
++./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
++T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
++                                                                               ^
+Index: libxml2-2.9.2/result/errors/759573.xml.str
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/result/errors/759573.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/759573.xml:1: parser error : Extra content at the end of the document
++<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
++               ^
++./test/errors/759573.xml : failed to parse
+Index: libxml2-2.9.2/test/errors/759573-2.xml
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/errors/759573-2.xml
+@@ -0,0 +1,9 @@
++<?xmh ven="1.0"?>
++<!DOCTYPE test [
++<!ELEMENT test (#PCDATA) >
++<!ENTITY % xx '&#37;zz;
+<![INCLUDE[
+&#37;zz;<!ELEMENTD(&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
++<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
++%xx;<03>ggKENSMYNT&#35;MENTD&#372zz;'>
++<!ENBITY % zz '&#60;!EN#3&##37;z ';!EY'#x;g
++<!ENTent ref="b<>:b>r.B"/>
++e		</
+\ No newline at end of file
+Index: libxml2-2.9.2/test/errors/759573.xml
+===================================================================
+--- /dev/null
++++ libxml2-2.9.2/test/errors/759573.xml
+@@ -0,0 +1 @@

meta/recipes-core/libxml/libxml2/CVE-2016-4448_2.patch

@@ -0,0 +1,208 @@
+From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Mon, 23 May 2016 14:58:41 +0800
+Subject: [PATCH] More format string warnings with possible format string
+ vulnerability
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+adds a new xmlEscapeFormatString() function to escape composed format
+strings
+
+Upstream-Status: Backport
+CVE: CVE-2016-4448 patch #2
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libxml.h     |  3 +++
+ relaxng.c    |  3 ++-
+ xmlschemas.c | 39 ++++++++++++++++++++++++++-------------
+ xmlstring.c  | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 86 insertions(+), 14 deletions(-)
+
+Index: libxml2-2.9.2/libxml.h
+===================================================================
+--- libxml2-2.9.2.orig/libxml.h
++++ libxml2-2.9.2/libxml.h
+@@ -9,6 +9,8 @@
+ #ifndef __XML_LIBXML_H__
+ #define __XML_LIBXML_H__
+ 
++#include <libxml/xmlstring.h>
++
+ #ifndef NO_LARGEFILE_SOURCE
+ #ifndef _LARGEFILE_SOURCE
+ #define _LARGEFILE_SOURCE
+@@ -96,6 +98,7 @@ int __xmlInitializeDict(void);
+ int __xmlRandom(void);
+ #endif
+ 
++XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
+ int xmlNop(void);
+ 
+ #ifdef IN_LIBXML
+Index: libxml2-2.9.2/relaxng.c
+===================================================================
+--- libxml2-2.9.2.orig/relaxng.c
++++ libxml2-2.9.2/relaxng.c
+@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValid
+         snprintf(msg, 1000, "Unknown error code %d\n", err);
+     }
+     msg[1000 - 1] = 0;
+-    return (xmlStrdup((xmlChar *) msg));
++    xmlChar *result = xmlCharStrdup(msg);
++    return (xmlEscapeFormatString(&result));
+ }
+ 
+ /**
+Index: libxml2-2.9.2/xmlschemas.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlschemas.c
++++ libxml2-2.9.2/xmlschemas.c
+@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **b
+     }
+     FREE_AND_NULL(str)
+ 
+-    return (*buf);
++    return (xmlEscapeFormatString(buf));
+ }
+ 
+ /**
+@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** m
+ 	TODO
+ 	return (NULL);
+     }
++
++    /*
++     * xmlSchemaFormatItemForReport() also returns an escaped format
++     * string, so do this before calling it below (in the future).
++     */
++    xmlEscapeFormatString(msg);
++
+     /*
+     * VAL TODO: The output of the given schema component is currently
+     * disabled.
+@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstract
+ 	msg = xmlStrcat(msg, BAD_CAST " '");
+ 	if (type->builtInType != 0) {
+ 	    msg = xmlStrcat(msg, BAD_CAST "xs:");
+-	    msg = xmlStrcat(msg, type->name);
+-	} else
+-	    msg = xmlStrcat(msg,
+-		xmlSchemaFormatQName(&str,
+-		    type->targetNamespace, type->name));
++	    str = xmlStrdup(type->name);
++	} else {
++	    const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++	    if (!str)
++		str = xmlStrdup(qName);
++	}
++	msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ 	msg = xmlStrcat(msg, BAD_CAST "'");
+ 	FREE_AND_NULL(str);
+     }
+@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstrac
+ 		str = xmlStrcat(str, BAD_CAST ", ");
+ 	}
+ 	str = xmlStrcat(str, BAD_CAST " ).\n");
+-	msg = xmlStrcat(msg, BAD_CAST str);
++	msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ 	FREE_AND_NULL(str)
+     } else
+       msg = xmlStrcat(msg, BAD_CAST "\n");
+@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+ 		msg = xmlStrcat(msg, BAD_CAST " '");
+ 		if (type->builtInType != 0) {
+ 		    msg = xmlStrcat(msg, BAD_CAST "xs:");
+-		    msg = xmlStrcat(msg, type->name);
+-		} else
+-		    msg = xmlStrcat(msg,
+-			xmlSchemaFormatQName(&str,
+-			    type->targetNamespace, type->name));
++		    str = xmlStrdup(type->name);
++		} else {
++		    const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++		    if (!str)
++			str = xmlStrdup(qName);
++		}
++		msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ 		msg = xmlStrcat(msg, BAD_CAST "'.");
+ 		FREE_AND_NULL(str);
+ 	    }
+@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserC
+ 	}
+ 	if (expected) {
+ 	    msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+-	    msg = xmlStrcat(msg, BAD_CAST expected);
++	    xmlChar *expectedEscaped = xmlCharStrdup(expected);
++	    msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
++	    FREE_AND_NULL(expectedEscaped);
+ 	    msg = xmlStrcat(msg, BAD_CAST "'.\n");
+ 	} else
+ 	    msg = xmlStrcat(msg, BAD_CAST "\n");
+Index: libxml2-2.9.2/xmlstring.c
+===================================================================
+--- libxml2-2.9.2.orig/xmlstring.c
++++ libxml2-2.9.2/xmlstring.c
+@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int st
+     return(xmlUTF8Strndup(utf, len));
+ }
+ 
++/**
++ * xmlEscapeFormatString:
++ * @msg:  a pointer to the string in which to escape '%' characters.
++ * Must be a heap-allocated buffer created by libxml2 that may be
++ * returned, or that may be freed and replaced.
++ *
++ * Replaces the string pointed to by 'msg' with an escaped string.
++ * Returns the same string with all '%' characters escaped.
++ */
++xmlChar *
++xmlEscapeFormatString(xmlChar **msg)
++{
++    xmlChar *msgPtr = NULL;
++    xmlChar *result = NULL;
++    xmlChar *resultPtr = NULL;
++    size_t count = 0;
++    size_t msgLen = 0;
++    size_t resultLen = 0;
++
++    if (!msg || !*msg)
++        return(NULL);
++
++    for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
++        ++msgLen;
++        if (*msgPtr == '%')
++            ++count;
++    }
++
++    if (count == 0)
++        return(*msg);
++
++    resultLen = msgLen + count + 1;
++    result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
++    if (result == NULL) {
++        /* Clear *msg to prevent format string vulnerabilities in
++           out-of-memory situations. */
++        xmlFree(*msg);
++        *msg = NULL;
++        xmlErrMemory(NULL, NULL);
++        return(NULL);
++    }
++
++    for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
++        *resultPtr = *msgPtr;
++        if (*msgPtr == '%')
++            *(++resultPtr) = '%';
++    }
++    result[resultLen - 1] = '\0';
++
++    xmlFree(*msg);
++    *msg = result;
++
++    return *msg;
++}
++
+ #define bottom_xmlstring
+ #include "elfgcchack.h"

meta/recipes-core/libxml/libxml2/CVE-2016-4449.patch

@@ -0,0 +1,47 @@
+From b1d34de46a11323fccffa9fadeb33be670d602f5 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 14 Mar 2016 17:19:44 +0800
+Subject: [PATCH] Fix inappropriate fetch of entities content
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761430
+
+libfuzzer regression testing exposed another case where the parser would
+fetch content of an external entity while not in validating mode.
+Plug that hole
+
+Upstream-status: Backport
+CVE: CVE-2016-4449
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -2873,7 +2873,21 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+ 	        ctxt->nbentities += ent->checked / 2;
+ 	    if (ent != NULL) {
+                 if (ent->content == NULL) {
+-		    xmlLoadEntityContent(ctxt, ent);
++		    /*
++		     * Note: external parsed entities will not be loaded,
++		     * it is not required for a non-validating parser to
++		     * complete external PEreferences coming from the
++		     * internal subset
++		     */
++		    if (((ctxt->options & XML_PARSE_NOENT) != 0) ||
++			((ctxt->options & XML_PARSE_DTDVALID) != 0) ||
++			(ctxt->validate != 0)) {
++			xmlLoadEntityContent(ctxt, ent);
++		    } else {
++			xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING,
++		  "not validating will not read content for PE entity %s\n",
++		                      ent->name, NULL);
++		    }
+ 		}
+ 		ctxt->depth++;
+ 		rep = xmlStringDecodeEntities(ctxt, ent->content, what,

meta/recipes-core/libxml/libxml2/CVE-2016-4483.patch

@@ -0,0 +1,55 @@
+From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 May 2016 13:39:13 +0800
+Subject: [PATCH] Avoid an out of bound access when serializing malformed
+ strings
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=766414
+
+* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value
+  is not UTF-8 be more careful when serializing it as we may do an
+  out of bound access as a result.
+
+Upstream-Status: Backport
+CVE: CVE-2016-4483
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xmlsave.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index 774404b..4a8e3f3 100644
+--- a/xmlsave.c
++++ b/xmlsave.c
+@@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
+             xmlBufAdd(buf, BAD_CAST "&amp;", 5);
+             cur++;
+             base = cur;
+-        } else if ((*cur >= 0x80) && ((doc == NULL) ||
+-                                      (doc->encoding == NULL))) {
++        } else if ((*cur >= 0x80) && (cur[1] != 0) &&
++	           ((doc == NULL) || (doc->encoding == NULL))) {
+             /*
+              * We assume we have UTF-8 content.
+              */
+@@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
+                 val <<= 6;
+                 val |= (cur[1]) & 0x3F;
+                 l = 2;
+-            } else if (*cur < 0xF0) {
++            } else if ((*cur < 0xF0) && (cur [2] != 0)) {
+                 val = (cur[0]) & 0x0F;
+                 val <<= 6;
+                 val |= (cur[1]) & 0x3F;
+                 val <<= 6;
+                 val |= (cur[2]) & 0x3F;
+                 l = 3;
+-            } else if (*cur < 0xF8) {
++            } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) {
+                 val = (cur[0]) & 0x07;
+                 val <<= 6;
+                 val |= (cur[1]) & 0x3F;
+-- 
+2.3.5
+

meta/recipes-core/libxml/libxml2_2.9.2.bb

@@ -4,6 +4,23 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
             file://72a46a519ce7326d9a00f0b6a7f2a8e958cd1675.patch \
 	    file://0001-threads-Define-pthread-definitions-for-glibc-complia.patch \
 	   "
+SRC_URI += "file://CVE-2016-1762.patch \
+            file://CVE-2016-3705.patch \
+            file://CVE-2016-1834.patch \
+            file://CVE-2016-4483.patch \
+            file://CVE-2016-1840.patch \
+            file://CVE-2016-1838.patch \
+            file://CVE-2016-1839.patch \
+            file://CVE-2016-1836.patch \
+            file://CVE-2016-4449.patch \
+            file://CVE-2016-1837.patch \
+            file://CVE-2016-1835.patch \
+            file://CVE-2016-1833.patch \
+            file://CVE-2016-3627.patch \
+            file://CVE-2016-4447.patch \
+            file://CVE-2016-4448_1.patch \
+            file://CVE-2016-4448_2.patch \
+    "
 
 SRC_URI[libtar.md5sum] = "9e6a9aca9d155737868b3dc5fd82f788"
 SRC_URI[libtar.sha256sum] = "5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc"

meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch

@@ -0,0 +1,59 @@
+From 7164a1c34d18831ac61c6744ad14ce916d389b3f Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 7 Jul 2016 14:22:41 +0200
+Subject: [PATCH] libblkid: ignore extended partition at zero offset
+
+If the extended partition starts at zero LBA then MBR is interpreted
+as EBR and all is recursively parsed... result is out-of-memory.
+
+ MBR --extended-partition--> EBR --> MBR --> ENB --> MBR ...
+
+Note that such PT is not possible to create by standard partitioning
+tools.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libblkid/src/partitions/dos.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libblkid/src/partitions/dos.c b/libblkid/src/partitions/dos.c
+index 9bba32f..e79f124 100644
+--- a/libblkid/src/partitions/dos.c
++++ b/libblkid/src/partitions/dos.c
+@@ -47,6 +47,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ 	int ct_nodata = 0;	/* count ext.partitions without data partitions */
+ 	int i;
+ 
++	DBG(LOWPROBE, ul_debug("parse EBR [start=%d, size=%d]", ex_start/ssf, ex_size/ssf));
++	if (ex_start == 0) {
++		DBG(LOWPROBE, ul_debug("Bad offset in primary extended partition -- ignore"));
++		return 0;
++	}
++
+ 	while (1) {
+ 		struct dos_partition *p, *p0;
+ 		uint32_t start, size;
+@@ -116,8 +122,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ 			start = dos_partition_get_start(p) * ssf;
+ 			size = dos_partition_get_size(p) * ssf;
+ 
+-			if (size && is_extended(p))
+-				break;
++			if (size && is_extended(p)) {
++				if (start == 0)
++					DBG(LOWPROBE, ul_debug("#%d: EBR link offset is zero -- ignore", i + 1));
++				else
++					break;
++			}
+ 		}
+ 		if (i == 4)
+ 			goto leave;
+-- 
+2.7.4
+

meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch

@@ -0,0 +1,91 @@
+From 50d1594c2e6142a3b51d2143c74027480df082e0 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 12 Jul 2016 13:34:54 +0200
+Subject: [PATCH] libblkid: avoid non-empty recursion in EBR
+
+This is extension to the patch 7164a1c34d18831ac61c6744ad14ce916d389b3f.
+
+We also need to detect non-empty recursion in the EBR chain. It's
+possible to create standard valid logical partitions and in the last one
+points back to the EBR chain. In this case all offsets will be non-empty.
+
+Unfortunately, it's valid to create logical partitions that are not in
+the "disk order" (sorted by start offset). So link somewhere back is
+valid, but this link cannot points to already existing partition
+(otherwise we will see recursion).
+
+This patch forces libblkid to ignore duplicate logical partitions, the
+duplicate chain segment is interpreted as non-data segment, after 100
+iterations with non-data segments it will break the loop -- no memory
+is allocated in this case by the loop.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+References: http://seclists.org/oss-sec/2016/q3/40
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libblkid/src/partitions/dos.c        |  7 +++++++
+ libblkid/src/partitions/partitions.c | 14 ++++++++++++++
+ libblkid/src/partitions/partitions.h |  2 ++
+ 3 files changed, 23 insertions(+)
+
+Index: util-linux-2.26.2/libblkid/src/partitions/dos.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/dos.c
++++ util-linux-2.26.2/libblkid/src/partitions/dos.c
+@@ -105,6 +105,13 @@ static int parse_dos_extended(blkid_prob
+ 					continue;
+ 			}
+ 
++			/* Avoid recursive non-empty links, see ct_nodata counter */
++			if (blkid_partlist_get_partition_by_start(ls, abs_start)) {
++				DBG(LOWPROBE, ul_debug("#%d: EBR duplicate data partition [abs start=%u] -- ignore",
++							i + 1, abs_start));
++				continue;
++			}
++
+ 			par = blkid_partlist_add_partition(ls, tab, abs_start, size);
+ 			if (!par)
+ 				return -ENOMEM;
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.c
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.c
+@@ -940,6 +940,20 @@ blkid_partition blkid_partlist_get_parti
+ 	return &ls->parts[n];
+ }
+ 
++blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start)
++{
++	int i, nparts;
++	blkid_partition par;
++
++	nparts = blkid_partlist_numof_partitions(ls);
++	for (i = 0; i < nparts; i++) {
++		par = blkid_partlist_get_partition(ls, i);
++		if ((uint64_t) blkid_partition_get_start(par) == start)
++			return par;
++	}
++	return NULL;
++}
++
+ /**
+  * blkid_partlist_get_partition_by_partno
+  * @ls: partitions list
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.h
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.h
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.h
+@@ -21,6 +21,8 @@ extern int blkid_partlist_increment_part
+ 
+ extern blkid_partition blkid_partlist_get_parent(blkid_partlist ls);
+ 
++extern blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start);
++
+ extern int blkid_partitions_do_subprobe(blkid_probe pr,
+ 			blkid_partition parent, const struct blkid_idinfo *id);
+ 

meta/recipes-core/util-linux/util-linux_2.26.2.bb

@@ -16,6 +16,8 @@ SRC_URI += "file://util-linux-ng-replace-siginterrupt.patch \
             file://runuser.pamd \
             file://runuser-l.pamd \
             ${OLDHOST} \
+            file://CVE-2016-5011.patch \
+            file://CVE-2016-5011_p2.patch \
 "
 SRC_URI[md5sum] = "9bdf368c395f1b70325d0eb22c7f48fb"
 SRC_URI[sha256sum] = "0e29bda142528a48a0a953c39ff63093651a4809042e1790fbd6aa8663fd9666"

meta/recipes-devtools/gcc/gcc-target.inc

@@ -4,7 +4,6 @@ require gcc-configure-common.inc
 EXTRA_OECONF_PATHS = "\
     --with-sysroot=/ \
     --with-build-sysroot=${STAGING_DIR_TARGET} \
-    --with-native-system-header-dir=${STAGING_DIR_TARGET}${target_includedir} \
     --with-gxx-include-dir=${includedir}/c++/${BINV} \
 "
 

meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_2324.patch

@@ -0,0 +1,307 @@
+From 2824e1841b99393d2469c495253d547c643bd8f1 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Thu, 11 Feb 2016 17:28:36 -0500
+Subject: [PATCH] list-objects: pass full pathname to callbacks
+
+When we find a blob at "a/b/c", we currently pass this to
+our show_object_fn callbacks as two components: "a/b/" and
+"c". Callbacks which want the full value then call
+path_name(), which concatenates the two. But this is an
+inefficient interface; the path is a strbuf, and we could
+simply append "c" to it temporarily, then roll back the
+length, without creating a new copy.
+
+So we could improve this by teaching the callsites of
+path_name() this trick (and there are only 3). But we can
+also notice that no callback actually cares about the
+broken-down representation, and simply pass each callback
+the full path "a/b/c" as a string. The callback code becomes
+even simpler, then, as we do not have to worry about freeing
+an allocated buffer, nor rolling back our modification to
+the strbuf.
+
+This is theoretically less efficient, as some callbacks
+would not bother to format the final path component. But in
+practice this is not measurable. Since we use the same
+strbuf over and over, our work to grow it is amortized, and
+we really only pay to memcpy a few bytes.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2315 and CVE-2016-2324 (actual fixs)
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ builtin/pack-objects.c | 15 ++-------------
+ builtin/rev-list.c     | 12 ++++--------
+ list-objects.c         | 14 +++++++++-----
+ list-objects.h         |  2 +-
+ pack-bitmap-write.c    |  3 +--
+ pack-bitmap.c          | 13 ++++---------
+ reachable.c            |  5 ++---
+ revision.c             | 17 ++---------------
+ revision.h             |  3 +--
+ 9 files changed, 26 insertions(+), 58 deletions(-)
+
+Index: git-2.5.0/builtin/pack-objects.c
+===================================================================
+--- git-2.5.0.orig/builtin/pack-objects.c
++++ git-2.5.0/builtin/pack-objects.c
+@@ -2284,21 +2284,11 @@ static void show_commit(struct commit *c
+ 		index_commit_for_bitmap(commit);
+ }
+ 
+-static void show_object(struct object *obj,
+-			struct strbuf *path, const char *last,
+-			void *data)
++static void show_object(struct object *obj, const char *name, void *data)
+ {
+-	char *name = path_name(path, last);
+-
+ 	add_preferred_base_object(name);
+ 	add_object_entry(obj->sha1, obj->type, name, 0);
+ 	obj->flags |= OBJECT_ADDED;
+-
+-	/*
+-	 * We will have generated the hash from the name,
+-	 * but not saved a pointer to it - we can free it
+-	 */
+-	free((char *)name);
+ }
+ 
+ static void show_edge(struct commit *commit)
+@@ -2480,8 +2470,7 @@ static int get_object_list_from_bitmap(s
+ }
+ 
+ static void record_recent_object(struct object *obj,
+-				 struct strbuf *path,
+-				 const char *last,
++				 const char *name,
+ 				 void *data)
+ {
+ 	sha1_array_append(&recent_objects, obj->sha1);
+Index: git-2.5.0/builtin/rev-list.c
+===================================================================
+--- git-2.5.0.orig/builtin/rev-list.c
++++ git-2.5.0/builtin/rev-list.c
+@@ -177,9 +177,7 @@ static void finish_commit(struct commit
+ 	free_commit_buffer(commit);
+ }
+ 
+-static void finish_object(struct object *obj,
+-			  struct strbuf *path, const char *name,
+-			  void *cb_data)
++static void finish_object(struct object *obj, const char *name, void *cb_data)
+ {
+ 	struct rev_list_info *info = cb_data;
+ 	if (obj->type == OBJ_BLOB && !has_sha1_file(obj->sha1))
+@@ -188,15 +186,13 @@ static void finish_object(struct object
+ 		parse_object(obj->sha1);
+ }
+ 
+-static void show_object(struct object *obj,
+-			struct strbuf *path, const char *component,
+-			void *cb_data)
++static void show_object(struct object *obj, const char *name, void *cb_data)
+ {
+ 	struct rev_list_info *info = cb_data;
+-	finish_object(obj, path, component, cb_data);
++	finish_object(obj, name, cb_data);
+ 	if (info->flags & REV_LIST_QUIET)
+ 		return;
+-	show_object_with_name(stdout, obj, path, component);
++	show_object_with_name(stdout, obj, name);
+ }
+ 
+ static void show_edge(struct commit *commit)
+Index: git-2.5.0/list-objects.c
+===================================================================
+--- git-2.5.0.orig/list-objects.c
++++ git-2.5.0/list-objects.c
+@@ -16,6 +16,7 @@ static void process_blob(struct rev_info
+ 			 void *cb_data)
+ {
+ 	struct object *obj = &blob->object;
++	size_t pathlen;
+ 
+ 	if (!revs->blob_objects)
+ 		return;
+@@ -24,7 +25,11 @@ static void process_blob(struct rev_info
+ 	if (obj->flags & (UNINTERESTING | SEEN))
+ 		return;
+ 	obj->flags |= SEEN;
+-	show(obj, path, name, cb_data);
++
++	pathlen = path->len;
++	strbuf_addstr(path, name);
++	show(obj, path->buf, cb_data);
++	strbuf_setlen(path, pathlen);
+ }
+ 
+ /*
+@@ -86,9 +91,8 @@ static void process_tree(struct rev_info
+ 	}
+ 
+ 	obj->flags |= SEEN;
+-	show(obj, base, name, cb_data);
+-
+ 	strbuf_addstr(base, name);
++	show(obj, base->buf, cb_data);
+ 	if (base->len)
+ 		strbuf_addch(base, '/');
+ 
+@@ -207,7 +211,7 @@ void traverse_commit_list(struct rev_inf
+ 			continue;
+ 		if (obj->type == OBJ_TAG) {
+ 			obj->flags |= SEEN;
+-			show_object(obj, NULL, name, data);
++			show_object(obj, name, data);
+ 			continue;
+ 		}
+ 		if (!path)
+@@ -219,7 +223,7 @@ void traverse_commit_list(struct rev_inf
+ 		}
+ 		if (obj->type == OBJ_BLOB) {
+ 			process_blob(revs, (struct blob *)obj, show_object,
+-				     NULL, path, data);
++				     &base, path, data);
+ 			continue;
+ 		}
+ 		die("unknown pending object %s (%s)",
+Index: git-2.5.0/list-objects.h
+===================================================================
+--- git-2.5.0.orig/list-objects.h
++++ git-2.5.0/list-objects.h
+@@ -2,7 +2,7 @@
+ #define LIST_OBJECTS_H
+ 
+ typedef void (*show_commit_fn)(struct commit *, void *);
+-typedef void (*show_object_fn)(struct object *, struct strbuf *, const char *, void *);
++typedef void (*show_object_fn)(struct object *, const char *, void *);
+ void traverse_commit_list(struct rev_info *, show_commit_fn, show_object_fn, void *);
+ 
+ typedef void (*show_edge_fn)(struct commit *);
+Index: git-2.5.0/pack-bitmap-write.c
+===================================================================
+--- git-2.5.0.orig/pack-bitmap-write.c
++++ git-2.5.0/pack-bitmap-write.c
+@@ -148,8 +148,7 @@ static uint32_t find_object_pos(const un
+ 	return entry->in_pack_pos;
+ }
+ 
+-static void show_object(struct object *object, struct strbuf *path,
+-			const char *last, void *data)
++static void show_object(struct object *object, const char *name, void *data)
+ {
+ 	struct bitmap *base = data;
+ 	bitmap_set(base, find_object_pos(object->sha1));
+Index: git-2.5.0/pack-bitmap.c
+===================================================================
+--- git-2.5.0.orig/pack-bitmap.c
++++ git-2.5.0/pack-bitmap.c
+@@ -422,19 +422,15 @@ static int ext_index_add_object(struct o
+ 	return bitmap_pos + bitmap_git.pack->num_objects;
+ }
+ 
+-static void show_object(struct object *object, struct strbuf *path,
+-			const char *last, void *data)
++static void show_object(struct object *object, const char *name, void *data)
+ {
+ 	struct bitmap *base = data;
+ 	int bitmap_pos;
+ 
+ 	bitmap_pos = bitmap_position(object->sha1);
+ 
+-	if (bitmap_pos < 0) {
+-		char *name = path_name(path, last);
++	if (bitmap_pos < 0)
+ 		bitmap_pos = ext_index_add_object(object, name);
+-		free(name);
+-	}
+ 
+ 	bitmap_set(base, bitmap_pos);
+ }
+@@ -902,9 +898,8 @@ struct bitmap_test_data {
+ 	size_t seen;
+ };
+ 
+-static void test_show_object(struct object *object,
+-			     struct strbuf *path,
+-			     const char *last, void *data)
++static void test_show_object(struct object *object, const char *name,
++			     void *data)
+ {
+ 	struct bitmap_test_data *tdata = data;
+ 	int bitmap_pos;
+Index: git-2.5.0/reachable.c
+===================================================================
+--- git-2.5.0.orig/reachable.c
++++ git-2.5.0/reachable.c
+@@ -37,15 +37,14 @@ static int add_one_ref(const char *path,
+  * The traversal will have already marked us as SEEN, so we
+  * only need to handle any progress reporting here.
+  */
+-static void mark_object(struct object *obj, struct strbuf *path,
+-			const char *name, void *data)
++static void mark_object(struct object *obj, const char *name, void *data)
+ {
+ 	update_progress(data);
+ }
+ 
+ static void mark_commit(struct commit *c, void *data)
+ {
+-	mark_object(&c->object, NULL, NULL, data);
++	mark_object(&c->object, NULL, data);
+ }
+ 
+ struct recent_data {
+Index: git-2.5.0/revision.c
+===================================================================
+--- git-2.5.0.orig/revision.c
++++ git-2.5.0/revision.c
+@@ -21,27 +21,14 @@
+ 
+ volatile show_early_output_fn_t show_early_output;
+ 
+-char *path_name(struct strbuf *path, const char *name)
++void show_object_with_name(FILE *out, struct object *obj, const char *name)
+ {
+-	struct strbuf ret = STRBUF_INIT;
+-	if (path)
+-		strbuf_addbuf(&ret, path);
+-	strbuf_addstr(&ret, name);
+-	return strbuf_detach(&ret, NULL);
+-}
+-
+-void show_object_with_name(FILE *out, struct object *obj,
+-			   struct strbuf *path, const char *component)
+-{
+-	char *name = path_name(path, component);
+-	char *p;
++	const char *p;
+ 
+ 	fprintf(out, "%s ", sha1_to_hex(obj->sha1));
+ 	for (p = name; *p && *p != '\n'; p++)
+ 		fputc(*p, out);
+ 	fputc('\n', out);
+-
+-	free(name);
+ }
+ 
+ static void mark_blob_uninteresting(struct blob *blob)
+Index: git-2.5.0/revision.h
+===================================================================
+--- git-2.5.0.orig/revision.h
++++ git-2.5.0/revision.h
+@@ -258,8 +258,7 @@ extern void mark_tree_uninteresting(stru
+ 
+ char *path_name(struct strbuf *path, const char *name);
+ 
+-extern void show_object_with_name(FILE *, struct object *,
+-				  struct strbuf *, const char *);
++extern void show_object_with_name(FILE *, struct object *, const char *);
+ 
+ extern void add_pending_object(struct rev_info *revs,
+ 			       struct object *obj, const char *name);

meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p1.patch

@@ -0,0 +1,115 @@
+From c6bd2a1decc252d823104f9849c87ec8484b18ea Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Thu, 11 Feb 2016 17:23:48 -0500
+Subject: [PATCH] http-push: stop using name_path
+
+The graph traversal code here passes along a name_path to
+build up the pathname at which we find each blob. But we
+never actually do anything with the resulting names, making
+it a waste of code and memory.
+
+This usage came in aa1dbc9 (Update http-push functionality,
+2006-03-07), and originally the result was passed to
+"add_object" (which stored it, but didn't really use it,
+either). But we stopped using that function in 1f1e895 (Add
+"named object array" concept, 2006-06-19) in favor of
+storing just the objects themselves.
+
+Moreover, the generation of the name in process_tree() is
+buggy. It sticks "name" onto the end of the name_path linked
+list, and then passes it down again as it recurses (instead
+of "entry.path"). So it's a good thing this was unused, as
+the resulting path for "a/b/c/d" would end up as "a/a/a/a".
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2315 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ http-push.c | 23 +++++++----------------
+ 1 file changed, 7 insertions(+), 16 deletions(-)
+
+diff --git a/http-push.c b/http-push.c
+index c98dad2..8341909 100644
+--- a/http-push.c
++++ b/http-push.c
+@@ -1276,9 +1276,7 @@ static struct object_list **add_one_object(struct object *obj, struct object_lis
+ }
+ 
+ static struct object_list **process_blob(struct blob *blob,
+-					 struct object_list **p,
+-					 struct name_path *path,
+-					 const char *name)
++					 struct object_list **p)
+ {
+ 	struct object *obj = &blob->object;
+ 
+@@ -1292,14 +1290,11 @@ static struct object_list **process_blob(struct blob *blob,
+ }
+ 
+ static struct object_list **process_tree(struct tree *tree,
+-					 struct object_list **p,
+-					 struct name_path *path,
+-					 const char *name)
++					 struct object_list **p)
+ {
+ 	struct object *obj = &tree->object;
+ 	struct tree_desc desc;
+ 	struct name_entry entry;
+-	struct name_path me;
+ 
+ 	obj->flags |= LOCAL;
+ 
+@@ -1309,21 +1304,17 @@ static struct object_list **process_tree(struct tree *tree,
+ 		die("bad tree object %s", sha1_to_hex(obj->sha1));
+ 
+ 	obj->flags |= SEEN;
+-	name = xstrdup(name);
+ 	p = add_one_object(obj, p);
+-	me.up = path;
+-	me.elem = name;
+-	me.elem_len = strlen(name);
+ 
+ 	init_tree_desc(&desc, tree->buffer, tree->size);
+ 
+ 	while (tree_entry(&desc, &entry))
+ 		switch (object_type(entry.mode)) {
+ 		case OBJ_TREE:
+-			p = process_tree(lookup_tree(entry.sha1), p, &me, name);
++			p = process_tree(lookup_tree(entry.sha1), p);
+ 			break;
+ 		case OBJ_BLOB:
+-			p = process_blob(lookup_blob(entry.sha1), p, &me, name);
++			p = process_blob(lookup_blob(entry.sha1), p);
+ 			break;
+ 		default:
+ 			/* Subproject commit - not in this repository */
+@@ -1342,7 +1333,7 @@ static int get_delta(struct rev_info *revs, struct remote_lock *lock)
+ 	int count = 0;
+ 
+ 	while ((commit = get_revision(revs)) != NULL) {
+-		p = process_tree(commit->tree, p, NULL, "");
++		p = process_tree(commit->tree, p);
+ 		commit->object.flags |= LOCAL;
+ 		if (!(commit->object.flags & UNINTERESTING))
+ 			count += add_send_request(&commit->object, lock);
+@@ -1361,11 +1352,11 @@ static int get_delta(struct rev_info *revs, struct remote_lock *lock)
+ 			continue;
+ 		}
+ 		if (obj->type == OBJ_TREE) {
+-			p = process_tree((struct tree *)obj, p, NULL, name);
++			p = process_tree((struct tree *)obj, p);
+ 			continue;
+ 		}
+ 		if (obj->type == OBJ_BLOB) {
+-			p = process_blob((struct blob *)obj, p, NULL, name);
++			p = process_blob((struct blob *)obj, p);
+ 			continue;
+ 		}
+ 		die("unknown pending object %s (%s)", sha1_to_hex(obj->sha1), name);
+-- 
+2.7.4
+

meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p2.patch

@@ -0,0 +1,89 @@
+From 8eee9f9277b6e38ec46c84f4ca3be5d988ca0a33 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Thu, 11 Feb 2016 17:24:18 -0500
+Subject: [PATCH] show_object_with_name: simplify by using path_name()
+
+When "git rev-list" shows an object with its associated path
+name, it does so by walking the name_path linked list and
+printing each component (stopping at any embedded NULs or
+newlines).
+
+We'd like to eventually get rid of name_path entirely in
+favor of a single buffer, and dropping this custom printing
+code is part of that. As a first step, let's use path_name()
+to format the list into a single buffer, and print that.
+This is strictly less efficient than the original, but it's
+a temporary step in the refactoring; our end game will be to
+get the fully formatted name in the first place.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2315 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ revision.c | 40 ++++++----------------------------------
+ 1 file changed, 6 insertions(+), 34 deletions(-)
+
+diff --git a/revision.c b/revision.c
+index 0b322b4..cf544b6 100644
+--- a/revision.c
++++ b/revision.c
+@@ -45,46 +45,18 @@ char *path_name(const struct name_path *path, const char *name)
+ 	return n;
+ }
+ 
+-static int show_path_component_truncated(FILE *out, const char *name, int len)
+-{
+-	int cnt;
+-	for (cnt = 0; cnt < len; cnt++) {
+-		int ch = name[cnt];
+-		if (!ch || ch == '\n')
+-			return -1;
+-		fputc(ch, out);
+-	}
+-	return len;
+-}
+-
+-static int show_path_truncated(FILE *out, const struct name_path *path)
+-{
+-	int emitted, ours;
+-
+-	if (!path)
+-		return 0;
+-	emitted = show_path_truncated(out, path->up);
+-	if (emitted < 0)
+-		return emitted;
+-	if (emitted)
+-		fputc('/', out);
+-	ours = show_path_component_truncated(out, path->elem, path->elem_len);
+-	if (ours < 0)
+-		return ours;
+-	return ours || emitted;
+-}
+-
+ void show_object_with_name(FILE *out, struct object *obj,
+ 			   const struct name_path *path, const char *component)
+ {
+-	struct name_path leaf;
+-	leaf.up = (struct name_path *)path;
+-	leaf.elem = component;
+-	leaf.elem_len = strlen(component);
++	char *name = path_name(path, component);
++	char *p;
+ 
+ 	fprintf(out, "%s ", sha1_to_hex(obj->sha1));
+-	show_path_truncated(out, &leaf);
++	for (p = name; *p && *p != '\n'; p++)
++		fputc(*p, out);
+ 	fputc('\n', out);
++
++	free(name);
+ }
+ 
+ static void mark_blob_uninteresting(struct blob *blob)
+-- 
+2.7.4
+

meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p3.patch

@@ -0,0 +1,160 @@
+From f3badaed5106a16499d0fae31a382f9047b272d7 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Thu, 11 Feb 2016 17:26:18 -0500
+Subject: [PATCH] list-objects: convert name_path to a strbuf
+
+The "struct name_path" data is examined in only two places:
+we generate it in process_tree(), and we convert it to a
+single string in path_name(). Everyone else just passes it
+through to those functions.
+
+We can further note that process_tree() already keeps a
+single strbuf with the leading tree path, for use with
+tree_entry_interesting().
+
+Instead of building a separate name_path linked list, let's
+just use the one we already build in "base". This reduces
+the amount of code (especially tricky code in path_name()
+which did not check for integer overflows caused by deep
+or large pathnames).
+
+It is also more efficient in some instances.  Any time we
+were using tree_entry_interesting, we were building up the
+strbuf anyway, so this is an immediate and obvious win
+there. In cases where we were not, we trade off storing
+"pathname/" in a strbuf on the heap for each level of the
+path, instead of two pointers and an int on the stack (with
+one pointer into the tree object). On a 64-bit system, the
+latter is 20 bytes; so if path components are less than that
+on average, this has lower peak memory usage.  In practice
+it probably doesn't matter either way; we are already
+holding in memory all of the tree objects leading up to each
+pathname, and for normal-depth pathnames, we are only
+talking about hundreds of bytes.
+
+This patch leaves "struct name_path" as a thin wrapper
+around the strbuf, to avoid disrupting callbacks. We should
+fix them, but leaving it out makes this diff easier to view.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2315 patch3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ list-objects.c | 22 +++++++++-------------
+ revision.c     | 25 +++++--------------------
+ revision.h     |  4 +---
+ 3 files changed, 15 insertions(+), 36 deletions(-)
+
+diff --git a/list-objects.c b/list-objects.c
+index 41736d2..dc46b9a 100644
+--- a/list-objects.c
++++ b/list-objects.c
+@@ -62,7 +62,6 @@ static void process_gitlink(struct rev_info *revs,
+ static void process_tree(struct rev_info *revs,
+ 			 struct tree *tree,
+ 			 show_object_fn show,
+-			 struct name_path *path,
+ 			 struct strbuf *base,
+ 			 const char *name,
+ 			 void *cb_data)
+@@ -86,17 +85,14 @@ static void process_tree(struct rev_info *revs,
+ 			return;
+ 		die("bad tree object %s", sha1_to_hex(obj->sha1));
+ 	}
++
+ 	obj->flags |= SEEN;
+-	show(obj, path, name, cb_data);
+-	me.up = path;
+-	me.elem = name;
+-	me.elem_len = strlen(name);
+-
+-	if (!match) {
+-		strbuf_addstr(base, name);
+-		if (base->len)
+-			strbuf_addch(base, '/');
+-	}
++	me.base = base;
++	show(obj, &me, name, cb_data);
++
++	strbuf_addstr(base, name);
++	if (base->len)
++		strbuf_addch(base, '/');
+ 
+ 	init_tree_desc(&desc, tree->buffer, tree->size);
+ 
+@@ -113,7 +109,7 @@ static void process_tree(struct rev_info *revs,
+ 		if (S_ISDIR(entry.mode))
+ 			process_tree(revs,
+ 				     lookup_tree(entry.sha1),
+-				     show, &me, base, entry.path,
++				     show, base, entry.path,
+ 				     cb_data);
+ 		else if (S_ISGITLINK(entry.mode))
+ 			process_gitlink(revs, entry.sha1,
+@@ -220,7 +216,7 @@ void traverse_commit_list(struct rev_info *revs,
+ 			path = "";
+ 		if (obj->type == OBJ_TREE) {
+ 			process_tree(revs, (struct tree *)obj, show_object,
+-				     NULL, &base, path, data);
++				     &base, path, data);
+ 			continue;
+ 		}
+ 		if (obj->type == OBJ_BLOB) {
+diff --git a/revision.c b/revision.c
+index cf544b6..f8c3034 100644
+--- a/revision.c
++++ b/revision.c
+@@ -23,26 +23,11 @@ volatile show_early_output_fn_t show_early_output;
+ 
+ char *path_name(const struct name_path *path, const char *name)
+ {
+-	const struct name_path *p;
+-	char *n, *m;
+-	int nlen = strlen(name);
+-	int len = nlen + 1;
+-
+-	for (p = path; p; p = p->up) {
+-		if (p->elem_len)
+-			len += p->elem_len + 1;
+-	}
+-	n = xmalloc(len);
+-	m = n + len - (nlen + 1);
+-	strcpy(m, name);
+-	for (p = path; p; p = p->up) {
+-		if (p->elem_len) {
+-			m -= p->elem_len + 1;
+-			memcpy(m, p->elem, p->elem_len);
+-			m[p->elem_len] = '/';
+-		}
+-	}
+-	return n;
++	struct strbuf ret = STRBUF_INIT;
++	if (path)
++		strbuf_addbuf(&ret, path->base);
++	strbuf_addstr(&ret, name);
++	return strbuf_detach(&ret, NULL);
+ }
+ 
+ void show_object_with_name(FILE *out, struct object *obj,
+diff --git a/revision.h b/revision.h
+index 0ea8b4e..5e3c47c 100644
+--- a/revision.h
++++ b/revision.h
+@@ -257,9 +257,7 @@ extern void mark_parents_uninteresting(struct commit *commit);
+ extern void mark_tree_uninteresting(struct tree *tree);
+ 
+ struct name_path {
+-	struct name_path *up;
+-	int elem_len;
+-	const char *elem;
++	struct strbuf *base;
+ };
+ 
+ char *path_name(const struct name_path *path, const char *name);
+-- 
+2.7.4
+

meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p4.patch

@@ -0,0 +1,237 @@
+From dc06dc880013d48f2b09c6b4295419382f3b8230 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Thu, 11 Feb 2016 17:26:44 -0500
+Subject: [PATCH] list-objects: drop name_path entirely
+
+In the previous commit, we left name_path as a thin wrapper
+around a strbuf. This patch drops it entirely. As a result,
+every show_object_fn callback needs to be adjusted. However,
+none of their code needs to be changed at all, because the
+only use was to pass it to path_name(), which now handles
+the bare strbuf.
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2315 patch4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ builtin/pack-objects.c |  4 ++--
+ builtin/rev-list.c     |  4 ++--
+ list-objects.c         | 12 +++++-------
+ list-objects.h         |  2 +-
+ pack-bitmap-write.c    |  2 +-
+ pack-bitmap.c          |  4 ++--
+ reachable.c            |  2 +-
+ revision.c             |  6 +++---
+ revision.h             |  8 ++------
+ 9 files changed, 19 insertions(+), 25 deletions(-)
+
+Index: git-2.5.0/builtin/pack-objects.c
+===================================================================
+--- git-2.5.0.orig/builtin/pack-objects.c
++++ git-2.5.0/builtin/pack-objects.c
+@@ -2285,7 +2285,7 @@ static void show_commit(struct commit *c
+ }
+ 
+ static void show_object(struct object *obj,
+-			const struct name_path *path, const char *last,
++			struct strbuf *path, const char *last,
+ 			void *data)
+ {
+ 	char *name = path_name(path, last);
+@@ -2480,7 +2480,7 @@ static int get_object_list_from_bitmap(s
+ }
+ 
+ static void record_recent_object(struct object *obj,
+-				 const struct name_path *path,
++				 struct strbuf *path,
+ 				 const char *last,
+ 				 void *data)
+ {
+Index: git-2.5.0/builtin/rev-list.c
+===================================================================
+--- git-2.5.0.orig/builtin/rev-list.c
++++ git-2.5.0/builtin/rev-list.c
+@@ -178,7 +178,7 @@ static void finish_commit(struct commit
+ }
+ 
+ static void finish_object(struct object *obj,
+-			  const struct name_path *path, const char *name,
++			  struct strbuf *path, const char *name,
+ 			  void *cb_data)
+ {
+ 	struct rev_list_info *info = cb_data;
+@@ -189,7 +189,7 @@ static void finish_object(struct object
+ }
+ 
+ static void show_object(struct object *obj,
+-			const struct name_path *path, const char *component,
++			struct strbuf *path, const char *component,
+ 			void *cb_data)
+ {
+ 	struct rev_list_info *info = cb_data;
+Index: git-2.5.0/list-objects.c
+===================================================================
+--- git-2.5.0.orig/list-objects.c
++++ git-2.5.0/list-objects.c
+@@ -11,7 +11,7 @@
+ static void process_blob(struct rev_info *revs,
+ 			 struct blob *blob,
+ 			 show_object_fn show,
+-			 struct name_path *path,
++			 struct strbuf *path,
+ 			 const char *name,
+ 			 void *cb_data)
+ {
+@@ -52,7 +52,7 @@ static void process_blob(struct rev_info
+ static void process_gitlink(struct rev_info *revs,
+ 			    const unsigned char *sha1,
+ 			    show_object_fn show,
+-			    struct name_path *path,
++			    struct strbuf *path,
+ 			    const char *name,
+ 			    void *cb_data)
+ {
+@@ -69,7 +69,6 @@ static void process_tree(struct rev_info
+ 	struct object *obj = &tree->object;
+ 	struct tree_desc desc;
+ 	struct name_entry entry;
+-	struct name_path me;
+ 	enum interesting match = revs->diffopt.pathspec.nr == 0 ?
+ 		all_entries_interesting: entry_not_interesting;
+ 	int baselen = base->len;
+@@ -87,8 +86,7 @@ static void process_tree(struct rev_info
+ 	}
+ 
+ 	obj->flags |= SEEN;
+-	me.base = base;
+-	show(obj, &me, name, cb_data);
++	show(obj, base, name, cb_data);
+ 
+ 	strbuf_addstr(base, name);
+ 	if (base->len)
+@@ -113,12 +111,12 @@ static void process_tree(struct rev_info
+ 				     cb_data);
+ 		else if (S_ISGITLINK(entry.mode))
+ 			process_gitlink(revs, entry.sha1,
+-					show, &me, entry.path,
++					show, base, entry.path,
+ 					cb_data);
+ 		else
+ 			process_blob(revs,
+ 				     lookup_blob(entry.sha1),
+-				     show, &me, entry.path,
++				     show, base, entry.path,
+ 				     cb_data);
+ 	}
+ 	strbuf_setlen(base, baselen);
+Index: git-2.5.0/list-objects.h
+===================================================================
+--- git-2.5.0.orig/list-objects.h
++++ git-2.5.0/list-objects.h
+@@ -2,7 +2,7 @@
+ #define LIST_OBJECTS_H
+ 
+ typedef void (*show_commit_fn)(struct commit *, void *);
+-typedef void (*show_object_fn)(struct object *, const struct name_path *, const char *, void *);
++typedef void (*show_object_fn)(struct object *, struct strbuf *, const char *, void *);
+ void traverse_commit_list(struct rev_info *, show_commit_fn, show_object_fn, void *);
+ 
+ typedef void (*show_edge_fn)(struct commit *);
+Index: git-2.5.0/pack-bitmap-write.c
+===================================================================
+--- git-2.5.0.orig/pack-bitmap-write.c
++++ git-2.5.0/pack-bitmap-write.c
+@@ -148,7 +148,7 @@ static uint32_t find_object_pos(const un
+ 	return entry->in_pack_pos;
+ }
+ 
+-static void show_object(struct object *object, const struct name_path *path,
++static void show_object(struct object *object, struct strbuf *path,
+ 			const char *last, void *data)
+ {
+ 	struct bitmap *base = data;
+Index: git-2.5.0/pack-bitmap.c
+===================================================================
+--- git-2.5.0.orig/pack-bitmap.c
++++ git-2.5.0/pack-bitmap.c
+@@ -422,7 +422,7 @@ static int ext_index_add_object(struct o
+ 	return bitmap_pos + bitmap_git.pack->num_objects;
+ }
+ 
+-static void show_object(struct object *object, const struct name_path *path,
++static void show_object(struct object *object, struct strbuf *path,
+ 			const char *last, void *data)
+ {
+ 	struct bitmap *base = data;
+@@ -903,7 +903,7 @@ struct bitmap_test_data {
+ };
+ 
+ static void test_show_object(struct object *object,
+-			     const struct name_path *path,
++			     struct strbuf *path,
+ 			     const char *last, void *data)
+ {
+ 	struct bitmap_test_data *tdata = data;
+Index: git-2.5.0/reachable.c
+===================================================================
+--- git-2.5.0.orig/reachable.c
++++ git-2.5.0/reachable.c
+@@ -37,7 +37,7 @@ static int add_one_ref(const char *path,
+  * The traversal will have already marked us as SEEN, so we
+  * only need to handle any progress reporting here.
+  */
+-static void mark_object(struct object *obj, const struct name_path *path,
++static void mark_object(struct object *obj, struct strbuf *path,
+ 			const char *name, void *data)
+ {
+ 	update_progress(data);
+Index: git-2.5.0/revision.c
+===================================================================
+--- git-2.5.0.orig/revision.c
++++ git-2.5.0/revision.c
+@@ -21,17 +21,17 @@
+ 
+ volatile show_early_output_fn_t show_early_output;
+ 
+-char *path_name(const struct name_path *path, const char *name)
++char *path_name(struct strbuf *path, const char *name)
+ {
+ 	struct strbuf ret = STRBUF_INIT;
+ 	if (path)
+-		strbuf_addbuf(&ret, path->base);
++		strbuf_addbuf(&ret, path);
+ 	strbuf_addstr(&ret, name);
+ 	return strbuf_detach(&ret, NULL);
+ }
+ 
+ void show_object_with_name(FILE *out, struct object *obj,
+-			   const struct name_path *path, const char *component)
++			   struct strbuf *path, const char *component)
+ {
+ 	char *name = path_name(path, component);
+ 	char *p;
+Index: git-2.5.0/revision.h
+===================================================================
+--- git-2.5.0.orig/revision.h
++++ git-2.5.0/revision.h
+@@ -256,14 +256,10 @@ extern void put_revision_mark(const stru
+ extern void mark_parents_uninteresting(struct commit *commit);
+ extern void mark_tree_uninteresting(struct tree *tree);
+ 
+-struct name_path {
+-	struct strbuf *base;
+-};
+-
+-char *path_name(const struct name_path *path, const char *name);
++char *path_name(struct strbuf *path, const char *name);
+ 
+ extern void show_object_with_name(FILE *, struct object *,
+-				  const struct name_path *, const char *);
++				  struct strbuf *, const char *);
+ 
+ extern void add_pending_object(struct rev_info *revs,
+ 			       struct object *obj, const char *name);

meta/recipes-devtools/git/git_2.5.0.bb

@@ -16,4 +16,9 @@ SRC_URI += "\
     file://0010-CVE-2015-7545-3.patch \
     file://0011-CVE-2015-7545-4.patch \
     file://0012-CVE-2015-7545-5.patch \
+    file://CVE-2016-2315_p1.patch \
+    file://CVE-2016-2315_p2.patch \
+    file://CVE-2016-2315_p3.patch \
+    file://CVE-2016-2315_p4.patch \
+    file://CVE-2016-2315_2324.patch \
     "

meta/recipes-devtools/perl/perl-ptest.inc

@@ -7,8 +7,8 @@ do_install_ptest () {
 	mkdir -p ${D}${PTEST_PATH}
 	sed -e "s:\/opt:\/usr:" -i Porting/add-package.pl
 	sed -e "s:\/local\/gnu\/:\/:" -i hints/cxux.sh
-	tar -cf - * --exclude \*.o --exclude libperl.so --exclude Makefile --exclude makefile --exclude hostperl \
-		--exclude miniperl --exclude generate_uudmap --exclude patches | ( cd ${D}${PTEST_PATH} && tar -xf - )
+	tar -c --exclude=\*.o --exclude=libperl.so --exclude=Makefile --exclude=makefile --exclude=hostperl \
+		--exclude=miniperl --exclude=generate_uudmap --exclude=patches * | ( cd ${D}${PTEST_PATH} && tar -x )
 
 	sed -i -e "s,${D},,g" \
 	       -e "s,--sysroot=${STAGING_DIR_HOST},,g" \

meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch

@@ -0,0 +1,74 @@
+From 652c8d4852a69f1bb4d387946f9b76350a1f0d0e Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 15 Dec 2015 10:56:54 +1100
+Subject: [PATCH] perl: fix CVE-2015-8607
+
+ensure File::Spec::canonpath() preserves taint
+
+Previously the unix specific XS implementation of canonpath() would
+return an untainted path when supplied a tainted path.
+
+For the empty string case, newSVpvs() already sets taint as needed on
+its result.
+
+This issue was assigned CVE-2015-8607.  [perl #126862]
+
+Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/0b6f93036de171c12ba95d415e264d9cf7f4e1fd
+
+Upstream-Status: Backport
+CVE: CVE-2015-8607
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ dist/PathTools/Cwd.xs    |  1 +
+ dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
+index 9d4dcf0..3d018dc 100644
+--- a/dist/PathTools/Cwd.xs
++++ b/dist/PathTools/Cwd.xs
+@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
+     *o = 0;
+     SvPOK_on(retval);
+     SvCUR_set(retval, o - SvPVX(retval));
++    SvTAINT(retval);
+     return retval;
+ }
+ 
+diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
+index 309b3e5..48f8c5b 100644
+--- a/dist/PathTools/t/taint.t
++++ b/dist/PathTools/t/taint.t
+@@ -12,7 +12,7 @@ use Test::More;
+ BEGIN {
+     plan(
+         ${^TAINT}
+-        ? (tests => 17)
++        ? (tests => 21)
+         : (skip_all => "A perl without taint support")
+     );
+ }
+@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
+ 
+ # Previous versions of Cwd tainted $^O
+ is !tainted($^O), 1, "\$^O should not be tainted";
++
++{
++    # [perl #126862] canonpath() loses taint
++    my $tainted = substr($ENV{PATH}, 0, 0);
++    # yes, getcwd()'s result should be tainted, and is tested above
++    # but be sure
++    ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
++        "canonpath() keeps taint on non-empty string";
++    ok tainted(File::Spec->canonpath($tainted)),
++        "canonpath() keeps taint on empty string";
++
++    (Cwd::getcwd() =~ /^(.*)/);
++    my $untainted = $1;
++    ok !tainted($untainted), "make sure our untainted value is untainted";
++    ok !tainted(File::Spec->canonpath($untainted)),
++        "canonpath() doesn't add taint to untainted string";
++}
+-- 
+2.8.1
+

meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch

@@ -0,0 +1,352 @@
+From 9987be3d24286d96d9dccec0433253ee8ad894b4 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 21 Jun 2016 10:02:02 +1000
+Subject: [PATCH] perl: fix CVE-2016-1238
+
+(perl #127834) remove . from the end of @INC if complex modules are loaded
+
+While currently Encode and Storable are know to attempt to load modules
+not included in the core, updates to other modules may lead to those
+also attempting to load new modules, so be safe and remove . for those
+as well.
+
+Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab
+
+Upstream-Status: Backport
+CVE: CVE-2016-1238
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ cpan/Archive-Tar/bin/ptar                 | 1 +
+ cpan/Archive-Tar/bin/ptardiff             | 1 +
+ cpan/Archive-Tar/bin/ptargrep             | 1 +
+ cpan/CPAN/scripts/cpan                    | 1 +
+ cpan/Digest-SHA/shasum                    | 1 +
+ cpan/Encode/bin/enc2xs                    | 1 +
+ cpan/Encode/bin/encguess                  | 1 +
+ cpan/Encode/bin/piconv                    | 1 +
+ cpan/Encode/bin/ucmlint                   | 1 +
+ cpan/Encode/bin/unidump                   | 1 +
+ cpan/ExtUtils-MakeMaker/bin/instmodsh     | 1 +
+ cpan/IO-Compress/bin/zipdetails           | 1 +
+ cpan/JSON-PP/bin/json_pp                  | 1 +
+ cpan/Test-Harness/bin/prove               | 1 +
+ dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp | 1 +
+ dist/Module-CoreList/corelist             | 1 +
+ ext/Pod-Html/bin/pod2html                 | 1 +
+ utils/c2ph.PL                             | 1 +
+ utils/h2ph.PL                             | 2 ++
+ utils/h2xs.PL                             | 2 ++
+ utils/libnetcfg.PL                        | 1 +
+ utils/perlbug.PL                          | 1 +
+ utils/perldoc.PL                          | 5 ++++-
+ utils/perlivp.PL                          | 2 ++
+ utils/splain.PL                           | 6 ++++++
+ 25 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/cpan/Archive-Tar/bin/ptar b/cpan/Archive-Tar/bin/ptar
+index 0eaffa7..9dc6402 100644
+--- a/cpan/Archive-Tar/bin/ptar
++++ b/cpan/Archive-Tar/bin/ptar
+@@ -1,6 +1,7 @@
+ #!/usr/bin/perl
+ use strict;
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use File::Find;
+ use Getopt::Std;
+ use Archive::Tar;
+diff --git a/cpan/Archive-Tar/bin/ptardiff b/cpan/Archive-Tar/bin/ptardiff
+index 66bd859..4668fa6 100644
+--- a/cpan/Archive-Tar/bin/ptardiff
++++ b/cpan/Archive-Tar/bin/ptardiff
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Archive::Tar;
+ use Getopt::Std;
+diff --git a/cpan/Archive-Tar/bin/ptargrep b/cpan/Archive-Tar/bin/ptargrep
+index 1a320f1..8dc6b4f 100644
+--- a/cpan/Archive-Tar/bin/ptargrep
++++ b/cpan/Archive-Tar/bin/ptargrep
+@@ -4,6 +4,7 @@
+ # archive.  See 'ptargrep --help' for more documentation.
+ #
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ 
+diff --git a/cpan/CPAN/scripts/cpan b/cpan/CPAN/scripts/cpan
+index 5f4320e..ccba47e 100644
+--- a/cpan/CPAN/scripts/cpan
++++ b/cpan/CPAN/scripts/cpan
+@@ -1,5 +1,6 @@
+ #!/usr/local/bin/perl
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use vars qw($VERSION);
+ 
+diff --git a/cpan/Digest-SHA/shasum b/cpan/Digest-SHA/shasum
+index 14ddd60..62a2b0e 100644
+--- a/cpan/Digest-SHA/shasum
++++ b/cpan/Digest-SHA/shasum
+@@ -13,6 +13,7 @@
+ 	## "-0" option for reading bit strings, and
+ 	## "-p" option for portable digests (to be deprecated).
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ use Fcntl;
+diff --git a/cpan/Encode/bin/enc2xs b/cpan/Encode/bin/enc2xs
+index 4d64e38..473a15c 100644
+--- a/cpan/Encode/bin/enc2xs
++++ b/cpan/Encode/bin/enc2xs
+@@ -4,6 +4,7 @@ BEGIN {
+     # with $ENV{PERL_CORE} set
+     # In case we need it in future...
+     require Config; import Config;
++    pop @INC if $INC[-1] eq '.';
+ }
+ use strict;
+ use warnings;
+diff --git a/cpan/Encode/bin/encguess b/cpan/Encode/bin/encguess
+index 5d7ac80..0be5c7c 100644
+--- a/cpan/Encode/bin/encguess
++++ b/cpan/Encode/bin/encguess
+@@ -1,5 +1,6 @@
+ #!./perl
+ use 5.008001;
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ use Encode;
+diff --git a/cpan/Encode/bin/piconv b/cpan/Encode/bin/piconv
+index c1dad9e..60b2a59 100644
+--- a/cpan/Encode/bin/piconv
++++ b/cpan/Encode/bin/piconv
+@@ -1,6 +1,7 @@
+ #!./perl
+ # $Id: piconv,v 2.7 2014/05/31 09:48:48 dankogai Exp $
+ #
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use 5.8.0;
+ use strict;
+ use Encode ;
+diff --git a/cpan/Encode/bin/ucmlint b/cpan/Encode/bin/ucmlint
+index 622376d..25e0d67 100644
+--- a/cpan/Encode/bin/ucmlint
++++ b/cpan/Encode/bin/ucmlint
+@@ -3,6 +3,7 @@
+ # $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $
+ #
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ our  $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
+ 
+diff --git a/cpan/Encode/bin/unidump b/cpan/Encode/bin/unidump
+index ae0da30..f190827 100644
+--- a/cpan/Encode/bin/unidump
++++ b/cpan/Encode/bin/unidump
+@@ -1,5 +1,6 @@
+ #!./perl
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Encode;
+ use Getopt::Std;
+diff --git a/cpan/ExtUtils-MakeMaker/bin/instmodsh b/cpan/ExtUtils-MakeMaker/bin/instmodsh
+index e551434..b3b109f 100644
+--- a/cpan/ExtUtils-MakeMaker/bin/instmodsh
++++ b/cpan/ExtUtils-MakeMaker/bin/instmodsh
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl -w
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use IO::File;
+ use ExtUtils::Packlist;
+diff --git a/cpan/IO-Compress/bin/zipdetails b/cpan/IO-Compress/bin/zipdetails
+index 0249850..1b9c70a 100644
+--- a/cpan/IO-Compress/bin/zipdetails
++++ b/cpan/IO-Compress/bin/zipdetails
+@@ -5,6 +5,7 @@
+ # Display info on the contents of a Zip file
+ #
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings ;
+ 
+diff --git a/cpan/JSON-PP/bin/json_pp b/cpan/JSON-PP/bin/json_pp
+index df9d243..896cd2f 100644
+--- a/cpan/JSON-PP/bin/json_pp
++++ b/cpan/JSON-PP/bin/json_pp
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Getopt::Long;
+ 
+diff --git a/cpan/Test-Harness/bin/prove b/cpan/Test-Harness/bin/prove
+index 6637cc4..d71b238 100644
+--- a/cpan/Test-Harness/bin/prove
++++ b/cpan/Test-Harness/bin/prove
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl -w
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ use App::Prove;
+diff --git a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
+index e2ac71a..d596cdf 100644
+--- a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
++++ b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
+@@ -1,5 +1,6 @@
+ #!perl
+ use 5.006;
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ eval {
+   require ExtUtils::ParseXS;
+diff --git a/dist/Module-CoreList/corelist b/dist/Module-CoreList/corelist
+index aa4a945..bbe61cc 100644
+--- a/dist/Module-CoreList/corelist
++++ b/dist/Module-CoreList/corelist
+@@ -130,6 +130,7 @@ requested perl versions.
+ 
+ =cut
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use Module::CoreList;
+ use Getopt::Long qw(:config no_ignore_case);
+ use Pod::Usage;
+diff --git a/ext/Pod-Html/bin/pod2html b/ext/Pod-Html/bin/pod2html
+index b022859..7d1d232 100644
+--- a/ext/Pod-Html/bin/pod2html
++++ b/ext/Pod-Html/bin/pod2html
+@@ -216,6 +216,7 @@ This program is distributed under the Artistic License.
+ 
+ =cut
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use Pod::Html;
+ 
+ pod2html @ARGV;
+diff --git a/utils/c2ph.PL b/utils/c2ph.PL
+index 13389ec..cef0b5c 100644
+--- a/utils/c2ph.PL
++++ b/utils/c2ph.PL
+@@ -280,6 +280,7 @@ Anyway, here it is.  Should run on perl v4 or greater.  Maybe less.
+ 
+ $RCSID = '$Id: c2ph,v 1.7 95/10/28 10:41:47 tchrist Exp Locker: tchrist $';
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use File::Temp;
+ 
+ ######################################################################
+diff --git a/utils/h2ph.PL b/utils/h2ph.PL
+index 55c1f72..300b756 100644
+--- a/utils/h2ph.PL
++++ b/utils/h2ph.PL
+@@ -36,6 +36,8 @@ $Config{startperl}
+ 
+ print OUT <<'!NO!SUBS!';
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ use strict;
+ 
+ use Config;
+diff --git a/utils/h2xs.PL b/utils/h2xs.PL
+index 268f680..f95ee0c 100644
+--- a/utils/h2xs.PL
++++ b/utils/h2xs.PL
+@@ -35,6 +35,8 @@ $Config{startperl}
+ 
+ print OUT <<'!NO!SUBS!';
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ use warnings;
+ 
+ =head1 NAME
+diff --git a/utils/libnetcfg.PL b/utils/libnetcfg.PL
+index 59a2de8..26d2f99 100644
+--- a/utils/libnetcfg.PL
++++ b/utils/libnetcfg.PL
+@@ -97,6 +97,7 @@ Jarkko Hietaniemi, conversion into libnetcfg for inclusion into Perl 5.8.
+ 
+ # $Id: Configure,v 1.8 1997/03/04 09:22:32 gbarr Exp $
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use IO::File;
+ use Getopt::Std;
+diff --git a/utils/perlbug.PL b/utils/perlbug.PL
+index 885785a..ae8c343 100644
+--- a/utils/perlbug.PL
++++ b/utils/perlbug.PL
+@@ -57,6 +57,7 @@ print OUT <<'!NO!SUBS!';
+ my @patches = Config::local_patches();
+ my $patch_tags = join "", map /(\S+)/ ? "+$1 " : (), @patches;
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use warnings;
+ use strict;
+ use Config;
+diff --git a/utils/perldoc.PL b/utils/perldoc.PL
+index e201de9..cd60bd4 100644
+--- a/utils/perldoc.PL
++++ b/utils/perldoc.PL
+@@ -44,7 +44,10 @@ $Config{startperl}
+ # This "$file" file was generated by "$0"
+ 
+ require 5;
+-BEGIN { \$^W = 1 if \$ENV{'PERLDOCDEBUG'} }
++BEGIN {
++    \$^W = 1 if \$ENV{'PERLDOCDEBUG'};
++    pop \@INC if \$INC[-1] eq '.';
++}
+ use Pod::Perldoc;
+ exit( Pod::Perldoc->run() );
+ 
+diff --git a/utils/perlivp.PL b/utils/perlivp.PL
+index cc49f96..696a44e 100644
+--- a/utils/perlivp.PL
++++ b/utils/perlivp.PL
+@@ -39,6 +39,8 @@ print OUT "\n# perlivp $^V\n";
+ 
+ print OUT <<'!NO!SUBS!';
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ sub usage {
+     warn "@_\n" if @_;
+     print << "    EOUSAGE";
+diff --git a/utils/splain.PL b/utils/splain.PL
+index 9c70b61..cae84a0 100644
+--- a/utils/splain.PL
++++ b/utils/splain.PL
+@@ -38,6 +38,12 @@ $Config{startperl}
+ 	if \$running_under_some_shell;
+ !GROK!THIS!
+ 
++print <<'!NO!SUBS!';
++
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
++!NO!SUBS!
++
+ while (<IN>) {
+     print OUT unless /^package diagnostics/;
+ }
+-- 
+2.8.1
+

meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch

@@ -0,0 +1,113 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2016-2381 from
+
+http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 27 Jan 2016 00:52:15 +0000 (+1100)
+Subject: remove duplicate environment variables from environ
+X-Git-Tag: v5.23.9~170
+X-Git-Url: http://perl5.git.perl.org/perl.git/commitdiff_plain/ae37b791a73a9e78dedb89fb2429d2628cf58076
+
+remove duplicate environment variables from environ
+
+If we see duplicate environment variables while iterating over
+environ[]:
+
+a) make sure we use the same value in %ENV that getenv() returns.
+
+Previously on a duplicate, %ENV would have the last entry for the name
+from environ[], but a typical getenv() would return the first entry.
+
+Rather than assuming all getenv() implementations return the first entry
+explicitly call getenv() to ensure they agree.
+
+b) remove duplicate entries from environ
+
+Previously if there was a duplicate definition for a name in environ[]
+setting that name in %ENV could result in an unsafe value being passed
+to a child process, so ensure environ[] has no duplicates.
+
+CVE-2016-2381
+---
+
+diff --git a/perl.c b/perl.c
+index 4a324c6..5c71fd0 100644
+--- a/perl.c
++++ b/perl.c
+@@ -4329,23 +4329,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
+ 	}
+ 	if (env) {
+ 	  char *s, *old_var;
++          STRLEN nlen;
+ 	  SV *sv;
++          HV *dups = newHV();
++
+ 	  for (; *env; env++) {
+ 	    old_var = *env;
+ 
+ 	    if (!(s = strchr(old_var,'=')) || s == old_var)
+ 		continue;
++            nlen = s - old_var;
+ 
+ #if defined(MSDOS) && !defined(DJGPP)
+ 	    *s = '\0';
+ 	    (void)strupr(old_var);
+ 	    *s = '=';
+ #endif
+-	    sv = newSVpv(s+1, 0);
+-	    (void)hv_store(hv, old_var, s - old_var, sv, 0);
++            if (hv_exists(hv, old_var, nlen)) {
++                const char *name = savepvn(old_var, nlen);
++
++                /* make sure we use the same value as getenv(), otherwise code that
++                   uses getenv() (like setlocale()) might see a different value to %ENV
++                 */
++                sv = newSVpv(PerlEnv_getenv(name), 0);
++
++                /* keep a count of the dups of this name so we can de-dup environ later */
++                if (hv_exists(dups, name, nlen))
++                    ++SvIVX(*hv_fetch(dups, name, nlen, 0));
++                else
++                    (void)hv_store(dups, name, nlen, newSViv(1), 0);
++
++                Safefree(name);
++            }
++            else {
++                sv = newSVpv(s+1, 0);
++            }
++	    (void)hv_store(hv, old_var, nlen, sv, 0);
+ 	    if (env_is_not_environ)
+ 	        mg_set(sv);
+ 	  }
++          if (HvKEYS(dups)) {
++              /* environ has some duplicate definitions, remove them */
++              HE *entry;
++              hv_iterinit(dups);
++              while ((entry = hv_iternext_flags(dups, 0))) {
++                  STRLEN nlen;
++                  const char *name = HePV(entry, nlen);
++                  IV count = SvIV(HeVAL(entry));
++                  IV i;
++                  SV **valp = hv_fetch(hv, name, nlen, 0);
++
++                  assert(valp);
++
++                  /* try to remove any duplicate names, depending on the
++                   * implementation used in my_setenv() the iteration might
++                   * not be necessary, but let's be safe.
++                   */
++                  for (i = 0; i < count; ++i)
++                      my_setenv(name, 0);
++
++                  /* and set it back to the value we set $ENV{name} to */
++                  my_setenv(name, SvPV_nolen(*valp));
++              }
++          }
++          SvREFCNT_dec_NN(dups);
+       }
+ #endif /* USE_ENVIRON_ARRAY */
+ #endif /* !PERL_MICRO */

meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch

@@ -0,0 +1,128 @@
+From 7cedaa8bc2ca9e63369d0e2d4c4c23af9febb93a Mon Sep 17 00:00:00 2001
+From: Father Chrysostomos <sprout@cpan.org>
+Date: Sat, 2 Jul 2016 22:56:51 -0700
+Subject: [PATCH] perl: fix CVE-2016-6185
+MIME-Version: 1.0
+
+Don't let XSLoader load relative paths
+
+[rt.cpan.org #115808]
+
+The logic in XSLoader for determining the library goes like this:
+
+    my $c = () = split(/::/,$caller,-1);
+    $modlibname =~ s,[\\/][^\\/]+$,, while $c--;    # Q&D basename
+    my $file = "$modlibname/auto/$modpname/$modfname.bundle";
+
+(That last line varies by platform.)
+
+$caller is the calling package.  $modlibname is the calling file.  It
+removes as many path segments from $modlibname as there are segments
+in $caller.  So if you have Foo/Bar/XS.pm calling XSLoader from the
+Foo::Bar package, the $modlibname will end up containing the path in
+@INC where XS.pm was found, followed by "/Foo".  Usually the fallback
+to Dynaloader::bootstrap_inherit, which does an @INC search, makes
+things Just Work.
+
+But if our hypothetical Foo/Bar/XS.pm actually calls
+XSLoader::load from inside a string eval, then path ends up being
+"(eval 1)/auto/Foo/Bar/Bar.bundle".
+
+So if someone creates a directory named '(eval 1)' with a naughty
+binary file in it, it will be loaded if a script using Foo::Bar is run
+in the parent directory.
+
+This commit makes XSLoader fall back to Dynaloader's @INC search if
+the calling file has a relative path that is not found in @INC.
+
+Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
+
+Upstream-Status: Backport
+CVE: CVE-2016-6185
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ dist/XSLoader/XSLoader_pm.PL | 25 +++++++++++++++++++++++++
+ dist/XSLoader/t/XSLoader.t   | 27 ++++++++++++++++++++++++++-
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/dist/XSLoader/XSLoader_pm.PL b/dist/XSLoader/XSLoader_pm.PL
+index 668411d..778e46b 100644
+--- a/dist/XSLoader/XSLoader_pm.PL
++++ b/dist/XSLoader/XSLoader_pm.PL
+@@ -104,6 +104,31 @@ print OUT <<'EOT';
+     my $modpname = join('/',@modparts);
+     my $c = () = split(/::/,$caller,-1);
+     $modlibname =~ s,[\\/][^\\/]+$,, while $c--;    # Q&D basename
++    # Does this look like a relative path?
++    if ($modlibname !~ m|^[\\/]|) {
++        # Someone may have a #line directive that changes the file name, or
++        # may be calling XSLoader::load from inside a string eval.  We cer-
++        # tainly do not want to go loading some code that is not in @INC,
++        # as it could be untrusted.
++        #
++        # We could just fall back to DynaLoader here, but then the rest of
++        # this function would go untested in the perl core, since all @INC
++        # paths are relative during testing.  That would be a time bomb
++        # waiting to happen, since bugs could be introduced into the code.
++        #
++        # So look through @INC to see if $modlibname is in it.  A rela-
++        # tive $modlibname is not a common occurrence, so this block is
++        # not hot code.
++        FOUND: {
++            for (@INC) {
++                if ($_ eq $modlibname) {
++                    last FOUND;
++                }
++            }
++            # Not found.  Fall back to DynaLoader.
++            goto \&XSLoader::bootstrap_inherit;
++        }
++    }
+ EOT
+ 
+ my $dl_dlext = quotemeta($Config::Config{'dlext'});
+diff --git a/dist/XSLoader/t/XSLoader.t b/dist/XSLoader/t/XSLoader.t
+index 2ff11fe..1e86faa 100644
+--- a/dist/XSLoader/t/XSLoader.t
++++ b/dist/XSLoader/t/XSLoader.t
+@@ -33,7 +33,7 @@ my %modules = (
+     'Time::HiRes'=> q| ::can_ok( 'Time::HiRes' => 'usleep'  ) |,  # 5.7.3
+ );
+ 
+-plan tests => keys(%modules) * 3 + 9;
++plan tests => keys(%modules) * 3 + 10;
+ 
+ # Try to load the module
+ use_ok( 'XSLoader' );
+@@ -125,3 +125,28 @@ XSLoader::load("Devel::Peek");
+ EOS
+     or ::diag $@;
+ }
++
++SKIP: {
++  skip "File::Path not available", 1
++    unless eval { require File::Path };
++  my $name = "phooo$$";
++  File::Path::make_path("$name/auto/Foo/Bar");
++  open my $fh,
++    ">$name/auto/Foo/Bar/Bar.$Config::Config{'dlext'}";
++  close $fh;
++  my $fell_back;
++  local *XSLoader::bootstrap_inherit = sub {
++    $fell_back++;
++    # Break out of the calling subs
++    goto the_test;
++  };
++  eval <<END;
++#line 1 $name
++package Foo::Bar;
++XSLoader::load("Foo::Bar");
++END
++ the_test:
++  ok $fell_back,
++    'XSLoader will not load relative paths based on (caller)[1]';
++  File::Path::remove_tree($name);
++}
+-- 
+2.8.1
+

meta/recipes-devtools/perl/perl_5.22.0.bb

@@ -34,6 +34,10 @@ SRC_URI += " \
 	file://debian/cpan-missing-site-dirs.diff \
 	file://debian/fixes/memoize_storable_nstore.diff \
 	file://debian/regen-skip.diff \
+	file://perl-fix-CVE-2016-2381.patch \
+        file://perl-fix-CVE-2016-6185.patch \
+        file://perl-fix-CVE-2015-8607.patch \
+        file://perl-fix-CVE-2016-1238.patch \
 "
 
 SRC_URI += " \

meta/recipes-devtools/python/python/CVE-2016-0772.patch

@@ -0,0 +1,42 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1465676202 25200
+# Node ID b3ce713fb9beebfff9848cefa0acbd59acc68fe9
+# Parent  3017e41b0c99d24e88faf1de447f230e2f64d122
+raise an error when STARTTLS fails
+
+Upstream-status: Backport
+CVE: CVE-2016-0772
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: Python-2.7.9/Lib/smtplib.py
+===================================================================
+--- Python-2.7.9.orig/Lib/smtplib.py
++++ Python-2.7.9/Lib/smtplib.py
+@@ -656,6 +656,11 @@ class SMTP:
+             self.ehlo_resp = None
+             self.esmtp_features = {}
+             self.does_esmtp = 0
++        else:
++            # RFC 3207:
++            # 501 Syntax error (no parameters allowed)
++            # 454 TLS not available due to temporary reason
++            raise SMTPResponseException(resp, reply)
+         return (resp, reply)
+ 
+     def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
+Index: Python-2.7.9/Misc/NEWS
+===================================================================
+--- Python-2.7.9.orig/Misc/NEWS
++++ Python-2.7.9/Misc/NEWS
+@@ -5136,6 +5136,9 @@ Library
+ 
+ - Issue #8140: Extend compileall to compile single files.  Add -i option.
+ 
++- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772.  Reported by Team
++  Oststrom
++
+ - Issue #7356: ctypes.util: Make parsing of ldconfig output independent of the
+   locale.
+ 

meta/recipes-devtools/python/python/CVE-2016-1000110.patch

@@ -0,0 +1,145 @@
+
+# HG changeset patch
+# User Senthil Kumaran <senthil@uthcode.com>
+# Date 1469882993 25200
+# Node ID ba915d561667fa0584ad89f8d5a844fd43803c0d
+# Parent  c8c1ea94379a7706638f1571988576d504d7fc98
+Prevent HTTPoxy attack (CVE-2016-1000110)
+
+Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
+indicates that the script is in CGI mode.
+
+Issue reported and patch contributed by Rémi Rampin.
+
+Upstream-Status: Backport
+CVE: CVE-2016-1000110
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: Python-2.7.9/Doc/howto/urllib2.rst
+===================================================================
+--- Python-2.7.9.orig/Doc/howto/urllib2.rst
++++ Python-2.7.9/Doc/howto/urllib2.rst
+@@ -523,6 +523,11 @@ setting up a `Basic Authentication`_ han
+     through a proxy.  However, this can be enabled by extending urllib2 as
+     shown in the recipe [#]_.
+ 
++.. note::
++
++    ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
++    the documentation on :func:`~urllib.getproxies`.
++
+ 
+ Sockets and Layers
+ ==================
+Index: Python-2.7.9/Doc/library/urllib.rst
+===================================================================
+--- Python-2.7.9.orig/Doc/library/urllib.rst
++++ Python-2.7.9/Doc/library/urllib.rst
+@@ -288,6 +288,16 @@ Utility functions
+    find it, looks for proxy information from Mac OSX System Configuration for
+    Mac OS X and Windows Systems Registry for Windows.
+ 
++    .. note::
++
++        If the environment variable ``REQUEST_METHOD`` is set, which usually
++        indicates your script is running in a CGI environment, the environment
++        variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
++        because that variable can be injected by a client using the "Proxy:"
++        HTTP header. If you need to use an HTTP proxy in a CGI environment,
++        either use ``ProxyHandler`` explicitly, or make sure the variable name
++        is in lowercase (or at least the ``_proxy`` suffix).
++
+ .. note::
+     urllib also exposes certain utility functions like splittype, splithost and
+     others parsing url into various components. But it is recommended to use
+Index: Python-2.7.9/Doc/library/urllib2.rst
+===================================================================
+--- Python-2.7.9.orig/Doc/library/urllib2.rst
++++ Python-2.7.9/Doc/library/urllib2.rst
+@@ -224,6 +224,11 @@ The following classes are provided:
+ 
+    To disable autodetected proxy pass an empty dictionary.
+ 
++    .. note::
++
++       ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
++       see the documentation on :func:`~urllib.getproxies`.
++
+ 
+ .. class:: HTTPPasswordMgr()
+ 
+Index: Python-2.7.9/Misc/ACKS
+===================================================================
+--- Python-2.7.9.orig/Misc/ACKS
++++ Python-2.7.9/Misc/ACKS
+@@ -1090,6 +1090,7 @@ Jérôme Radix
+ Burton Radons
+ Jeff Ramnani
+ Brodie Rao
++Rémi Rampin
+ Senko Rasic
+ Antti Rasinen
+ Nikolaus Rath
+Index: Python-2.7.9/Lib/urllib.py
+===================================================================
+--- Python-2.7.9.orig/Lib/urllib.py
++++ Python-2.7.9/Lib/urllib.py
+@@ -1373,11 +1373,20 @@ def getproxies_environment():
+     [Fancy]URLopener constructor.
+ 
+     """
++    # Get all variables
+     proxies = {}
+     for name, value in os.environ.items():
+         name = name.lower()
+         if value and name[-6:] == '_proxy':
+             proxies[name[:-6]] = value
++
++    # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
++    # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
++    # header from the client
++    # If "proxy" is lowercase, it will still be used thanks to the next block
++    if 'REQUEST_METHOD' in os.environ:
++        proxies.pop('http', None)
++
+     return proxies
+ 
+ def proxy_bypass_environment(host):
+Index: Python-2.7.9/Lib/test/test_urllib.py
+===================================================================
+--- Python-2.7.9.orig/Lib/test/test_urllib.py
++++ Python-2.7.9/Lib/test/test_urllib.py
+@@ -161,6 +161,18 @@ class ProxyTests(unittest.TestCase):
+         self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
+         self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com'))
+ 
++    def test_proxy_cgi_ignore(self):
++        try:
++            self.env.set('HTTP_PROXY', 'http://somewhere:3128')
++            proxies = urllib.getproxies_environment()
++            self.assertEqual('http://somewhere:3128', proxies['http'])
++            self.env.set('REQUEST_METHOD', 'GET')
++            proxies = urllib.getproxies_environment()
++            self.assertNotIn('http', proxies)
++        finally:
++            self.env.unset('REQUEST_METHOD')
++            self.env.unset('HTTP_PROXY')
++
+ 
+ class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin):
+     """Test urlopen() opening a fake http connection."""
+Index: Python-2.7.9/Misc/NEWS
+===================================================================
+--- Python-2.7.9.orig/Misc/NEWS
++++ Python-2.7.9/Misc/NEWS
+@@ -13,6 +13,10 @@ What's New in Python 2.7.9?
+ Library
+ -------
+ 
++- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
++  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
++  that the script is in CGI mode.
++
+ - Issue #22928: Disabled HTTP header injections in httplib.
+   Original patch by Demian Brecht.
+ 

meta/recipes-devtools/python/python/CVE-2016-5636.patch

@@ -0,0 +1,42 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1453357424 28800
+# Node ID 985fc64c60d6adffd1138b6cc46df388ca91ca5d
+# Parent  7ec954b9fc54448a35b56d271340ba109eb381b9
+prevent buffer overflow in get_data (closes #26171)
+
+Upstream-Status: Backport
+CVE: CVE-2016-5636
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: Python-2.7.9/Misc/NEWS
+===================================================================
+--- Python-2.7.9.orig/Misc/NEWS
++++ Python-2.7.9/Misc/NEWS
+@@ -7,6 +7,9 @@ What's New in Python 2.7.9?
+ 
+ *Release date: 2014-12-10*
+ 
++- Issue #26171: Fix possible integer overflow and heap corruption in
++  zipimporter.get_data().
++
+ Library
+ -------
+ 
+Index: Python-2.7.9/Modules/zipimport.c
+===================================================================
+--- Python-2.7.9.orig/Modules/zipimport.c
++++ Python-2.7.9/Modules/zipimport.c
+@@ -895,6 +895,11 @@ get_data(char *archive, PyObject *toc_en
+         PyMarshal_ReadShortFromFile(fp);        /* local header size */
+     file_offset += l;           /* Start of file data */
+ 
++    if (data_size > LONG_MAX - 1) {
++        fclose(fp);
++        PyErr_NoMemory();
++        return NULL;
++    }
+     raw_data = PyString_FromStringAndSize((char *)NULL, compress == 0 ?
+                                           data_size : data_size + 1);
+     if (raw_data == NULL) {

meta/recipes-devtools/python/python/CVE-2016-5699.patch

@@ -0,0 +1,162 @@
+
+# HG changeset patch
+# User Serhiy Storchaka <storchaka@gmail.com>
+# Date 1426151571 -7200
+# Node ID 1c45047c51020d46246385949d5c02e026d47320
+# Parent  36bd5add973285cce9d3ec7e068bbb20c9080565
+Issue #22928: Disabled HTTP header injections in httplib.
+Original patch by Demian Brecht.
+
+Index: Python-2.7.9/Lib/httplib.py
+===================================================================
+--- Python-2.7.9.orig/Lib/httplib.py
++++ Python-2.7.9/Lib/httplib.py
+@@ -68,6 +68,7 @@ Req-sent-unread-response       _CS_REQ_S
+ 
+ from array import array
+ import os
++import re
+ import socket
+ from sys import py3kwarning
+ from urlparse import urlsplit
+@@ -218,6 +219,34 @@ _MAXLINE = 65536
+ # maximum amount of headers accepted
+ _MAXHEADERS = 100
+ 
++# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
++#
++# VCHAR          = %x21-7E
++# obs-text       = %x80-FF
++# header-field   = field-name ":" OWS field-value OWS
++# field-name     = token
++# field-value    = *( field-content / obs-fold )
++# field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
++# field-vchar    = VCHAR / obs-text
++#
++# obs-fold       = CRLF 1*( SP / HTAB )
++#                ; obsolete line folding
++#                ; see Section 3.2.4
++
++# token          = 1*tchar
++#
++# tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
++#                / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
++#                / DIGIT / ALPHA
++#                ; any VCHAR, except delimiters
++#
++# VCHAR defined in http://tools.ietf.org/html/rfc5234#appendix-B.1
++
++# the patterns for both name and value are more leniant than RFC
++# definitions to allow for backwards compatibility
++_is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
++_is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
++
+ 
+ class HTTPMessage(mimetools.Message):
+ 
+@@ -978,7 +1007,16 @@ class HTTPConnection:
+         if self.__state != _CS_REQ_STARTED:
+             raise CannotSendHeader()
+ 
+-        hdr = '%s: %s' % (header, '\r\n\t'.join([str(v) for v in values]))
++        header = '%s' % header
++        if not _is_legal_header_name(header):
++            raise ValueError('Invalid header name %r' % (header,))
++
++        values = [str(v) for v in values]
++        for one_value in values:
++            if _is_illegal_header_value(one_value):
++                raise ValueError('Invalid header value %r' % (one_value,))
++
++        hdr = '%s: %s' % (header, '\r\n\t'.join(values))
+         self._output(hdr)
+ 
+     def endheaders(self, message_body=None):
+Index: Python-2.7.9/Lib/test/test_httplib.py
+===================================================================
+--- Python-2.7.9.orig/Lib/test/test_httplib.py
++++ Python-2.7.9/Lib/test/test_httplib.py
+@@ -138,6 +138,33 @@ class HeaderTests(TestCase):
+         conn.putheader('Content-length',42)
+         self.assertIn('Content-length: 42', conn._buffer)
+ 
++        conn.putheader('Foo', ' bar ')
++        self.assertIn(b'Foo:  bar ', conn._buffer)
++        conn.putheader('Bar', '\tbaz\t')
++        self.assertIn(b'Bar: \tbaz\t', conn._buffer)
++        conn.putheader('Authorization', 'Bearer mytoken')
++        self.assertIn(b'Authorization: Bearer mytoken', conn._buffer)
++        conn.putheader('IterHeader', 'IterA', 'IterB')
++        self.assertIn(b'IterHeader: IterA\r\n\tIterB', conn._buffer)
++        conn.putheader('LatinHeader', b'\xFF')
++        self.assertIn(b'LatinHeader: \xFF', conn._buffer)
++        conn.putheader('Utf8Header', b'\xc3\x80')
++        self.assertIn(b'Utf8Header: \xc3\x80', conn._buffer)
++        conn.putheader('C1-Control', b'next\x85line')
++        self.assertIn(b'C1-Control: next\x85line', conn._buffer)
++        conn.putheader('Embedded-Fold-Space', 'is\r\n allowed')
++        self.assertIn(b'Embedded-Fold-Space: is\r\n allowed', conn._buffer)
++        conn.putheader('Embedded-Fold-Tab', 'is\r\n\tallowed')
++        self.assertIn(b'Embedded-Fold-Tab: is\r\n\tallowed', conn._buffer)
++        conn.putheader('Key Space', 'value')
++        self.assertIn(b'Key Space: value', conn._buffer)
++        conn.putheader('KeySpace ', 'value')
++        self.assertIn(b'KeySpace : value', conn._buffer)
++        conn.putheader(b'Nonbreak\xa0Space', 'value')
++        self.assertIn(b'Nonbreak\xa0Space: value', conn._buffer)
++        conn.putheader(b'\xa0NonbreakSpace', 'value')
++        self.assertIn(b'\xa0NonbreakSpace: value', conn._buffer)
++
+     def test_ipv6host_header(self):
+         # Default host header on IPv6 transaction should wrapped by [] if
+         # its actual IPv6 address
+@@ -157,6 +184,35 @@ class HeaderTests(TestCase):
+         conn.request('GET', '/foo')
+         self.assertTrue(sock.data.startswith(expected))
+ 
++    def test_invalid_headers(self):
++        conn = httplib.HTTPConnection('example.com')
++        conn.sock = FakeSocket('')
++        conn.putrequest('GET', '/')
++
++        # http://tools.ietf.org/html/rfc7230#section-3.2.4, whitespace is no
++        # longer allowed in header names
++        cases = (
++            (b'Invalid\r\nName', b'ValidValue'),
++            (b'Invalid\rName', b'ValidValue'),
++            (b'Invalid\nName', b'ValidValue'),
++            (b'\r\nInvalidName', b'ValidValue'),
++            (b'\rInvalidName', b'ValidValue'),
++            (b'\nInvalidName', b'ValidValue'),
++            (b' InvalidName', b'ValidValue'),
++            (b'\tInvalidName', b'ValidValue'),
++            (b'Invalid:Name', b'ValidValue'),
++            (b':InvalidName', b'ValidValue'),
++            (b'ValidName', b'Invalid\r\nValue'),
++            (b'ValidName', b'Invalid\rValue'),
++            (b'ValidName', b'Invalid\nValue'),
++            (b'ValidName', b'InvalidValue\r\n'),
++            (b'ValidName', b'InvalidValue\r'),
++            (b'ValidName', b'InvalidValue\n'),
++        )
++        for name, value in cases:
++            with self.assertRaisesRegexp(ValueError, 'Invalid header'):
++                conn.putheader(name, value)
++
+ 
+ class BasicTest(TestCase):
+     def test_status_lines(self):
+Index: Python-2.7.9/Misc/NEWS
+===================================================================
+--- Python-2.7.9.orig/Misc/NEWS
++++ Python-2.7.9/Misc/NEWS
+@@ -13,6 +13,9 @@ What's New in Python 2.7.9?
+ Library
+ -------
+ 
++- Issue #22928: Disabled HTTP header injections in httplib.
++  Original patch by Demian Brecht.
++
+ - Issue #22959: Remove the *check_hostname* parameter of
+   httplib.HTTPSConnection. The *context* parameter should be used instead.
+ 

meta/recipes-devtools/python/python_2.7.9.bb

@@ -26,6 +26,10 @@ SRC_URI += "\
   file://parallel-makeinst-create-bindir.patch \
   file://use_sysroot_ncurses_instead_of_host.patch \
   file://avoid_parallel_make_races_on_pgen.patch \
+  file://CVE-2016-0772.patch \
+  file://CVE-2016-5636.patch \
+  file://CVE-2016-5699.patch \
+  file://CVE-2016-1000110.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"

meta/recipes-devtools/qemu/qemu/CVE-2016-3710.patch

@@ -0,0 +1,112 @@
+From 4f0323d26c8da08b7bcfdd4722a38711bd2f1a3b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 08:49:10 +0200
+Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710)
+
+vga allows banked access to video memory using the window at 0xa00000
+and it supports a different access modes with different address
+calculations.
+
+The VBE bochs extentions support banked access too, using the
+VBE_DISPI_INDEX_BANK register.  The code tries to take the different
+address calculations into account and applies different limits to
+VBE_DISPI_INDEX_BANK depending on the current access mode.
+
+Which is probably effective in stopping misprogramming by accident.
+But from a security point of view completely useless as an attacker
+can easily change access modes after setting the bank register.
+
+Drop the bogus check, add range checks to vga_mem_{readb,writeb}
+instead.
+
+Fixes: CVE-2016-3710
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-3710
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/display/vga.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 9f68394..442fee9 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -177,6 +177,7 @@ static void vga_update_memory_access(VGACommonState *s)
+             size = 0x8000;
+             break;
+         }
++        assert(offset + size <= s->vram_size);
+         memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram),
+                                  "vga.chain4", &s->vram, offset, size);
+         memory_region_add_subregion_overlap(s->legacy_address_space, base,
+@@ -714,11 +715,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+             vbe_fixup_regs(s);
+             break;
+         case VBE_DISPI_INDEX_BANK:
+-            if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+-              val &= (s->vbe_bank_mask >> 2);
+-            } else {
+-              val &= s->vbe_bank_mask;
+-            }
++            val &= s->vbe_bank_mask;
+             s->vbe_regs[s->vbe_index] = val;
+             s->bank_offset = (val << 16);
+             vga_update_memory_access(s);
+@@ -817,13 +814,21 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
+ 
+     if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+         /* chain 4 mode : simplest access */
++        assert(addr < s->vram_size);
+         ret = s->vram_ptr[addr];
+     } else if (s->gr[VGA_GFX_MODE] & 0x10) {
+         /* odd/even mode (aka text mode mapping) */
+         plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
+-        ret = s->vram_ptr[((addr & ~1) << 1) | plane];
++        addr = ((addr & ~1) << 1) | plane;
++        if (addr >= s->vram_size) {
++            return 0xff;
++        }
++        ret = s->vram_ptr[addr];
+     } else {
+         /* standard VGA latched access */
++        if (addr * sizeof(uint32_t) >= s->vram_size) {
++            return 0xff;
++        }
+         s->latch = ((uint32_t *)s->vram_ptr)[addr];
+ 
+         if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
+@@ -880,6 +885,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         plane = addr & 3;
+         mask = (1 << plane);
+         if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
++            assert(addr < s->vram_size);
+             s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+             printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -893,6 +899,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         mask = (1 << plane);
+         if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+             addr = ((addr & ~1) << 1) | plane;
++            if (addr >= s->vram_size) {
++                return;
++            }
+             s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+             printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr);
+@@ -966,6 +975,9 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+         mask = s->sr[VGA_SEQ_PLANE_WRITE];
+         s->plane_updated |= mask; /* only used to detect font change */
+         write_mask = mask16[mask];
++        if (addr * sizeof(uint32_t) >= s->vram_size) {
++            return;
++        }
+         ((uint32_t *)s->vram_ptr)[addr] =
+             (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) |
+             (val & write_mask);
+-- 
+2.7.4
+

meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p1.patch

@@ -0,0 +1,73 @@
+From 46aff2c7e91ef9f372ad38ba5e90c42b9b27ac75 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 14:11:34 +0200
+Subject: [PATCH 1/4] vga: add vbe_enabled() helper
+
+Makes code a bit easier to read.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-3712 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/vga.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 442fee9..cc1a682 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -140,6 +140,11 @@ static uint32_t expand4[256];
+ static uint16_t expand2[256];
+ static uint8_t expand4to8[16];
+ 
++static inline bool vbe_enabled(VGACommonState *s)
++{
++    return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
++}
++
+ static void vga_update_memory_access(VGACommonState *s)
+ {
+     hwaddr base, offset, size;
+@@ -562,7 +567,7 @@ static void vbe_fixup_regs(VGACommonState *s)
+     uint16_t *r = s->vbe_regs;
+     uint32_t bits, linelength, maxy, offset;
+ 
+-    if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
++    if (!vbe_enabled(s)) {
+         /* vbe is turned off -- nothing to do */
+         return;
+     }
+@@ -1056,7 +1061,7 @@ static void vga_get_offsets(VGACommonState *s,
+ {
+     uint32_t start_addr, line_offset, line_compare;
+ 
+-    if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++    if (vbe_enabled(s)) {
+         line_offset = s->vbe_line_offset;
+         start_addr = s->vbe_start_addr;
+         line_compare = 65535;
+@@ -1381,7 +1386,7 @@ static int vga_get_bpp(VGACommonState *s)
+ {
+     int ret;
+ 
+-    if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++    if (vbe_enabled(s)) {
+         ret = s->vbe_regs[VBE_DISPI_INDEX_BPP];
+     } else {
+         ret = 0;
+@@ -1393,7 +1398,7 @@ static void vga_get_resolution(VGACommonState *s, int *pwidth, int *pheight)
+ {
+     int width, height;
+ 
+-    if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) {
++    if (vbe_enabled(s)) {
+         width = s->vbe_regs[VBE_DISPI_INDEX_XRES];
+         height = s->vbe_regs[VBE_DISPI_INDEX_YRES];
+     } else {
+-- 
+2.7.4
+

meta/recipes-devtools/qemu/qemu/CVE-2016-3712_p2.patch

@@ -0,0 +1,132 @@
+From 2f2f74e87c15e830f5a4dda7a166effcab5047ec Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 26 Apr 2016 15:24:18 +0200
+Subject: [PATCH 2/4] vga: factor out vga register setup
+
+When enabling vbe mode qemu will setup a bunch of vga registers to make
+sure the vga emulation operates in correct mode for a linear
+framebuffer.  Move that code to a separate function so we can call it
+from other places too.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-3712 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/vga.c | 78 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 44 insertions(+), 34 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index cc1a682..f1987e3 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -642,6 +642,49 @@ static void vbe_fixup_regs(VGACommonState *s)
+     s->vbe_start_addr  = offset / 4;
+ }
+ 
++/* we initialize the VGA graphic mode */
++static void vbe_update_vgaregs(VGACommonState *s)
++{
++    int h, shift_control;
++
++    if (!vbe_enabled(s)) {
++        /* vbe is turned off -- nothing to do */
++        return;
++    }
++
++    /* graphic mode + memory map 1 */
++    s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
++        VGA_GR06_GRAPHICS_MODE;
++    s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
++    s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
++    /* width */
++    s->cr[VGA_CRTC_H_DISP] =
++        (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
++    /* height (only meaningful if < 1024) */
++    h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
++    s->cr[VGA_CRTC_V_DISP_END] = h;
++    s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
++        ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
++    /* line compare to 1023 */
++    s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
++    s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
++    s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
++
++    if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
++        shift_control = 0;
++        s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
++    } else {
++        shift_control = 2;
++        /* set chain 4 mode */
++        s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
++        /* activate all planes */
++        s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
++    }
++    s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
++        (shift_control << 5);
++    s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
++}
++
+ static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr)
+ {
+     VGACommonState *s = opaque;
+@@ -728,52 +771,19 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
+         case VBE_DISPI_INDEX_ENABLE:
+             if ((val & VBE_DISPI_ENABLED) &&
+                 !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) {
+-                int h, shift_control;
+ 
+                 s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0;
+                 s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0;
+                 s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0;
+                 s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED;
+                 vbe_fixup_regs(s);
++                vbe_update_vgaregs(s);
+ 
+                 /* clear the screen */
+                 if (!(val & VBE_DISPI_NOCLEARMEM)) {
+                     memset(s->vram_ptr, 0,
+                            s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset);
+                 }
+-
+-                /* we initialize the VGA graphic mode */
+-                /* graphic mode + memory map 1 */
+-                s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
+-                    VGA_GR06_GRAPHICS_MODE;
+-                s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
+-                s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
+-                /* width */
+-                s->cr[VGA_CRTC_H_DISP] =
+-                    (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
+-                /* height (only meaningful if < 1024) */
+-                h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
+-                s->cr[VGA_CRTC_V_DISP_END] = h;
+-                s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
+-                    ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
+-                /* line compare to 1023 */
+-                s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
+-                s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
+-                s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
+-
+-                if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+-                    shift_control = 0;
+-                    s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+-                } else {
+-                    shift_control = 2;
+-                    /* set chain 4 mode */
+-                    s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+-                    /* activate all planes */
+-                    s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+-                }
+-                s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
+-                    (shift_control << 5);
+-                s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
+             } else {
+                 s->bank_offset = 0;
+             }
+-- 
+2.7.4
+