build-appliance-image: Update to dunfell head revision

(From OE-Core rev: 8b91c463fb3546836789e1890b3c68acf69c162a) Signed-off-by: Steve Sakoman <steve@sakoman.com>
poky.conf: bump version for 3.1.28
2026-02-22 01:19:41 +01:00 · 2023-09-16 11:20:06 -10:00 · 2023-09-16 11:16:08 -10:00 · 2023-09-16 11:16:07 -10:00 · 2023-09-15 03:50:18 -10:00 · 2023-09-15 03:47:11 -10:00
188 changed files with 18015 additions and 922 deletions
--- a/bitbake/lib/bb/runqueue.py
+++ b/bitbake/lib/bb/runqueue.py
@@ -1975,11 +1975,19 @@ class RunQueueExecute:
                self.setbuildable(revdep)
                logger.debug(1, "Marking task %s as buildable", revdep)

-        for t in self.sq_deferred.copy():
+        found = None
+        for t in sorted(self.sq_deferred.copy()):
            if self.sq_deferred[t] == task:
-                logger.debug(2, "Deferred task %s now buildable" % t)
-                del self.sq_deferred[t]
-                update_scenequeue_data([t], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False)
+                # Allow the next deferred task to run. Any other deferred tasks should be deferred after that task.
+                # We shouldn't allow all to run at once as it is prone to races.
+                if not found:
+                    bb.note("Deferred task %s now buildable" % t)
+                    del self.sq_deferred[t]
+                    update_scenequeue_data([t], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False)
+                    found = t
+                else:
+                    bb.note("Deferring %s after %s" % (t, found))
+                    self.sq_deferred[t] = found

    def task_complete(self, task):
        self.stats.taskCompleted()
--- a/documentation/poky.yaml
+++ b/documentation/poky.yaml
@@ -1,13 +1,13 @@
-DISTRO : "3.1.25"
+DISTRO : "3.1.28"
 DISTRO_NAME_NO_CAP : "dunfell"
 DISTRO_NAME : "Dunfell"
 DISTRO_NAME_NO_CAP_MINUS_ONE : "zeus"
-YOCTO_DOC_VERSION : "3.1.25"
+YOCTO_DOC_VERSION : "3.1.28"
 YOCTO_DOC_VERSION_MINUS_ONE : "3.0.4"
-DISTRO_REL_TAG : "yocto-3.1.25"
-DOCCONF_VERSION : "3.1.25"
+DISTRO_REL_TAG : "yocto-3.1.28"
+DOCCONF_VERSION : "3.1.28"
 BITBAKE_SERIES : "1.46"
-POKYVERSION : "23.0.25"
+POKYVERSION : "23.0.28"
 YOCTO_POKY : "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;"
 YOCTO_DL_URL : "https://downloads.yoctoproject.org"
 YOCTO_AB_URL : "https://autobuilder.yoctoproject.org"
--- a/documentation/ref-manual/ref-images.rst
+++ b/documentation/ref-manual/ref-images.rst
@@ -14,16 +14,17 @@ image you want.
   Building an image without GNU General Public License Version 3
   (GPLv3), GNU Lesser General Public License Version 3 (LGPLv3), and
   the GNU Affero General Public License Version 3 (AGPL-3.0) components
-   is only supported for minimal and base images. Furthermore, if you
-   are going to build an image using non-GPLv3 and similarly licensed
-   components, you must make the following changes in the ``local.conf``
-   file before using the BitBake command to build the minimal or base
-   image:
-   ::
+   is only tested for core-image-minimal image. Furthermore, if you would like to
+   build an image and verify that it does not include GPLv3 and similarly licensed
+   components, you must make the following changes in the image recipe
+   file before using the BitBake command to build the image:

-           1. Comment out the EXTRA_IMAGE_FEATURES line
-           2. Set INCOMPATIBLE_LICENSE = "GPL-3.0 LGPL-3.0 AGPL-3.0"
+       INCOMPATIBLE_LICENSE = "GPL-3.0* LGPL-3.0*"

+   Alternatively, you can adjust ``local.conf`` file, repeating and adjusting the line
+   for all images where the license restriction must apply:
+
+       INCOMPATIBLE_LICENSE_pn-your-image-name = "GPL-3.0* LGPL-3.0*"

 From within the ``poky`` Git repository, you can use the following
 command to display the list of directories within the :term:`Source Directory`
--- a/documentation/ref-manual/ref-system-requirements.rst
+++ b/documentation/ref-manual/ref-system-requirements.rst
@@ -34,19 +34,35 @@ and conceptual information in the :doc:`../overview-manual/overview-manual`.
 Supported Linux Distributions
 =============================

-Currently, the Yocto Project is supported on the following
-distributions:
+Currently, the &DISTRO; release ("&DISTRO_NAME;") of the Yocto Project is
+supported on the following distributions:

-  Ubuntu 16.04 (LTS)
+
+-  Ubuntu 20.04 (LTS)
+
+-  Ubuntu 22.04 (LTS)
+
+-  Fedora 37
+
+-  Debian GNU/Linux 11.x (Bullseye)
+
+-  AlmaLinux 8.8
+
+The following distribution versions are still tested (being listed
+in :term:`SANITY_TESTED_DISTROS`), even though the organizations
+publishing them no longer make updates publicly available:

 -  Ubuntu 18.04 (LTS)

+-  OpenSUSE Leap 15.3
+
+Finally, here are the distribution versions which were previously
+tested on former revisions of "&DISTRO_NAME;", but no longer are:
+
+-  Ubuntu 16.04 (LTS)
+
 -  Ubuntu 19.04

-  Ubuntu 20.04
-
-  Ubuntu 22.04
-
 -  Fedora 28

 -  Fedora 29
@@ -67,20 +83,18 @@ distributions:

 -  CentOS 7.x

+-  CentOS 8.x
+
 -  Debian GNU/Linux 8.x (Jessie)

 -  Debian GNU/Linux 9.x (Stretch)

 -  Debian GNU/Linux 10.x (Buster)

-  Debian GNU/Linux 11.x (Bullseye)
-
 -  OpenSUSE Leap 15.1

 -  OpenSUSE Leap 15.2

-  OpenSUSE Leap 15.3
-
 -  AlmaLinux 8.5

 -  AlmaLinux 8.7
--- a/documentation/ref-manual/ref-variables.rst
+++ b/documentation/ref-manual/ref-variables.rst
@@ -3337,9 +3337,18 @@ system and gives an overview of their function and contents.
   :term:`INCOMPATIBLE_LICENSE`
      Specifies a space-separated list of license names (as they would
      appear in :term:`LICENSE`) that should be excluded
-      from the build. Recipes that provide no alternatives to listed
+      from the build (if set globally), or from an image (if set locally
+      in an image recipe).
+
+      When the variable is set globally, recipes that provide no alternatives to listed
      incompatible licenses are not built. Packages that are individually
      licensed with the specified incompatible licenses will be deleted.
+      Most of the time this does not allow a feasible build (because it becomes impossible
+      to satisfy build time dependencies), so the recommended way to
+      implement license restrictions is to set the variable in specific
+      image recipes where the restrictions must apply. That way there
+      are no build time restrictions, but the license check is still
+      performed when the image's filesystem is assembled from packages.

      .. note::

--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "3.1.25"
+DISTRO_VERSION = "3.1.28"
 DISTRO_CODENAME = "dunfell"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}', 'snapshot')}"
@@ -43,29 +43,13 @@ SANITY_TESTED_DISTROS ?= " \
            poky-2.7 \n \
            poky-3.0 \n \
            poky-3.1 \n \
-            ubuntu-16.04 \n \
            ubuntu-18.04 \n \
-            ubuntu-19.04 \n \
            ubuntu-20.04 \n \
            ubuntu-22.04 \n \
-            fedora-30 \n \
-            fedora-31 \n \
-            fedora-32 \n \
-            fedora-33 \n \
-            fedora-34 \n \
-            fedora-35 \n \
-            fedora-36 \n \
-            centos-7 \n \
-            centos-8 \n \
-            debian-8 \n \
-            debian-9 \n \
-            debian-10 \n \
+            fedora-37 \n \
            debian-11 \n \
-            opensuseleap-15.1 \n \
-            opensuseleap-15.2 \n \
            opensuseleap-15.3 \n \
-            almalinux-8.5 \n \
-            almalinux-8.7 \n \
+            almalinux-8.8 \n \
            "
 # add poky sanity bbclass
 INHERIT += "poky-sanity"
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"

 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"

 CVE_CHECK_LOG ?= "${T}/cve.log"
@@ -154,7 +154,7 @@ python do_cve_check () {
 }

 addtask cve_check before do_build
-do_cve_check[depends] = "cve-update-db-native:do_fetch"
+do_cve_check[depends] = "cve-update-nvd2-native:do_fetch"
 do_cve_check[nostamp] = "1"

 python cve_check_cleanup () {
--- a/meta/classes/go.bbclass
+++ b/meta/classes/go.bbclass
@@ -118,7 +118,7 @@ go_do_install() {
 	tar -C ${B} -cf - --exclude-vcs --exclude '*.test' --exclude 'testdata' pkg | \
 		tar -C ${D}${libdir}/go --no-same-owner -xf -

-	if [ -n "`ls ${B}/${GO_BUILD_BINDIR}/`" ]; then
+	if ls ${B}/${GO_BUILD_BINDIR}/* >/dev/null 2>/dev/null ; then
 		install -d ${D}${bindir}
 		install -m 0755 ${B}/${GO_BUILD_BINDIR}/* ${D}${bindir}/
 	fi
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -1,5 +1,7 @@
 inherit kernel-uboot kernel-artifact-names uboot-sign

+KERNEL_IMAGETYPE_REPLACEMENT = ""
+
 python __anonymous () {
    kerneltypes = d.getVar('KERNEL_IMAGETYPES') or ""
    if 'fitImage' in kerneltypes.split():
@@ -21,6 +23,8 @@ python __anonymous () {
        else:
            replacementtype = "zImage"

+        d.setVar("KERNEL_IMAGETYPE_REPLACEMENT", replacementtype)
+
        # Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
        # to kernel.bbclass . We have to override it, since we pack zImage
        # (at least for now) into the fitImage .
@@ -45,6 +49,8 @@ python __anonymous () {
        if d.getVar('UBOOT_SIGN_ENABLE') == "1" and d.getVar('UBOOT_DTB_BINARY'):
            uboot_pn = d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'
            d.appendVarFlag('do_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
+            if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
+                d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
 }

 # Options for the device tree compiler passed to mkimage '-D' feature:
@@ -180,6 +186,43 @@ fitimage_emit_section_dtb() {
 EOF
 }

+#
+# Emit the fitImage ITS u-boot script section
+#
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to boot script image
+fitimage_emit_section_boot_script() {
+
+	bootscr_csum="${FIT_HASH_ALG}"
+	bootscr_sign_algo="${FIT_SIGN_ALG}"
+	bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
+
+        cat << EOF >> $1
+                bootscr-$2 {
+                        description = "U-boot script";
+                        data = /incbin/("$3");
+                        type = "script";
+                        arch = "${UBOOT_ARCH}";
+                        compression = "none";
+                        hash-1 {
+                                algo = "$bootscr_csum";
+                        };
+                };
+EOF
+
+	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$bootscr_sign_keyname" ] ; then
+		sed -i '$ d' $1
+		cat << EOF >> $1
+                        signature-1 {
+                                algo = "$bootscr_csum,$bootscr_sign_algo";
+                                key-name-hint = "$bootscr_sign_keyname";
+                        };
+                };
+EOF
+	fi
+}
+
 #
 # Emit the fitImage ITS setup section
 #
@@ -250,8 +293,9 @@ EOF
 # $2 ... Linux kernel ID
 # $3 ... DTB image name
 # $4 ... ramdisk ID
-# $5 ... config ID
-# $6 ... default flag
+# $5 ... u-boot script ID
+# $6 ... config ID
+# $7 ... default flag
 fitimage_emit_section_config() {

 	conf_csum="${FIT_HASH_ALG}"
@@ -267,6 +311,7 @@ fitimage_emit_section_config() {
 	kernel_line=""
 	fdt_line=""
 	ramdisk_line=""
+	bootscr_line=""
 	setup_line=""
 	default_line=""

@@ -289,21 +334,28 @@ fitimage_emit_section_config() {
 	fi

 	if [ -n "${5}" ]; then
-		conf_desc="${conf_desc}${sep}setup"
-		setup_line="setup = \"setup-${5}\";"
+		conf_desc="${conf_desc}${sep}u-boot script"
+		sep=", "
+		bootscr_line="bootscr = \"bootscr-${5}\";"
 	fi

-	if [ "${6}" = "1" ]; then
+	if [ -n "${6}" ]; then
+		conf_desc="${conf_desc}${sep}setup"
+		setup_line="setup = \"setup-${6}\";"
+	fi
+
+	if [ "${7}" = "1" ]; then
 		default_line="default = \"conf-${3}\";"
 	fi

 	cat << EOF >> ${1}
                ${default_line}
                conf-${3} {
-			description = "${6} ${conf_desc}";
+			description = "${7} ${conf_desc}";
 			${kernel_line}
 			${fdt_line}
 			${ramdisk_line}
+			${bootscr_line}
 			${setup_line}
                        hash-1 {
                                algo = "${conf_csum}";
@@ -331,6 +383,11 @@ EOF
 		fi

 		if [ -n "${5}" ]; then
+			sign_line="${sign_line}${sep}\"bootscr\""
+			sep=", "
+		fi
+
+		if [ -n "${6}" ]; then
 			sign_line="${sign_line}${sep}\"setup\""
 		fi

@@ -363,6 +420,7 @@ fitimage_assemble() {
 	DTBS=""
 	ramdiskcount=${3}
 	setupcount=""
+	bootscr_id=""
 	rm -f ${1} arch/${ARCH}/boot/${2}

 	fitimage_emit_fit_header ${1}
@@ -373,7 +431,7 @@ fitimage_assemble() {
 	fitimage_emit_section_maint ${1} imagestart

 	uboot_prep_kimage
-	fitimage_emit_section_kernel ${1} "${kernelcount}" linux.bin "${linux_comp}"
+	fitimage_emit_section_kernel $1 $kernelcount linux.bin "$linux_comp"

 	#
 	# Step 2: Prepare a DTB image section
@@ -407,7 +465,21 @@ fitimage_assemble() {
 	fi

 	#
-	# Step 3: Prepare a setup section. (For x86)
+	# Step 3: Prepare a u-boot script section
+	#
+
+	if [ -n "${UBOOT_ENV}" ] && [ -d "${STAGING_DIR_HOST}/boot" ]; then
+		if [ -e "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}" ]; then
+			cp ${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} ${B}
+			bootscr_id="${UBOOT_ENV_BINARY}"
+			fitimage_emit_section_boot_script ${1} "${bootscr_id}" ${UBOOT_ENV_BINARY}
+		else
+			bbwarn "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} not found."
+		fi
+	fi
+
+	#
+	# Step 4: Prepare a setup section. (For x86)
 	#
 	if [ -e arch/${ARCH}/boot/setup.bin ]; then
 		setupcount=1
@@ -415,9 +487,9 @@ fitimage_assemble() {
 	fi

 	#
-	# Step 4: Prepare a ramdisk section.
+	# Step 5: Prepare a ramdisk section.
 	#
-	if [ "x${ramdiskcount}" = "x1" ] ; then
+	if [ "x${ramdiskcount}" = "x1" ] && [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
 		# Find and use the first initramfs image archive type we find
 		for img in cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.gz ext2.gz cpio; do
 			initramfs_path="${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE_NAME}.${img}"
@@ -438,7 +510,7 @@ fitimage_assemble() {
 	fi

 	#
-	# Step 5: Prepare a configurations section
+	# Step 6: Prepare a configurations section
 	#
 	fitimage_emit_section_maint ${1} confstart

@@ -447,9 +519,9 @@ fitimage_assemble() {
 		for DTB in ${DTBS}; do
 			dtb_ext=${DTB##*.}
 			if [ "${dtb_ext}" = "dtbo" ]; then
-				fitimage_emit_section_config ${1} "" "${DTB}" "" "" "`expr ${i} = ${dtbcount}`"
+				fitimage_emit_section_config ${1} "" "${DTB}" "" "${bootscr_id}" "" "`expr ${i} = ${dtbcount}`"
 			else
-				fitimage_emit_section_config ${1} "${kernelcount}" "${DTB}" "${ramdiskcount}" "${setupcount}" "`expr ${i} = ${dtbcount}`"
+				fitimage_emit_section_config ${1} "${kernelcount}" "${DTB}" "${ramdiskcount}" "${bootscr_id}" "${setupcount}" "`expr ${i} = ${dtbcount}`"
 			fi
 			i=`expr ${i} + 1`
 		done
@@ -460,7 +532,7 @@ fitimage_assemble() {
 	fitimage_emit_section_maint ${1} fitend

 	#
-	# Step 6: Assemble the image
+	# Step 7: Assemble the image
 	#
 	uboot-mkimage \
 		${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
@@ -468,7 +540,7 @@ fitimage_assemble() {
 		arch/${ARCH}/boot/${2}

 	#
-	# Step 7: Sign the image and add public key to U-Boot dtb
+	# Step 8: Sign the image and add public key to U-Boot dtb
 	#
 	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
 		add_key_to_u_boot=""
@@ -500,7 +572,11 @@ do_assemble_fitimage_initramfs() {
 	if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage" && \
 		test -n "${INITRAMFS_IMAGE}" ; then
 		cd ${B}
-		fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1
+		if [ "${INITRAMFS_IMAGE_BUNDLE}" = "1" ]; then
+			fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage ""
+		else
+			fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1
+		fi
 	fi
 }

@@ -511,22 +587,32 @@ kernel_do_deploy[vardepsexclude] = "DATETIME"
 kernel_do_deploy_append() {
 	# Update deploy directory
 	if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then
-		echo "Copying fit-image.its source file..."
-		install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its"
-		ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}"
+		if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
+			echo "Copying fit-image.its source file..."
+			install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its"
+			if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
+				ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}"
+			fi

-		echo "Copying linux.bin file..."
-		install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}.bin
-		ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}"
+			echo "Copying linux.bin file..."
+			install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}.bin
+			if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
+				ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}"
+			fi
+		fi

 		if [ -n "${INITRAMFS_IMAGE}" ]; then
 			echo "Copying fit-image-${INITRAMFS_IMAGE}.its source file..."
 			install -m 0644 ${B}/fit-image-${INITRAMFS_IMAGE}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its"
 			ln -snf fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"

-			echo "Copying fitImage-${INITRAMFS_IMAGE} file..."
-			install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin"
-			ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
+			if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
+				echo "Copying fitImage-${INITRAMFS_IMAGE} file..."
+				install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin"
+				if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
+					ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
+				fi
+			fi
 		fi
 		if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
 			# UBOOT_DTB_IMAGE is a realfile, but we can't use
@@ -536,3 +622,13 @@ kernel_do_deploy_append() {
 		fi
 	fi
 }
+
+# The function below performs the following in case of initramfs bundles:
+# - Removes do_assemble_fitimage. FIT generation is done through
+#   do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed
+#   and should not be part of the tasks to be executed.
+python () {
+    d.appendVarFlag('do_compile', 'vardeps', ' INITRAMFS_IMAGE_BUNDLE')
+    if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
+        bb.build.deltask('do_assemble_fitimage', d)
+}
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -143,13 +143,14 @@ do_unpack[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILD
 do_clean[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILDDIR}"
 python do_symlink_kernsrc () {
    s = d.getVar("S")
-    if s[-1] == '/':
-        # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as directory name and fail
-        s=s[:-1]
    kernsrc = d.getVar("STAGING_KERNEL_DIR")
    if s != kernsrc:
        bb.utils.mkdirhier(kernsrc)
        bb.utils.remove(kernsrc, recurse=True)
+        if s[-1] == '/':
+            # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as
+            # directory name and fail
+            s = s[:-1]
        if d.getVar("EXTERNALSRC"):
            # With EXTERNALSRC S will not be wiped so we can symlink to it
            os.symlink(s, kernsrc)
@@ -417,12 +418,26 @@ kernel_do_install() {
 	#
 	install -d ${D}/${KERNEL_IMAGEDEST}
 	install -d ${D}/boot
+
+	#
+	# When including an initramfs bundle inside a FIT image, the fitImage is created after the install task
+	# by do_assemble_fitimage_initramfs.
+	# This happens after the generation of the initramfs bundle (done by do_bundle_initramfs).
+	# So, at the level of the install task we should not try to install the fitImage. fitImage is still not
+	# generated yet.
+	# After the generation of the fitImage, the deploy task copies the fitImage from the build directory to
+	# the deploy folder.
+	#
+
 	for imageType in ${KERNEL_IMAGETYPES} ; do
-		install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION}
-		if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then
-			ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType}
+		if [ $imageType != "fitImage" ] || [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ] ; then
+			install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION}
+			if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then
+				ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType}
+			fi
 		fi
 	done
+
 	install -m 0644 System.map ${D}/boot/System.map-${KERNEL_VERSION}
 	install -m 0644 .config ${D}/boot/config-${KERNEL_VERSION}
 	install -m 0644 vmlinux ${D}/boot/vmlinux-${KERNEL_VERSION}
--- a/meta/classes/populate_sdk_ext.bbclass
+++ b/meta/classes/populate_sdk_ext.bbclass
@@ -363,7 +363,8 @@ python copy_buildsystem () {
            f.write('BUILDCFG_HEADER = ""\n\n')

            # Write METADATA_REVISION
-            f.write('METADATA_REVISION = "%s"\n\n' % d.getVar('METADATA_REVISION'))
+            # Needs distro override so it can override the value set in the bbclass code (later than local.conf)
+            f.write('METADATA_REVISION:%s = "%s"\n\n' % (d.getVar('DISTRO'), d.getVar('METADATA_REVISION')))

            f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n')
            f.write('WITHIN_EXT_SDK = "1"\n\n')
--- a/meta/classes/pypi.bbclass
+++ b/meta/classes/pypi.bbclass
@@ -24,3 +24,5 @@ S = "${WORKDIR}/${PYPI_PACKAGE}-${PV}"

 UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${PYPI_PACKAGE}/"
 UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/"
+
+CVE_PRODUCT ?= "python:${PYPI_PACKAGE}"
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -1,6 +1,6 @@

 # Zap the root password if debug-tweaks feature is not enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password ; ",d)}'
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password; ",d)}'

 # Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password; ", "",d)}'
@@ -12,7 +12,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging; ", "",d)}'

 # Create /etc/timestamp during image construction to give a reasonably sane default time setting
-ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
+ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; "

 # Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
@@ -26,7 +26,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only
 APPEND_append = '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", " ro", "", d)}'

 # Generates test data file with data store variables expanded in json format
-ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data ; "
+ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data; "

 # Write manifest
 IMAGE_MANIFEST = "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.manifest"
--- a/meta/classes/rootfsdebugfiles.bbclass
+++ b/meta/classes/rootfsdebugfiles.bbclass
@@ -28,7 +28,7 @@
 ROOTFS_DEBUG_FILES ?= ""
 ROOTFS_DEBUG_FILES[doc] = "Lists additional files or directories to be installed with 'cp -a' in the format 'source1 target1;source2 target2;...'"

-ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files ;"
+ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files;"
 rootfs_debug_files () {
   #!/bin/sh -e
   echo "${ROOTFS_DEBUG_FILES}" | sed -e 's/;/\n/g' | while read source target mode; do
--- a/meta/classes/uninative.bbclass
+++ b/meta/classes/uninative.bbclass
@@ -34,6 +34,8 @@ python uninative_event_fetchloader() {
        with open(loaderchksum, "r") as f:
            readchksum = f.read().strip()
        if readchksum == chksum:
+            if "uninative" not in d.getVar("SSTATEPOSTUNPACKFUNCS"):
+                enable_uninative(d)
            return

    import subprocess
@@ -167,5 +169,7 @@ python uninative_changeinterp () {
            if not elf.isDynamic():
                continue

+            os.chmod(f, s[stat.ST_MODE] | stat.S_IWUSR)
            subprocess.check_output(("patchelf-uninative", "--set-interpreter", d.getVar("UNINATIVE_LOADER"), f), stderr=subprocess.STDOUT)
+            os.chmod(f, s[stat.ST_MODE])
 }
--- a/meta/classes/useradd-staticids.bbclass
+++ b/meta/classes/useradd-staticids.bbclass
@@ -41,7 +41,7 @@ def update_useradd_static_config(d):
    def handle_missing_id(id, type, pkg, files, var, value):
        # For backwards compatibility we accept "1" in addition to "error"
        error_dynamic = d.getVar('USERADD_ERROR_DYNAMIC')
-        msg = "%s - %s: %sname %s does not have a static ID defined." % (d.getVar('PN'), pkg, type, id)
+        msg = 'Recipe %s, package %s: %sname "%s" does not have a static ID defined.' % (d.getVar('PN'), pkg, type, id)
        if files:
            msg += " Add %s to one of these files: %s" % (id, files)
        else:
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -897,7 +897,7 @@ BB_HASHCONFIG_WHITELIST ?= "${BB_HASHEXCLUDE_COMMON} DATE TIME SSH_AGENT_PID \
    PARALLEL_MAKE BB_NUMBER_THREADS BB_ORIGENV BB_INVALIDCONF BBINCLUDED \
    GIT_PROXY_COMMAND ALL_PROXY all_proxy NO_PROXY no_proxy FTP_PROXY ftp_proxy \
    HTTP_PROXY http_proxy HTTPS_PROXY https_proxy SOCKS5_USER SOCKS5_PASSWD \
-    BB_SETSCENE_ENFORCE BB_CMDLINE BB_SERVER_TIMEOUT"
+    BB_SETSCENE_ENFORCE BB_CMDLINE BB_SERVER_TIMEOUT BB_NICE_LEVEL"
 BB_SIGNATURE_EXCLUDE_FLAGS ?= "doc deps depends \
    lockfiles type vardepsexclude vardeps vardepvalue vardepvalueexclude \
    file-checksums python func task export unexport noexec nostamp dirs cleandirs \
--- a/meta/conf/distro/include/ptest-packagelists.inc
+++ b/meta/conf/distro/include/ptest-packagelists.inc
@@ -26,6 +26,7 @@ PTESTS_FAST = "\
    liberror-perl-ptest \
    libmodule-build-perl-ptest \
    libpcre-ptest \
+    libpng-ptest \
    libtimedate-perl-ptest \
    libtest-needs-perl-ptest \
    liburi-perl-ptest \
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #

-UNINATIVE_MAXGLIBCVERSION = "2.36"
-UNINATIVE_VERSION = "3.7"
+UNINATIVE_MAXGLIBCVERSION = "2.38"
+UNINATIVE_VERSION = "4.3"

 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "6a29bcae4b5b716d2d520e18800b33943b65f8a835eac1ff8793fc5ee65b4be6"
-UNINATIVE_CHECKSUM[i686] ?= "3f6d52e64996570c716108d49f8108baccf499a283bbefae438c7266b7a93305"
-UNINATIVE_CHECKSUM[x86_64] ?= "b110bf2e10fe420f5ca2f3ec55f048ee5f0a54c7e34856a3594e51eb2aea0570"
+UNINATIVE_CHECKSUM[aarch64] ?= "8df05f4a41455018b4303b2e0ea4eac5c960b5a13713f6dbb33dfdb3e32753ec"
+UNINATIVE_CHECKSUM[i686] ?= "bea76b4a97c9ba0077c0dd1295f519cd599dbf71f0ca1c964471c4cdb043addd"
+UNINATIVE_CHECKSUM[x86_64] ?= "1c35f09a75c4096749bbe1e009df4e3968cde151424062cf4aa3ed89db22b030"
--- a/meta/lib/oe/terminal.py
+++ b/meta/lib/oe/terminal.py
@@ -102,6 +102,10 @@ class Rxvt(XTerminal):
    command = 'rxvt -T "{title}" -e {command}'
    priority = 1

+class URxvt(XTerminal):
+    command = 'urxvt -T "{title}" -e {command}'
+    priority = 1
+
 class Screen(Terminal):
    command = 'screen -D -m -t "{title}" -S devshell {command}'

--- a/meta/lib/oeqa/core/target/ssh.py
+++ b/meta/lib/oeqa/core/target/ssh.py
@@ -226,6 +226,9 @@ def SSHCall(command, logger, timeout=None, **opts):
                            endtime = time.time() + timeout
                except InterruptedError:
                    continue
+                except BlockingIOError:
+                    logger.debug('BlockingIOError')
+                    continue

            # process hasn't returned yet
            if not eof:
--- a/meta/lib/oeqa/runtime/cases/ltp.py
+++ b/meta/lib/oeqa/runtime/cases/ltp.py
@@ -67,7 +67,7 @@ class LtpTest(LtpTestBase):
    def runltp(self, ltp_group):
            cmd = '/opt/ltp/runltp -f %s -p -q -r /opt/ltp -l /opt/ltp/results/%s -I 1 -d /opt/ltp' % (ltp_group, ltp_group)
            starttime = time.time()
-            (status, output) = self.target.run(cmd)
+            (status, output) = self.target.run(cmd, timeout=1200)
            endtime = time.time()

            with open(os.path.join(self.ltptest_log_dir, "%s-raw.log" % ltp_group), 'w') as f:
--- a/meta/lib/oeqa/runtime/cases/rpm.py
+++ b/meta/lib/oeqa/runtime/cases/rpm.py
@@ -57,8 +57,8 @@ class RpmBasicTest(OERuntimeTestCase):
                    return
                time.sleep(1)
            user_pss = [ps for ps in output.split("\n") if u + ' ' in ps]
-            msg = "There're %s 's process(es) still running: %s".format(u, "\n".join(user_pss))
-            assertTrue(True, msg=msg)
+            msg = "User %s has processes still running: %s" % (u, "\n".join(user_pss))
+            self.fail(msg=msg)

        def unset_up_test_user(u):
            # ensure no test1 process in running
--- a/meta/lib/oeqa/selftest/cases/bbtests.py
+++ b/meta/lib/oeqa/selftest/cases/bbtests.py
@@ -185,6 +185,10 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\"
        self.assertTrue(find, "No version returned for searched recipe. bitbake output: %s" % result.output)

    def test_prefile(self):
+        # Test when the prefile does not exist
+        result = runCmd('bitbake -r conf/prefile.conf', ignore_status=True)
+        self.assertEqual(1, result.status, "bitbake didn't error and should have when a specified prefile didn't exist: %s" % result.output)
+        # Test when the prefile exists
        preconf = os.path.join(self.builddir, 'conf/prefile.conf')
        self.track_for_cleanup(preconf)
        ftools.write_file(preconf ,"TEST_PREFILE=\"prefile\"")
@@ -195,6 +199,10 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\"
        self.assertIn('localconf', result.output)

    def test_postfile(self):
+        # Test when the postfile does not exist
+        result = runCmd('bitbake -R conf/postfile.conf', ignore_status=True)
+        self.assertEqual(1, result.status, "bitbake didn't error and should have when a specified postfile didn't exist: %s" % result.output)
+        # Test when the postfile exists
        postconf = os.path.join(self.builddir, 'conf/postfile.conf')
        self.track_for_cleanup(postconf)
        ftools.write_file(postconf , "TEST_POSTFILE=\"postfile\"")
--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -8,6 +8,7 @@ import shutil
 import tempfile
 import glob
 import fnmatch
+import unittest

 import oeqa.utils.ftools as ftools
 from oeqa.selftest.case import OESelftestTestCase
@@ -38,6 +39,13 @@ def setUpModule():
            canonical_layerpath = os.path.realpath(canonical_layerpath) + '/'
            edited_layers.append(layerpath)
            oldmetapath = os.path.realpath(layerpath)
+
+            # when downloading poky from tar.gz some tests will be skipped (BUG 12389)
+            try:
+                runCmd('git rev-parse --is-inside-work-tree', cwd=canonical_layerpath)
+            except:
+                raise unittest.SkipTest("devtool tests require folder to be a git repo")
+
            result = runCmd('git rev-parse --show-toplevel', cwd=canonical_layerpath)
            oldreporoot = result.output.rstrip()
            newmetapath = os.path.join(corecopydir, os.path.relpath(oldmetapath, oldreporoot))
--- a/meta/lib/oeqa/selftest/cases/glibc.py
+++ b/meta/lib/oeqa/selftest/cases/glibc.py
@@ -41,7 +41,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
        with contextlib.ExitStack() as s:
            # use the base work dir, as the nfs mount, since the recipe directory may not exist
            tmpdir = get_bb_var("BASE_WORKDIR")
-            nfsport, mountport = s.enter_context(unfs_server(tmpdir))
+            nfsport, mountport = s.enter_context(unfs_server(tmpdir, udp = False))

            # build core-image-minimal with required packages
            default_installed_packages = [
@@ -61,7 +61,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
            bitbake("core-image-minimal")

            # start runqemu
-            qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic"))
+            qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic", qemuparams = "-m 1024"))

            # validate that SSH is working
            status, _ = qemu.run("uname")
@@ -70,7 +70,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
            # setup nfs mount
            if qemu.run("mkdir -p \"{0}\"".format(tmpdir))[0] != 0:
                raise Exception("Failed to setup NFS mount directory on target")
-            mountcmd = "mount -o noac,nfsvers=3,port={0},udp,mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir)
+            mountcmd = "mount -o noac,nfsvers=3,port={0},mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir)
            status, output = qemu.run(mountcmd)
            if status != 0:
                raise Exception("Failed to setup NFS mount on target ({})".format(repr(output)))
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -188,7 +188,7 @@ class ReproducibleTests(OESelftestTestCase):

    def setUpLocal(self):
        super().setUpLocal()
-        needed_vars = ['TOPDIR', 'TARGET_PREFIX', 'BB_NUMBER_THREADS']
+        needed_vars = ['TOPDIR', 'TARGET_PREFIX', 'BB_NUMBER_THREADS', 'BB_HASHSERVE']
        bb_vars = get_bb_vars(needed_vars)
        for v in needed_vars:
            setattr(self, v.lower(), bb_vars[v])
@@ -259,7 +259,7 @@ class ReproducibleTests(OESelftestTestCase):
            # mirror, forcing a complete build from scratch
            config += textwrap.dedent('''\
                SSTATE_DIR = "${TMPDIR}/sstate"
-                SSTATE_MIRRORS = ""
+                SSTATE_MIRRORS = "file://.*/.*-native.*  http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH file://.*/.*-cross.*  http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
                ''')

        self.logger.info("Building %s (sstate%s allowed)..." % (name, '' if use_sstate else ' NOT'))
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -177,6 +177,8 @@ class TestImage(OESelftestTestCase):
        distro = oe.lsb.distro_identifier()
        if distro and distro.startswith('almalinux'):
            self.skipTest('virgl isn\'t working with Alma Linux')
+        if distro and distro.startswith('rocky'):
+            self.skipTest('virgl isn\'t working with Rocky Linux')
        if distro and distro == 'debian-8':
            self.skipTest('virgl isn\'t working with Debian 8')
        if distro and distro == 'centos-7':
@@ -189,10 +191,14 @@ class TestImage(OESelftestTestCase):
            self.skipTest('virgl isn\'t working with Fedora 35')
        if distro and distro == 'fedora-36':
            self.skipTest('virgl isn\'t working with Fedora 36')
+        if distro and distro == 'fedora-37':
+            self.skipTest('virgl isn\'t working with Fedora 37')
        if distro and distro == 'opensuseleap-15.0':
            self.skipTest('virgl isn\'t working with Opensuse 15.0')
        if distro and distro == 'ubuntu-22.04':
            self.skipTest('virgl isn\'t working with Ubuntu 22.04')
+        if distro and distro == 'ubuntu-22.10':
+            self.skipTest('virgl isn\'t working with Ubuntu 22.10')

        qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native')
        sdl_packageconfig = get_bb_var('PACKAGECONFIG', 'libsdl2-native')
--- a/meta/lib/oeqa/utils/metadata.py
+++ b/meta/lib/oeqa/utils/metadata.py
@@ -27,9 +27,9 @@ def metadata_from_bb():
    data_dict = get_bb_vars()

    # Distro information
-    info_dict['distro'] = {'id': data_dict['DISTRO'],
-                           'version_id': data_dict['DISTRO_VERSION'],
-                           'pretty_name': '%s %s' % (data_dict['DISTRO'], data_dict['DISTRO_VERSION'])}
+    info_dict['distro'] = {'id': data_dict.get('DISTRO', 'NODISTRO'),
+                                'version_id': data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'),
+                                'pretty_name': '%s %s' % (data_dict.get('DISTRO', 'NODISTRO'), data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'))}

    # Host distro information
    os_release = get_os_release()
--- a/meta/lib/oeqa/utils/nfs.py
+++ b/meta/lib/oeqa/utils/nfs.py
@@ -8,7 +8,7 @@ from oeqa.utils.commands import bitbake, get_bb_var, Command
 from oeqa.utils.network import get_free_port

@contextlib.contextmanager
-def unfs_server(directory, logger = None):
+def unfs_server(directory, logger = None, udp = True):
    unfs_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "unfs3-native")
    if not os.path.exists(os.path.join(unfs_sysroot, "usr", "bin", "unfsd")):
        # build native tool
@@ -22,7 +22,7 @@ def unfs_server(directory, logger = None):
            exports.write("{0} (rw,no_root_squash,no_all_squash,insecure)\n".format(directory).encode())

        # find some ports for the server
-        nfsport, mountport = get_free_port(udp = True), get_free_port(udp = True)
+        nfsport, mountport = get_free_port(udp), get_free_port(udp)

        nenv = dict(os.environ)
        nenv['PATH'] = "{0}/sbin:{0}/usr/sbin:{0}/usr/bin:".format(unfs_sysroot) + nenv.get('PATH', '')
--- a/meta/recipes-bsp/grub/files/CVE-2020-27749.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27749.patch
@@ -0,0 +1,609 @@
+From 4ea7bae51f97e49c84dc67ea30b466ca8633b9f6 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Thu, 7 Jan 2021 19:21:03 +0000
+Subject: kern/parser: Fix a stack buffer overflow
+
+grub_parser_split_cmdline() expands variable names present in the supplied
+command line in to their corresponding variable contents and uses a 1 kiB
+stack buffer for temporary storage without sufficient bounds checking. If
+the function is called with a command line that references a variable with
+a sufficiently large payload, it is possible to overflow the stack
+buffer via tab completion, corrupt the stack frame and potentially
+control execution.
+
+Fixes: CVE-2020-27749
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=c6c426e5ab6ea715153b72584de6bd8c82f698ec && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=b1c9e9e889e4273fb15712051c887e6078511448 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=3d157bbd06506b170fde5ec23980c4bf9f7660e2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=8bc817014ce3d7a498db44eae33c8b90e2430926 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=030fb6c4fa354cdbd6a8d6903dfed5d36eaf3cb2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=4ea7bae51f97e49c84dc67ea30b466ca8633b9f6]
+CVE: CVE-2020-27749
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/Makefile.core.def |   1 +
+ grub-core/kern/buffer.c     | 117 +++++++++++++++++++++
+ grub-core/kern/parser.c     | 204 +++++++++++++++++++++++-------------
+ include/grub/buffer.h       | 144 +++++++++++++++++++++++++
+ 4 files changed, 395 insertions(+), 71 deletions(-)
+ create mode 100644 grub-core/kern/buffer.c
+ create mode 100644 include/grub/buffer.h
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 651ea2a..823cd57 100644
+--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
+@@ -123,6 +123,7 @@ kernel = {
+   riscv32_efi_startup = kern/riscv/efi/startup.S;
+   riscv64_efi_startup = kern/riscv/efi/startup.S;
+ 
+  common = kern/buffer.c;
+   common = kern/command.c;
+   common = kern/corecmd.c;
+   common = kern/device.c;
+diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c
+new file mode 100644
+index 0000000..9f5f8b8
+--- /dev/null
+++ b/grub-core/kern/buffer.c
+@@ -0,0 +1,117 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2021  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/buffer.h>
+#include <grub/err.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/safemath.h>
+#include <grub/types.h>
+
+grub_buffer_t
+grub_buffer_new (grub_size_t sz)
+{
+  struct grub_buffer *ret;
+
+  ret = (struct grub_buffer *) grub_malloc (sizeof (*ret));
+  if (ret == NULL)
+    return NULL;
+
+  ret->data = (grub_uint8_t *) grub_malloc (sz);
+  if (ret->data == NULL)
+    {
+      grub_free (ret);
+      return NULL;
+    }
+
+  ret->sz = sz;
+  ret->pos = 0;
+  ret->used = 0;
+
+  return ret;
+}
+
+void
+grub_buffer_free (grub_buffer_t buf)
+{
+  grub_free (buf->data);
+  grub_free (buf);
+}
+
+grub_err_t
+grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req)
+{
+  grub_uint8_t *d;
+  grub_size_t newsz = 1;
+
+  /* Is the current buffer size adequate? */
+  if (buf->sz >= req)
+    return GRUB_ERR_NONE;
+
+  /* Find the smallest power-of-2 size that satisfies the request. */
+  while (newsz < req)
+    {
+      if (newsz == 0)
+	return grub_error (GRUB_ERR_OUT_OF_RANGE,
+			   N_("requested buffer size is too large"));
+      newsz <<= 1;
+    }
+
+  d = (grub_uint8_t *) grub_realloc (buf->data, newsz);
+  if (d == NULL)
+    return grub_errno;
+
+  buf->data = d;
+  buf->sz = newsz;
+
+  return GRUB_ERR_NONE;
+}
+
+void *
+grub_buffer_take_data (grub_buffer_t buf)
+{
+  void *data = buf->data;
+
+  buf->data = NULL;
+  buf->sz = buf->pos = buf->used = 0;
+
+  return data;
+}
+
+void
+grub_buffer_reset (grub_buffer_t buf)
+{
+  buf->pos = buf->used = 0;
+}
+
+grub_err_t
+grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n)
+{
+  grub_size_t newpos;
+
+  if (grub_add (buf->pos, n, &newpos))
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+
+  if (newpos > buf->used)
+    return grub_error (GRUB_ERR_OUT_OF_RANGE,
+		       N_("new read is position beyond the end of the written data"));
+
+  buf->pos = newpos;
+
+  return GRUB_ERR_NONE;
+}
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index d1cf061..6ab7aa4 100644
+--- a/grub-core/kern/parser.c
+++ b/grub-core/kern/parser.c
+@@ -1,7 +1,7 @@
+ /* parser.c - the part of the parser that can return partial tokens */
+ /*
+  *  GRUB  --  GRand Unified Bootloader
+- *  Copyright (C) 2005,2007,2009  Free Software Foundation, Inc.
+ *  Copyright (C) 2005,2007,2009,2021  Free Software Foundation, Inc.
+  *
+  *  GRUB is free software: you can redistribute it and/or modify
+  *  it under the terms of the GNU General Public License as published by
+@@ -18,6 +18,7 @@
+  */
+ 
+ #include <grub/parser.h>
+#include <grub/buffer.h>
+ #include <grub/env.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+@@ -107,8 +108,8 @@ check_varstate (grub_parser_state_t s)
+ }
+ 
+ 
+-static void
+-add_var (char *varname, char **bp, char **vp,
+static grub_err_t
+add_var (grub_buffer_t varname, grub_buffer_t buf,
+ 	 grub_parser_state_t state, grub_parser_state_t newstate)
+ {
+   const char *val;
+@@ -116,17 +117,74 @@ add_var (char *varname, char **bp, char **vp,
+   /* Check if a variable was being read in and the end of the name
+      was reached.  */
+   if (!(check_varstate (state) && !check_varstate (newstate)))
+-    return;
+    return GRUB_ERR_NONE;
+
+  if (grub_buffer_append_char (varname, '\0') != GRUB_ERR_NONE)
+    return grub_errno;
+ 
+-  *((*vp)++) = '\0';
+-  val = grub_env_get (varname);
+-  *vp = varname;
+  val = grub_env_get ((const char *) grub_buffer_peek_data (varname));
+  grub_buffer_reset (varname);
+   if (!val)
+-    return;
+    return GRUB_ERR_NONE;
+ 
+   /* Insert the contents of the variable in the buffer.  */
+-  for (; *val; val++)
+-    *((*bp)++) = *val;
+  return grub_buffer_append_data (buf, val, grub_strlen (val));
+}
+
+static grub_err_t
+terminate_arg (grub_buffer_t buffer, int *argc)
+{
+  grub_size_t unread = grub_buffer_get_unread_bytes (buffer);
+
+  if (unread == 0)
+    return GRUB_ERR_NONE;
+
+  if (*(const char *) grub_buffer_peek_data_at (buffer, unread - 1) == '\0')
+    return GRUB_ERR_NONE;
+
+  if (grub_buffer_append_char (buffer, '\0') != GRUB_ERR_NONE)
+    return grub_errno;
+
+  (*argc)++;
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+process_char (char c, grub_buffer_t buffer, grub_buffer_t varname,
+	      grub_parser_state_t state, int *argc,
+	      grub_parser_state_t *newstate)
+{
+  char use;
+
+  *newstate = grub_parser_cmdline_state (state, c, &use);
+
+  /*
+   * If a variable was being processed and this character does
+   * not describe the variable anymore, write the variable to
+   * the buffer.
+   */
+  if (add_var (varname, buffer, state, *newstate) != GRUB_ERR_NONE)
+    return grub_errno;
+
+  if (check_varstate (*newstate))
+    {
+      if (use)
+        return grub_buffer_append_char (varname, use);
+    }
+  else if (*newstate == GRUB_PARSER_STATE_TEXT &&
+	   state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
+    {
+      /*
+       * Don't add more than one argument if multiple
+       * spaces are used.
+       */
+      return terminate_arg (buffer, argc);
+    }
+  else if (use)
+    return grub_buffer_append_char (buffer, use);
+
+  return GRUB_ERR_NONE;
+ }
+ 
+ grub_err_t
+@@ -135,24 +193,36 @@ grub_parser_split_cmdline (const char *cmdline,
+ 			   int *argc, char ***argv)
+ {
+   grub_parser_state_t state = GRUB_PARSER_STATE_TEXT;
+-  /* XXX: Fixed size buffer, perhaps this buffer should be dynamically
+-     allocated.  */
+-  char buffer[1024];
+-  char *bp = buffer;
+  grub_buffer_t buffer, varname;
+   char *rd = (char *) cmdline;
+-  char varname[200];
+-  char *vp = varname;
+-  char *args;
+  char *rp = rd;
+   int i;
+ 
+   *argc = 0;
+   *argv = NULL;
+
+  buffer = grub_buffer_new (1024);
+  if (buffer == NULL)
+    return grub_errno;
+
+  varname = grub_buffer_new (200);
+  if (varname == NULL)
+    goto fail;
+
+   do
+     {
+-      if (!rd || !*rd)
+      if (rp == NULL || *rp == '\0')
+ 	{
+	  if (rd != cmdline)
+	    {
+	      grub_free (rd);
+	      rd = rp = NULL;
+	    }
+ 	  if (getline)
+-	    getline (&rd, 1, getline_data);
+	    {
+	      getline (&rd, 1, getline_data);
+	      rp = rd;
+	    }
+ 	  else
+ 	    break;
+ 	}
+@@ -160,39 +230,14 @@ grub_parser_split_cmdline (const char *cmdline,
+       if (!rd)
+ 	break;
+ 
+-      for (; *rd; rd++)
+      for (; *rp != '\0'; rp++)
+ 	{
+ 	  grub_parser_state_t newstate;
+-	  char use;
+ 
+-	  newstate = grub_parser_cmdline_state (state, *rd, &use);
+	  if (process_char (*rp, buffer, varname, state, argc,
+			    &newstate) != GRUB_ERR_NONE)
+	    goto fail;
+ 
+-	  /* If a variable was being processed and this character does
+-	     not describe the variable anymore, write the variable to
+-	     the buffer.  */
+-	  add_var (varname, &bp, &vp, state, newstate);
+-
+-	  if (check_varstate (newstate))
+-	    {
+-	      if (use)
+-		*(vp++) = use;
+-	    }
+-	  else
+-	    {
+-	      if (newstate == GRUB_PARSER_STATE_TEXT
+-		  && state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
+-		{
+-		  /* Don't add more than one argument if multiple
+-		     spaces are used.  */
+-		  if (bp != buffer && *(bp - 1))
+-		    {
+-		      *(bp++) = '\0';
+-		      (*argc)++;
+-		    }
+-		}
+-	      else if (use)
+-		*(bp++) = use;
+-	    }
+ 	  state = newstate;
+ 	}
+     }
+@@ -200,43 +245,60 @@ grub_parser_split_cmdline (const char *cmdline,
+ 
+   /* A special case for when the last character was part of a
+      variable.  */
+-  add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
+  if (add_var (varname, buffer, state, GRUB_PARSER_STATE_TEXT) != GRUB_ERR_NONE)
+    goto fail;
+ 
+-  if (bp != buffer && *(bp - 1))
+-    {
+-      *(bp++) = '\0';
+-      (*argc)++;
+-    }
+  /* Ensure that the last argument is terminated. */
+  if (terminate_arg (buffer, argc) != GRUB_ERR_NONE)
+    goto fail;
+ 
+   /* If there are no args, then we're done. */
+   if (!*argc)
+-    return 0;
+-
+-  /* Reserve memory for the return values.  */
+-  args = grub_malloc (bp - buffer);
+-  if (!args)
+-    return grub_errno;
+-  grub_memcpy (args, buffer, bp - buffer);
+    {
+      grub_errno = GRUB_ERR_NONE;
+      goto out;
+    }
+ 
+   *argv = grub_calloc (*argc + 1, sizeof (char *));
+   if (!*argv)
+-    {
+-      grub_free (args);
+-      return grub_errno;
+-    }
+    goto fail;
+ 
+   /* The arguments are separated with 0's, setup argv so it points to
+      the right values.  */
+-  bp = args;
+   for (i = 0; i < *argc; i++)
+     {
+-      (*argv)[i] = bp;
+-      while (*bp)
+-	bp++;
+-      bp++;
+      char *arg;
+
+      if (i > 0)
+	{
+	  if (grub_buffer_advance_read_pos (buffer, 1) != GRUB_ERR_NONE)
+	    goto fail;
+	}
+
+      arg = (char *) grub_buffer_peek_data (buffer);
+      if (arg == NULL ||
+	  grub_buffer_advance_read_pos (buffer, grub_strlen (arg)) != GRUB_ERR_NONE)
+	goto fail;
+
+      (*argv)[i] = arg;
+     }
+ 
+-  return 0;
+  /* Keep memory for the return values. */
+  grub_buffer_take_data (buffer);
+
+  grub_errno = GRUB_ERR_NONE;
+
+ out:
+  if (rd != cmdline)
+    grub_free (rd);
+  grub_buffer_free (buffer);
+  grub_buffer_free (varname);
+
+  return grub_errno;
+
+ fail:
+  grub_free (*argv);
+  goto out;
+ }
+ 
+ /* Helper for grub_parser_execute.  */
+diff --git a/include/grub/buffer.h b/include/grub/buffer.h
+new file mode 100644
+index 0000000..f4b10cf
+--- /dev/null
+++ b/include/grub/buffer.h
+@@ -0,0 +1,144 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2021  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_BUFFER_H
+#define GRUB_BUFFER_H	1
+
+#include <grub/err.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/safemath.h>
+#include <grub/types.h>
+
+struct grub_buffer
+{
+  grub_uint8_t *data;
+  grub_size_t sz;
+  grub_size_t pos;
+  grub_size_t used;
+};
+
+/*
+ * grub_buffer_t represents a simple variable sized byte buffer with
+ * read and write cursors. It currently only implements
+ * functionality required by the only user in GRUB (append byte[s],
+ * peeking data at a specified position and updating the read cursor.
+ * Some things that this doesn't do yet are:
+ * - Reading a portion of the buffer by copying data from the current
+ *   read position in to a caller supplied destination buffer and then
+ *   automatically updating the read cursor.
+ * - Dropping the read part at the start of the buffer when an append
+ *   requires more space.
+ */
+typedef struct grub_buffer *grub_buffer_t;
+
+/* Allocate a new buffer with the specified initial size. */
+extern grub_buffer_t grub_buffer_new (grub_size_t sz);
+
+/* Free the buffer and its resources. */
+extern void grub_buffer_free (grub_buffer_t buf);
+
+/* Return the number of unread bytes in this buffer. */
+static inline grub_size_t
+grub_buffer_get_unread_bytes (grub_buffer_t buf)
+{
+  return buf->used - buf->pos;
+}
+
+/*
+ * Ensure that the buffer size is at least the requested
+ * number of bytes.
+ */
+extern grub_err_t grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req);
+
+/*
+ * Append the specified number of bytes from the supplied
+ * data to the buffer.
+ */
+static inline grub_err_t
+grub_buffer_append_data (grub_buffer_t buf, const void *data, grub_size_t len)
+{
+  grub_size_t req;
+
+  if (grub_add (buf->used, len, &req))
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+
+  if (grub_buffer_ensure_space (buf, req) != GRUB_ERR_NONE)
+    return grub_errno;
+
+  grub_memcpy (&buf->data[buf->used], data, len);
+  buf->used = req;
+
+  return GRUB_ERR_NONE;
+}
+
+/* Append the supplied character to the buffer. */
+static inline grub_err_t
+grub_buffer_append_char (grub_buffer_t buf, char c)
+{
+  return grub_buffer_append_data (buf, &c, 1);
+}
+
+/*
+ * Forget and return the underlying data buffer. The caller
+ * becomes the owner of this buffer, and must free it when it
+ * is no longer required.
+ */
+extern void *grub_buffer_take_data (grub_buffer_t buf);
+
+/* Reset this buffer. Note that this does not deallocate any resources. */
+void grub_buffer_reset (grub_buffer_t buf);
+
+/*
+ * Return a pointer to the underlying data buffer at the specified
+ * offset from the current read position. Note that this pointer may
+ * become invalid if the buffer is mutated further.
+ */
+static inline void *
+grub_buffer_peek_data_at (grub_buffer_t buf, grub_size_t off)
+{
+  if (grub_add (buf->pos, off, &off))
+    {
+      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected."));
+      return NULL;
+    }
+
+  if (off >= buf->used)
+    {
+      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("peek out of range"));
+      return NULL;
+    }
+
+  return &buf->data[off];
+}
+
+/*
+ * Return a pointer to the underlying data buffer at the current
+ * read position. Note that this pointer may become invalid if the
+ * buffer is mutated further.
+ */
+static inline void *
+grub_buffer_peek_data (grub_buffer_t buf)
+{
+  return grub_buffer_peek_data_at (buf, 0);
+}
+
+/* Advance the read position by the specified number of bytes. */
+extern grub_err_t grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n);
+
+#endif /* GRUB_BUFFER_H */
+-- 
+2.25.1
+
--- a/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
@@ -0,0 +1,58 @@
+From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 16:07:29 +1100
+Subject: lib/arg: Block repeated short options that require an argument
+
+Fuzzing found the following crash:
+
+  search -hhhhhhhhhhhhhf
+
+We didn't allocate enough option space for 13 hints because the
+allocation code counts the number of discrete arguments (i.e. argc).
+However, the shortopt parsing code will happily keep processing
+a combination of short options without checking if those short
+options require an argument. This means you can easily end writing
+past the allocated option space.
+
+This fixes a OOB write which can cause heap corruption.
+
+Fixes: CVE-2021-20225
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6]
+CVE: CVE-2021-20225
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/lib/arg.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index 3288609..537c5e9 100644
+--- a/grub-core/lib/arg.c
+++ b/grub-core/lib/arg.c
+@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
+ 		 it can have an argument value.  */
+ 	      if (*curshort)
+ 		{
+		  /*
+		   * Only permit further short opts if this one doesn't
+		   * require a value.
+		   */
+		  if (opt->type != ARG_TYPE_NONE &&
+		      !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
+		    {
+		      grub_error (GRUB_ERR_BAD_ARGUMENT,
+				  N_("missing mandatory option for `%s'"),
+				  opt->longarg);
+		      goto fail;
+		    }
+
+ 		  if (parse_option (cmd, opt, 0, usr) || grub_errno)
+ 		    goto fail;
+ 		}
+-- 
+2.25.1
+
--- a/meta/recipes-bsp/grub/files/CVE-2021-20233.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20233.patch
@@ -0,0 +1,50 @@
+From 2f533a89a8dfcacbf2c9dbc77d910f111f24bf33 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 17:10:48 +1100
+Subject: commands/menuentry: Fix quoting in setparams_prefix()
+
+Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
+says that expressing a quoted single quote will require 3 characters. It
+actually requires (and always did require!) 4 characters:
+
+  str: a'b => a'\''b
+  len:  3  => 6 (2 for the letters + 4 for the quote)
+
+This leads to not allocating enough memory and thus out of bounds writes
+that have been observed to cause heap corruption.
+
+Allocate 4 bytes for each single quote.
+
+Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
+quoting, but it adds 3 as extra overhead on top of the single byte that
+the quote already needs. So it's correct.
+
+Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
+Fixes: CVE-2021-20233
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33]
+CVE: CVE-2021-20233
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/menuentry.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
+index 9164df7..720e6d8 100644
+--- a/grub-core/commands/menuentry.c
+++ b/grub-core/commands/menuentry.c
+@@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args)
+       len += 3; /* 3 = 1 space + 2 quotes */
+       p = args[i];
+       while (*p)
+-	len += (*p++ == '\'' ? 3 : 1);
+	len += (*p++ == '\'' ? 4 : 1);
+     }
+ 
+   result = grub_malloc (len + 2);
+-- 
+2.25.1
+
--- a/meta/recipes-bsp/grub/files/determinism.patch
+++ b/meta/recipes-bsp/grub/files/determinism.patch
@@ -11,7 +11,7 @@ missing sorting of the list used to generate it. Add such a sort.
 Also ensure the generated unidata.c file is deterministic by sorting the
 keys of the dict.

-Upstream-Status: Pending
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/grub-devel/2023-06/index.html]
 Richard Purdie <richard.purdie@linuxfoundation.org>

 Index: grub-2.04/grub-core/genmoddep.awk
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -106,6 +106,9 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
           file://CVE-2022-2601.patch \
           file://CVE-2022-3775.patch \
+           file://CVE-2020-27749.patch \
+           file://CVE-2021-20225.patch \
+           file://CVE-2021-20233.patch \
           "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
@@ -125,6 +128,8 @@ GRUBPLATFORM ??= "pc"

 inherit autotools gettext texinfo pkgconfig

+CFLAGS_remove = "-O2"
+
 EXTRA_OECONF = "--with-platform=${GRUBPLATFORM} \
                --disable-grub-mkfont \
                --program-prefix="" \
--- a/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb
+++ b/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb
@@ -19,9 +19,12 @@ PACKAGECONFIG[manpages] = "--enable-doc, --disable-doc, libxslt-native xmlto-nat

 RDEPENDS_${PN} = "grep bash"

+EXTRA_OECONF = "--libdir=${nonarch_libdir}"
+
 do_configure_prepend () {
 	( cd ${S}; autoreconf -f -i -s )
 }

-FILES_${PN} += "${libdir}/${BPN}/*"
+FILES_${PN} += "${nonarch_libdir}/${BPN}/*"
 FILES_${PN}-dbg += "${datadir}/doc/pm-utils/README.debugging"
+FILES_${PN}-dev += "${nonarch_libdir}/pkgconfig/pm-utils.pc"
--- a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@
+
+Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz
+Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch]
+Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
+CVE: CVE-2023-2828
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+
+---
+ lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 63 insertions(+), 43 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index b1b928c..3165e26 100644
+--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
+@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ 			  bool tree_locked, expire_t reason);
+ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+-			  isc_stdtime_t now, bool tree_locked);
+			  size_t purgesize, bool tree_locked);
+ static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+ 				  rdatasetheader_t *newheader);
+ static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+ 
+ static dns_dbmethods_t zone_methods;
+ 
+static size_t
+rdataset_size(rdatasetheader_t *header) {
+	if (!NONEXISTENT(header)) {
+		return (dns_rdataslab_size((unsigned char *)header,
+					   sizeof(*header)));
+	}
+
+	return (sizeof(*header));
+}
+
+ static isc_result_t
+ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ 	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ 	}
+ 
+ 	if (cache_is_overmem)
+-		overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
+		overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
+		              tree_locked);
+ 
+ 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+ 		  isc_rwlocktype_write);
+@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ 			cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+ 
+ 		header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+-		if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
+-			expire_header(rbtdb, header, tree_locked,
+-				      expire_ttl);
+		if (header != NULL) {
+			dns_ttl_t rdh_ttl = header->rdh_ttl;
+
+			if (rdh_ttl < now - RBTDB_VIRTUAL) {
+				expire_header(rbtdb, header, tree_locked,
+					      expire_ttl);
+			}
+		}
+ 
+ 		/*
+ 		 * If we've been holding a write lock on the tree just for
+@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ 	ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+ }
+ 
+static size_t
+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
+		   bool tree_locked) {
+	rdatasetheader_t *header, *header_prev;
+	size_t purged = 0;
+
+	for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+	     header != NULL && purged <= purgesize; header = header_prev)
+	{
+		header_prev = ISC_LIST_PREV(header, link);
+		/*
+		 * Unlink the entry at this point to avoid checking it
+		 * again even if it's currently used someone else and
+		 * cannot be purged at this moment.  This entry won't be
+		 * referenced any more (so unlinking is safe) since the
+		 * TTL was reset to 0.
+		 */
+		ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
+		size_t header_size = rdataset_size(header);
+		expire_header(rbtdb, header, tree_locked, expire_lru);
+		purged += header_size;
+	}
+
+	return (purged);
+}
+
+ /*%
+- * Purge some expired and/or stale (i.e. unused for some period) cache entries
+- * under an overmem condition.  To recover from this condition quickly, up to
+- * 2 entries will be purged.  This process is triggered while adding a new
+- * entry, and we specifically avoid purging entries in the same LRU bucket as
+- * the one to which the new entry will belong.  Otherwise, we might purge
+- * entries of the same name of different RR types while adding RRsets from a
+- * single response (consider the case where we're adding A and AAAA glue records
+- * of the same NS name).
+- */
+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
+ * entries under the overmem condition.  To recover from this condition quickly,
+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
+ *
+ * This process is triggered while adding a new entry, and we specifically avoid
+ * purging entries in the same LRU bucket as the one to which the new entry will
+ * belong.  Otherwise, we might purge entries of the same name of different RR
+ * types while adding RRsets from a single response (consider the case where
+ * we're adding A and AAAA glue records of the same NS name).
+*/
+ static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+-	      isc_stdtime_t now, bool tree_locked)
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
+	      bool tree_locked)
+ {
+-	rdatasetheader_t *header, *header_prev;
+ 	unsigned int locknum;
+-	int purgecount = 2;
+	size_t purged = 0;
+ 
+ 	for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+-	     locknum != locknum_start && purgecount > 0;
+	     locknum != locknum_start && purged <= purgesize;
+ 	     locknum = (locknum + 1) % rbtdb->node_lock_count) {
+ 		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ 			  isc_rwlocktype_write);
+ 
+-		header = isc_heap_element(rbtdb->heaps[locknum], 1);
+-		if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
+-			expire_header(rbtdb, header, tree_locked,
+-				      expire_ttl);
+-			purgecount--;
+-		}
+-
+-		for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+-		     header != NULL && purgecount > 0;
+-		     header = header_prev) {
+-			header_prev = ISC_LIST_PREV(header, link);
+-			/*
+-			 * Unlink the entry at this point to avoid checking it
+-			 * again even if it's currently used someone else and
+-			 * cannot be purged at this moment.  This entry won't be
+-			 * referenced any more (so unlinking is safe) since the
+-			 * TTL was reset to 0.
+-			 */
+-			ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+-					link);
+-			expire_header(rbtdb, header, tree_locked,
+-				      expire_lru);
+-			purgecount--;
+-		}
+		purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
+					     tree_locked);
+ 
+ 		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ 				    isc_rwlocktype_write);
--- a/meta/recipes-connectivity/bind/bind_9.11.37.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://CVE-2022-2795.patch \
           file://CVE-2022-38177.patch \
           file://CVE-2022-38178.patch \
+           file://CVE-2023-2828.patch \
           "

 SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"
--- a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
+++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,54 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+CVE: CVE-2023-28488
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 7efa7e45..82017692 100644
+--- a/gdhcp/client.c
+++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ 				struct sockaddr_in *dst_addr)
+ {
+-	int bytes;
+ 	struct ip_udp_dhcp_packet packet;
+ 	uint16_t check;
+	int bytes, tot_len;
+ 
+ 	memset(&packet, 0, sizeof(packet));
+ 
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ 	if (bytes < 0)
+ 		return -1;
+ 
+-	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+-		return -1;
+-
+-	if (bytes < ntohs(packet.ip.tot_len))
+	tot_len = ntohs(packet.ip.tot_len);
+	if (bytes > tot_len) {
+		/* ignore any extra garbage bytes */
+		bytes = tot_len;
+	} else if (bytes < tot_len) {
+ 		/* packet is bigger than sizeof(packet), we did partial read */
+ 		return -1;
+	}
+ 
+-	/* ignore any extra garbage bytes */
+-	bytes = ntohs(packet.ip.tot_len);
+	if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+		return -1;
+ 
+ 	if (!sanity_check(&packet, bytes))
+ 		return -1;
+-- 
+cgit 
+
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -14,6 +14,7 @@ SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
            file://CVE-2022-23098.patch \
            file://CVE-2022-32292.patch \
 	     file://CVE-2022-32293.patch \
+            file://CVE-2023-28488.patch \
 "

 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
--- a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
+++ b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,283 @@
+From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Date: Fri, 30 Jun 2023 19:02:45 +0200
+Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
+ set*id() return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ftpd/ftpd.c  | 10 +++++++---
+ src/rcp.c    | 39 +++++++++++++++++++++++++++++++++------
+ src/rlogin.c | 11 +++++++++--
+ src/rsh.c    | 25 +++++++++++++++++++++----
+ src/rshd.c   | 20 +++++++++++++++++---
+ src/uucpd.c  | 15 +++++++++++++--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 5db88d0..b52b122 100644
+--- a/ftpd/ftpd.c
+++ b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+   char *remotehost = pcred->remotehost;
+   int atype = pcred->auth_type;
+ 
+-  seteuid ((uid_t) 0);
+  if (seteuid ((uid_t) 0) == -1)
+    _exit (EXIT_FAILURE);
+
+   if (pcred->logged_in)
+     {
+       logwtmp_keep_open (ttyline, "", "");
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+ 
+   if (data >= 0)
+     return fdopen (data, mode);
+-  seteuid ((uid_t) 0);
+  if (seteuid ((uid_t) 0) == -1)
+    _exit (EXIT_FAILURE);
+   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+   if (s < 0)
+     goto bad;
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+   else	/* !AF_INET6 */
+     ((struct sockaddr_in *) &pasv_addr)->sin_port = 0;
+ 
+-  seteuid ((uid_t) 0);
+  if (seteuid ((uid_t) 0) == -1)
+    _exit (EXIT_FAILURE);
+   if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0)
+     {
+       if (seteuid ((uid_t) cred.uid))
+diff --git a/src/rcp.c b/src/rcp.c
+index bafa35f..366295c 100644
+--- a/src/rcp.c
+++ b/src/rcp.c
+@@ -347,14 +347,23 @@ main (int argc, char *argv[])
+   if (from_option)
+     {				/* Follow "protocol", send data. */
+       response ();
+-      setuid (userid);
+
+      if (setuid (userid) == -1)
+      {
+        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+      }
+
+       source (argc, argv);
+       exit (errs);
+     }
+ 
+   if (to_option)
+     {				/* Receive data. */
+-      setuid (userid);
+      if (setuid (userid) == -1)
+      {
+        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+      }
+
+       sink (argc, argv);
+       exit (errs);
+     }
+@@ -539,7 +548,11 @@ toremote (char *targ, int argc, char *argv[])
+ 	      if (response () < 0)
+ 		exit (EXIT_FAILURE);
+ 	      free (bp);
+-	      setuid (userid);
+
+	      if (setuid (userid) == -1)
+              {
+                error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+              }
+ 	    }
+ 	  source (1, argv + i);
+ 	  close (rem);
+@@ -634,7 +647,12 @@ tolocal (int argc, char *argv[])
+ 	  ++errs;
+ 	  continue;
+ 	}
+-      seteuid (userid);
+
+      if (seteuid (userid) == -1)
+      {
+        error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+      }
+
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+       sslen = sizeof (ss);
+       (void) getpeername (rem, (struct sockaddr *) &ss, &sslen);
+@@ -647,7 +665,12 @@ tolocal (int argc, char *argv[])
+ #endif
+       vect[0] = target;
+       sink (1, vect);
+-      seteuid (effuid);
+
+      if (seteuid (effuid) == -1)
+      {
+        error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+      }
+
+       close (rem);
+       rem = -1;
+ #ifdef SHISHI
+@@ -1453,7 +1476,11 @@ susystem (char *s, int userid)
+       return (127);
+ 
+     case 0:
+-      setuid (userid);
+      if (setuid (userid) == -1)
+      {
+        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+      }
+
+       execl (PATH_BSHELL, "sh", "-c", s, NULL);
+       _exit (127);
+     }
+diff --git a/src/rlogin.c b/src/rlogin.c
+index e5e11a7..6b38901 100644
+--- a/src/rlogin.c
+++ b/src/rlogin.c
+@@ -649,8 +649,15 @@ try_connect:
+   /* Now change to the real user ID.  We have to be set-user-ID root
+      to get the privileged port that rcmd () uses.  We now want, however,
+      to run as the real user who invoked us.  */
+-  seteuid (uid);
+-  setuid (uid);
+  if (seteuid (uid) == -1)
+  {
+    error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+  }
+
+  if (setuid (uid) == -1)
+  {
+    error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+  }
+ 
+   doit (&osmask);	/* The old mask will activate SIGURG and SIGUSR1!  */
+ 
+diff --git a/src/rsh.c b/src/rsh.c
+index bd70372..b451a70 100644
+--- a/src/rsh.c
+++ b/src/rsh.c
+@@ -278,8 +278,17 @@ main (int argc, char **argv)
+     {
+       if (asrsh)
+ 	*argv = (char *) "rlogin";
+-      seteuid (getuid ());
+-      setuid (getuid ());
+
+      if (seteuid (getuid ()) == -1)
+      {
+        error (EXIT_FAILURE, errno, "seteuid() failed");
+      }
+
+      if (setuid (getuid ()) == -1)
+      {
+        error (EXIT_FAILURE, errno, "setuid() failed");
+      }
+
+       execv (PATH_RLOGIN, argv);
+       error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+     }
+@@ -543,8 +552,16 @@ try_connect:
+ 	error (0, errno, "setsockopt DEBUG (ignored)");
+     }
+ 
+-  seteuid (uid);
+-  setuid (uid);
+  if (seteuid (uid) == -1)
+  {
+    error (EXIT_FAILURE, errno, "seteuid() failed");
+  }
+
+  if (setuid (uid) == -1)
+  {
+    error (EXIT_FAILURE, errno, "setuid() failed");
+  }
+
+ #ifdef HAVE_SIGACTION
+   sigemptyset (&sigs);
+   sigaddset (&sigs, SIGINT);
+diff --git a/src/rshd.c b/src/rshd.c
+index b824a10..8cdcd06 100644
+--- a/src/rshd.c
+++ b/src/rshd.c
+@@ -1848,8 +1848,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+     pwd->pw_shell = PATH_BSHELL;
+ 
+   /* Set the gid, then uid to become the user specified by "locuser" */
+-  setegid ((gid_t) pwd->pw_gid);
+-  setgid ((gid_t) pwd->pw_gid);
+  if (setegid ((gid_t) pwd->pw_gid) == -1)
+  {
+    rshd_error ("Cannot drop privileges (setegid() failed)\n");
+    exit (EXIT_FAILURE);
+  }
+
+  if (setgid ((gid_t) pwd->pw_gid) == -1)
+  {
+    rshd_error ("Cannot drop privileges (setgid() failed)\n");
+    exit (EXIT_FAILURE);
+  }
+
+ #ifdef HAVE_INITGROUPS
+   initgroups (pwd->pw_name, pwd->pw_gid);	/* BSD groups */
+ #endif
+@@ -1871,7 +1881,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+     }
+ #endif /* WITH_PAM */
+ 
+-  setuid ((uid_t) pwd->pw_uid);
+  if (setuid ((uid_t) pwd->pw_uid) == -1)
+  {
+    rshd_error ("Cannot drop privileges (setuid() failed)\n");
+    exit (EXIT_FAILURE);
+  }
+ 
+   /* We'll execute the client's command in the home directory
+    * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 55c3d44..6aba294 100644
+--- a/src/uucpd.c
+++ b/src/uucpd.c
+@@ -254,7 +254,12 @@ doit (struct sockaddr *sap, socklen_t salen)
+   sprintf (Username, "USER=%s", user);
+   sprintf (Logname, "LOGNAME=%s", user);
+   dologin (pw, sap, salen);
+-  setgid (pw->pw_gid);
+
+  if (setgid (pw->pw_gid) == -1)
+  {
+    fprintf (stderr, "setgid() failed");
+    return;
+  }
+ #ifdef HAVE_INITGROUPS
+   initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -263,7 +268,13 @@ doit (struct sockaddr *sap, socklen_t salen)
+       fprintf (stderr, "Login incorrect.");
+       return;
+     }
+-  setuid (pw->pw_uid);
+
+  if (setuid (pw->pw_uid) == -1)
+  {
+    fprintf (stderr, "setuid() failed");
+    return;
+  }
+
+   execl (uucico_location, "uucico", NULL);
+   perror ("uucico server: execl");
+ }
+-- 
+2.25.1
+
--- a/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
+++ b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
@@ -0,0 +1,254 @@
+From 70fe022f9dac760eaece0228cad17e3d29a57fb8 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Mon, 31 Jul 2023 13:59:05 +0200
+Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/rcp.c    | 42 ++++++++++++++++++++++++------------------
+ src/rlogin.c | 12 ++++++------
+ src/rsh.c    | 24 ++++++++++++------------
+ src/rshd.c   | 24 ++++++++++++------------
+ src/uucpd.c  | 16 ++++++++--------
+ 5 files changed, 62 insertions(+), 56 deletions(-)
+
+diff --git a/src/rcp.c b/src/rcp.c
+index cdcf8500..652f22e6 100644
+--- a/src/rcp.c
+++ b/src/rcp.c
+@@ -347,9 +347,10 @@ main (int argc, char *argv[])
+       response ();
+ 
+       if (setuid (userid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-      }
+	{
+	  error (EXIT_FAILURE, 0,
+		 "Could not drop privileges (setuid() failed)");
+	}
+ 
+       source (argc, argv);
+       exit (errs);
+@@ -358,9 +359,10 @@ main (int argc, char *argv[])
+   if (to_option)
+     {				/* Receive data. */
+       if (setuid (userid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-      }
+	{
+	  error (EXIT_FAILURE, 0,
+		 "Could not drop privileges (setuid() failed)");
+	}
+ 
+       sink (argc, argv);
+       exit (errs);
+@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[])
+ 	      free (bp);
+ 
+ 	      if (setuid (userid) == -1)
+-              {
+-                error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-              }
+		{
+		  error (EXIT_FAILURE, 0,
+			 "Could not drop privileges (setuid() failed)");
+		}
+ 	    }
+ 	  source (1, argv + i);
+ 	  close (rem);
+@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[])
+ 	}
+ 
+       if (seteuid (userid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+-      }
+	{
+	  error (EXIT_FAILURE, 0,
+		 "Could not drop privileges (seteuid() failed)");
+	}
+ 
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+       sslen = sizeof (ss);
+@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[])
+       sink (1, vect);
+ 
+       if (seteuid (effuid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+-      }
+	{
+	  error (EXIT_FAILURE, 0,
+		 "Could not drop privileges (seteuid() failed)");
+	}
+ 
+       close (rem);
+       rem = -1;
+@@ -1465,9 +1470,10 @@ susystem (char *s, int userid)
+ 
+     case 0:
+       if (setuid (userid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-      }
+	{
+	  error (EXIT_FAILURE, 0,
+		 "Could not drop privileges (setuid() failed)");
+	}
+ 
+       execl (PATH_BSHELL, "sh", "-c", s, NULL);
+       _exit (127);
+diff --git a/src/rlogin.c b/src/rlogin.c
+index c543de0c..4360202f 100644
+--- a/src/rlogin.c
+++ b/src/rlogin.c
+@@ -648,14 +648,14 @@ try_connect:
+      to get the privileged port that rcmd () uses.  We now want, however,
+      to run as the real user who invoked us.  */
+   if (seteuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+-  }
+    {
+      error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+    }
+ 
+   if (setuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-  }
+    {
+      error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+    }
+ 
+   doit (&osmask);	/* The old mask will activate SIGURG and SIGUSR1!  */
+ 
+diff --git a/src/rsh.c b/src/rsh.c
+index 6f60667d..179b47cd 100644
+--- a/src/rsh.c
+++ b/src/rsh.c
+@@ -278,14 +278,14 @@ main (int argc, char **argv)
+ 	*argv = (char *) "rlogin";
+ 
+       if (seteuid (getuid ()) == -1)
+-      {
+-        error (EXIT_FAILURE, errno, "seteuid() failed");
+-      }
+	{
+	  error (EXIT_FAILURE, errno, "seteuid() failed");
+	}
+ 
+       if (setuid (getuid ()) == -1)
+-      {
+-        error (EXIT_FAILURE, errno, "setuid() failed");
+-      }
+	{
+	  error (EXIT_FAILURE, errno, "setuid() failed");
+	}
+ 
+       execv (PATH_RLOGIN, argv);
+       error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+@@ -551,14 +551,14 @@ try_connect:
+     }
+ 
+   if (seteuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, errno, "seteuid() failed");
+-  }
+    {
+      error (EXIT_FAILURE, errno, "seteuid() failed");
+    }
+ 
+   if (setuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, errno, "setuid() failed");
+-  }
+    {
+      error (EXIT_FAILURE, errno, "setuid() failed");
+    }
+ 
+ #ifdef HAVE_SIGACTION
+   sigemptyset (&sigs);
+diff --git a/src/rshd.c b/src/rshd.c
+index 707790e7..3a153a18 100644
+--- a/src/rshd.c
+++ b/src/rshd.c
+@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ 
+   /* Set the gid, then uid to become the user specified by "locuser" */
+   if (setegid ((gid_t) pwd->pw_gid) == -1)
+-  {
+-    rshd_error ("Cannot drop privileges (setegid() failed)\n");
+-    exit (EXIT_FAILURE);
+-  }
+    {
+      rshd_error ("Cannot drop privileges (setegid() failed)\n");
+      exit (EXIT_FAILURE);
+    }
+ 
+   if (setgid ((gid_t) pwd->pw_gid) == -1)
+-  {
+-    rshd_error ("Cannot drop privileges (setgid() failed)\n");
+-    exit (EXIT_FAILURE);
+-  }
+    {
+      rshd_error ("Cannot drop privileges (setgid() failed)\n");
+      exit (EXIT_FAILURE);
+    }
+ 
+ #ifdef HAVE_INITGROUPS
+   initgroups (pwd->pw_name, pwd->pw_gid);	/* BSD groups */
+@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ #endif /* WITH_PAM */
+ 
+   if (setuid ((uid_t) pwd->pw_uid) == -1)
+-  {
+-    rshd_error ("Cannot drop privileges (setuid() failed)\n");
+-    exit (EXIT_FAILURE);
+-  }
+    {
+      rshd_error ("Cannot drop privileges (setuid() failed)\n");
+      exit (EXIT_FAILURE);
+    }
+ 
+   /* We'll execute the client's command in the home directory
+    * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 29cfce35..fde7b9c9 100644
+--- a/src/uucpd.c
+++ b/src/uucpd.c
+@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+   dologin (pw, sap, salen);
+ 
+   if (setgid (pw->pw_gid) == -1)
+-  {
+-    fprintf (stderr, "setgid() failed");
+-    return;
+-  }
+    {
+      fprintf (stderr, "setgid() failed");
+      return;
+    }
+ #ifdef HAVE_INITGROUPS
+   initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+     }
+ 
+   if (setuid (pw->pw_uid) == -1)
+-  {
+-    fprintf (stderr, "setuid() failed");
+-    return;
+-  }
+    {
+      fprintf (stderr, "setuid() failed");
+      return;
+    }
+ 
+   execl (uucico_location, "uucico", NULL);
+   perror ("uucico server: execl");
--- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
@@ -25,6 +25,8 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
           file://fix-buffer-fortify-tfpt.patch \
           file://CVE-2021-40491.patch \
           file://CVE-2022-39028.patch \
+           file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \
+           file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \
 "

 SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -5,8 +5,8 @@ SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"

-SRCREV = "22a5de3ef637990ce03141f786fbdb327e9c5a3f"
-PV = "20221107"
+SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe"
+PV = "20230416"
 PE = "1"

 SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@
+From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 1 Oct 2021 16:35:49 +1000
+Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough
+
+ok dtucker
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 16 ++++++++--------
+ ssh-pkcs11.c        | 26 +++++++++++++-------------
+ 2 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 8a0ffef..41114c7 100644
+--- a/ssh-pkcs11-client.c
+++ b/ssh-pkcs11-client.c
+@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+	return (ret);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+     const BIGNUM *rp, EC_KEY *ec)
+@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+	sshbuf_free(msg);
+	return (ret);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ static RSA_METHOD	*helper_rsa;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD	*helper_ecdsa;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k)
+ {
+	if (k->type == KEY_RSA)
+		RSA_set_method(k->rsa, helper_rsa);
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+	else if (k->type == KEY_ECDSA)
+		EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+	else
+		fatal("%s: unknown key type", __func__);
+ }
+@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void)
+	if (helper_rsa != NULL)
+		return (0);
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+	int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
+	    unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+	if (helper_ecdsa != NULL)
+@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void)
+		return (-1);
+	EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+	EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+	if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
+		fatal("%s: RSA_meth_dup failed", __func__);
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index a302c79..b56a41b 100644
+--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
+@@ -78,7 +78,7 @@ struct pkcs11_key {
+
+ int pkcs11_interactive = 0;
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static void
+ ossl_error(const char *msg)
+ {
+@@ -89,7 +89,7 @@ ossl_error(const char *msg)
+		error("%s: libcrypto error: %.100s", __func__,
+		    ERR_error_string(e, NULL));
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ int
+ pkcs11_init(int interactive)
+@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id)
+
+ static RSA_METHOD *rsa_method;
+ static int rsa_idx = 0;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD *ec_key_method;
+ static int ec_key_idx = 0;
+-#endif
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* release a wrapped object */
+ static void
+@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+	return (0);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ /* openssl callback doing the actual signing operation */
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+
+	return (0);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* remove trailing spaces */
+ static void
+@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
+	return (0);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static struct sshkey *
+ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+     CK_OBJECT_HANDLE *obj)
+@@ -802,7 +802,7 @@ fail:
+
+	return (key);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ static struct sshkey *
+ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ #endif
+	struct sshkey		*key = NULL;
+	int			 i;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+	int			 nid;
+ #endif
+	const u_char		*cp;
+@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+		key->type = KEY_RSA;
+		key->flags |= SSHKEY_FLAG_EXT;
+		rsa = NULL;	/* now owned by key */
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+	} else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
+		if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
+			error("invalid x509; no ec key");
+@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+		key->type = KEY_ECDSA;
+		key->flags |= SSHKEY_FLAG_EXT;
+		ec = NULL;	/* now owned by key */
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+	} else {
+		error("unknown certificate key type");
+		goto out;
+@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+		case CKK_RSA:
+			key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
+			break;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+		case CKK_ECDSA:
+			key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
+			break;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+		default:
+			/* XXX print key type? */
+			key = NULL;
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
@@ -0,0 +1,581 @@
+From 92cebfbcc221c9ef3f6bbb78da3d7699c0ae56be Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:03:45 +0000
+Subject: [PATCH 02/12] upstream: Separate ssh-pkcs11-helpers for each p11
+ module
+
+Make ssh-pkcs11-client start an independent helper for each provider,
+providing better isolation between modules and reliability if a single
+module misbehaves.
+
+This also implements reference counting of PKCS#11-hosted keys,
+allowing ssh-pkcs11-helper subprocesses to be automatically reaped
+when no remaining keys reference them. This fixes some bugs we have
+that make PKCS11 keys unusable after they have been deleted, e.g.
+https://bugzilla.mindrot.org/show_bug.cgi?id=3125
+
+ok markus@
+
+OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 372 +++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 282 insertions(+), 90 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 41114c7..4f3c6ed 100644
+--- a/ssh-pkcs11-client.c
+++ b/ssh-pkcs11-client.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-pkcs11-client.c,v 1.16 2020/01/25 00:03:36 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */
+ /*
+  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
+@@ -30,12 +30,11 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
+#include <limits.h>
+
+ #include <openssl/ecdsa.h>
+ #include <openssl/rsa.h>
+
+-#include "openbsd-compat/openssl-compat.h"
+-
+ #include "pathnames.h"
+ #include "xmalloc.h"
+ #include "sshbuf.h"
+@@ -47,18 +46,140 @@
+ #include "ssh-pkcs11.h"
+ #include "ssherr.h"
+
+#include "openbsd-compat/openssl-compat.h"
+
+ /* borrows code from sftp-server and ssh-agent */
+
+-static int fd = -1;
+-static pid_t pid = -1;
+/*
+ * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up
+ * by provider path or their unique EC/RSA METHOD pointers.
+ */
+struct helper {
+	char *path;
+	pid_t pid;
+	int fd;
+	RSA_METHOD *rsa_meth;
+	EC_KEY_METHOD *ec_meth;
+	int (*rsa_finish)(RSA *rsa);
+	void (*ec_finish)(EC_KEY *key);
+	size_t nrsa, nec; /* number of active keys of each type */
+};
+static struct helper **helpers;
+static size_t nhelpers;
+
+static struct helper *
+helper_by_provider(const char *path)
+{
+	size_t i;
+
+	for (i = 0; i < nhelpers; i++) {
+		if (helpers[i] == NULL || helpers[i]->path == NULL ||
+		    helpers[i]->fd == -1)
+			continue;
+		if (strcmp(helpers[i]->path, path) == 0)
+			return helpers[i];
+	}
+	return NULL;
+}
+
+static struct helper *
+helper_by_rsa(const RSA *rsa)
+{
+	size_t i;
+	const RSA_METHOD *meth;
+
+	if ((meth = RSA_get_method(rsa)) == NULL)
+		return NULL;
+	for (i = 0; i < nhelpers; i++) {
+		if (helpers[i] != NULL && helpers[i]->rsa_meth == meth)
+			return helpers[i];
+	}
+	return NULL;
+
+}
+
+static struct helper *
+helper_by_ec(const EC_KEY *ec)
+{
+	size_t i;
+	const EC_KEY_METHOD *meth;
+
+	if ((meth = EC_KEY_get_method(ec)) == NULL)
+		return NULL;
+	for (i = 0; i < nhelpers; i++) {
+		if (helpers[i] != NULL && helpers[i]->ec_meth == meth)
+			return helpers[i];
+	}
+	return NULL;
+
+}
+
+static void
+helper_free(struct helper *helper)
+{
+	size_t i;
+	int found = 0;
+
+	if (helper == NULL)
+		return;
+	if (helper->path == NULL || helper->ec_meth == NULL ||
+	    helper->rsa_meth == NULL)
+		fatal("%s: inconsistent helper", __func__);
+	debug3("%s: free helper for provider %s", __func__ , helper->path);
+	for (i = 0; i < nhelpers; i++) {
+		if (helpers[i] == helper) {
+			if (found)
+				fatal("%s: helper recorded more than once", __func__);
+			found = 1;
+		}
+		else if (found)
+			helpers[i - 1] = helpers[i];
+	}
+	if (found) {
+		helpers = xrecallocarray(helpers, nhelpers,
+		    nhelpers - 1, sizeof(*helpers));
+		nhelpers--;
+	}
+	free(helper->path);
+	EC_KEY_METHOD_free(helper->ec_meth);
+	RSA_meth_free(helper->rsa_meth);
+	free(helper);
+}
+
+static void
+helper_terminate(struct helper *helper)
+{
+	if (helper == NULL) {
+		return;
+	} else if (helper->fd == -1) {
+		debug3("%s: already terminated", __func__);
+	} else {
+		debug3("terminating helper for %s; "
+		    "remaining %zu RSA %zu ECDSA", __func__,
+		    helper->path, helper->nrsa, helper->nec);
+		close(helper->fd);
+		/* XXX waitpid() */
+		helper->fd = -1;
+		helper->pid = -1;
+	}
+	/*
+	 * Don't delete the helper entry until there are no remaining keys
+	 * that reference it. Otherwise, any signing operation would call
+	 * a free'd METHOD pointer and that would be bad.
+	 */
+	if (helper->nrsa == 0 && helper->nec == 0)
+		helper_free(helper);
+}
+
+ static void
+-send_msg(struct sshbuf *m)
+send_msg(int fd, struct sshbuf *m)
+ {
+	u_char buf[4];
+	size_t mlen = sshbuf_len(m);
+	int r;
+
+	if (fd == -1)
+		return;
+	POKE_U32(buf, mlen);
+	if (atomicio(vwrite, fd, buf, 4) != 4 ||
+	    atomicio(vwrite, fd, sshbuf_mutable_ptr(m),
+@@ -69,12 +190,15 @@ send_msg(struct sshbuf *m)
+ }
+
+ static int
+-recv_msg(struct sshbuf *m)
+recv_msg(int fd, struct sshbuf *m)
+ {
+	u_int l, len;
+	u_char c, buf[1024];
+	int r;
+
+	sshbuf_reset(m);
+	if (fd == -1)
+		return 0; /* XXX */
+	if ((len = atomicio(read, fd, buf, 4)) != 4) {
+		error("read from helper failed: %u", len);
+		return (0); /* XXX */
+@@ -83,7 +207,6 @@ recv_msg(struct sshbuf *m)
+	if (len > 256 * 1024)
+		fatal("response too long: %u", len);
+	/* read len bytes into m */
+-	sshbuf_reset(m);
+	while (len > 0) {
+		l = len;
+		if (l > sizeof(buf))
+@@ -104,14 +227,17 @@ recv_msg(struct sshbuf *m)
+ int
+ pkcs11_init(int interactive)
+ {
+-	return (0);
+	return 0;
+ }
+
+ void
+ pkcs11_terminate(void)
+ {
+-	if (fd >= 0)
+-		close(fd);
+	size_t i;
+
+	debug3("%s: terminating %zu helpers", __func__, nhelpers);
+	for (i = 0; i < nhelpers; i++)
+		helper_terminate(helpers[i]);
+ }
+
+ static int
+@@ -122,7 +248,11 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+	u_char *blob = NULL, *signature = NULL;
+	size_t blen, slen = 0;
+	int r, ret = -1;
+	struct helper *helper;
+
+	if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1)
+		fatal("%s: no helper for PKCS11 key", __func__);
+	debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
+	if (padding != RSA_PKCS1_PADDING)
+		goto fail;
+	key = sshkey_new(KEY_UNSPEC);
+@@ -144,10 +274,10 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+	    (r = sshbuf_put_string(msg, from, flen)) != 0 ||
+	    (r = sshbuf_put_u32(msg, 0)) != 0)
+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-	send_msg(msg);
+	send_msg(helper->fd, msg);
+	sshbuf_reset(msg);
+
+-	if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
+	if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
+		if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		if (slen <= (size_t)RSA_size(rsa)) {
+@@ -163,7 +293,26 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+	return (ret);
+ }
+
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+static int
+rsa_finish(RSA *rsa)
+{
+	struct helper *helper;
+
+	if ((helper = helper_by_rsa(rsa)) == NULL)
+		fatal("%s: no helper for PKCS11 key", __func__);
+	debug3("%s: free PKCS11 RSA key for provider %s", __func__, helper->path);
+	if (helper->rsa_finish != NULL)
+		helper->rsa_finish(rsa);
+	if (helper->nrsa == 0)
+		fatal("%s: RSA refcount error", __func__);
+	helper->nrsa--;
+	debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
+	    helper->path, helper->nrsa, helper->nec);
+	if (helper->nrsa == 0 && helper->nec == 0)
+		helper_terminate(helper);
+	return 1;
+}
+
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+     const BIGNUM *rp, EC_KEY *ec)
+@@ -175,7 +324,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+	u_char *blob = NULL, *signature = NULL;
+	size_t blen, slen = 0;
+	int r, nid;
+	struct helper *helper;
+
+	if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1)
+		fatal("%s: no helper for PKCS11 key", __func__);
+	debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
+	nid = sshkey_ecdsa_key_to_nid(ec);
+	if (nid < 0) {
+		error("%s: couldn't get curve nid", __func__);
+@@ -203,10 +356,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+	    (r = sshbuf_put_string(msg, dgst, dgst_len)) != 0 ||
+	    (r = sshbuf_put_u32(msg, 0)) != 0)
+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-	send_msg(msg);
+	send_msg(helper->fd, msg);
+	sshbuf_reset(msg);
+
+-	if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
+	if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
+		if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		cp = signature;
+@@ -220,75 +373,110 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+	sshbuf_free(msg);
+	return (ret);
+ }
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+-static RSA_METHOD	*helper_rsa;
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+-static EC_KEY_METHOD	*helper_ecdsa;
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+static void
+ecdsa_do_finish(EC_KEY *ec)
+{
+	struct helper *helper;
+
+	if ((helper = helper_by_ec(ec)) == NULL)
+		fatal("%s: no helper for PKCS11 key", __func__);
+	debug3("%s: free PKCS11 ECDSA key for provider %s", __func__, helper->path);
+	if (helper->ec_finish != NULL)
+		helper->ec_finish(ec);
+	if (helper->nec == 0)
+		fatal("%s: ECDSA refcount error", __func__);
+	helper->nec--;
+	debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
+	    helper->path, helper->nrsa, helper->nec);
+	if (helper->nrsa == 0 && helper->nec == 0)
+		helper_terminate(helper);
+}
+
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+-wrap_key(struct sshkey *k)
+wrap_key(struct helper *helper, struct sshkey *k)
+ {
+-	if (k->type == KEY_RSA)
+-		RSA_set_method(k->rsa, helper_rsa);
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+-	else if (k->type == KEY_ECDSA)
+-		EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+-	else
+	debug3("%s: wrap %s for provider %s", __func__, sshkey_type(k), helper->path);
+	if (k->type == KEY_RSA) {
+		RSA_set_method(k->rsa, helper->rsa_meth);
+		if (helper->nrsa++ >= INT_MAX)
+			fatal("%s: RSA refcount error", __func__);
+	} else if (k->type == KEY_ECDSA) {
+		EC_KEY_set_method(k->ecdsa, helper->ec_meth);
+		if (helper->nec++ >= INT_MAX)
+			fatal("%s: EC refcount error", __func__);
+	} else
+		fatal("%s: unknown key type", __func__);
+	k->flags |= SSHKEY_FLAG_EXT;
+	debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
+	    helper->path, helper->nrsa, helper->nec);
+ }
+
+ static int
+-pkcs11_start_helper_methods(void)
+pkcs11_start_helper_methods(struct helper *helper)
+ {
+-	if (helper_rsa != NULL)
+-		return (0);
+-
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+-	int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
+	int (*ec_init)(EC_KEY *key);
+	int (*ec_copy)(EC_KEY *dest, const EC_KEY *src);
+	int (*ec_set_group)(EC_KEY *key, const EC_GROUP *grp);
+	int (*ec_set_private)(EC_KEY *key, const BIGNUM *priv_key);
+	int (*ec_set_public)(EC_KEY *key, const EC_POINT *pub_key);
+	int (*ec_sign)(int, const unsigned char *, int, unsigned char *,
+	    unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+-	if (helper_ecdsa != NULL)
+-		return (0);
+-	helper_ecdsa = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
+-	if (helper_ecdsa == NULL)
+-		return (-1);
+-	EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+-	EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+-
+-	if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
+	RSA_METHOD *rsa_meth;
+	EC_KEY_METHOD *ec_meth;
+
+	if ((ec_meth = EC_KEY_METHOD_new(EC_KEY_OpenSSL())) == NULL)
+		return -1;
+	EC_KEY_METHOD_get_sign(ec_meth, &ec_sign, NULL, NULL);
+	EC_KEY_METHOD_set_sign(ec_meth, ec_sign, NULL, ecdsa_do_sign);
+	EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish,
+	    &ec_copy, &ec_set_group, &ec_set_private, &ec_set_public);
+	EC_KEY_METHOD_set_init(ec_meth, ec_init, ecdsa_do_finish,
+	    ec_copy, ec_set_group, ec_set_private, ec_set_public);
+
+	if ((rsa_meth = RSA_meth_dup(RSA_get_default_method())) == NULL)
+		fatal("%s: RSA_meth_dup failed", __func__);
+-	if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") ||
+-	    !RSA_meth_set_priv_enc(helper_rsa, rsa_encrypt))
+	helper->rsa_finish = RSA_meth_get_finish(rsa_meth);
+	if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") ||
+	    !RSA_meth_set_priv_enc(rsa_meth, rsa_encrypt) ||
+	    !RSA_meth_set_finish(rsa_meth, rsa_finish))
+		fatal("%s: failed to prepare method", __func__);
+
+-	return (0);
+	helper->ec_meth = ec_meth;
+	helper->rsa_meth = rsa_meth;
+	return 0;
+ }
+
+-static int
+-pkcs11_start_helper(void)
+static struct helper *
+pkcs11_start_helper(const char *path)
+ {
+	int pair[2];
+-	char *helper, *verbosity = NULL;
+-
+-	if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
+-		verbosity = "-vvv";
+-
+-	if (pkcs11_start_helper_methods() == -1) {
+-		error("pkcs11_start_helper_methods failed");
+-		return (-1);
+-	}
+	char *prog, *verbosity = NULL;
+	struct helper *helper;
+	pid_t pid;
+
+	if (nhelpers >= INT_MAX)
+		fatal("%s: too many helpers", __func__);
+	debug3("%s: start helper for %s", __func__, path);
+	if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
+		error("socketpair: %s", strerror(errno));
+-		return (-1);
+		return NULL;
+	}
+	helper = xcalloc(1, sizeof(*helper));
+	if (pkcs11_start_helper_methods(helper) == -1) {
+		error("pkcs11_start_helper_methods failed");
+		goto fail;
+	}
+	if ((pid = fork()) == -1) {
+		error("fork: %s", strerror(errno));
+-		return (-1);
+ fail:
+		close(pair[0]);
+		close(pair[1]);
+		RSA_meth_free(helper->rsa_meth);
+		EC_KEY_METHOD_free(helper->ec_meth);
+		free(helper);
+		return NULL;
+	} else if (pid == 0) {
+		if ((dup2(pair[1], STDIN_FILENO) == -1) ||
+		    (dup2(pair[1], STDOUT_FILENO) == -1)) {
+@@ -297,18 +485,27 @@ pkcs11_start_helper(void)
+		}
+		close(pair[0]);
+		close(pair[1]);
+-		helper = getenv("SSH_PKCS11_HELPER");
+-		if (helper == NULL || strlen(helper) == 0)
+-			helper = _PATH_SSH_PKCS11_HELPER;
+		prog = getenv("SSH_PKCS11_HELPER");
+		if (prog == NULL || strlen(prog) == 0)
+			prog = _PATH_SSH_PKCS11_HELPER;
+		if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
+			verbosity = "-vvv";
+		debug("%s: starting %s %s", __func__, helper,
+		    verbosity == NULL ? "" : verbosity);
+-		execlp(helper, helper, verbosity, (char *)NULL);
+-		fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno));
+		execlp(prog, prog, verbosity, (char *)NULL);
+		fprintf(stderr, "exec: %s: %s\n", prog, strerror(errno));
+		_exit(1);
+	}
+	close(pair[1]);
+-	fd = pair[0];
+-	return (0);
+	helper->fd = pair[0];
+	helper->path = xstrdup(path);
+	helper->pid = pid;
+	debug3("%s: helper %zu for \"%s\" on fd %d pid %ld", __func__, nhelpers,
+	    helper->path, helper->fd, (long)helper->pid);
+	helpers = xrecallocarray(helpers, nhelpers,
+	    nhelpers + 1, sizeof(*helpers));
+	helpers[nhelpers++] = helper;
+	return helper;
+ }
+
+ int
+@@ -322,9 +519,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+	size_t blen;
+	u_int nkeys, i;
+	struct sshbuf *msg;
+	struct helper *helper;
+
+-	if (fd < 0 && pkcs11_start_helper() < 0)
+-		return (-1);
+	if ((helper = helper_by_provider(name)) == NULL &&
+	    (helper = pkcs11_start_helper(name)) == NULL)
+		return -1;
+
+	if ((msg = sshbuf_new()) == NULL)
+		fatal("%s: sshbuf_new failed", __func__);
+@@ -332,10 +531,10 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+	    (r = sshbuf_put_cstring(msg, name)) != 0 ||
+	    (r = sshbuf_put_cstring(msg, pin)) != 0)
+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-	send_msg(msg);
+	send_msg(helper->fd, msg);
+	sshbuf_reset(msg);
+
+-	type = recv_msg(msg);
+	type = recv_msg(helper->fd, msg);
+	if (type == SSH2_AGENT_IDENTITIES_ANSWER) {
+		if ((r = sshbuf_get_u32(msg, &nkeys)) != 0)
+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -350,7 +549,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+				    __func__, ssh_err(r));
+			if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
+				fatal("%s: bad key: %s", __func__, ssh_err(r));
+-			wrap_key(k);
+			wrap_key(helper, k);
+			(*keysp)[i] = k;
+			if (labelsp)
+				(*labelsp)[i] = label;
+@@ -371,22 +570,15 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ int
+ pkcs11_del_provider(char *name)
+ {
+-	int r, ret = -1;
+-	struct sshbuf *msg;
+-
+-	if ((msg = sshbuf_new()) == NULL)
+-		fatal("%s: sshbuf_new failed", __func__);
+-	if ((r = sshbuf_put_u8(msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY)) != 0 ||
+-	    (r = sshbuf_put_cstring(msg, name)) != 0 ||
+-	    (r = sshbuf_put_cstring(msg, "")) != 0)
+-		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-	send_msg(msg);
+-	sshbuf_reset(msg);
+-
+-	if (recv_msg(msg) == SSH_AGENT_SUCCESS)
+-		ret = 0;
+-	sshbuf_free(msg);
+-	return (ret);
+	struct helper *helper;
+
+	/*
+	 * ssh-agent deletes keys before calling this, so the helper entry
+	 * should be gone before we get here.
+	 */
+	debug3("%s: delete %s", __func__, name);
+	if ((helper = helper_by_provider(name)) != NULL)
+		helper_terminate(helper);
+	return 0;
+ }
+-
+ #endif /* ENABLE_PKCS11 */
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
@@ -0,0 +1,171 @@
+From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected
+ symbols
+
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+
+Feedback deraadt; ok markus
+
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ misc.c       | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ misc.h       |  1 +
+ ssh-pkcs11.c |  4 +++
+ ssh-sk.c     |  6 ++--
+ 4 files changed, 86 insertions(+), 2 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index 3a31d5c..8a107e4 100644
+--- a/misc.c
+++ b/misc.c
+@@ -28,6 +28,7 @@
+
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
+#include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -41,6 +42,9 @@
+ #ifdef HAVE_POLL_H
+ #include <poll.h>
+ #endif
+#ifdef HAVE_NLIST_H
+#include <nlist.h>
+#endif
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler)
+	}
+	return osa.sa_handler;
+ }
+
+
+/*
+ * Returns zero if the library at 'path' contains symbol 's', nonzero
+ * otherwise.
+ */
+int
+lib_contains_symbol(const char *path, const char *s)
+{
+#ifdef HAVE_NLIST_H
+	struct nlist nl[2];
+	int ret = -1, r;
+
+	memset(nl, 0, sizeof(nl));
+	nl[0].n_name = xstrdup(s);
+	nl[1].n_name = NULL;
+	if ((r = nlist(path, nl)) == -1) {
+		error("%s: nlist failed for %s", __func__, path);
+		goto out;
+	}
+	if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
+		error("%s: library %s does not contain symbol %s", __func__, path, s);
+		goto out;
+	}
+	/* success */
+	ret = 0;
+ out:
+	free(nl[0].n_name);
+	return ret;
+#else /* HAVE_NLIST_H */
+	int fd, ret = -1;
+	struct stat st;
+	void *m = NULL;
+	size_t sz = 0;
+
+	memset(&st, 0, sizeof(st));
+	if ((fd = open(path, O_RDONLY)) < 0) {
+		error("%s: open %s: %s", __func__, path, strerror(errno));
+		return -1;
+	}
+	if (fstat(fd, &st) != 0) {
+		error("%s: fstat %s: %s", __func__, path, strerror(errno));
+		goto out;
+	}
+	if (!S_ISREG(st.st_mode)) {
+		error("%s: %s is not a regular file", __func__, path);
+		goto out;
+	}
+	if (st.st_size < 0 ||
+	    (size_t)st.st_size < strlen(s) ||
+	    st.st_size >= INT_MAX/2) {
+		error("%s: %s bad size %lld", __func__, path, (long long)st.st_size);
+		goto out;
+	}
+	sz = (size_t)st.st_size;
+	if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
+	    m == NULL) {
+		error("%s: mmap %s: %s", __func__, path, strerror(errno));
+		goto out;
+	}
+	if (memmem(m, sz, s, strlen(s)) == NULL) {
+		error("%s: %s does not contain expected string %s", __func__, path, s);
+		goto out;
+	}
+	/* success */
+	ret = 0;
+ out:
+	if (m != NULL && m != MAP_FAILED)
+		munmap(m, sz);
+	close(fd);
+	return ret;
+#endif /* HAVE_NLIST_H */
+}
+diff --git a/misc.h b/misc.h
+index 4a05db2..3f9f4db 100644
+--- a/misc.h
+++ b/misc.h
+@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *);
+ int	 parse_absolute_time(const char *, uint64_t *);
+ void	 format_absolute_time(uint64_t, char *, size_t);
+ int	 path_absolute(const char *);
+int	 lib_contains_symbol(const char *, const char *);
+
+ void	 sock_set_v6only(int);
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index b56a41b..639a6f7 100644
+--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
+@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin,
+		    __func__, provider_id);
+		goto fail;
+	}
+	if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
+		error("provider %s is not a PKCS11 library", provider_id);
+		goto fail;
+	}
+	/* open shared pkcs11-library */
+	if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+		error("dlopen %s failed: %s", provider_id, dlerror());
+diff --git a/ssh-sk.c b/ssh-sk.c
+index 5ff9381..9df12cc 100644
+--- a/ssh-sk.c
+++ b/ssh-sk.c
+@@ -119,10 +119,12 @@ sshsk_open(const char *path)
+ #endif
+		return ret;
+	}
+-	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
+-		error("Provider \"%s\" dlopen failed: %s", path, dlerror());
+	if (lib_contains_symbol(path, "sk_api_version") != 0) {
+		error("provider %s is not an OpenSSH FIDO library", path);
+		goto fail;
+	}
+	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
+		fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
+	if ((ret->sk_api_version = dlsym(ret->dlhandle,
+	    "sk_api_version")) == NULL) {
+		error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
@@ -0,0 +1,34 @@
+From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH 04/12] upstream: terminate process if requested to load a
+ PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 639a6f7..7530acc 100644
+--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
+@@ -1508,10 +1508,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+		error("dlopen %s failed: %s", provider_id, dlerror());
+		goto fail;
+	}
+-	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+-		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+-		goto fail;
+-	}
+	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
+		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+	p = xcalloc(1, sizeof(*p));
+	p->name = xstrdup(provider_id);
+	p->handle = handle;
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
@@ -0,0 +1,194 @@
+From a6cee3905edf070c0de135d3f2ee5b74da1dbd28 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 May 2020 01:26:58 +0000
+Subject: [PATCH 05/12] upstream: Restrict ssh-agent from signing web
+ challenges for FIDO
+
+keys.
+
+When signing messages in ssh-agent using a FIDO key that has an
+application string that does not start with "ssh:", ensure that the
+message being signed is one of the forms expected for the SSH protocol
+(currently pubkey authentication and sshsig signatures).
+
+This prevents ssh-agent forwarding on a host that has FIDO keys
+attached granting the ability for the remote side to sign challenges
+for web authentication using those keys too.
+
+Note that the converse case of web browsers signing SSH challenges is
+already precluded because no web RP can have the "ssh:" prefix in the
+application string that we require.
+
+ok markus@
+
+OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0c111eb84efba7c2a38b2cc3278901a0123161b9]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 100 insertions(+), 10 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index ceb348c..1794f35 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -77,6 +77,7 @@
+
+ #include "xmalloc.h"
+ #include "ssh.h"
+#include "ssh2.h"
+ #include "sshbuf.h"
+ #include "sshkey.h"
+ #include "authfd.h"
+@@ -167,6 +168,9 @@ static long lifetime = 0;
+
+ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+
+/* Refuse signing of non-SSH messages for web-origin FIDO keys */
+static int restrict_websafe = 1;
+
+ static void
+ close_socket(SocketEntry *e)
+ {
+@@ -282,6 +286,80 @@ agent_decode_alg(struct sshkey *key, u_int flags)
+	return NULL;
+ }
+
+/*
+ * This function inspects a message to be signed by a FIDO key that has a
+ * web-like application string (i.e. one that does not begin with "ssh:".
+ * It checks that the message is one of those expected for SSH operations
+ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
+ * for the web.
+ */
+static int
+check_websafe_message_contents(struct sshkey *key,
+    const u_char *msg, size_t len)
+{
+	int matched = 0;
+	struct sshbuf *b;
+	u_char m, n;
+	char *cp1 = NULL, *cp2 = NULL;
+	int r;
+	struct sshkey *mkey = NULL;
+
+	if ((b = sshbuf_from(msg, len)) == NULL)
+		fatal("%s: sshbuf_new", __func__);
+
+	/* SSH userauth request */
+	if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
+	    (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
+	    (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
+	    (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
+	    (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
+	    (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
+	    (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
+	    (r = sshkey_froms(b, &mkey)) == 0 && /* key */
+	    sshbuf_len(b) == 0) {
+		debug("%s: parsed userauth", __func__);
+		if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
+		    strcmp(cp1, "ssh-connection") == 0 &&
+		    strcmp(cp2, "publickey") == 0 &&
+		    sshkey_equal(key, mkey)) {
+			debug("%s: well formed userauth", __func__);
+			matched = 1;
+		}
+	}
+	free(cp1);
+	free(cp2);
+	sshkey_free(mkey);
+	sshbuf_free(b);
+	if (matched)
+		return 1;
+
+	if ((b = sshbuf_from(msg, len)) == NULL)
+		fatal("%s: sshbuf_new", __func__);
+	cp1 = cp2 = NULL;
+	mkey = NULL;
+
+	/* SSHSIG */
+	if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
+	    (r = sshbuf_consume(b, 6)) == 0 &&
+	    (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
+	    (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
+	    (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
+	    (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
+	    sshbuf_len(b) == 0) {
+		debug("%s: parsed sshsig", __func__);
+		matched = 1;
+	}
+
+	sshbuf_free(b);
+	if (matched)
+		return 1;
+
+	/* XXX CA signature operation */
+
+	error("web-origin key attempting to sign non-SSH message");
+	return 0;
+}
+
+ /* ssh2 only */
+ static void
+ process_sign_request2(SocketEntry *e)
+@@ -314,14 +392,20 @@ process_sign_request2(SocketEntry *e)
+		verbose("%s: user refused key", __func__);
+		goto send;
+	}
+-	if (sshkey_is_sk(id->key) &&
+-	    (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+-		if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+-		    SSH_FP_DEFAULT)) == NULL)
+-			fatal("%s: fingerprint failed", __func__);
+-		notifier = notify_start(0,
+-		    "Confirm user presence for key %s %s",
+-		    sshkey_type(id->key), fp);
+	if (sshkey_is_sk(id->key)) {
+		if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
+		    !check_websafe_message_contents(key, data, dlen)) {
+			/* error already logged */
+			goto send;
+		}
+		if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+			if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+			    SSH_FP_DEFAULT)) == NULL)
+				fatal("%s: fingerprint failed", __func__);
+			notifier = notify_start(0,
+			    "Confirm user presence for key %s %s",
+			    sshkey_type(id->key), fp);
+		}
+	}
+	if ((r = sshkey_sign(id->key, &signature, &slen,
+	    data, dlen, agent_decode_alg(key, flags),
+@@ -1214,7 +1298,7 @@ main(int ac, char **av)
+	__progname = ssh_get_progname(av[0]);
+	seed_rng();
+
+-	while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
+	while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
+		switch (ch) {
+		case 'E':
+			fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -1229,6 +1313,12 @@ main(int ac, char **av)
+		case 'k':
+			k_flag++;
+			break;
+		case 'O':
+			if (strcmp(optarg, "no-restrict-websafe") == 0)
+				restrict_websafe  = 0;
+			else
+				fatal("Unknown -O option");
+			break;
+		case 'P':
+			if (provider_whitelist != NULL)
+				fatal("-P option already specified");
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
@@ -0,0 +1,73 @@
+From a5d845b7b42861d18f43e83de9f24c7374d1b458 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 08:16:38 +0000
+Subject: [PATCH 06/12] upstream: handle multiple messages in a single read()
+
+PR#183 by Dennis Kaarsemaker; feedback and ok markus@
+
+OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/52a03e9fca2d74eef953ddd4709250f365ca3975]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 1794f35..78f7268 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -853,8 +853,10 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
+-/* dispatch incoming messages */
+-
+/*
+ * dispatch incoming message.
+ * returns 1 on success, 0 for incomplete messages or -1 on error.
+ */
+ static int
+ process_message(u_int socknum)
+ {
+@@ -908,7 +910,7 @@ process_message(u_int socknum)
+			/* send a fail message for all other request types */
+			send_status(e, 0);
+		}
+-		return 0;
+		return 1;
+	}
+
+	switch (type) {
+@@ -952,7 +954,7 @@ process_message(u_int socknum)
+		send_status(e, 0);
+		break;
+	}
+-	return 0;
+	return 1;
+ }
+
+ static void
+@@ -1043,7 +1045,12 @@ handle_conn_read(u_int socknum)
+	if ((r = sshbuf_put(sockets[socknum].input, buf, len)) != 0)
+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+	explicit_bzero(buf, sizeof(buf));
+-	process_message(socknum);
+	for (;;) {
+		if ((r = process_message(socknum)) == -1)
+			return -1;
+		else if (r == 0)
+			break;
+	}
+	return 0;
+ }
+
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
@@ -0,0 +1,125 @@
+From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:47:47 +0000
+Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent
+ sockets table;
+
+also clear socket entries that are being marked as unused.
+
+spinkle in some debug2() spam to make it easier to watch an agent
+do its thing.
+
+ok markus
+
+OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 78f7268..2635bc5 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -175,11 +175,12 @@ static void
+ close_socket(SocketEntry *e)
+ {
+	close(e->fd);
+-	e->fd = -1;
+-	e->type = AUTH_UNUSED;
+	sshbuf_free(e->input);
+	sshbuf_free(e->output);
+	sshbuf_free(e->request);
+	memset(e, '\0', sizeof(*e));
+	e->fd = -1;
+	e->type = AUTH_UNUSED;
+ }
+
+ static void
+@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e)
+	struct sshbuf *msg;
+	int r;
+
+	debug2("%s: entering", __func__);
+
+	if ((msg = sshbuf_new()) == NULL)
+		fatal("%s: sshbuf_new failed", __func__);
+	if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 ||
+@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e)
+	struct sshkey *key = NULL;
+	Identity *id;
+
+	debug2("%s: entering", __func__);
+	if ((r = sshkey_froms(e->request, &key)) != 0) {
+		error("%s: get key: %s", __func__, ssh_err(r));
+		goto done;
+@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e)
+ {
+	Identity *id;
+
+	debug2("%s: entering", __func__);
+	/* Loop over all identities and clear the keys. */
+	for (id = TAILQ_FIRST(&idtab->idlist); id;
+	    id = TAILQ_FIRST(&idtab->idlist)) {
+@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e)
+	u_char ctype;
+	int r = SSH_ERR_INTERNAL_ERROR;
+
+	debug2("%s: entering", __func__);
+	if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
+	    k == NULL ||
+	    (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
+@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
+	static u_int fail_count = 0;
+	size_t pwlen;
+
+	debug2("%s: entering", __func__);
+	/*
+	 * This is deliberately fatal: the user has requested that we lock,
+	 * but we can't parse their request properly. The only safe thing to
+@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e)
+	struct sshkey **keys = NULL, *k;
+	Identity *id;
+
+	debug2("%s: entering", __func__);
+	if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+	    (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+		error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e)
+	int r, success = 0;
+	Identity *id, *nxt;
+
+	debug2("%s: entering", __func__);
+	if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+	    (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+		error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd)
+ {
+	u_int i, old_alloc, new_alloc;
+
+	debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" :
+	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+	set_nonblock(fd);
+
+	if (fd > max_fd)
+@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd)
+		}
+	old_alloc = sockets_alloc;
+	new_alloc = sockets_alloc + 10;
+-	sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0]));
+	sockets = xrecallocarray(sockets, old_alloc, new_alloc,
+	    sizeof(sockets[0]));
+	for (i = old_alloc; i < new_alloc; i++)
+		sockets[i].type = AUTH_UNUSED;
+	sockets_alloc = new_alloc;
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
@@ -0,0 +1,315 @@
+From c30158ea225cf8ad67c3dcc88fa9e4afbf8959a7 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:53:31 +0000
+Subject: [PATCH 08/12] upstream: more ssh-agent refactoring
+
+Allow confirm_key() to accept an additional reason suffix
+
+Factor publickey userauth parsing out into its own function and allow
+it to optionally return things it parsed out of the message to its
+caller.
+
+feedback/ok markus@
+
+OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/e0e8bee8024fa9e31974244d14f03d799e5c0775]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 197 ++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 130 insertions(+), 67 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 2635bc5..7ad323c 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -216,15 +216,16 @@ lookup_identity(struct sshkey *key)
+
+ /* Check confirmation of keysign request */
+ static int
+-confirm_key(Identity *id)
+confirm_key(Identity *id, const char *extra)
+ {
+	char *p;
+	int ret = -1;
+
+	p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
+	if (p != NULL &&
+-	    ask_permission("Allow use of key %s?\nKey fingerprint %s.",
+-	    id->comment, p))
+	    ask_permission("Allow use of key %s?\nKey fingerprint %s.%s%s",
+	    id->comment, p,
+	    extra == NULL ? "" : "\n", extra == NULL ? "" : extra))
+		ret = 0;
+	free(p);
+
+@@ -290,74 +291,133 @@ agent_decode_alg(struct sshkey *key, u_int flags)
+ }
+
+ /*
+- * This function inspects a message to be signed by a FIDO key that has a
+- * web-like application string (i.e. one that does not begin with "ssh:".
+- * It checks that the message is one of those expected for SSH operations
+- * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
+- * for the web.
+ * Attempt to parse the contents of a buffer as a SSH publickey userauth
+ * request, checking its contents for consistency and matching the embedded
+ * key against the one that is being used for signing.
+ * Note: does not modify msg buffer.
+ * Optionally extract the username and session ID from the request.
+  */
+ static int
+-check_websafe_message_contents(struct sshkey *key,
+-    const u_char *msg, size_t len)
+parse_userauth_request(struct sshbuf *msg, const struct sshkey *expected_key,
+    char **userp, struct sshbuf **sess_idp)
+ {
+-	int matched = 0;
+-	struct sshbuf *b;
+-	u_char m, n;
+-	char *cp1 = NULL, *cp2 = NULL;
+	struct sshbuf *b = NULL, *sess_id = NULL;
+	char *user = NULL, *service = NULL, *method = NULL, *pkalg = NULL;
+	int r;
+	u_char t, sig_follows;
+	struct sshkey *mkey = NULL;
+
+-	if ((b = sshbuf_from(msg, len)) == NULL)
+-		fatal("%s: sshbuf_new", __func__);
+	if (userp != NULL)
+		*userp = NULL;
+	if (sess_idp != NULL)
+		*sess_idp = NULL;
+	if ((b = sshbuf_fromb(msg)) == NULL)
+		fatal("%s: sshbuf_fromb", __func__);
+
+	/* SSH userauth request */
+-	if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
+-	    (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
+-	    (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
+-	    (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
+-	    (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
+-	    (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
+-	    (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
+-	    (r = sshkey_froms(b, &mkey)) == 0 && /* key */
+-	    sshbuf_len(b) == 0) {
+-		debug("%s: parsed userauth", __func__);
+-		if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
+-		    strcmp(cp1, "ssh-connection") == 0 &&
+-		    strcmp(cp2, "publickey") == 0 &&
+-		    sshkey_equal(key, mkey)) {
+-			debug("%s: well formed userauth", __func__);
+-			matched = 1;
+-		}
+	if ((r = sshbuf_froms(b, &sess_id)) != 0)
+		goto out;
+	if (sshbuf_len(sess_id) == 0) {
+		r = SSH_ERR_INVALID_FORMAT;
+		goto out;
+	}
+-	free(cp1);
+-	free(cp2);
+-	sshkey_free(mkey);
+	if ((r = sshbuf_get_u8(b, &t)) != 0 || /* SSH2_MSG_USERAUTH_REQUEST */
+	    (r = sshbuf_get_cstring(b, &user, NULL)) != 0 || /* server user */
+	    (r = sshbuf_get_cstring(b, &service, NULL)) != 0 || /* service */
+	    (r = sshbuf_get_cstring(b, &method, NULL)) != 0 || /* method */
+	    (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */
+	    (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 || /* alg */
+	    (r = sshkey_froms(b, &mkey)) != 0) /* key */
+		goto out;
+	if (t != SSH2_MSG_USERAUTH_REQUEST ||
+	    sig_follows != 1 ||
+	    strcmp(service, "ssh-connection") != 0 ||
+	    !sshkey_equal(expected_key, mkey) ||
+	    sshkey_type_from_name(pkalg) != expected_key->type) {
+		r = SSH_ERR_INVALID_FORMAT;
+		goto out;
+	}
+	if (strcmp(method, "publickey") != 0) {
+		r = SSH_ERR_INVALID_FORMAT;
+		goto out;
+	}
+	if (sshbuf_len(b) != 0) {
+		r = SSH_ERR_INVALID_FORMAT;
+		goto out;
+	}
+	/* success */
+	r = 0;
+	debug("%s: well formed userauth", __func__);
+	if (userp != NULL) {
+		*userp = user;
+		user = NULL;
+	}
+	if (sess_idp != NULL) {
+		*sess_idp = sess_id;
+		sess_id = NULL;
+	}
+ out:
+	sshbuf_free(b);
+-	if (matched)
+-		return 1;
+	sshbuf_free(sess_id);
+	free(user);
+	free(service);
+	free(method);
+	free(pkalg);
+	sshkey_free(mkey);
+	return r;
+}
+
+-	if ((b = sshbuf_from(msg, len)) == NULL)
+-		fatal("%s: sshbuf_new", __func__);
+-	cp1 = cp2 = NULL;
+-	mkey = NULL;
+-
+-	/* SSHSIG */
+-	if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
+-	    (r = sshbuf_consume(b, 6)) == 0 &&
+-	    (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
+-	    (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
+-	    (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
+-	    (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
+-	    sshbuf_len(b) == 0) {
+-		debug("%s: parsed sshsig", __func__);
+-		matched = 1;
+-	}
+/*
+ * Attempt to parse the contents of a buffer as a SSHSIG signature request.
+ * Note: does not modify buffer.
+ */
+static int
+parse_sshsig_request(struct sshbuf *msg)
+{
+	int r;
+	struct sshbuf *b;
+
+	if ((b = sshbuf_fromb(msg)) == NULL)
+		fatal("%s: sshbuf_fromb", __func__);
+
+	if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) != 0 ||
+	    (r = sshbuf_consume(b, 6)) != 0 ||
+	    (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* namespace */
+	    (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || /* reserved */
+	    (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* hashalg */
+	    (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0) /* H(msg) */
+		goto out;
+	if (sshbuf_len(b) != 0) {
+		r = SSH_ERR_INVALID_FORMAT;
+		goto out;
+	}
+	/* success */
+	r = 0;
+ out:
+	sshbuf_free(b);
+-	if (matched)
+	return r;
+}
+
+/*
+ * This function inspects a message to be signed by a FIDO key that has a
+ * web-like application string (i.e. one that does not begin with "ssh:".
+ * It checks that the message is one of those expected for SSH operations
+ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
+ * for the web.
+ */
+static int
+check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
+{
+	if (parse_userauth_request(data, key, NULL, NULL) == 0) {
+		debug("%s: signed data matches public key userauth request", __func__);
+		return 1;
+	}
+	if (parse_sshsig_request(data) == 0) {
+		debug("%s: signed data matches SSHSIG signature request", __func__);
+		return 1;
+	}
+
+-	/* XXX CA signature operation */
+	/* XXX check CA signature operation */
+
+	error("web-origin key attempting to sign non-SSH message");
+	return 0;
+@@ -367,21 +427,22 @@ check_websafe_message_contents(struct sshkey *key,
+ static void
+ process_sign_request2(SocketEntry *e)
+ {
+-	const u_char *data;
+	u_char *signature = NULL;
+-	size_t dlen, slen = 0;
+	size_t i, slen = 0;
+	u_int compat = 0, flags;
+	int r, ok = -1;
+	char *fp = NULL;
+-	struct sshbuf *msg;
+	struct sshbuf *msg = NULL, *data = NULL;
+	struct sshkey *key = NULL;
+	struct identity *id;
+	struct notifier_ctx *notifier = NULL;
+
+-	if ((msg = sshbuf_new()) == NULL)
+	debug("%s: entering", __func__);
+
+	if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL)
+		fatal("%s: sshbuf_new failed", __func__);
+	if ((r = sshkey_froms(e->request, &key)) != 0 ||
+-	    (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 ||
+	    (r = sshbuf_get_stringb(e->request, data)) != 0 ||
+	    (r = sshbuf_get_u32(e->request, &flags)) != 0) {
+		error("%s: couldn't parse request: %s", __func__, ssh_err(r));
+		goto send;
+@@ -391,13 +452,13 @@ process_sign_request2(SocketEntry *e)
+		verbose("%s: %s key not found", __func__, sshkey_type(key));
+		goto send;
+	}
+-	if (id->confirm && confirm_key(id) != 0) {
+	if (id->confirm && confirm_key(id, NULL) != 0) {
+		verbose("%s: user refused key", __func__);
+		goto send;
+	}
+	if (sshkey_is_sk(id->key)) {
+		if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
+-		    !check_websafe_message_contents(key, data, dlen)) {
+		    !check_websafe_message_contents(key, data)) {
+			/* error already logged */
+			goto send;
+		}
+@@ -411,7 +472,7 @@ process_sign_request2(SocketEntry *e)
+		}
+	}
+	if ((r = sshkey_sign(id->key, &signature, &slen,
+-	    data, dlen, agent_decode_alg(key, flags),
+	    sshbuf_ptr(data), sshbuf_len(data), agent_decode_alg(key, flags),
+	    id->sk_provider, compat)) != 0) {
+		error("%s: sshkey_sign: %s", __func__, ssh_err(r));
+		goto send;
+@@ -420,8 +481,7 @@ process_sign_request2(SocketEntry *e)
+	ok = 0;
+  send:
+	notify_complete(notifier);
+-	sshkey_free(key);
+-	free(fp);
+
+	if (ok == 0) {
+		if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 ||
+		    (r = sshbuf_put_string(msg, signature, slen)) != 0)
+@@ -432,7 +492,10 @@ process_sign_request2(SocketEntry *e)
+	if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+	sshbuf_free(data);
+	sshbuf_free(msg);
+	sshkey_free(key);
+	free(fp);
+	free(signature);
+ }
+
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
@@ -0,0 +1,38 @@
+From 7adba46611e5d076d7d12d9f4162dd4cabd5ff50 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:28:10 +0000
+Subject: [PATCH 09/12] upstream: give typedef'd struct a struct name; makes
+ the fuzzer I'm
+
+writing a bit easier
+
+OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8afaa7d7918419d3da6c0477b83db2159879cb33]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7ad323c..c99927c 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -108,7 +108,7 @@ typedef enum {
+	AUTH_CONNECTION
+ } sock_type;
+
+-typedef struct {
+typedef struct socket_entry {
+	int fd;
+	sock_type type;
+	struct sshbuf *input;
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
@@ -0,0 +1,39 @@
+From 343e2a2c0ef754a7a86118016b248f7a73f8d510 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:29:46 +0000
+Subject: [PATCH 10/12] upstream: fix the values of enum sock_type
+
+OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1a4b92758690faa12f49079dd3b72567f909466d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index c99927c..7f1e14b 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -103,9 +103,9 @@
+ #define AGENT_RBUF_LEN	(4096)
+
+ typedef enum {
+-	AUTH_UNUSED,
+-	AUTH_SOCKET,
+-	AUTH_CONNECTION
+	AUTH_UNUSED = 0,
+	AUTH_SOCKET = 1,
+	AUTH_CONNECTION = 2,
+ } sock_type;
+
+ typedef struct socket_entry {
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
@@ -0,0 +1,307 @@
+From 2b3b369c8cf71f9ef5942a5e074e6f86e7ca1e0c Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 19 Dec 2021 22:09:23 +0000
+Subject: [PATCH 11/12] upstream: ssh-agent side of binding
+
+record session ID/hostkey/forwarding status for each active socket.
+
+Attempt to parse data-to-be-signed at signature request time and extract
+session ID from the blob if it is a pubkey userauth request.
+
+ok markus@
+
+OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/4c1e3ce85e183a9d0c955c88589fed18e4d6a058]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ authfd.h    |   3 +
+ ssh-agent.c | 175 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 170 insertions(+), 8 deletions(-)
+
+diff --git a/authfd.h b/authfd.h
+index c3bf625..9cc9807 100644
+--- a/authfd.h
+++ b/authfd.h
+@@ -76,6 +76,9 @@ int	ssh_agent_sign(int sock, const struct sshkey *key,
+ #define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
+ #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
+
+/* generic extension mechanism */
+#define SSH_AGENTC_EXTENSION			27
+
+ #define	SSH_AGENT_CONSTRAIN_LIFETIME		1
+ #define	SSH_AGENT_CONSTRAIN_CONFIRM		2
+ #define	SSH_AGENT_CONSTRAIN_MAXSIGN		3
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7f1e14b..01c7f2b 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -98,9 +98,15 @@
+ #endif
+
+ /* Maximum accepted message length */
+-#define AGENT_MAX_LEN	(256*1024)
+#define AGENT_MAX_LEN		(256*1024)
+ /* Maximum bytes to read from client socket */
+-#define AGENT_RBUF_LEN	(4096)
+#define AGENT_RBUF_LEN		(4096)
+/* Maximum number of recorded session IDs/hostkeys per connection */
+#define AGENT_MAX_SESSION_IDS		16
+/* Maximum size of session ID */
+#define AGENT_MAX_SID_LEN		128
+
+/* XXX store hostkey_sid in a refcounted tree */
+
+ typedef enum {
+	AUTH_UNUSED = 0,
+@@ -108,12 +114,20 @@ typedef enum {
+	AUTH_CONNECTION = 2,
+ } sock_type;
+
+struct hostkey_sid {
+	struct sshkey *key;
+	struct sshbuf *sid;
+	int forwarded;
+};
+
+ typedef struct socket_entry {
+	int fd;
+	sock_type type;
+	struct sshbuf *input;
+	struct sshbuf *output;
+	struct sshbuf *request;
+	size_t nsession_ids;
+	struct hostkey_sid *session_ids;
+ } SocketEntry;
+
+ u_int sockets_alloc = 0;
+@@ -174,10 +188,17 @@ static int restrict_websafe = 1;
+ static void
+ close_socket(SocketEntry *e)
+ {
+	size_t i;
+
+	close(e->fd);
+	sshbuf_free(e->input);
+	sshbuf_free(e->output);
+	sshbuf_free(e->request);
+	for (i = 0; i < e->nsession_ids; i++) {
+		sshkey_free(e->session_ids[i].key);
+		sshbuf_free(e->session_ids[i].sid);
+	}
+	free(e->session_ids);
+	memset(e, '\0', sizeof(*e));
+	e->fd = -1;
+	e->type = AUTH_UNUSED;
+@@ -423,6 +444,18 @@ check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
+	return 0;
+ }
+
+static int
+buf_equal(const struct sshbuf *a, const struct sshbuf *b)
+{
+	if (sshbuf_ptr(a) == NULL || sshbuf_ptr(b) == NULL)
+		return SSH_ERR_INVALID_ARGUMENT;
+	if (sshbuf_len(a) != sshbuf_len(b))
+		return SSH_ERR_INVALID_FORMAT;
+	if (timingsafe_bcmp(sshbuf_ptr(a), sshbuf_ptr(b), sshbuf_len(a)) != 0)
+		return SSH_ERR_INVALID_FORMAT;
+	return 0;
+}
+
+ /* ssh2 only */
+ static void
+ process_sign_request2(SocketEntry *e)
+@@ -431,8 +464,8 @@ process_sign_request2(SocketEntry *e)
+	size_t i, slen = 0;
+	u_int compat = 0, flags;
+	int r, ok = -1;
+-	char *fp = NULL;
+-	struct sshbuf *msg = NULL, *data = NULL;
+	char *fp = NULL, *user = NULL, *sig_dest = NULL;
+	struct sshbuf *msg = NULL, *data = NULL, *sid = NULL;
+	struct sshkey *key = NULL;
+	struct identity *id;
+	struct notifier_ctx *notifier = NULL;
+@@ -452,7 +485,33 @@ process_sign_request2(SocketEntry *e)
+		verbose("%s: %s key not found", __func__, sshkey_type(key));
+		goto send;
+	}
+-	if (id->confirm && confirm_key(id, NULL) != 0) {
+	/*
+	 * If session IDs were recorded for this socket, then use them to
+	 * annotate the confirmation messages with the host keys.
+	 */
+	if (e->nsession_ids > 0 &&
+	    parse_userauth_request(data, key, &user, &sid) == 0) {
+		/*
+		 * session ID from userauth request should match the final
+		 * ID in the list recorded in the socket, unless the ssh
+		 * client at that point lacks the binding extension (or if
+		 * an attacker is trying to steal use of the agent).
+		 */
+		i = e->nsession_ids - 1;
+		if (buf_equal(sid, e->session_ids[i].sid) == 0) {
+			if ((fp = sshkey_fingerprint(e->session_ids[i].key,
+			    SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
+				fatal("%s: fingerprint failed", __func__);
+			debug3("%s: destination %s %s (slot %zu)", __func__,
+			    sshkey_type(e->session_ids[i].key), fp, i);
+			xasprintf(&sig_dest, "public key request for "
+			    "target user \"%s\" to %s %s", user,
+			    sshkey_type(e->session_ids[i].key), fp);
+			free(fp);
+			fp = NULL;
+		}
+	}//
+	if (id->confirm && confirm_key(id, sig_dest) != 0) {
+		verbose("%s: user refused key", __func__);
+		goto send;
+	}
+@@ -467,8 +526,10 @@ process_sign_request2(SocketEntry *e)
+			    SSH_FP_DEFAULT)) == NULL)
+				fatal("%s: fingerprint failed", __func__);
+			notifier = notify_start(0,
+-			    "Confirm user presence for key %s %s",
+-			    sshkey_type(id->key), fp);
+			    "Confirm user presence for key %s %s%s%s",
+			    sshkey_type(id->key), fp,
+			    sig_dest == NULL ? "" : "\n",
+			    sig_dest == NULL ? "" : sig_dest);
+		}
+	}
+	if ((r = sshkey_sign(id->key, &signature, &slen,
+@@ -492,11 +553,14 @@ process_sign_request2(SocketEntry *e)
+	if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+	sshbuf_free(sid);
+	sshbuf_free(data);
+	sshbuf_free(msg);
+	sshkey_free(key);
+	free(fp);
+	free(signature);
+	free(sig_dest);
+	free(user);
+ }
+
+ /* shared */
+@@ -925,6 +989,98 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
+static int
+process_ext_session_bind(SocketEntry *e)
+{
+	int r, sid_match, key_match;
+	struct sshkey *key = NULL;
+	struct sshbuf *sid = NULL, *sig = NULL;
+	char *fp = NULL;
+	u_char fwd;
+	size_t i;
+
+	debug2("%s: entering", __func__);
+	if ((r = sshkey_froms(e->request, &key)) != 0 ||
+	    (r = sshbuf_froms(e->request, &sid)) != 0 ||
+	    (r = sshbuf_froms(e->request, &sig)) != 0 ||
+	    (r = sshbuf_get_u8(e->request, &fwd)) != 0) {
+		error("%s: parse: %s", __func__, ssh_err(r));
+		goto out;
+	}
+	if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+	    SSH_FP_DEFAULT)) == NULL)
+		fatal("%s: fingerprint failed", __func__);
+	/* check signature with hostkey on session ID */
+	if ((r = sshkey_verify(key, sshbuf_ptr(sig), sshbuf_len(sig),
+	    sshbuf_ptr(sid), sshbuf_len(sid), NULL, 0, NULL)) != 0) {
+		error("%s: sshkey_verify for %s %s: %s", __func__, sshkey_type(key), fp, ssh_err(r));
+		goto out;
+	}
+	/* check whether sid/key already recorded */
+	for (i = 0; i < e->nsession_ids; i++) {
+		sid_match = buf_equal(sid, e->session_ids[i].sid) == 0;
+		key_match = sshkey_equal(key, e->session_ids[i].key);
+		if (sid_match && key_match) {
+			debug("%s: session ID already recorded for %s %s", __func__,
+			    sshkey_type(key), fp);
+			r = 0;
+			goto out;
+		} else if (sid_match) {
+			error("%s: session ID recorded against different key "
+			    "for %s %s", __func__, sshkey_type(key), fp);
+			r = -1;
+			goto out;
+		}
+		/*
+		 * new sid with previously-seen key can happen, e.g. multiple
+		 * connections to the same host.
+		 */
+	}
+	/* record new key/sid */
+	if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
+		error("%s: too many session IDs recorded", __func__);
+		goto out;
+	}
+	e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
+	    e->nsession_ids + 1, sizeof(*e->session_ids));
+	i = e->nsession_ids++;
+	debug("%s: recorded %s %s (slot %zu of %d)", __func__, sshkey_type(key), fp, i,
+	    AGENT_MAX_SESSION_IDS);
+	e->session_ids[i].key = key;
+	e->session_ids[i].forwarded = fwd != 0;
+	key = NULL; /* transferred */
+	/* can't transfer sid; it's refcounted and scoped to request's life */
+	if ((e->session_ids[i].sid = sshbuf_new()) == NULL)
+		fatal("%s: sshbuf_new", __func__);
+	if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0)
+		fatal("%s: sshbuf_putb session ID: %s", __func__, ssh_err(r));
+	/* success */
+	r = 0;
+ out:
+	sshkey_free(key);
+	sshbuf_free(sid);
+	sshbuf_free(sig);
+	return r == 0 ? 1 : 0;
+}
+
+static void
+process_extension(SocketEntry *e)
+{
+	int r, success = 0;
+	char *name;
+
+	debug2("%s: entering", __func__);
+	if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) {
+		error("%s: parse: %s", __func__, ssh_err(r));
+		goto send;
+	}
+	if (strcmp(name, "session-bind@openssh.com") == 0)
+		success = process_ext_session_bind(e);
+	else
+		debug("%s: unsupported extension \"%s\"", __func__, name);
+send:
+	send_status(e, success);
+}
+ /*
+  * dispatch incoming message.
+  * returns 1 on success, 0 for incomplete messages or -1 on error.
+@@ -1019,6 +1175,9 @@ process_message(u_int socknum)
+		process_remove_smartcard_key(e);
+		break;
+ #endif /* ENABLE_PKCS11 */
+	case SSH_AGENTC_EXTENSION:
+		process_extension(e);
+		break;
+	default:
+		/* Unknown message.  Respond with failure. */
+		error("Unknown message %d", type);
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
@@ -0,0 +1,120 @@
+From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:56:33 +0000
+Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11
+ provider libraries to ssh-agent by default.
+
+The old behaviour of allowing remote clients from loading providers
+can be restored using `ssh-agent -O allow-remote-pkcs11`.
+
+Detection of local/remote clients requires a ssh(1) that supports
+the `session-bind@openssh.com` extension. Forwarding access to a
+ssh-agent socket using non-OpenSSH tools may circumvent this control.
+
+ok markus@
+
+OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.1 | 20 ++++++++++++++++++++
+ ssh-agent.c | 26 ++++++++++++++++++++++++--
+ 2 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index fff0db6..a0f1e21 100644
+--- a/ssh-agent.1
+++ b/ssh-agent.1
+@@ -97,6 +97,26 @@ The default is
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
+Currently two options are supported:
+.Cm allow-remote-pkcs11
+and
+.Pp
+The
+.Cm allow-remote-pkcs11
+option allows clients of a forwarded
+.Nm
+to load PKCS#11 or FIDO provider libraries.
+By default only local clients may perform this operation.
+Note that signalling that a
+.Nm
+client remote is performed by
+.Xr ssh 1 ,
+and use of other tools to forward access to the agent socket may circumvent
+this restriction.
+.Pp
+The
+.Cm no-restrict-websafe ,
+instructs
+ .It Fl P Ar provider_whitelist
+ Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
+ shared libraries that may be used with the
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 01c7f2b..40c1b6b 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX];
+ /* PKCS#11/Security key path whitelist */
+ static char *provider_whitelist;
+
+/*
+ * Allows PKCS11 providers or SK keys that use non-internal providers to
+ * be added over a remote connection (identified by session-bind@openssh.com).
+ */
+static int remote_add_provider;
+
+ /* locking */
+ #define LOCK_SIZE	32
+ #define LOCK_SALT_SIZE	16
+@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e)
+		if (strcasecmp(sk_provider, "internal") == 0) {
+			debug("%s: internal provider", __func__);
+		} else {
+			if (e->nsession_ids != 0 && !remote_add_provider) {
+				verbose("failed add of SK provider \"%.100s\": "
+				    "remote addition of providers is disabled",
+				    sk_provider);
+				free(sk_provider);
+				free(comment);
+				sshkey_free(k);
+				goto send;
+			}
+			if (realpath(sk_provider, canonical_provider) == NULL) {
+				verbose("failed provider \"%.100s\": "
+				    "realpath: %s", sk_provider,
+@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e)
+			goto send;
+		}
+	}
+	if (e->nsession_ids != 0 && !remote_add_provider) {
+		verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
+		    "providers is disabled", provider);
+		goto send;
+	}
+	if (realpath(provider, canonical_provider) == NULL) {
+		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+		    provider, strerror(errno));
+@@ -1556,7 +1576,9 @@ main(int ac, char **av)
+			break;
+		case 'O':
+			if (strcmp(optarg, "no-restrict-websafe") == 0)
+-				restrict_websafe  = 0;
+				restrict_websafe = 0;
+			else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
+				remote_add_provider = 1;
+			else
+				fatal("Unknown -O option");
+			break;
+--
+2.41.0
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,5 +1,6 @@
 [Unit]
 Conflicts=sshd.service
+Wants=sshdgenkeys.service

 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
--- a/meta/recipes-connectivity/openssh/openssh/sshd@.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
@@ -1,13 +1,11 @@
 [Unit]
 Description=OpenSSH Per-Connection Daemon
-Wants=sshdgenkeys.service
 After=sshdgenkeys.service

 [Service]
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 StandardInput=socket
 StandardError=syslog
 KillMode=process
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -27,6 +27,18 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://CVE-2020-14145.patch \
           file://CVE-2021-28041.patch \
           file://CVE-2021-41617.patch \
+           file://CVE-2023-38408-01.patch \
+           file://CVE-2023-38408-02.patch \
+           file://CVE-2023-38408-03.patch \
+           file://CVE-2023-38408-04.patch \
+           file://CVE-2023-38408-05.patch \
+           file://CVE-2023-38408-06.patch \
+           file://CVE-2023-38408-07.patch \
+           file://CVE-2023-38408-08.patch \
+           file://CVE-2023-38408-09.patch \
+           file://CVE-2023-38408-10.patch \
+           file://CVE-2023-38408-11.patch \
+           file://CVE-2023-38408-12.patch \
           "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch
@@ -0,0 +1,38 @@
+From 679ae2f72ef8cf37609cb0eff5de3b98aa85e395 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Thu, 20 Jul 2023 04:14:42 -1000
+Subject: [PATCH] Configure: add 2 missing key sorts in generation of unified_info
+
+Otherwise generation of this section in configdata.pm is not reproducible
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Upstream-Status: Backport [adapted from 3.x commit https://github.com/openssl/openssl/commit/764cf5b26306a8712e8b3d41599c44dc5ed07a25]
+---
+ Configure | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Configure b/Configure
+index 2a01746..8fc5a2c 100755
+--- a/Configure
+++ b/Configure
+@@ -2326,7 +2326,7 @@ EOF
+                      "dso" => [ @{$unified_info{engines}} ],
+                      "bin" => [ @{$unified_info{programs}} ],
+                      "script" => [ @{$unified_info{scripts}} ] );
+-    foreach my $type (keys %loopinfo) {
+    foreach my $type (sort keys %loopinfo) {
+         foreach my $product (@{$loopinfo{$type}}) {
+             my %dirs = ();
+             my $pd = dirname($product);
+@@ -2347,7 +2347,7 @@ EOF
+                 push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
+                     if $d ne $pd;
+             }
+-            foreach (keys %dirs) {
+            foreach (sort keys %dirs) {
+                 push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
+                     $product;
+             }
+-- 
+2.34.1
+
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,37 @@
+From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 14 Sep 2021 12:18:25 +0200
+Subject: [PATCH] Configure: do not tweak mips cflags
+
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+Index: openssl-3.0.4/Configure
+===================================================================
+--- openssl-3.0.4.orig/Configure
+++ openssl-3.0.4/Configure
+@@ -1243,16 +1243,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+         push @{$config{shared_ldflag}}, "-mno-cygwin";
+         }
+ 
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+-        && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+-        # minimally required architecture flags for assembly modules
+-        my $value;
+-        $value = '-mips2' if ($target =~ /mips32/);
+-        $value = '-mips3' if ($target =~ /mips64/);
+-        unshift @{$config{cflags}}, $value;
+-        unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+     if ($auto_threads) {
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
@@ -1,226 +0,0 @@
-From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001
-From: Pauli <pauli@openssl.org>
-Date: Wed, 8 Mar 2023 15:28:20 +1100
-Subject: [PATCH] x509: excessive resource use verifying policy constraints
-
-A security vulnerability has been identified in all supported versions
-of OpenSSL related to the verification of X.509 certificate chains
-that include policy constraints.  Attackers may be able to exploit this
-vulnerability by creating a malicious certificate chain that triggers
-exponential use of computational resources, leading to a denial-of-service
-(DoS) attack on affected systems.
-
-Fixes CVE-2023-0464
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-(Merged from https://github.com/openssl/openssl/pull/20569)
-
-CVE: CVE-2023-0464
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b]
-Signed-off-by: Nikhil R <nikhil.r@kpit.com>
-
---
- crypto/x509v3/pcy_local.h |  8 +++++++-
- crypto/x509v3/pcy_node.c  | 12 +++++++++---
- crypto/x509v3/pcy_tree.c  | 37 +++++++++++++++++++++++++++----------
- 3 files changed, 43 insertions(+), 14 deletions(-)
-
-diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
-index 5daf78de45..344aa06765 100644
--- a/crypto/x509v3/pcy_local.h
-+++ b/crypto/x509v3/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
- 
- struct X509_POLICY_TREE_st {
-+    /* The number of nodes in the tree */
-+    size_t node_count;
-+    /* The maximum number of nodes in the tree */
-+    size_t node_maximum;
-+
-     /* This is the tree 'level' data */
-     X509_POLICY_LEVEL *levels;
-     int nlevel;
-@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
- X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-                                  X509_POLICY_DATA *data,
-                                  X509_POLICY_NODE *parent,
-                                 X509_POLICY_TREE *tree);
-+                                 X509_POLICY_TREE *tree,
-+                                 int extra_data);
- void policy_node_free(X509_POLICY_NODE *node);
- int policy_node_match(const X509_POLICY_LEVEL *lvl,
-                       const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
-index e2d7b15322..d574fb9d66 100644
--- a/crypto/x509v3/pcy_node.c
-+++ b/crypto/x509v3/pcy_node.c
-@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
- X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-                                  X509_POLICY_DATA *data,
-                                  X509_POLICY_NODE *parent,
-                                 X509_POLICY_TREE *tree)
-+                                 X509_POLICY_TREE *tree,
-+                                 int extra_data)
- {
-     X509_POLICY_NODE *node;
- 
-+    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
-+    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
-+        return NULL;
-+
-     node = OPENSSL_zalloc(sizeof(*node));
-     if (node == NULL) {
-         X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
-@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-     }
-     node->data = data;
-     node->parent = parent;
-    if (level) {
-+    if (level != NULL) {
-         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
-             if (level->anyPolicy)
-                 goto node_error;
-@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-         }
-     }
- 
-    if (tree) {
-+    if (extra_data) {
-         if (tree->extra_data == NULL)
-             tree->extra_data = sk_X509_POLICY_DATA_new_null();
-         if (tree->extra_data == NULL){
-@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-         }
-     }
- 
-+    tree->node_count++;
-     if (parent)
-         parent->nchild++;
- 
-diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
-index 6e8322cbc5..6c7fd35405 100644
--- a/crypto/x509v3/pcy_tree.c
-+++ b/crypto/x509v3/pcy_tree.c
-@@ -13,6 +13,18 @@
- 
- #include "pcy_local.h"
- 
-+/*
-+ * If the maximum number of nodes in the policy tree isn't defined, set it to
-+ * a generous default of 1000 nodes.
-+ *
-+ * Defining this to be zero means unlimited policy tree growth which opens the
-+ * door on CVE-2023-0464.
-+ */
-+
-+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
-+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
-+#endif
-+
- /*
-  * Enable this to print out the complete policy tree at various point during
-  * evaluation.
-@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-         return X509_PCY_TREE_INTERNAL;
-     }
- 
-+    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
-+    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
-+
-     /*
-      * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
-      *
-@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-     level = tree->levels;
-     if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
-         goto bad_tree;
-    if (level_add_node(level, data, NULL, tree) == NULL) {
-+    if (level_add_node(level, data, NULL, tree, 1) == NULL) {
-         policy_data_free(data);
-         goto bad_tree;
-     }
-@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
-  * Return value: 1 on success, 0 otherwise
-  */
- static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-                                    X509_POLICY_DATA *data)
-+                                    X509_POLICY_DATA *data,
-+                                    X509_POLICY_TREE *tree)
- {
-     X509_POLICY_LEVEL *last = curr - 1;
-     int i, matched = 0;
-@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-         X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
- 
-         if (policy_node_match(last, node, data->valid_policy)) {
-            if (level_add_node(curr, data, node, NULL) == NULL)
-+            if (level_add_node(curr, data, node, tree, 0) == NULL)
-                 return 0;
-             matched = 1;
-         }
-     }
-     if (!matched && last->anyPolicy) {
-        if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
-+        if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
-             return 0;
-     }
-     return 1;
-@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-  * Return value: 1 on success, 0 otherwise.
-  */
- static int tree_link_nodes(X509_POLICY_LEVEL *curr,
-                           const X509_POLICY_CACHE *cache)
-+                           const X509_POLICY_CACHE *cache,
-+                           X509_POLICY_TREE *tree)
- {
-     int i;
- 
-@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
-         X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
- 
-         /* Look for matching nodes in previous level */
-        if (!tree_link_matching_nodes(curr, data))
-+        if (!tree_link_matching_nodes(curr, data, tree))
-             return 0;
-     }
-     return 1;
-@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
-     /* Curr may not have anyPolicy */
-     data->qualifier_set = cache->anyPolicy->qualifier_set;
-     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
-    if (level_add_node(curr, data, node, tree) == NULL) {
-+    if (level_add_node(curr, data, node, tree, 1) == NULL) {
-         policy_data_free(data);
-         return 0;
-     }
-@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
-     }
-     /* Finally add link to anyPolicy */
-     if (last->anyPolicy &&
-        level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
-+        level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
-         return 0;
-     return 1;
- }
-@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
-             extra->qualifier_set = anyPolicy->data->qualifier_set;
-             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
-                 | POLICY_DATA_FLAG_EXTRA_NODE;
-            node = level_add_node(NULL, extra, anyPolicy->parent, tree);
-+            node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
-         }
-         if (!tree->user_policies) {
-             tree->user_policies = sk_X509_POLICY_NODE_new_null();
-@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
- 
-     for (i = 1; i < tree->nlevel; i++, curr++) {
-         cache = policy_cache_set(curr->cert);
-        if (!tree_link_nodes(curr, cache))
-+        if (!tree_link_nodes(curr, cache, tree))
-             return X509_PCY_TREE_INTERNAL;
- 
-         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
-- 
-2.34.1
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
@@ -1,60 +0,0 @@
-From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 7 Mar 2023 16:52:55 +0000
-Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
- certs
-
-Even though we check the leaf cert to confirm it is valid, we
-later ignored the invalid flag and did not notice that the leaf
-cert was bad.
-
-Fixes: CVE-2023-0465
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/20588)
-
-CVE: CVE-2023-0465
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95]
-Comment: Refreshed first hunk
-Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
-
---
- crypto/x509/x509_vfy.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 925fbb5412..1dfe4f9f31 100644
--- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1649,18 +1649,25 @@
-     }
-     /* Invalid or inconsistent extensions */
-     if (ret == X509_PCY_TREE_INVALID) {
-        int i;
-+        int i, cbcalled = 0;
- 
-         /* Locate certificates with bad extensions and notify callback. */
-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-+        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
-             X509 *x = sk_X509_value(ctx->chain, i);
- 
-             if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
-                 continue;
-+            cbcalled = 1;
-             if (!verify_cb_cert(ctx, x, i,
-                                 X509_V_ERR_INVALID_POLICY_EXTENSION))
-                 return 0;
-         }
-+        if (!cbcalled) {
-+            /* Should not be able to get here */
-+            X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
-+            return 0;
-+        }
-+        /* The callback ignored the error so we return success */
-         return 1;
-     }
-     if (ret == X509_PCY_TREE_FAILURE) {
-- 
-2.34.1
-
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
@@ -1,82 +0,0 @@
-From 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 21 Mar 2023 16:15:47 +0100
-Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
-
-The function was incorrectly documented as enabling policy checking.
-
-Fixes: CVE-2023-0466
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/20564)
-
-CVE: CVE-2023-0466
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a]
-Comment: Refreshed first hunk from CHANGE and NEWS
-Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
-
---
- CHANGES                                  | 5 +++++
- NEWS                                     | 1 +
- doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
- 3 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index efccf7838e..b19f1429bb 100644
--- a/CHANGES
-+++ b/CHANGES
-@@ -9,6 +9,11 @@
- 
-  Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
- 
-+  *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
-+     that it does not enable policy checking. Thanks to
-+     David Benjamin for discovering this issue. (CVE-2023-0466)
-+     [Tomas Mraz]
-+
-   *) Fixed X.400 address type confusion in X.509 GeneralName.
- 
-      There is a type confusion vulnerability relating to X.400 address processing
-diff --git a/NEWS b/NEWS
-index 36a9bb6890..62615693fa 100644
--- a/NEWS
-+++ b/NEWS
-@@ -7,6 +7,7 @@
- 
-   Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
- 
-+      o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
-       o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
-       o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
-       o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
-diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-index f6f304bf7b..aa292f9336 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-@@ -92,8 +92,9 @@ B<trust>.
- X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
- B<t>. Normally the current time is used.
- 
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
-+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
-+Contrary to preexisting documentation of this function it does not enable
-+policy checking.
- 
- X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
- by default) and sets the acceptable policy set to B<policies>. Any existing
-@@ -377,6 +378,10 @@ and has no effect.
- 
- The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
- 
-+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
-+enabling policy checking however the implementation has never done this.
-+The documentation was changed to align with the implementation.
-+
- =head1 COPYRIGHT
- 
- Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
-- 
-2.34.1
-
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb
@@ -18,16 +18,15 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://afalg.patch \
           file://reproducible.patch \
           file://reproducibility.patch \
-           file://CVE-2023-0464.patch \
-           file://CVE-2023-0465.patch \
-           file://CVE-2023-0466.patch \
+           file://0001-Configure-add-2-missing-key-sorts.patch \
+           file://0001-Configure-do-not-tweak-mips-cflags.patch \
           "

 SRC_URI_append_class-nativesdk = " \
           file://environment.d-openssl.sh \
           "

-SRC_URI[sha256sum] = "8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b"
+SRC_URI[sha256sum] = "d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0"

 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.31/master"
 PV = "2.31+git${SRCPV}"
-SRCREV_glibc ?= "d4b75594574ab8a9c2c41209cd8c62aac76b5a04"
+SRCREV_glibc ?= "2d4f26e5cfda682f9ce61444b81533b83f6381af"
 SRCREV_localedef ?= "cd9f958c4c94a638fa7b2b4e21627364f1a1a655"

 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
--- a/meta/recipes-core/glibc/glibc/check-test-wrapper
+++ b/meta/recipes-core/glibc/glibc/check-test-wrapper
@@ -58,7 +58,7 @@ elif targettype == "ssh":
    user = os.environ.get("SSH_HOST_USER", None)
    port = os.environ.get("SSH_HOST_PORT", None)

-    command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no"]
+    command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "LogLevel=quiet"]
    if port:
        command += ["-p", str(port)]
    if not host:
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk"

 inherit core-image setuptools3

-SRCREV ?= "ee461b42358db458f39e558b8667fbcffb6d8044"
+SRCREV ?= "6d6d43248e003895aa02103b2d239238e97d6167"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=dunfell \
           file://Yocto_Build_Appliance.vmx \
           file://Yocto_Build_Appliance.vmxf \
--- a/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
@@ -0,0 +1,79 @@
+From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+
+CVE: CVE-2023-28484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ result/schemas/issue491_0_0.err |  1 +
+ test/schemas/issue491_0.xml     |  1 +
+ test/schemas/issue491_0.xsd     | 18 ++++++++++++++++++
+ xmlschemas.c                    |  2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 00000000..9b2bb969
+--- /dev/null
+++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 00000000..e2b2fc2e
+--- /dev/null
+++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
+<Child xmlns="http://www.test.com">5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 00000000..81702649
+--- /dev/null
+++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
+  <xs:complexType name="BaseType">
+    <xs:simpleContent>
+      <xs:extension base="xs:int" />
+    </xs:simpleContent>
+  </xs:complexType>
+  <xs:complexType name="ChildType">
+    <xs:complexContent>
+      <xs:extension base="BaseType">
+        <xs:sequence>
+          <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
+        </xs:sequence>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+  <xs:element name="Child" type="ChildType" />
+</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 6a353858..a4eaf591 100644
+--- a/xmlschemas.c
+++ b/xmlschemas.c
+@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ 			"allowed to appear inside other model groups",
+ 			NULL, NULL);
+ 
+-		} else if (! dummySequence) {
+		} else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ 		    xmlSchemaTreeItemPtr effectiveContent =
+ 			(xmlSchemaTreeItemPtr) type->subtypes;
+ 		    /*
+-- 
+GitLab
+
--- a/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
@@ -0,0 +1,42 @@
+From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+
+CVE: CVE-2023-29469
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 86c3f6d7..d7fd1a06 100644
+--- a/dict.c
+++ b/dict.c
+@@ -451,7 +451,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+     unsigned long value = seed;
+ 
+-    if (name == NULL) return(0);
+    if ((name == NULL) || (namelen <= 0))
+        return(value);
+     value = *name;
+     value <<= 5;
+     if (namelen > 10) {
+-- 
+GitLab
+
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -36,6 +36,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
           file://CVE-2016-3709.patch \
           file://CVE-2022-40303.patch \
           file://CVE-2022-40304.patch \
+           file://CVE-2023-28484.patch \
+           file://CVE-2023-29469.patch \
           "

 SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -0,0 +1,342 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+# Important note:
+# This product uses the NVD API but is not endorsed or certified by the NVD.
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0"
+
+# If you have a NVD API key (https://nvd.nist.gov/developers/request-an-api-key)
+# then setting this to get higher rate limits.
+NVDCVE_API_KEY ?= ""
+
+# CVE database update interval, in seconds. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+CVE_DB_UPDATE_INTERVAL ?= "86400"
+
+# Timeout for blocking socket operations, such as the connection attempt.
+CVE_SOCKET_TIMEOUT ?= "60"
+
+CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
+
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
+
+python () {
+    if not bb.data.inherits_class("cve-check", d):
+        raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+}
+
+python do_fetch() {
+    """
+    Update NVD database with API 2.0
+    """
+    import bb.utils
+    import bb.progress
+    import shutil
+
+    bb.utils.export_proxies(d)
+
+    db_file = d.getVar("CVE_CHECK_DB_FILE")
+    db_dir = os.path.dirname(db_file)
+    db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
+
+    cleanup_db_download(db_file, db_tmp_file)
+    # By default let's update the whole database (since time 0)
+    database_time = 0
+
+    # The NVD database changes once a day, so no need to update more frequently
+    # Allow the user to force-update
+    try:
+        import time
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+        if update_interval < 0:
+            bb.note("CVE database update skipped")
+            return
+        if time.time() - os.path.getmtime(db_file) < update_interval:
+            bb.note("CVE database recently updated, skipping")
+            return
+        database_time = os.path.getmtime(db_file)
+
+    except OSError:
+        pass
+
+    bb.utils.mkdirhier(db_dir)
+    if os.path.exists(db_file):
+        shutil.copy2(db_file, db_tmp_file)
+
+    if update_db_file(db_tmp_file, d, database_time) == True:
+        # Update downloaded correctly, can swap files
+        shutil.move(db_tmp_file, db_file)
+    else:
+        # Update failed, do not modify the database
+        bb.warn("CVE database update failed")
+        os.remove(db_tmp_file)
+}
+
+do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+def cleanup_db_download(db_file, db_tmp_file):
+    """
+    Cleanup the download space from possible failed downloads
+    """
+
+    # Clean up the updates done on the main file
+    # Remove it only if a journal file exists - it means a complete re-download
+    if os.path.exists("{0}-journal".format(db_file)):
+        # If a journal is present the last update might have been interrupted. In that case,
+        # just wipe any leftovers and force the DB to be recreated.
+        os.remove("{0}-journal".format(db_file))
+
+        if os.path.exists(db_file):
+            os.remove(db_file)
+
+    # Clean-up the temporary file downloads, we can remove both journal
+    # and the temporary database
+    if os.path.exists("{0}-journal".format(db_tmp_file)):
+        # If a journal is present the last update might have been interrupted. In that case,
+        # just wipe any leftovers and force the DB to be recreated.
+        os.remove("{0}-journal".format(db_tmp_file))
+
+    if os.path.exists(db_tmp_file):
+        os.remove(db_tmp_file)
+
+def nvd_request_next(url, api_key, args):
+    """
+    Request next part of the NVD dabase
+    """
+
+    import urllib.request
+    import urllib.parse
+    import gzip
+    import http
+    import time
+
+    request = urllib.request.Request(url + "?" + urllib.parse.urlencode(args))
+    if api_key:
+        request.add_header("apiKey", api_key)
+    bb.note("Requesting %s" % request.full_url)
+
+    for attempt in range(5):
+        try:
+            r = urllib.request.urlopen(request)
+
+            if (r.headers['content-encoding'] == 'gzip'):
+                buf = r.read()
+                raw_data = gzip.decompress(buf).decode("utf-8")
+            else:
+                raw_data = r.read().decode("utf-8")
+
+            r.close()
+
+        except Exception as e:
+            bb.note("CVE database: received error (%s), retrying" % (e))
+            time.sleep(6)
+            pass
+        else:
+            return raw_data
+    else:
+        # We failed at all attempts
+        return None
+
+def update_db_file(db_tmp_file, d, database_time):
+    """
+    Update the given database file
+    """
+    import bb.utils, bb.progress
+    import datetime
+    import sqlite3
+    import json
+
+    # Connect to database
+    conn = sqlite3.connect(db_tmp_file)
+    initialize_db(conn)
+
+    req_args = {'startIndex' : 0}
+
+    # The maximum range for time is 120 days
+    # Force a complete update if our range is longer
+    if (database_time != 0):
+        database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc)
+        today_date = datetime.datetime.now(tz=datetime.timezone.utc)
+        delta = today_date - database_date
+        if delta.days < 120:
+            bb.note("CVE database: performing partial update")
+            req_args['lastModStartDate'] = database_date.isoformat()
+            req_args['lastModEndDate'] = today_date.isoformat()
+        else:
+            bb.note("CVE database: file too old, forcing a full update")
+
+    with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
+
+        bb.note("Updating entries")
+        index = 0
+        url = d.getVar("NVDCVE_URL")
+        api_key = d.getVar("NVDCVE_API_KEY") or None
+
+        while True:
+            req_args['startIndex'] = index
+            raw_data = nvd_request_next(url, api_key, req_args)
+            if raw_data is None:
+                # We haven't managed to download data
+                return False
+
+            data = json.loads(raw_data)
+
+            index = data["startIndex"]
+            total = data["totalResults"]
+            per_page = data["resultsPerPage"]
+            bb.note("Got %d entries" % per_page)
+            for cve in data["vulnerabilities"]:
+               update_db(conn, cve)
+
+            index += per_page
+            ph.update((float(index) / (total+1)) * 100)
+            if index >= total:
+               break
+
+            # Recommended by NVD
+            time.sleep(6)
+
+        # Update success, set the date to cve_check file.
+        cve_f.write('CVE database update : %s\n\n' % datetime.date.today())
+
+    conn.commit()
+    conn.close()
+    return True
+
+def initialize_db(conn):
+    with conn:
+        c = conn.cursor()
+
+        c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+
+        c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+            SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+
+        c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+            VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+            VERSION_END TEXT, OPERATOR_END TEXT)")
+        c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
+
+        c.close()
+
+def parse_node_and_insert(conn, node, cveId):
+
+    def cpe_generator():
+        for cpe in node.get('cpeMatch', ()):
+            if not cpe['vulnerable']:
+                return
+            cpe23 = cpe.get('criteria')
+            if not cpe23:
+                return
+            cpe23 = cpe23.split(':')
+            if len(cpe23) < 6:
+                return
+            vendor = cpe23[3]
+            product = cpe23[4]
+            version = cpe23[5]
+
+            if cpe23[6] == '*' or cpe23[6] == '-':
+                version_suffix = ""
+            else:
+                version_suffix = "_" + cpe23[6]
+
+            if version != '*' and version != '-':
+                # Version is defined, this is a '=' match
+                yield [cveId, vendor, product, version + version_suffix, '=', '', '']
+            elif version == '-':
+                # no version information is available
+                yield [cveId, vendor, product, version, '', '', '']
+            else:
+                # Parse start version, end version and operators
+                op_start = ''
+                op_end = ''
+                v_start = ''
+                v_end = ''
+
+                if 'versionStartIncluding' in cpe:
+                    op_start = '>='
+                    v_start = cpe['versionStartIncluding']
+
+                if 'versionStartExcluding' in cpe:
+                    op_start = '>'
+                    v_start = cpe['versionStartExcluding']
+
+                if 'versionEndIncluding' in cpe:
+                    op_end = '<='
+                    v_end = cpe['versionEndIncluding']
+
+                if 'versionEndExcluding' in cpe:
+                    op_end = '<'
+                    v_end = cpe['versionEndExcluding']
+
+                if op_start or op_end or v_start or v_end:
+                    yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+                else:
+                    # This is no version information, expressed differently.
+                    # Save processing by representing as -.
+                    yield [cveId, vendor, product, '-', '', '', '']
+
+    conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
+
+def update_db(conn, elt):
+    """
+    Update a single entry in the on-disk database
+    """
+
+    accessVector = None
+    cveId = elt['cve']['id']
+    if elt['cve']['vulnStatus'] ==  "Rejected":
+        return
+    cveDesc = ""
+    for desc in elt['cve']['descriptions']:
+        if desc['lang'] == 'en':
+            cveDesc = desc['value']
+    date = elt['cve']['lastModified']
+    try:
+        accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
+        cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
+    except KeyError:
+        cvssv2 = 0.0
+    cvssv3 = None
+    try:
+        accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
+        cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
+    except KeyError:
+        pass
+    try:
+        accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
+        cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
+    except KeyError:
+        pass
+    accessVector = accessVector or "UNKNOWN"
+    cvssv3 = cvssv3 or 0.0
+
+    conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
+
+    try:
+        for config in elt['cve']['configurations']:
+            # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
+            for node in config["nodes"]:
+                parse_node_and_insert(conn, node, cveId)
+    except KeyError:
+        bb.note("CVE %s has no configurations" % cveId)
+
+do_fetch[nostamp] = "1"
+
+EXCLUDE_FROM_WORLD = "1"
--- a/meta/recipes-core/systemd/systemd-systemctl/systemctl
+++ b/meta/recipes-core/systemd/systemd-systemctl/systemctl
@@ -182,12 +182,14 @@ class SystemdUnit():

        raise SystemdUnitNotFoundError(self.root, unit)

-    def _process_deps(self, config, service, location, prop, dirstem):
+    def _process_deps(self, config, service, location, prop, dirstem, instance):
        systemdir = self.root / SYSCONFDIR / "systemd" / "system"

        target = ROOT / location.relative_to(self.root)
        try:
            for dependent in config.get('Install', prop):
+                # expand any %i to instance (ignoring escape sequence %%)
+                dependent = re.sub("([^%](%%)*)%i", "\\g<1>{}".format(instance), dependent)
                wants = systemdir / "{}.{}".format(dependent, dirstem) / service
                add_link(wants, target)

@@ -227,8 +229,8 @@ class SystemdUnit():
        else:
            service = self.unit

-        self._process_deps(config, service, path, 'WantedBy', 'wants')
-        self._process_deps(config, service, path, 'RequiredBy', 'requires')
+        self._process_deps(config, service, path, 'WantedBy', 'wants', instance)
+        self._process_deps(config, service, path, 'RequiredBy', 'requires', instance)

        try:
            for also in config.get('Install', 'Also'):
--- a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
+++ b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
@@ -12,10 +12,7 @@ set( CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY )

 set(CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX "$ENV{OE_CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX}")

-# Set CMAKE_SYSTEM_PROCESSOR from the sysroot name (assuming processor-distro-os).
-if ($ENV{SDKTARGETSYSROOT} MATCHES "/sysroots/([a-zA-Z0-9_-]+)-.+-.+")
-  set(CMAKE_SYSTEM_PROCESSOR ${CMAKE_MATCH_1})
-endif()
+set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} )

 # Include the toolchain configuration subscripts
 file( GLOB toolchain_config_files "${CMAKE_TOOLCHAIN_FILE}.d/*.cmake" )
--- a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
@@ -0,0 +1,236 @@
+From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:21 +0100
+Subject: [PATCH] dmidecode: Split table fetching from decoding
+
+Clean up function dmi_table so that it does only one thing:
+* dmi_table() is renamed to dmi_table_get(). It now retrieves the
+  DMI table, but does not process it any longer.
+* Decoding or dumping the table is now done in smbios3_decode(),
+  smbios_decode() and legacy_decode().
+No functional change.
+
+A side effect of this change is that writing the header and body of
+dump files is now done in a single location. This is required to
+further consolidate the writing of dump files.
+
+CVE-ID: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7]
+
+Backport Changes:
+- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces
+  pr_info(). This is backported to printf() as per v3.2.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+---
+ dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 62 insertions(+), 24 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index a3e9d6c..d6eedd1 100644
+--- a/dmidecode.c
+++ b/dmidecode.c
+@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+ 	}
+ }
+ 
+-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+-		      u32 flags)
+/* Allocates a buffer for the table, must be freed by the caller */
+static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
+			 const char *devmem, u32 flags)
+ {
+ 	u8 *buf;
+ 
+@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+ 		{
+ 			if (num)
+ 				printf("%u structures occupying %u bytes.\n",
+-				       num, len);
+				       num, *len);
+ 			if (!(opt.flags & FLAG_FROM_DUMP))
+ 				printf("Table at 0x%08llX.\n",
+ 				       (unsigned long long)base);
+@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+ 		 * would be the result of the kernel truncating the table on
+ 		 * parse error.
+ 		 */
+-		size_t size = len;
+		size_t size = *len;
+ 		buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
+ 			&size, devmem);
+-		if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
+		if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
+ 		{
+ 			fprintf(stderr, "Wrong DMI structures length: %u bytes "
+ 				"announced, only %lu bytes available.\n",
+-				len, (unsigned long)size);
+				*len, (unsigned long)size);
+ 		}
+-		len = size;
+		*len = size;
+ 	}
+ 	else
+-		buf = mem_chunk(base, len, devmem);
+		buf = mem_chunk(base, *len, devmem);
+ 
+ 	if (buf == NULL)
+ 	{
+@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+ 			fprintf(stderr,
+ 				"Try compiling dmidecode with -DUSE_MMAP.\n");
+ #endif
+-		return;
+ 	}
+ 
+-	if (opt.flags & FLAG_DUMP_BIN)
+-		dmi_table_dump(buf, len);
+-	else
+-		dmi_table_decode(buf, len, num, ver >> 8, flags);
+-
+-	free(buf);
+	return buf;
+ }
+ 
+ 
+@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf)
+ 
+ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+-	u32 ver;
+	u32 ver, len;
+ 	u64 offset;
+	u8 *table;
+ 
+ 	/* Don't let checksum run beyond the buffer */
+ 	if (buf[0x06] > 0x20)
+@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ 		return 0;
+ 	}
+ 
+-	dmi_table(((off_t)offset.h << 32) | offset.l,
+-		  DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
+	/* Maximum length, may get trimmed */
+	len = DWORD(buf + 0x0C);
+	table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
+			      devmem, flags | FLAG_STOP_AT_EOT);
+	if (table == NULL)
+		return 1;
+ 
+ 	if (opt.flags & FLAG_DUMP_BIN)
+ 	{
+@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ 		memcpy(crafted, buf, 32);
+ 		overwrite_smbios3_address(crafted);
+ 
+		dmi_table_dump(table, len);
+ 		if (!(opt.flags & FLAG_QUIET))
+ 			printf("# Writing %d bytes to %s.\n", crafted[0x06],
+ 			       opt.dumpfile);
+ 		write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
+ 	}
+	else
+	{
+		dmi_table_decode(table, len, 0, ver >> 8,
+				 flags | FLAG_STOP_AT_EOT);
+	}
+
+	free(table);
+ 
+ 	return 1;
+ }
+ 
+ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+-	u16 ver;
+	u16 ver, num;
+	u32 len;
+	u8 *table;
+ 
+ 	/* Don't let checksum run beyond the buffer */
+ 	if (buf[0x05] > 0x20)
+@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ 		printf("SMBIOS %u.%u present.\n",
+ 			ver >> 8, ver & 0xFF);
+ 
+-	dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
+-		ver << 8, devmem, flags);
+	/* Maximum length, may get trimmed */
+	len = WORD(buf + 0x16);
+	num = WORD(buf + 0x1C);
+	table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
+			      devmem, flags);
+	if (table == NULL)
+		return 1;
+ 
+ 	if (opt.flags & FLAG_DUMP_BIN)
+ 	{
+@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ 		memcpy(crafted, buf, 32);
+ 		overwrite_dmi_address(crafted + 0x10);
+ 
+		dmi_table_dump(table, len);
+ 		if (!(opt.flags & FLAG_QUIET))
+ 			printf("# Writing %d bytes to %s.\n", crafted[0x05],
+ 				opt.dumpfile);
+ 		write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+ 	}
+	else
+	{
+		dmi_table_decode(table, len, num, ver, flags);
+	}
+
+	free(table);
+ 
+ 	return 1;
+ }
+ 
+ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+	u16 ver, num;
+	u32 len;
+	u8 *table;
+
+ 	if (!checksum(buf, 0x0F))
+ 		return 0;
+ 
+	ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
+ 	if (!(opt.flags & FLAG_QUIET))
+ 		printf("Legacy DMI %u.%u present.\n",
+ 			buf[0x0E] >> 4, buf[0x0E] & 0x0F);
+ 
+-	dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
+-		((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
+-		devmem, flags);
+	/* Maximum length, may get trimmed */
+	len = WORD(buf + 0x06);
+	num = WORD(buf + 0x0C);
+	table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
+			      devmem, flags);
+	if (table == NULL)
+		return 1;
+ 
+ 	if (opt.flags & FLAG_DUMP_BIN)
+ 	{
+@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ 		memcpy(crafted, buf, 16);
+ 		overwrite_dmi_address(crafted);
+ 
+		dmi_table_dump(table, len);
+ 		if (!(opt.flags & FLAG_QUIET))
+ 			printf("# Writing %d bytes to %s.\n", 0x0F,
+ 				opt.dumpfile);
+ 		write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
+ 	}
+	else
+	{
+		dmi_table_decode(table, len, num, ver, flags);
+	}
+
+	free(table);
+ 
+ 	return 1;
+ }
--- a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
@@ -0,0 +1,198 @@
+From 58e8a07b1aef0e53af1642b30248255e53e42790 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:25 +0100
+Subject: [PATCH] dmidecode: Write the whole dump file at once
+
+When option --dump-bin is used, write the whole dump file at once,
+instead of opening and closing the file separately for the table
+and then for the entry point.
+
+As the file writing function is no longer generic, it gets moved
+from util.c to dmidecode.c.
+
+One minor functional change resulting from the new implementation is
+that the entry point is written first now, so the messages printed
+are swapped.
+
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f38]
+
+Backport Changes:
+- In the file dmidecode.c, the commit [2241f1d] in v3.3 introduces
+  pr_info(). This is backported to printf() as per v3.2.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit d8cfbc808f387e87091c25e7d5b8c2bb348bb206)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+ dmidecode.c | 69 +++++++++++++++++++++++++++++++++++++++--------------
+ util.c      | 40 -------------------------------
+ util.h      |  1 -
+ 3 files changed, 51 insertions(+), 59 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index d6eedd1..b91e53b 100644
+--- a/dmidecode.c
+++ b/dmidecode.c
+@@ -5094,11 +5094,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+ 	}
+ }
+ 
+-static void dmi_table_dump(const u8 *buf, u32 len)
+static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
+			  u32 table_len)
+ {
+	FILE *f;
+
+	f = fopen(opt.dumpfile, "wb");
+	if (!f)
+	{
+		fprintf(stderr, "%s: ", opt.dumpfile);
+		perror("fopen");
+		return -1;
+	}
+
+	if (!(opt.flags & FLAG_QUIET))
+		printf("# Writing %d bytes to %s.\n", ep_len, opt.dumpfile);
+	if (fwrite(ep, ep_len, 1, f) != 1)
+	{
+		fprintf(stderr, "%s: ", opt.dumpfile);
+		perror("fwrite");
+		goto err_close;
+	}
+
+	if (fseek(f, 32, SEEK_SET) != 0)
+	{
+		fprintf(stderr, "%s: ", opt.dumpfile);
+		perror("fseek");
+		goto err_close;
+	}
+
+ 	if (!(opt.flags & FLAG_QUIET))
+-		printf("# Writing %d bytes to %s.\n", len, opt.dumpfile);
+-	write_dump(32, len, buf, opt.dumpfile, 0);
+		printf("# Writing %d bytes to %s.\n", table_len, opt.dumpfile);
+	if (fwrite(table, table_len, 1, f) != 1)
+	{
+		fprintf(stderr, "%s: ", opt.dumpfile);
+		perror("fwrite");
+		goto err_close;
+	}
+
+	if (fclose(f))
+	{
+		fprintf(stderr, "%s: ", opt.dumpfile);
+		perror("fclose");
+		return -1;
+	}
+
+	return 0;
+
+err_close:
+	fclose(f);
+	return -1;
+ }
+ 
+ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+@@ -5351,11 +5396,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ 		memcpy(crafted, buf, 32);
+ 		overwrite_smbios3_address(crafted);
+ 
+-		dmi_table_dump(table, len);
+-		if (!(opt.flags & FLAG_QUIET))
+-			printf("# Writing %d bytes to %s.\n", crafted[0x06],
+-			       opt.dumpfile);
+-		write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
+		dmi_table_dump(crafted, crafted[0x06], table, len);
+ 	}
+ 	else
+ 	{
+@@ -5427,11 +5468,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ 		memcpy(crafted, buf, 32);
+ 		overwrite_dmi_address(crafted + 0x10);
+ 
+-		dmi_table_dump(table, len);
+-		if (!(opt.flags & FLAG_QUIET))
+-			printf("# Writing %d bytes to %s.\n", crafted[0x05],
+-				opt.dumpfile);
+-		write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+		dmi_table_dump(crafted, crafted[0x05], table, len);
+ 	}
+ 	else
+ 	{
+@@ -5472,11 +5509,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ 		memcpy(crafted, buf, 16);
+ 		overwrite_dmi_address(crafted);
+ 
+-		dmi_table_dump(table, len);
+-		if (!(opt.flags & FLAG_QUIET))
+-			printf("# Writing %d bytes to %s.\n", 0x0F,
+-				opt.dumpfile);
+-		write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
+		dmi_table_dump(crafted, 0x0F, table, len);
+ 	}
+ 	else
+ 	{
+diff --git a/util.c b/util.c
+index eeffdae..2e1931c 100644
+--- a/util.c
+++ b/util.c
+@@ -247,46 +247,6 @@ out:
+ 	return p;
+ }
+ 
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add)
+-{
+-	FILE *f;
+-
+-	f = fopen(dumpfile, add ? "r+b" : "wb");
+-	if (!f)
+-	{
+-		fprintf(stderr, "%s: ", dumpfile);
+-		perror("fopen");
+-		return -1;
+-	}
+-
+-	if (fseek(f, base, SEEK_SET) != 0)
+-	{
+-		fprintf(stderr, "%s: ", dumpfile);
+-		perror("fseek");
+-		goto err_close;
+-	}
+-
+-	if (fwrite(data, len, 1, f) != 1)
+-	{
+-		fprintf(stderr, "%s: ", dumpfile);
+-		perror("fwrite");
+-		goto err_close;
+-	}
+-
+-	if (fclose(f))
+-	{
+-		fprintf(stderr, "%s: ", dumpfile);
+-		perror("fclose");
+-		return -1;
+-	}
+-
+-	return 0;
+-
+-err_close:
+-	fclose(f);
+-	return -1;
+-}
+-
+ /* Returns end - start + 1, assuming start < end */
+ u64 u64_range(u64 start, u64 end)
+ {
+diff --git a/util.h b/util.h
+index 3094cf8..ef24eb9 100644
+--- a/util.h
+++ b/util.h
+@@ -27,5 +27,4 @@
+ int checksum(const u8 *buf, size_t len);
+ void *read_file(off_t base, size_t *len, const char *filename);
+ void *mem_chunk(off_t base, size_t len, const char *devmem);
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add);
+ u64 u64_range(u64 start, u64 end);
--- a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
@@ -0,0 +1,62 @@
+From b7dacccff32294ea522df32a9391d0218e7600ea Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:31 +0100
+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
+
+Make sure that the file passed to option --dump-bin does not already
+exist. In practice, it is rather unlikely that an honest user would
+want to overwrite an existing dump file, while this possibility
+could be used by a rogue user to corrupt a system file.
+
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c]
+
+Backport Changes:
+- Ignored changes in man/dmidecode.8 file.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+ dmidecode.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index b91e53b..846d9a1 100644
+--- a/dmidecode.c
+++ b/dmidecode.c
+@@ -60,6 +60,7 @@
+  *    https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf
+  */
+ 
+#include <fcntl.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <strings.h>
+@@ -5097,13 +5098,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+ static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
+ 			  u32 table_len)
+ {
+	int fd;
+ 	FILE *f;
+ 
+-	f = fopen(opt.dumpfile, "wb");
+	fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666);
+	if (fd == -1)
+	{
+		fprintf(stderr, "%s: ", opt.dumpfile);
+		perror("open");
+		return -1;
+	}
+
+	f = fdopen(fd, "wb");
+ 	if (!f)
+ 	{
+ 		fprintf(stderr, "%s: ", opt.dumpfile);
+-		perror("fopen");
+		perror("fdopen");
+ 		return -1;
+ 	}
+ 
--- a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
+++ b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
@@ -6,6 +6,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"

 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \
           file://0001-Committing-changes-from-do_unpack_extra.patch \
+           file://CVE-2023-30630-dependent_p1.patch \
+           file://CVE-2023-30630-dependent_p2.patch \
+           file://CVE-2023-30630.patch \
           "

 COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux"
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
@@ -8,3 +8,4 @@ rm -f *.tmp
 rm -f *.ok
 rm -f *.failed
 rm -f *.log
+cp ../data/test_data.tmp ./
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb
@@ -144,4 +144,7 @@ do_install_ptest() {

        install -d ${D}${PTEST_PATH}/lib
        install -m 0644 ${B}/lib/config.h  ${D}${PTEST_PATH}/lib/
+
+        install -d ${D}${PTEST_PATH}/data
+        install -m 0644 ${B}/tests/test_data.tmp ${D}${PTEST_PATH}/data/
 }
--- a/meta/recipes-devtools/elfutils/elfutils_0.178.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.178.bb
@@ -34,6 +34,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
           file://0001-ppc_initreg.c-Incliude-asm-ptrace.h-for-pt_regs-defi.patch \
           file://run-ptest \
           file://ptest.patch \
+           file://CVE-2021-33294.patch \
           "
 SRC_URI_append_libc-musl = " \
           file://0001-musl-obstack-fts.patch \
--- a/meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch
+++ b/meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch
@@ -0,0 +1,72 @@
+From 480b6fa3662ba8ffeee274bf0d37423413c01e55 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 3 Mar 2021 21:40:53 +0100
+Subject: [PATCH] readelf: Sanity check verneed and verdef offsets in handle_symtab.
+
+We are going through vna_next, vn_next and vd_next in a while loop.
+Make sure that all offsets are sane. We don't want things to wrap
+around so we go in cycles.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=27501
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=480b6fa3662ba8ffeee274bf0d37423413c01e55]
+CVE: CVE-2021-33294
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ChangeLog |  5 +++++
+ src/readelf.c | 10 +++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/ChangeLog b/src/ChangeLog
+index 6af977e..f0d9e39 100644
+--- a/src/ChangeLog
+++ b/src/ChangeLog
+@@ -1,3 +1,8 @@
+2021-03-03  Mark Wielaard  <mark@klomp.org>
+
+	* readelf.c (handle_symtab): Sanity check verneed vna_next,
+	vn_next and verdef vd_next offsets.
+
+ 2019-11-26  Mark Wielaard  <mark@klomp.org>
+ 
+ 	* Makefile.am (BUILD_STATIC): Add libraries needed for libdw.
+diff --git a/src/readelf.c b/src/readelf.c
+index 5994615..ab7a1c1 100644
+--- a/src/readelf.c
+++ b/src/readelf.c
+@@ -2550,7 +2550,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ 						 &vernaux_mem);
+ 		      while (vernaux != NULL
+ 			     && vernaux->vna_other != *versym
+-			     && vernaux->vna_next != 0)
+			     && vernaux->vna_next != 0
+			     && (verneed_data->d_size - vna_offset
+				 >= vernaux->vna_next))
+ 			{
+ 			  /* Update the offset.  */
+ 			  vna_offset += vernaux->vna_next;
+@@ -2567,6 +2569,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ 			/* Found it.  */
+ 			break;
+ 
+		      if (verneed_data->d_size - vn_offset < verneed->vn_next)
+			break;
+
+ 		      vn_offset += verneed->vn_next;
+ 		      verneed = (verneed->vn_next == 0
+ 				 ? NULL
+@@ -2602,6 +2607,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ 			/* Found the definition.  */
+ 			break;
+ 
+		      if (verdef_data->d_size - vd_offset < verdef->vd_next)
+			break;
+
+ 		      vd_offset += verdef->vd_next;
+ 		      verdef = (verdef->vd_next == 0
+ 				? NULL
+-- 
+2.25.1
+
--- a/meta/recipes-devtools/gcc/gcc-9.5.inc
+++ b/meta/recipes-devtools/gcc/gcc-9.5.inc
@@ -75,7 +75,7 @@ S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}"
 SRC_URI[sha256sum] = "27769f64ef1d4cd5e2be8682c0c93f9887983e6cfd1a927ce5a0a2915a95cf8f"
 # For dev release snapshotting
 #S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/official-gcc-${RELEASE}"
-#B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
+B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"

 # Language Overrides
 FORTRAN = ""
--- a/meta/recipes-devtools/git/files/CVE-2023-25652.patch
+++ b/meta/recipes-devtools/git/files/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Thu, 9 Mar 2023 16:02:54 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+
+The `git apply --reject` is expected to write out `.rej` files in case
+one or more hunks fail to apply cleanly. Historically, the command
+overwrites any existing `.rej` files. The idea being that
+apply/reject/edit cycles are relatively common, and the generated `.rej`
+files are not considered precious.
+
+But the command does not overwrite existing `.rej` symbolic links, and
+instead follows them. This is unsafe because the same patch could
+potentially create such a symbolic link and point at arbitrary paths
+outside the current worktree, and `git apply` would write the contents
+of the `.rej` file into that location.
+
+Therefore, let's make sure that any existing `.rej` file or symbolic
+link is removed before writing it.
+
+Reported-by: RyotaK <ryotak.mail@gmail.com>
+Helped-by: Taylor Blau <me@ttaylorr.com>
+Helped-by: Junio C Hamano <gitster@pobox.com>
+Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+CVE: CVE-2023-25652
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ apply.c                  | 14 ++++++++++++--
+ t/t4115-apply-symlink.sh | 15 +++++++++++++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/apply.c b/apply.c
+index 4f303bf..aa7111d 100644
+--- a/apply.c
+++ b/apply.c
+@@ -4531,7 +4531,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+ 	FILE *rej;
+ 	char namebuf[PATH_MAX];
+ 	struct fragment *frag;
+-	int cnt = 0;
+	int fd, cnt = 0;
+ 	struct strbuf sb = STRBUF_INIT;
+ 
+ 	for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4571,7 +4571,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+ 	memcpy(namebuf, patch->new_name, cnt);
+ 	memcpy(namebuf + cnt, ".rej", 5);
+ 
+-	rej = fopen(namebuf, "w");
+	fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+	if (fd < 0) {
+		if (errno != EEXIST)
+			return error_errno(_("cannot open %s"), namebuf);
+		if (unlink(namebuf))
+			return error_errno(_("cannot unlink '%s'"), namebuf);
+		fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
+		if (fd < 0)
+			return error_errno(_("cannot open %s"), namebuf);
+	}
+	rej = fdopen(fd, "w");
+ 	if (!rej)
+ 		return error_errno(_("cannot open %s"), namebuf);
+ 
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 1acb7b2..2b034ff 100755
+--- a/t/t4115-apply-symlink.sh
+++ b/t/t4115-apply-symlink.sh
+@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
+ 	test_path_is_file .git/delete-me
+ '
+ 
+test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
+	test_when_finished "git reset --hard && git clean -dfx" &&
+
+	test_commit file &&
+	echo modified >file.t &&
+	git diff -- file.t >patch &&
+	echo modified-again >file.t &&
+
+	ln -s foo file.t.rej &&
+	test_must_fail git apply patch --reject 2>err &&
+	test_i18ngrep "Rejected hunk" err &&
+	test_path_is_missing foo &&
+	test_path_is_file file.t.rej
+'
+
+ test_done
+-- 
+2.25.1
+
--- a/meta/recipes-devtools/git/files/CVE-2023-29007.patch
+++ b/meta/recipes-devtools/git/files/CVE-2023-29007.patch
@@ -0,0 +1,159 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+  config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+  config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+  config: avoid fixed-sized buffer when renaming/deleting a section
+  t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4]
+CVE: CVE-2023-29007
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ config.c          | 36 +++++++++++++++++++++++++-----------
+ t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index e7052b3..676b687 100644
+--- a/config.c
+++ b/config.c
+@@ -2987,9 +2987,10 @@ void git_config_set_multivar(const char *key, const char *value,
+ 					multi_replace);
+ }
+ 
+-static int section_name_match (const char *buf, const char *name)
+static size_t section_name_match (const char *buf, const char *name)
+ {
+-	int i = 0, j = 0, dot = 0;
+	size_t i = 0, j = 0;
+	int dot = 0;
+ 	if (buf[i] != '[')
+ 		return 0;
+ 	for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3042,6 +3043,8 @@ static int section_name_is_ok(const char *name)
+ 	return 1;
+ }
+ 
+#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
+
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char *config_filename,
+ 				      const char *old_name,
+@@ -3051,11 +3054,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ 	char *filename_buf = NULL;
+ 	struct lock_file lock = LOCK_INIT;
+ 	int out_fd;
+-	char buf[1024];
+	struct strbuf buf = STRBUF_INIT;
+ 	FILE *config_file = NULL;
+ 	struct stat st;
+ 	struct strbuf copystr = STRBUF_INIT;
+ 	struct config_store_data store;
+	uint32_t line_nr = 0;
+ 
+ 	memset(&store, 0, sizeof(store));
+ 
+@@ -3092,16 +3096,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ 		goto out;
+ 	}
+ 
+-	while (fgets(buf, sizeof(buf), config_file)) {
+-		int i;
+-		int length;
+	while (!strbuf_getwholeline(&buf, config_file, '\n')) {
+		size_t i, length;
+ 		int is_section = 0;
+-		char *output = buf;
+-		for (i = 0; buf[i] && isspace(buf[i]); i++)
+		char *output = buf.buf;
+
+		line_nr++;
+
+		if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) {
+			ret = error(_("refusing to work with overly long line "
+				      "in '%s' on line %"PRIuMAX),
+				    config_filename, (uintmax_t)line_nr);
+			goto out;
+		}
+
+		for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++)
+ 			; /* do nothing */
+-		if (buf[i] == '[') {
+		if (buf.buf[i] == '[') {
+ 			/* it's a section */
+-			int offset;
+			size_t offset;
+ 			is_section = 1;
+ 
+ 			/*
+@@ -3118,7 +3131,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ 				strbuf_reset(&copystr);
+ 			}
+ 
+-			offset = section_name_match(&buf[i], old_name);
+			offset = section_name_match(&buf.buf[i], old_name);
+ 			if (offset > 0) {
+ 				ret++;
+ 				if (new_name == NULL) {
+@@ -3193,6 +3206,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ out_no_rollback:
+ 	free(filename_buf);
+ 	config_store_data_clear(&store);
+	strbuf_release(&buf);
+ 	return ret;
+ }
+ 
+diff --git a/t/t1300-config.sh b/t/t1300-config.sh
+index 983a0a1..9b67f6b 100755
+--- a/t/t1300-config.sh
+++ b/t/t1300-config.sh
+@@ -616,6 +616,36 @@ test_expect_success 'renaming to bogus section is rejected' '
+ 	test_must_fail git config --rename-section branch.zwei "bogus name"
+ '
+ 
+test_expect_success 'renaming a section with a long line' '
+	{
+		printf "[b]\\n" &&
+		printf "  c = d %1024s [a] e = f\\n" " " &&
+		printf "[a] g = h\\n"
+	} >y &&
+	git config -f y --rename-section a xyz &&
+	test_must_fail git config -f y b.e
+'
+
+test_expect_success 'renaming an embedded section with a long line' '
+	{
+		printf "[b]\\n" &&
+		printf "  c = d %1024s [a] [foo] e = f\\n" " " &&
+		printf "[a] g = h\\n"
+	} >y &&
+	git config -f y --rename-section a xyz &&
+	test_must_fail git config -f y foo.e
+'
+
+test_expect_success 'renaming a section with an overly-long line' '
+	{
+		printf "[b]\\n" &&
+		printf "  c = d %525000s e" " " &&
+		printf "[a] g = h\\n"
+	} >y &&
+	test_must_fail git config -f y --rename-section a xyz 2>err &&
+	test_i18ngrep "refusing to work with overly long line in .y. on line 2" err
+'
+
+ cat >> .git/config << EOF
+   [branch "zwei"] a = 1 [branch "vier"]
+ EOF
+-- 
+2.25.1
+
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -28,6 +28,8 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
           file://CVE-2023-22490-2.patch \
           file://CVE-2023-22490-3.patch \
           file://CVE-2023-23946.patch \
+           file://CVE-2023-29007.patch \
+           file://CVE-2023-25652.patch \
           "
 S = "${WORKDIR}/git-${PV}"

--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -58,6 +58,18 @@ SRC_URI += "\
    file://CVE-2020-29510.patch \
    file://CVE-2023-24537.patch \
    file://CVE-2023-24534.patch \
+    file://CVE-2023-24538-1.patch \
+    file://CVE-2023-24538-2.patch \
+    file://CVE-2023-24538-3.patch \
+    file://CVE-2023-24539.patch \
+    file://CVE-2023-24540.patch \
+    file://CVE-2023-29405-1.patch \
+    file://CVE-2023-29405-2.patch \
+    file://CVE-2023-29402.patch \
+    file://CVE-2023-29404.patch \
+    file://CVE-2023-29400.patch \
+    file://CVE-2023-29406.patch \
+    file://CVE-2023-29409.patch \
 "

 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
@@ -0,0 +1,125 @@
+From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@golang.org>
+Date: Mon, 2 Aug 2021 14:55:51 -0700
+Subject: [PATCH 1/3] net/netip: add new IP address package
+
+Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
+Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
+Co-authored-by: David Anderson <dave@natulte.net> (Tailscale CLA)
+Co-authored-by: David Crawshaw <crawshaw@tailscale.com> (Tailscale CLA)
+Co-authored-by: Dmytro Shynkevych <dmytro@tailscale.com> (Tailscale CLA)
+Co-authored-by: Elias Naur <mail@eliasnaur.com>
+Co-authored-by: Joe Tsai <joetsai@digital-static.net> (Tailscale CLA)
+Co-authored-by: Jonathan Yu <jawnsy@cpan.org> (GitHub @jawnsy)
+Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com> (Tailscale CLA)
+Co-authored-by: Maisem Ali <maisem@tailscale.com> (Tailscale CLA)
+Co-authored-by: Manuel Mendez (Go AUTHORS mmendez534@...)
+Co-authored-by: Matt Layher <mdlayher@gmail.com>
+Co-authored-by: Noah Treuhaft <noah.treuhaft@gmail.com> (GitHub @nwt)
+Co-authored-by: Stefan Majer <stefan.majer@gmail.com>
+Co-authored-by: Terin Stock <terinjokes@gmail.com> (Cloudflare CLA)
+Co-authored-by: Tobias Klauser <tklauser@distanz.ch>
+
+Fixes #46518
+
+Change-Id: I0041f9e1115d61fa6e95fcf32b01d9faee708712
+Reviewed-on: https://go-review.googlesource.com/c/go/+/339309
+Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Trust: Brad Fitzpatrick <bradfitz@golang.org>
+
+Dependency Patch #1
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0]
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/internal/godebug/godebug.go      | 34 ++++++++++++++++++++++++++++++++++
+ src/internal/godebug/godebug_test.go | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+ create mode 100644 src/internal/godebug/godebug.go
+ create mode 100644 src/internal/godebug/godebug_test.go
+
+diff --git a/src/internal/godebug/godebug.go b/src/internal/godebug/godebug.go
+new file mode 100644
+index 0000000..ac434e5
+--- /dev/null
+++ b/src/internal/godebug/godebug.go
+@@ -0,0 +1,34 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package godebug parses the GODEBUG environment variable.
+package godebug
+
+import "os"
+
+// Get returns the value for the provided GODEBUG key.
+func Get(key string) string {
+	return get(os.Getenv("GODEBUG"), key)
+}
+
+// get returns the value part of key=value in s (a GODEBUG value).
+func get(s, key string) string {
+	for i := 0; i < len(s)-len(key)-1; i++ {
+		if i > 0 && s[i-1] != ',' {
+			continue
+		}
+		afterKey := s[i+len(key):]
+		if afterKey[0] != '=' || s[i:i+len(key)] != key {
+			continue
+		}
+		val := afterKey[1:]
+		for i, b := range val {
+			if b == ',' {
+				return val[:i]
+			}
+		}
+		return val
+	}
+	return ""
+}
+diff --git a/src/internal/godebug/godebug_test.go b/src/internal/godebug/godebug_test.go
+new file mode 100644
+index 0000000..41b9117
+--- /dev/null
+++ b/src/internal/godebug/godebug_test.go
+@@ -0,0 +1,34 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package godebug
+
+import "testing"
+
+func TestGet(t *testing.T) {
+	tests := []struct {
+		godebug string
+		key     string
+		want    string
+	}{
+		{"", "", ""},
+		{"", "foo", ""},
+		{"foo=bar", "foo", "bar"},
+		{"foo=bar,after=x", "foo", "bar"},
+		{"before=x,foo=bar,after=x", "foo", "bar"},
+		{"before=x,foo=bar", "foo", "bar"},
+		{",,,foo=bar,,,", "foo", "bar"},
+		{"foodecoy=wrong,foo=bar", "foo", "bar"},
+		{"foo=", "foo", ""},
+		{"foo", "foo", ""},
+		{",foo", "foo", ""},
+		{"foo=bar,baz", "loooooooong", ""},
+	}
+	for _, tt := range tests {
+		got := get(tt.godebug, tt.key)
+		if got != tt.want {
+			t.Errorf("get(%q, %q) = %q; want %q", tt.godebug, tt.key, got, tt.want)
+		}
+	}
+}
+--
+2.7.4
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
@@ -0,0 +1,196 @@
+From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
+From: empijei <robclap8@gmail.com>
+Date: Fri, 27 Mar 2020 19:27:55 +0100
+Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes
+ for JSON compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The existing implementation is not compatible with JSON
+escape as it uses hex escaping.
+Unicode escape, instead, is valid for both JSON and JS.
+This fix avoids creating a separate escaping context for
+scripts of type "application/ld+json" and it is more
+future-proof in case more JSON+JS contexts get added
+to the platform (e.g. import maps).
+
+Fixes #33671
+Fixes #37634
+
+Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226097
+Reviewed-by: Carl Johnson <me@carlmjohnson.net>
+Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
+Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+Dependency Patch #2
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/js.go    | 70 +++++++++++++++++++++++++++-------------------
+ src/text/template/funcs.go |  8 +++---
+ 2 files changed, 46 insertions(+), 32 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 0e91458..ea9c183 100644
+--- a/src/html/template/js.go
+++ b/src/html/template/js.go
+@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string {
+	}
+	// TODO: detect cycles before calling Marshal which loops infinitely on
+	// cyclic data. This may be an unacceptable DoS risk.
+-
+	b, err := json.Marshal(a)
+	if err != nil {
+		// Put a space before comment so that if it is flush against
+@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string {
+	// TODO: maybe post-process output to prevent it from containing
+	// "<!--", "-->", "<![CDATA[", "]]>", or "</script"
+	// in case custom marshalers produce output containing those.
+-
+-	// TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
+	// Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper
+	// supports ld+json content-type.
+	if len(b) == 0 {
+		// In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
+		// not cause the output `x=y/*z`.
+@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string {
+		r, w = utf8.DecodeRuneInString(s[i:])
+		var repl string
+		switch {
+		case int(r) < len(lowUnicodeReplacementTable):
+			repl = lowUnicodeReplacementTable[r]
+		case int(r) < len(replacementTable) && replacementTable[r] != "":
+			repl = replacementTable[r]
+		case r == '\u2028':
+@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string {
+	return b.String()
+ }
+
+var lowUnicodeReplacementTable = []string{
+	0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`,
+	'\a': `\u0007`,
+	'\b': `\u0008`,
+	'\t': `\t`,
+	'\n': `\n`,
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
+	'\f': `\f`,
+	'\r': `\r`,
+	0xe:  `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`,
+	0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`,
+	0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`,
+}
+
+ var jsStrReplacementTable = []string{
+-	0:    `\0`,
+	0:    `\u0000`,
+	'\t': `\t`,
+	'\n': `\n`,
+-	'\v': `\x0b`, // "\v" == "v" on IE 6.
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
+	'\f': `\f`,
+	'\r': `\r`,
+	// Encode HTML specials as hex so the output can be embedded
+	// in HTML attributes without further encoding.
+-	'"':  `\x22`,
+-	'&':  `\x26`,
+-	'\'': `\x27`,
+-	'+':  `\x2b`,
+	'"':  `\u0022`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'+':  `\u002b`,
+	'/':  `\/`,
+-	'<':  `\x3c`,
+-	'>':  `\x3e`,
+	'<':  `\u003c`,
+	'>':  `\u003e`,
+	'\\': `\\`,
+ }
+
+ // jsStrNormReplacementTable is like jsStrReplacementTable but does not
+ // overencode existing escapes since this table has no entry for `\`.
+ var jsStrNormReplacementTable = []string{
+-	0:    `\0`,
+	0:    `\u0000`,
+	'\t': `\t`,
+	'\n': `\n`,
+-	'\v': `\x0b`, // "\v" == "v" on IE 6.
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
+	'\f': `\f`,
+	'\r': `\r`,
+	// Encode HTML specials as hex so the output can be embedded
+	// in HTML attributes without further encoding.
+-	'"':  `\x22`,
+-	'&':  `\x26`,
+-	'\'': `\x27`,
+-	'+':  `\x2b`,
+	'"':  `\u0022`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'+':  `\u002b`,
+	'/':  `\/`,
+-	'<':  `\x3c`,
+-	'>':  `\x3e`,
+	'<':  `\u003c`,
+	'>':  `\u003e`,
+ }
+-
+ var jsRegexpReplacementTable = []string{
+-	0:    `\0`,
+	0:    `\u0000`,
+	'\t': `\t`,
+	'\n': `\n`,
+-	'\v': `\x0b`, // "\v" == "v" on IE 6.
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
+	'\f': `\f`,
+	'\r': `\r`,
+	// Encode HTML specials as hex so the output can be embedded
+	// in HTML attributes without further encoding.
+-	'"':  `\x22`,
+	'"':  `\u0022`,
+	'$':  `\$`,
+-	'&':  `\x26`,
+-	'\'': `\x27`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'(':  `\(`,
+	')':  `\)`,
+	'*':  `\*`,
+-	'+':  `\x2b`,
+	'+':  `\u002b`,
+	'-':  `\-`,
+	'.':  `\.`,
+	'/':  `\/`,
+-	'<':  `\x3c`,
+-	'>':  `\x3e`,
+	'<':  `\u003c`,
+	'>':  `\u003e`,
+	'?':  `\?`,
+	'[':  `\[`,
+	'\\': `\\`,
+diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go
+index 46125bc..f3de9fb 100644
+--- a/src/text/template/funcs.go
+++ b/src/text/template/funcs.go
+@@ -640,10 +640,10 @@ var (
+	jsBackslash = []byte(`\\`)
+	jsApos      = []byte(`\'`)
+	jsQuot      = []byte(`\"`)
+-	jsLt        = []byte(`\x3C`)
+-	jsGt        = []byte(`\x3E`)
+-	jsAmp       = []byte(`\x26`)
+-	jsEq        = []byte(`\x3D`)
+	jsLt        = []byte(`\u003C`)
+	jsGt        = []byte(`\u003E`)
+	jsAmp       = []byte(`\u0026`)
+	jsEq        = []byte(`\u003D`)
+ )
+
+ // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
+--
+2.7.4
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch
@@ -0,0 +1,208 @@
+From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 20 Mar 2023 11:01:13 -0700
+Subject: [PATCH 3/3] html/template: disallow actions in JS template literals
+
+ECMAScript 6 introduced template literals[0][1] which are delimited with
+backticks. These need to be escaped in a similar fashion to the
+delimiters for other string literals. Additionally template literals can
+contain special syntax for string interpolation.
+
+There is no clear way to allow safe insertion of actions within JS
+template literals, as handling (JS) string interpolation inside of these
+literals is rather complex. As such we've chosen to simply disallow
+template actions within these template literals.
+
+A new error code is added for this parsing failure case, errJsTmplLit,
+but it is unexported as it is not backwards compatible with other minor
+release versions to introduce an API change in a minor release. We will
+export this code in the next major release.
+
+The previous behavior (with the cavet that backticks are now escaped
+properly) can be re-enabled with GODEBUG=jstmpllitinterp=1.
+
+This change subsumes CL471455.
+
+Thanks to Sohom Datta, Manipal Institute of Technology, for reporting
+this issue.
+
+Fixes CVE-2023-24538
+For #59234
+Fixes #59271
+
+[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals
+[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481987
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/context.go      |  2 ++
+ src/html/template/error.go        | 13 +++++++++++++
+ src/html/template/escape.go       | 11 +++++++++++
+ src/html/template/js.go           |  2 ++
+ src/html/template/jsctx_string.go |  9 +++++++++
+ src/html/template/transition.go   |  7 ++++++-
+ 6 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index f7d4849..0b65313 100644
+--- a/src/html/template/context.go
+++ b/src/html/template/context.go
+@@ -116,6 +116,8 @@ const (
+	stateJSDqStr
+	// stateJSSqStr occurs inside a JavaScript single quoted string.
+	stateJSSqStr
+	// stateJSBqStr occurs inside a JavaScript back quoted string.
+	stateJSBqStr
+	// stateJSRegexp occurs inside a JavaScript regexp literal.
+	stateJSRegexp
+	// stateJSBlockCmt occurs inside a JavaScript /* block comment */.
+diff --git a/src/html/template/error.go b/src/html/template/error.go
+index 0e52706..fd26b64 100644
+--- a/src/html/template/error.go
+++ b/src/html/template/error.go
+@@ -211,6 +211,19 @@ const (
+	//   pipeline occurs in an unquoted attribute value context, "html" is
+	//   disallowed. Avoid using "html" and "urlquery" entirely in new templates.
+	ErrPredefinedEscaper
+
+	// errJSTmplLit: "... appears in a JS template literal"
+	// Example:
+	//     <script>var tmpl = `{{.Interp}`</script>
+	// Discussion:
+	//   Package html/template does not support actions inside of JS template
+	//   literals.
+	//
+	// TODO(rolandshoemaker): we cannot add this as an exported error in a minor
+	// release, since it is backwards incompatible with the other minor
+	// releases. As such we need to leave it unexported, and then we'll add it
+	// in the next major release.
+	errJSTmplLit
+ )
+
+ func (e *Error) Error() string {
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index f12dafa..29ca5b3 100644
+--- a/src/html/template/escape.go
+++ b/src/html/template/escape.go
+@@ -8,6 +8,7 @@ import (
+	"bytes"
+	"fmt"
+	"html"
+	"internal/godebug"
+	"io"
+	"text/template"
+	"text/template/parse"
+@@ -203,6 +204,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
+		c.jsCtx = jsCtxDivOp
+	case stateJSDqStr, stateJSSqStr:
+		s = append(s, "_html_template_jsstrescaper")
+	case stateJSBqStr:
+		debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp")
+		if debugAllowActionJSTmpl == "1" {
+			s = append(s, "_html_template_jsstrescaper")
+		} else {
+			return context{
+				state: stateError,
+				err:   errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n),
+			}
+		}
+	case stateJSRegexp:
+		s = append(s, "_html_template_jsregexpescaper")
+	case stateCSS:
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index ea9c183..b888eaf 100644
+--- a/src/html/template/js.go
+++ b/src/html/template/js.go
+@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{
+	// Encode HTML specials as hex so the output can be embedded
+	// in HTML attributes without further encoding.
+	'"':  `\u0022`,
+	'`':  `\u0060`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'+':  `\u002b`,
+@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{
+	'"':  `\u0022`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'`':  `\u0060`,
+	'+':  `\u002b`,
+	'/':  `\/`,
+	'<':  `\u003c`,
+diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go
+index dd1d87e..2394893 100644
+--- a/src/html/template/jsctx_string.go
+++ b/src/html/template/jsctx_string.go
+@@ -4,6 +4,15 @@ package template
+
+ import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[jsCtxRegexp-0]
+	_ = x[jsCtxDivOp-1]
+	_ = x[jsCtxUnknown-2]
+}
+
+ const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown"
+
+ var _jsCtx_index = [...]uint8{0, 11, 21, 33}
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 06df679..92eb351 100644
+--- a/src/html/template/transition.go
+++ b/src/html/template/transition.go
+@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){
+	stateJS:          tJS,
+	stateJSDqStr:     tJSDelimited,
+	stateJSSqStr:     tJSDelimited,
+	stateJSBqStr:     tJSDelimited,
+	stateJSRegexp:    tJSDelimited,
+	stateJSBlockCmt:  tBlockCmt,
+	stateJSLineCmt:   tLineCmt,
+@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) {
+
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+-	i := bytes.IndexAny(s, `"'/`)
+	i := bytes.IndexAny(s, "\"`'/")
+	if i == -1 {
+		// Entire input is non string, comment, regexp tokens.
+		c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) {
+		c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp
+	case '\'':
+		c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp
+	case '`':
+		c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp
+	case '/':
+		switch {
+		case i+1 < len(s) && s[i+1] == '/':
+@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) {
+	switch c.state {
+	case stateJSSqStr:
+		specials = `\'`
+	case stateJSBqStr:
+		specials = "`\\"
+	case stateJSRegexp:
+		specials = `\/[]`
+	}
+--
+2.7.4
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
@@ -0,0 +1,60 @@
+From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 13 Apr 2023 15:40:44 -0700
+Subject: [PATCH] html/template: disallow angle brackets in CSS values
+
+Angle brackets should not appear in CSS contexts, as they may affect
+token boundaries (such as closing a <style> tag, resulting in
+injection). Instead emit filterFailsafe, matching the behavior for other
+dangerous characters.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #59720
+Fixes CVE-2023-24539
+
+Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1]
+CVE: CVE-2023-24539
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ src/html/template/css.go      | 2 +-
+ src/html/template/css_test.go | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/css.go b/src/html/template/css.go
+index 890a0c6b227fe..f650d8b3e843a 100644
+--- a/src/html/template/css.go
+++ b/src/html/template/css.go
+@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
+ 	// inside a string that might embed JavaScript source.
+ 	for i, c := range b {
+ 		switch c {
+-		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
+		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
+ 			return filterFailsafe
+ 		case '-':
+ 			// Disallow <!-- or -->.
+diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
+index a735638b0314f..2b76256a766e9 100644
+--- a/src/html/template/css_test.go
+++ b/src/html/template/css_test.go
+@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
+ 		{`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
+ 		{`-expre\0000073sion`, "-expre\x073sion"},
+ 		{`@import url evil.css`, "ZgotmplZ"},
+		{"<", "ZgotmplZ"},
+		{">", "ZgotmplZ"},
+ 	}
+ 	for _, test := range tests {
+ 		got := cssValueFilter(test.css)
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
@@ -0,0 +1,90 @@
+From ce7bd33345416e6d8cac901792060591cafc2797 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Tue, 11 Apr 2023 16:27:43 +0100
+Subject: [PATCH] [release-branch.go1.19] html/template: handle all JS
+ whitespace characters
+
+Rather than just a small set. Character class as defined by \s [0].
+
+Thanks to Juho Nurminen of Mattermost for reporting this.
+
+For #59721
+Fixes  #59813
+Fixes CVE-2023-24540
+
+[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes
+
+Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Carlos Amedee <carlos@golang.org>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797]
+CVE: CVE-2023-24540
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/html/template/js.go      |  8 +++++++-
+ src/html/template/js_test.go | 11 +++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index fe7054efe5cd8..4e05c1455723f 100644
+--- a/src/html/template/js.go
+++ b/src/html/template/js.go
+@@ -13,6 +13,11 @@ import (
+ 	"unicode/utf8"
+ )
+ 
+// jsWhitespace contains all of the JS whitespace characters, as defined
+// by the \s character class.
+// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
+const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
+
+ // nextJSCtx returns the context that determines whether a slash after the
+ // given run of tokens starts a regular expression instead of a division
+ // operator: / or /=.
+@@ -26,7 +31,8 @@ import (
+ // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
+ // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
+ func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
+-	s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
+	// Trim all JS whitespace characters
+	s = bytes.TrimRight(s, jsWhitespace)
+ 	if len(s) == 0 {
+ 		return preceding
+ 	}
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index e07c695f7a77d..e52180cc113b5 100644
+--- a/src/html/template/js_test.go
+++ b/src/html/template/js_test.go
+@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
+ 		{jsCtxDivOp, "0"},
+ 		// Dots that are part of a number are div preceders.
+ 		{jsCtxDivOp, "0."},
+		// Some JS interpreters treat NBSP as a normal space, so
+		// we must too in order to properly escape things.
+		{jsCtxRegexp, "=\u00A0"},
+ 	}
+ 
+ 	for _, test := range tests {
+-		if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
+		if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
+			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+-		if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
+		if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
+			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+ 	}
+ 
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
@@ -0,0 +1,94 @@
+From 0d347544cbca0f42b160424f6bc2458ebcc7b3fc Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 13 Apr 2023 14:01:50 -0700
+Subject: [PATCH] html/template: emit filterFailsafe for empty unquoted attr
+ value
+
+An unquoted action used as an attribute value can result in unsafe
+behavior if it is empty, as HTML normalization will result in unexpected
+attributes, and may allow attribute injection. If executing a template
+results in a empty unquoted attribute value, emit filterFailsafe
+instead.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #59722
+Fixes CVE-2023-29400
+
+Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491617
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/0d347544cbca0f42b160424f6bc2458ebcc7b3fc]
+CVE: CVE-2023-29400
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ src/html/template/escape.go      |  5 ++---
+ src/html/template/escape_test.go | 15 +++++++++++++++
+ src/html/template/html.go        |  3 +++
+ 3 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 4ba1d6b31897e..a62ef159f0dcd 100644
+--- a/src/html/template/escape.go
+++ b/src/html/template/escape.go
+@@ -382,9 +382,8 @@ func normalizeEscFn(e string) string {
+ // for all x.
+ var redundantFuncs = map[string]map[string]bool{
+ 	"_html_template_commentescaper": {
+-		"_html_template_attrescaper":    true,
+-		"_html_template_nospaceescaper": true,
+-		"_html_template_htmlescaper":    true,
+		"_html_template_attrescaper": true,
+		"_html_template_htmlescaper": true,
+ 	},
+ 	"_html_template_cssescaper": {
+ 		"_html_template_attrescaper": true,
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index 3dd212bac9406..f8b2b448f2dfa 100644
+--- a/src/html/template/escape_test.go
+++ b/src/html/template/escape_test.go
+@@ -678,6 +678,21 @@ func TestEscape(t *testing.T) {
+ 			`<img srcset={{",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"}}>`,
+ 			`<img srcset=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,>`,
+ 		},
+		{
+			"unquoted empty attribute value (plaintext)",
+			"<p name={{.U}}>",
+			"<p name=ZgotmplZ>",
+		},
+		{
+			"unquoted empty attribute value (url)",
+			"<p href={{.U}}>",
+			"<p href=ZgotmplZ>",
+		},
+		{
+			"quoted empty attribute value",
+			"<p name=\"{{.U}}\">",
+			"<p name=\"\">",
+		},
+ 	}
+ 
+ 	for _, test := range tests {
+diff --git a/src/html/template/html.go b/src/html/template/html.go
+index bcca0b51a0ef9..a181699a5bda8 100644
+--- a/src/html/template/html.go
+++ b/src/html/template/html.go
+@@ -14,6 +14,9 @@ import (
+ // htmlNospaceEscaper escapes for inclusion in unquoted attribute values.
+ func htmlNospaceEscaper(args ...interface{}) string {
+ 	s, t := stringify(args...)
+	if s == "" {
+		return filterFailsafe
+	}
+ 	if t == contentTypeHTML {
+ 		return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false)
+ 	}
+
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
@@ -0,0 +1,201 @@
+rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills" <bcmills@google.com>
+Date: Fri, 12 May 2023 14:15:16 -0400
+Subject: [PATCH] [release-branch.go1.19] cmd/go: disallow package directories
+ containing newlines
+
+Directory or file paths containing newlines may cause tools (such as
+cmd/cgo) that emit "//line" or "#line" -directives to write part of
+the path into non-comment lines in generated source code. If those
+lines contain valid Go code, it may be injected into the resulting
+binary.
+
+(Note that Go import paths and file paths within module zip files
+already could not contain newlines.)
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60167.
+Fixes #60515.
+Fixes CVE-2023-29402.
+
+Change-Id: If55d0400c02beb7a5da5eceac60f1abeac99f064
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902229
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904343
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501218
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f]
+CVE: CVE-2023-29402
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/load/pkg.go               |   4 +
+ src/cmd/go/internal/work/exec.go              |   6 ++
+ src/cmd/go/script_test.go                     |   1 +
+ .../go/testdata/script/build_cwd_newline.txt  | 100 ++++++++++++++++++
+ 4 files changed, 111 insertions(+)
+ create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
+
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index 369a79b..d2b63b0 100644
+--- a/src/cmd/go/internal/load/pkg.go
+++ b/src/cmd/go/internal/load/pkg.go
+@@ -1697,6 +1697,10 @@ func (p *Package) load(stk *ImportStack, bp *build.Package, err error) {
+ 		setError(ImportErrorf(p.ImportPath, "invalid import path %q", p.ImportPath))
+ 		return
+ 	}
+	if strings.ContainsAny(p.Dir, "\r\n") {
+		setError(fmt.Errorf("invalid package directory %q", p.Dir))
+		return
+	}
+ 
+ 	// Build list of imported packages and full dependency list.
+ 	imports := make([]*Package, 0, len(p.Imports))
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 9a9650b..050b785 100644
+--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
+@@ -458,6 +458,12 @@ func (b *Builder) build(a *Action) (err error) {
+ 		b.Print(a.Package.ImportPath + "\n")
+ 	}
+ 
+	if p.Error != nil {
+		// Don't try to build anything for packages with errors. There may be a
+		// problem with the inputs that makes the package unsafe to build.
+		return p.Error
+	}
+
+ 	if a.Package.BinaryOnly {
+ 		p.Stale = true
+ 		p.StaleReason = "binary-only packages are no longer supported"
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index ec498bb..a1398ad 100644
+--- a/src/cmd/go/script_test.go
+++ b/src/cmd/go/script_test.go
+@@ -123,6 +123,7 @@ func (ts *testScript) setup() {
+ 		"devnull=" + os.DevNull,
+ 		"goversion=" + goVersion(ts),
+ 		":=" + string(os.PathListSeparator),
+                "newline=\n",
+ 	}
+ 
+ 	if runtime.GOOS == "plan9" {
+diff --git a/src/cmd/go/testdata/script/build_cwd_newline.txt b/src/cmd/go/testdata/script/build_cwd_newline.txt
+new file mode 100644
+index 0000000..61c6966
+--- /dev/null
+++ b/src/cmd/go/testdata/script/build_cwd_newline.txt
+@@ -0,0 +1,100 @@
+[windows] skip 'filesystem normalizes / to \'
+[plan9] skip 'filesystem disallows \n in paths'
+
+# If the directory path containing a package to be built includes a newline,
+# the go command should refuse to even try to build the package.
+
+env DIR=$WORK${/}${newline}'package main'${newline}'func main() { panic("uh-oh")'${newline}'/*'
+
+mkdir $DIR
+cd $DIR
+exec pwd
+cp $WORK/go.mod ./go.mod
+cp $WORK/main.go ./main.go
+cp $WORK/main_test.go ./main_test.go
+
+! go build -o $devnull .
+stderr 'package example: invalid package directory .*uh-oh'
+
+! go build -o $devnull main.go
+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
+
+! go run .
+stderr 'package example: invalid package directory .*uh-oh'
+
+! go run main.go
+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
+
+! go test .
+stderr 'package example: invalid package directory .*uh-oh'
+
+! go test -v main.go main_test.go
+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
+
+
+# Since we do preserve $PWD (or set it appropriately) for commands, and we do
+# not resolve symlinks unnecessarily, referring to the contents of the unsafe
+# directory via a safe symlink should be ok, and should not inject the data from
+# the symlink target path.
+
+[!symlink] stop 'remainder of test checks symlink behavior'
+[short] stop 'links and runs binaries'
+
+symlink $WORK${/}link -> $DIR
+
+go run $WORK${/}link${/}main.go
+! stdout panic
+! stderr panic
+stderr '^ok$'
+
+go test -v $WORK${/}link${/}main.go $WORK${/}link${/}main_test.go
+! stdout panic
+! stderr panic
+stdout '^ok$'   # 'go test' combines the test's stdout into stderr
+
+cd $WORK/link
+
+! go run $DIR${/}main.go
+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
+
+go run .
+! stdout panic
+! stderr panic
+stderr '^ok$'
+
+go run main.go
+! stdout panic
+! stderr panic
+stderr '^ok$'
+
+go test -v
+! stdout panic
+! stderr panic
+stdout '^ok$'  # 'go test' combines the test's stdout into stderr
+
+go test -v .
+! stdout panic
+! stderr panic
+stdout '^ok$'  # 'go test' combines the test's stdout into stderr
+
+
+-- $WORK/go.mod --
+module example
+go 1.19
+-- $WORK/main.go --
+package main
+
+import "C"
+
+func main() {
+	/* nothing here */
+	println("ok")
+}
+-- $WORK/main_test.go --
+package main
+
+import "testing"
+
+func TestMain(*testing.M) {
+	main()
+}
+-- 
+2.25.1
+
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch
@@ -0,0 +1,84 @@
+From bf3c8ce03e175e870763901a3850bca01381a828 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 5 May 2023 13:10:34 -0700
+Subject: [PATCH] [release-branch.go1.19] cmd/go: enforce flags with
+ non-optional arguments
+
+Enforce that linker flags which expect arguments get them, otherwise it
+may be possible to smuggle unexpected flags through as the linker can
+consume what looks like a flag as an argument to a preceding flag (i.e.
+"-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be
+somewhat more restrictive in the general format of some flags.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60305
+Fixes #60511
+Fixes CVE-2023-29404
+
+Change-Id: Icdffef2c0f644da50261cace6f43742783931cff
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 896779503cf754cbdac24b61d4cc953b50fe2dde)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902225
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904342
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501217
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+Run-TryBot: David Chase <drchase@google.com>
+TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf3c8ce03e175e870763901a3850bca01381a828]
+CVE: CVE-2023-29404
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/work/security.go      | 6 +++---
+ src/cmd/go/internal/work/security_test.go | 5 +++++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index a823b20..8acb6dc 100644
+--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
+@@ -177,17 +177,17 @@ var validLinkerFlags = []*lazyregexp.Regexp{
+ 	re(`-Wl,-Bdynamic`),
+ 	re(`-Wl,-berok`),
+ 	re(`-Wl,-Bstatic`),
+-	re(`-WL,-O([^@,\-][^,]*)?`),
+	re(`-Wl,-O[0-9]+`),
+ 	re(`-Wl,-d[ny]`),
+ 	re(`-Wl,--disable-new-dtags`),
+-	re(`-Wl,-e[=,][a-zA-Z0-9]*`),
+	re(`-Wl,-e[=,][a-zA-Z0-9]+`),
+ 	re(`-Wl,--enable-new-dtags`),
+ 	re(`-Wl,--end-group`),
+ 	re(`-Wl,--(no-)?export-dynamic`),
+ 	re(`-Wl,-framework,[^,@\-][^,]+`),
+ 	re(`-Wl,-headerpad_max_install_names`),
+ 	re(`-Wl,--no-undefined`),
+-	re(`-Wl,-R([^@\-][^,@]*$)`),
+	re(`-Wl,-R,?([^@\-,][^,@]*$)`),
+ 	re(`-Wl,--just-symbols[=,]([^,@\-][^,@]+)`),
+ 	re(`-Wl,-rpath(-link)?[=,]([^,@\-][^,]+)`),
+ 	re(`-Wl,-s`),
+diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
+index bd707ff..7b0b7d3 100644
+--- a/src/cmd/go/internal/work/security_test.go
+++ b/src/cmd/go/internal/work/security_test.go
+@@ -220,6 +220,11 @@ var badLinkerFlags = [][]string{
+ 	{"-Wl,-R,@foo"},
+ 	{"-Wl,--just-symbols,@foo"},
+ 	{"../x.o"},
+	{"-Wl,-R,"},
+	{"-Wl,-O"},
+	{"-Wl,-e="},
+	{"-Wl,-e,"},
+	{"-Wl,-R,-flag"},
+ }
+ 
+ func TestCheckLinkerFlags(t *testing.T) {
+-- 
+2.25.1
+
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
@@ -0,0 +1,112 @@
+From fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 4 May 2023 14:06:39 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one
+ line per flag
+
+The flags that we recorded in _cgo_flags did not use any quoting,
+so a flag containing embedded spaces was mishandled.
+Change the _cgo_flags format to put each flag on a separate line.
+That is a simple format that does not require any quoting.
+
+As far as I can tell only cmd/go uses _cgo_flags, and it is only
+used for gccgo. If this patch doesn't cause any trouble, then
+in the next release we can change to only using _cgo_flags for gccgo.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60306
+Fixes #60514
+Fixes CVE-2023-29405
+
+Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+---
+Upstream-Status: Backport [https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ src/cmd/cgo/out.go                            |  4 +++-
+ src/cmd/go/internal/work/gccgo.go             | 14 ++++++-------
+ .../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d26f9e76a374a..d0c6fe3d4c2c2 100644
+--- a/src/cmd/cgo/out.go
+++ b/src/cmd/cgo/out.go
+@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
+ 
+ 	fflg := creat(*objDir + "_cgo_flags")
+ 	for k, v := range p.CgoFlags {
+-		fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
+		for _, arg := range v {
+			fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
+		}
+ 		if k == "LDFLAGS" && !*gccgo {
+ 			for _, arg := range v {
+ 				fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
+diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
+index 08a4c2d8166c7..a048b7f4eecef 100644
+--- a/src/cmd/go/internal/work/gccgo.go
+++ b/src/cmd/go/internal/work/gccgo.go
+@@ -280,14 +280,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
+ 		const ldflagsPrefix = "_CGO_LDFLAGS="
+ 		for _, line := range strings.Split(string(flags), "\n") {
+ 			if strings.HasPrefix(line, ldflagsPrefix) {
+-				newFlags := strings.Fields(line[len(ldflagsPrefix):])
+-				for _, flag := range newFlags {
+-					// Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+-					// but they don't mean anything to the linker so filter
+-					// them out.
+-					if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+-						cgoldflags = append(cgoldflags, flag)
+-					}
+				flag := line[len(ldflagsPrefix):]
+				// Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+				// but they don't mean anything to the linker so filter
+				// them out.
+				if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+					cgoldflags = append(cgoldflags, flag)
+ 				}
+ 			}
+ 		}
+diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+new file mode 100644
+index 0000000000000..4e91ae56505b6
+--- /dev/null
+++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+@@ -0,0 +1,20 @@
+# Test that #cgo LDFLAGS are properly quoted.
+# The #cgo LDFLAGS below should pass a string with spaces to -L,
+# as though searching a directory with a space in its name.
+# It should not pass --nosuchoption to the external linker.
+
+[!cgo] skip
+
+go build
+
+[!exec:gccgo] skip
+
+go build -compiler gccgo
+
+-- go.mod --
+module m
+-- cgo.go --
+package main
+// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
+import "C"
+func main() {}
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
@@ -0,0 +1,38 @@
+From 1008486a9ff979dbd21c7466eeb6abf378f9c637 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Tue, 6 Jun 2023 12:51:17 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/cgo: correct _cgo_flags output
+
+For #60306
+For #60514
+
+Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/1008486a9ff979dbd21c7466eeb6abf378f9c637]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+
+ src/cmd/cgo/out.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d0c6fe3d4c2c2..a48f52105628a 100644
+--- a/src/cmd/cgo/out.go
+++ b/src/cmd/cgo/out.go
+@@ -48,7 +48,7 @@ func (p *Package) writeDefs() {
+ 	fflg := creat(*objDir + "_cgo_flags")
+ 	for k, v := range p.CgoFlags {
+ 		for _, arg := range v {
+-			fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
+			fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
+ 		}
+ 		if k == "LDFLAGS" && !*gccgo {
+ 			for _, arg := range v {
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch
@@ -0,0 +1,212 @@
+From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 28 Jun 2023 13:20:08 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before
+ sending
+
+Verify that the Host header we send is valid.
+Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
+adding an X-Evil header to HTTP/1 requests.
+
+Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
+header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
+the header and will go into a retry loop when the server rejects it.
+CL 506995 adds the necessary validation to x/net/http2.
+
+Updates #60374
+Fixes #61075
+For CVE-2023-29406
+
+Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
+Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
+Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b]
+CVE: CVE-2023-29406
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/net/http/http_test.go      | 29 ---------------------
+ src/net/http/request.go        | 47 ++++++++--------------------------
+ src/net/http/request_test.go   | 11 ++------
+ src/net/http/transport_test.go | 18 +++++++++++++
+ 4 files changed, 31 insertions(+), 74 deletions(-)
+
+diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
+index f4ea52d..ea38cb4 100644
+--- a/src/net/http/http_test.go
+++ b/src/net/http/http_test.go
+@@ -49,35 +49,6 @@ func TestForeachHeaderElement(t *testing.T) {
+	}
+ }
+
+-func TestCleanHost(t *testing.T) {
+-	tests := []struct {
+-		in, want string
+-	}{
+-		{"www.google.com", "www.google.com"},
+-		{"www.google.com foo", "www.google.com"},
+-		{"www.google.com/foo", "www.google.com"},
+-		{" first character is a space", ""},
+-		{"[1::6]:8080", "[1::6]:8080"},
+-
+-		// Punycode:
+-		{"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
+-		{"bücher.de", "xn--bcher-kva.de"},
+-		{"bücher.de:8080", "xn--bcher-kva.de:8080"},
+-		// Verify we convert to lowercase before punycode:
+-		{"BÜCHER.de", "xn--bcher-kva.de"},
+-		{"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
+-		// Verify we normalize to NFC before punycode:
+-		{"gophér.nfc", "xn--gophr-esa.nfc"},            // NFC input; no work needed
+-		{"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
+-	}
+-	for _, tt := range tests {
+-		got := cleanHost(tt.in)
+-		if tt.want != got {
+-			t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want)
+-		}
+-	}
+-}
+-
+ // Test that cmd/go doesn't link in the HTTP server.
+ //
+ // This catches accidental dependencies between the HTTP transport and
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index cb2edd2..2706300 100644
+--- a/src/net/http/request.go
+++ b/src/net/http/request.go
+@@ -18,7 +18,6 @@ import (
+	"io/ioutil"
+	"mime"
+	"mime/multipart"
+-	"net"
+	"net/http/httptrace"
+	"net/textproto"
+	"net/url"
+@@ -26,7 +25,8 @@ import (
+	"strconv"
+	"strings"
+	"sync"
+-
+
+	"golang.org/x/net/http/httpguts"
+	"golang.org/x/net/idna"
+ )
+
+@@ -557,12 +557,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+	// is not given, use the host from the request URL.
+	//
+	// Clean the host, in case it arrives with unexpected stuff in it.
+-	host := cleanHost(r.Host)
+	host := r.Host
+	if host == "" {
+		if r.URL == nil {
+			return errMissingHost
+		}
+-		host = cleanHost(r.URL.Host)
+		host = r.URL.Host
+	}
+	host, err = httpguts.PunycodeHostPort(host)
+	if err != nil {
+		return err
+	}
+	if !httpguts.ValidHostHeader(host) {
+		return errors.New("http: invalid Host header")
+	}
+
+	// According to RFC 6874, an HTTP client, proxy, or other
+@@ -717,38 +724,6 @@ func idnaASCII(v string) (string, error) {
+	return idna.Lookup.ToASCII(v)
+ }
+
+-// cleanHost cleans up the host sent in request's Host header.
+-//
+-// It both strips anything after '/' or ' ', and puts the value
+-// into Punycode form, if necessary.
+-//
+-// Ideally we'd clean the Host header according to the spec:
+-//   https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]")
+-//   https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host)
+-//   https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host)
+-// But practically, what we are trying to avoid is the situation in
+-// issue 11206, where a malformed Host header used in the proxy context
+-// would create a bad request. So it is enough to just truncate at the
+-// first offending character.
+-func cleanHost(in string) string {
+-	if i := strings.IndexAny(in, " /"); i != -1 {
+-		in = in[:i]
+-	}
+-	host, port, err := net.SplitHostPort(in)
+-	if err != nil { // input was just a host
+-		a, err := idnaASCII(in)
+-		if err != nil {
+-			return in // garbage in, garbage out
+-		}
+-		return a
+-	}
+-	a, err := idnaASCII(host)
+-	if err != nil {
+-		return in // garbage in, garbage out
+-	}
+-	return net.JoinHostPort(a, port)
+-}
+-
+ // removeZone removes IPv6 zone identifier from host.
+ // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
+ func removeZone(host string) string {
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 461d66e..0d417ff 100644
+--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
+@@ -676,15 +676,8 @@ func TestRequestBadHost(t *testing.T) {
+	}
+	req.Host = "foo.com with spaces"
+	req.URL.Host = "foo.com with spaces"
+-	req.Write(logWrites{t, &got})
+-	want := []string{
+-		"GET /after HTTP/1.1\r\n",
+-		"Host: foo.com\r\n",
+-		"User-Agent: " + DefaultUserAgent + "\r\n",
+-		"\r\n",
+-	}
+-	if !reflect.DeepEqual(got, want) {
+-		t.Errorf("Writes = %q\n  Want = %q", got, want)
+	if err := req.Write(logWrites{t, &got}); err == nil {
+		t.Errorf("Writing request with invalid Host: succeded, want error")
+	}
+ }
+
+diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
+index fa0c370..0afb6b9 100644
+--- a/src/net/http/transport_test.go
+++ b/src/net/http/transport_test.go
+@@ -6249,3 +6249,21 @@ func TestIssue32441(t *testing.T) {
+		t.Error(err)
+	}
+ }
+
+func TestRequestSanitization(t *testing.T) {
+	setParallel(t)
+	defer afterTest(t)
+
+	ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
+		if h, ok := req.Header["X-Evil"]; ok {
+			t.Errorf("request has X-Evil header: %q", h)
+		}
+	})).ts
+	defer ts.Close()
+	req, _ := NewRequest("GET", ts.URL, nil)
+	req.Host = "go.dev\r\nX-Evil:evil"
+	resp, _ := ts.Client().Do(req)
+	if resp != nil {
+		resp.Body.Close()
+	}
+}
+--
+2.25.1
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch
@@ -0,0 +1,175 @@
+From 2300f7ef07718f6be4d8aa8486c7de99836e233f Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 7 Jun 2023 15:27:13 -0700
+Subject: [PATCH] [release-branch.go1.19] crypto/tls: restrict RSA keys in
+ certificates to <= 8192 bits
+
+Extremely large RSA keys in certificate chains can cause a client/server
+to expend significant CPU time verifying signatures. Limit this by
+restricting the size of RSA keys transmitted during handshakes to <=
+8192 bits.
+
+Based on a survey of publicly trusted RSA keys, there are currently only
+three certificates in circulation with keys larger than this, and all
+three appear to be test certificates that are not actively deployed. It
+is possible there are larger keys in use in private PKIs, but we target
+the web PKI, so causing breakage here in the interests of increasing the
+default safety of users of crypto/tls seems reasonable.
+
+Thanks to Mateusz Poliwczak for reporting this issue.
+
+Updates #61460
+Fixes #61579
+Fixes CVE-2023-29409
+
+Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1965487
+Reviewed-on: https://go-review.googlesource.com/c/go/+/514915
+Run-TryBot: David Chase <drchase@google.com>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+TryBot-Bypass: David Chase <drchase@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/2300f7ef07718f6be4d8aa8486c7de99836e233f]
+CVE: CVE-2023-29409
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/crypto/tls/handshake_client.go      |  8 +++
+ src/crypto/tls/handshake_client_test.go | 78 +++++++++++++++++++++++++
+ src/crypto/tls/handshake_server.go      |  4 ++
+ 3 files changed, 90 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
+index 4fb528c..ba33ea1 100644
+--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
+@@ -788,6 +788,10 @@ func (hs *clientHandshakeState) sendFinished(out []byte) error {
+ 	return nil
+ }
+ 
+// maxRSAKeySize is the maximum RSA key size in bits that we are willing
+// to verify the signatures of during a TLS handshake.
+const maxRSAKeySize = 8192
+
+ // verifyServerCertificate parses and verifies the provided chain, setting
+ // c.verifiedChains and c.peerCertificates or sending the appropriate alert.
+ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
+@@ -798,6 +802,10 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
+ 			c.sendAlert(alertBadCertificate)
+ 			return errors.New("tls: failed to parse certificate from server: " + err.Error())
+ 		}
+		if cert.PublicKeyAlgorithm == x509.RSA && cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
+			c.sendAlert(alertBadCertificate)
+			return fmt.Errorf("tls: server sent certificate containing RSA key larger than %d bits", maxRSAKeySize)
+		}
+ 		certs[i] = cert
+ 	}
+ 
+diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
+index 6bd3c37..8d20b2b 100644
+--- a/src/crypto/tls/handshake_client_test.go
+++ b/src/crypto/tls/handshake_client_test.go
+@@ -1984,3 +1984,81 @@ func TestCloseClientConnectionOnIdleServer(t *testing.T) {
+ 		t.Errorf("Error expected, but no error returned")
+ 	}
+ }
+
+// discardConn wraps a net.Conn but discards all writes, but reports that they happened.
+type discardConn struct {
+	net.Conn
+}
+
+func (dc *discardConn) Write(data []byte) (int, error) {
+	return len(data), nil
+}
+
+// largeRSAKeyCertPEM contains a 8193 bit RSA key
+const largeRSAKeyCertPEM = `-----BEGIN CERTIFICATE-----
+MIIInjCCBIWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwd0ZXN0
+aW5nMB4XDTIzMDYwNzIxMjMzNloXDTIzMDYwNzIzMjMzNlowEjEQMA4GA1UEAxMH
+dGVzdGluZzCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAWdHsf6Rh2Ca
+n2SQwn4t4OQrOjbLLdGE1pM6TBKKrHUFy62uEL8atNjlcfXIsa4aEu3xNGiqxqur
+ZectlkZbm0FkaaQ1Wr9oikDY3KfjuaXdPdO/XC/h8AKNxlDOylyXwUSK/CuYb+1j
+gy8yF5QFvVfwW/xwTlHmhUeSkVSQPosfQ6yXNNsmMzkd+ZPWLrfq4R+wiNtwYGu0
+WSBcI/M9o8/vrNLnIppoiBJJ13j9CR1ToEAzOFh9wwRWLY10oZhoh1ONN1KQURx4
+qedzvvP2DSjZbUccdvl2rBGvZpzfOiFdm1FCnxB0c72Cqx+GTHXBFf8bsa7KHky9
+sNO1GUanbq17WoDNgwbY6H51bfShqv0CErxatwWox3we4EcAmFHPVTCYL1oWVMGo
+a3Eth91NZj+b/nGhF9lhHKGzXSv9brmLLkfvM1jA6XhNhA7BQ5Vz67lj2j3XfXdh
+t/BU5pBXbL4Ut4mIhT1YnKXAjX2/LF5RHQTE8Vwkx5JAEKZyUEGOReD/B+7GOrLp
+HduMT9vZAc5aR2k9I8qq1zBAzsL69lyQNAPaDYd1BIAjUety9gAYaSQffCgAgpRO
+Gt+DYvxS+7AT/yEd5h74MU2AH7KrAkbXOtlwupiGwhMVTstncDJWXMJqbBhyHPF8
+3UmZH0hbL4PYmzSj9LDWQQXI2tv6vrCpfts3Cqhqxz9vRpgY7t1Wu6l/r+KxYYz3
+1pcGpPvRmPh0DJm7cPTiXqPnZcPt+ulSaSdlxmd19OnvG5awp0fXhxryZVwuiT8G
+VDkhyARrxYrdjlINsZJZbQjO0t8ketXAELJOnbFXXzeCOosyOHkLwsqOO96AVJA8
+45ZVL5m95ClGy0RSrjVIkXsxTAMVG6SPAqKwk6vmTdRGuSPS4rhgckPVDHmccmuq
+dfnT2YkX+wB2/M3oCgU+s30fAHGkbGZ0pCdNbFYFZLiH0iiMbTDl/0L/z7IdK0nH
+GLHVE7apPraKC6xl6rPWsD2iSfrmtIPQa0+rqbIVvKP5JdfJ8J4alI+OxFw/znQe
+V0/Rez0j22Fe119LZFFSXhRv+ZSvcq20xDwh00mzcumPWpYuCVPozA18yIhC9tNn
+ALHndz0tDseIdy9vC71jQWy9iwri3ueN0DekMMF8JGzI1Z6BAFzgyAx3DkHtwHg7
+B7qD0jPG5hJ5+yt323fYgJsuEAYoZ8/jzZ01pkX8bt+UsVN0DGnSGsI2ktnIIk3J
+l+8krjmUy6EaW79nITwoOqaeHOIp8m3UkjEcoKOYrzHRKqRy+A09rY+m/cAQaafW
+4xp0Zv7qZPLwnu0jsqB4jD8Ll9yPB02ndsoV6U5PeHzTkVhPml19jKUAwFfs7TJg
+kXy+/xFhYVUCAwEAATANBgkqhkiG9w0BAQsFAAOCBAIAAQnZY77pMNeypfpba2WK
+aDasT7dk2JqP0eukJCVPTN24Zca+xJNPdzuBATm/8SdZK9lddIbjSnWRsKvTnO2r
+/rYdlPf3jM5uuJtb8+Uwwe1s+gszelGS9G/lzzq+ehWicRIq2PFcs8o3iQMfENiv
+qILJ+xjcrvms5ZPDNahWkfRx3KCg8Q+/at2n5p7XYjMPYiLKHnDC+RE2b1qT20IZ
+FhuK/fTWLmKbfYFNNga6GC4qcaZJ7x0pbm4SDTYp0tkhzcHzwKhidfNB5J2vNz6l
+Ur6wiYwamFTLqcOwWo7rdvI+sSn05WQBv0QZlzFX+OAu0l7WQ7yU+noOxBhjvHds
+14+r9qcQZg2q9kG+evopYZqYXRUNNlZKo9MRBXhfrISulFAc5lRFQIXMXnglvAu+
+Ipz2gomEAOcOPNNVldhKAU94GAMJd/KfN0ZP7gX3YvPzuYU6XDhag5RTohXLm18w
+5AF+ES3DOQ6ixu3DTf0D+6qrDuK+prdX8ivcdTQVNOQ+MIZeGSc6NWWOTaMGJ3lg
+aZIxJUGdo6E7GBGiC1YTjgFKFbHzek1LRTh/LX3vbSudxwaG0HQxwsU9T4DWiMqa
+Fkf2KteLEUA6HrR+0XlAZrhwoqAmrJ+8lCFX3V0gE9lpENfVHlFXDGyx10DpTB28
+DdjnY3F7EPWNzwf9P3oNT69CKW3Bk6VVr3ROOJtDxVu1ioWo3TaXltQ0VOnap2Pu
+sa5wfrpfwBDuAS9JCDg4ttNp2nW3F7tgXC6xPqw5pvGwUppEw9XNrqV8TZrxduuv
+rQ3NyZ7KSzIpmFlD3UwV/fGfz3UQmHS6Ng1evrUID9DjfYNfRqSGIGjDfxGtYD+j
+Z1gLJZuhjJpNtwBkKRtlNtrCWCJK2hidK/foxwD7kwAPo2I9FjpltxCRywZUs07X
+KwXTfBR9v6ij1LV6K58hFS+8ezZyZ05CeVBFkMQdclTOSfuPxlMkQOtjp8QWDj+F
+j/MYziT5KBkHvcbrjdRtUJIAi4N7zCsPZtjik918AK1WBNRVqPbrgq/XSEXMfuvs
+6JbfK0B76vdBDRtJFC1JsvnIrGbUztxXzyQwFLaR/AjVJqpVlysLWzPKWVX6/+SJ
+u1NQOl2E8P6ycyBsuGnO89p0S4F8cMRcI2X1XQsZ7/q0NBrOMaEp5T3SrWo9GiQ3
+o2SBdbs3Y6MBPBtTu977Z/0RO63J3M5i2tjUiDfrFy7+VRLKr7qQ7JibohyB8QaR
+9tedgjn2f+of7PnP/PEl1cCphUZeHM7QKUMPT8dbqwmKtlYY43EHXcvNOT5IBk3X
+9lwJoZk/B2i+ZMRNSP34ztAwtxmasPt6RAWGQpWCn9qmttAHAnMfDqe7F7jVR6rS
+u58=
+-----END CERTIFICATE-----`
+
+func TestHandshakeRSATooBig(t *testing.T) {
+	testCert, _ := pem.Decode([]byte(largeRSAKeyCertPEM))
+
+	c := &Conn{conn: &discardConn{}, config: testConfig.Clone()}
+
+	expectedErr := "tls: server sent certificate containing RSA key larger than 8192 bits"
+	err := c.verifyServerCertificate([][]byte{testCert.Bytes})
+	if err == nil || err.Error() != expectedErr {
+		t.Errorf("Conn.verifyServerCertificate unexpected error: want %q, got %q", expectedErr, err)
+	}
+
+	expectedErr = "tls: client sent certificate containing RSA key larger than 8192 bits"
+	err = c.processCertsFromClient(Certificate{Certificate: [][]byte{testCert.Bytes}})
+	if err == nil || err.Error() != expectedErr {
+		t.Errorf("Conn.processCertsFromClient unexpected error: want %q, got %q", expectedErr, err)
+	}
+}
+diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
+index b16415a..2e36840 100644
+--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
+@@ -738,6 +738,10 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
+ 			c.sendAlert(alertBadCertificate)
+ 			return errors.New("tls: failed to parse client certificate: " + err.Error())
+ 		}
+		if certs[i].PublicKeyAlgorithm == x509.RSA && certs[i].PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
+			c.sendAlert(alertBadCertificate)
+			return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", maxRSAKeySize)
+		}
+ 	}
+ 
+ 	if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
+-- 
+2.25.1
+
--- a/meta/recipes-devtools/ninja/ninja_1.10.0.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.10.0.bb
@@ -29,3 +29,6 @@ do_install() {
 }

 BBCLASSEXTEND = "native nativesdk"
+
+# This is a different Ninja
+CVE_CHECK_WHITELIST += "CVE-2021-4336"
--- a/Show More
+++ b/Show More