build-appliance-image: Update to scarthgap head revision

(From OE-Core rev: f888dd911529a828820799a7a1b75dfd3a44847c)

Signed-off-by: Steve Sakoman <steve@sakoman.com>

bitbake/lib/bb/data_smart.py

@@ -272,12 +272,9 @@ class VariableHistory(object):
             return
         if 'op' not in loginfo or not loginfo['op']:
             loginfo['op'] = 'set'
-        if 'detail' in loginfo:
-            loginfo['detail'] = str(loginfo['detail'])
         if 'variable' not in loginfo or 'file' not in loginfo:
             raise ValueError("record() missing variable or file.")
         var = loginfo['variable']
-
         if var not in self.variables:
             self.variables[var] = []
         if not isinstance(self.variables[var], list):
@@ -336,7 +333,8 @@ class VariableHistory(object):
                     flag = '[%s] ' % (event['flag'])
                 else:
                     flag = ''
-                o.write("#   %s %s:%s%s\n#     %s\"%s\"\n" % (event['op'], event['file'], event['line'], display_func, flag, re.sub('\n', '\n#     ', event['detail'])))
+                o.write("#   %s %s:%s%s\n#     %s\"%s\"\n" % \
+                    (event['op'], event['file'], event['line'], display_func, flag, re.sub('\n', '\n#     ', str(event['detail']))))
             if len(history) > 1:
                 o.write("# pre-expansion value:\n")
                 o.write('#   "%s"\n' % (commentVal))
@@ -390,7 +388,7 @@ class VariableHistory(object):
             if isset and event['op'] == 'set?':
                 continue
             isset = True
-            items = d.expand(event['detail']).split()
+            items = d.expand(str(event['detail'])).split()
             for item in items:
                 # This is a little crude but is belt-and-braces to avoid us
                 # having to handle every possible operation type specifically

documentation/migration-guides/release-4.0.rst

@@ -26,3 +26,5 @@ Release 4.0 (kirkstone)
    release-notes-4.0.17
    release-notes-4.0.18
    release-notes-4.0.19
+   release-notes-4.0.20
+

documentation/migration-guides/release-5.0.rst

@@ -9,3 +9,4 @@ Release 5.0 (scarthgap)
    release-notes-5.0
    release-notes-5.0.1
    release-notes-5.0.2
+   release-notes-5.0.3

documentation/migration-guides/release-notes-4.0.20.rst

@@ -0,0 +1,130 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Release notes for Yocto-4.0.20 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.20
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  acpica: Fix :cve:`2024-24856`
+-  glib-2.0: Fix :cve:`2024-34397`
+-  gstreamer1.0-plugins-base: Fix :cve:`2024-4453`
+-  libxml2: Fix :cve:`2024-34459`
+-  openssh: fix :cve:`2024-6387`
+-  openssl: Fix :cve_mitre:`2024-4741` and :cve:`2024-5535`
+-  ruby: fix :cve:`2024-27280`
+-  wget: Fix for :cve:`2024-38428`
+
+
+Fixes in Yocto-4.0.20
+~~~~~~~~~~~~~~~~~~~~~
+
+-  bitbake: tests/fetch: Tweak test to match upstream repo url change Upstream changed their urls, update our test to match.
+-  build-appliance-image: Update to kirkstone head revision
+-  glibc-tests: Add missing bash ptest dependency
+-  glibc-tests: correctly pull in the actual tests when installing -ptest package
+-  glibc: stable 2.35 branch updates
+-  gobject-introspection: Do not hardcode objdump name
+-  linuxloader: add -armhf on arm only for :term:`TARGET_FPU` 'hard'
+-  man-pages: add an alternative link name for crypt_r.3
+-  man-pages: remove conflict pages
+-  migration-guides: add release notes for 4.0.19
+-  openssl: Upgrade 3.0.13 -> 3.0.14
+-  poky.conf: bump version for 4.0.20
+
+
+Known Issues in Yocto-4.0.20
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.20
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Archana Polampalli
+-  Changqing Li
+-  Deepthi Hemraj
+-  Jonas Gorski
+-  Jose Quaresma
+-  Khem Raj
+-  Lee Chee Yang
+-  Peter Marko
+-  Poonam Jadhav
+-  Siddharth Doshi
+-  Steve Sakoman
+-  Thomas Perrot
+-  Vijay Anusuri
+-  Yogita Urade
+
+
+Repositories / Downloads for Yocto-4.0.20
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.20 </poky/log/?h=yocto-4.0.20>`
+-  Git Revision: :yocto_git:`6bd3969d32730538608e680653e032e66958fe84 </poky/commit/?id=6bd3969d32730538608e680653e032e66958fe84>`
+-  Release Artefact: poky-6bd3969d32730538608e680653e032e66958fe84
+-  sha: b7ef1bd5ba1af257c4eb07a59b51d69e147723aea010eb2da99ea30dcbbbe2d9
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.20/poky-6bd3969d32730538608e680653e032e66958fe84.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.20/poky-6bd3969d32730538608e680653e032e66958fe84.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.20 </openembedded-core/log/?h=yocto-4.0.20>`
+-  Git Revision: :oe_git:`5d97b0576e98a2cf402abab1a1edcab223545d87 </openembedded-core/commit/?id=5d97b0576e98a2cf402abab1a1edcab223545d87>`
+-  Release Artefact: oecore-5d97b0576e98a2cf402abab1a1edcab223545d87
+-  sha: 4064a32b8ff1ad8a98aa15e75b27585d2b27236c8cdfa4a28af6d6fef99b93c0
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.20/oecore-5d97b0576e98a2cf402abab1a1edcab223545d87.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.20/oecore-5d97b0576e98a2cf402abab1a1edcab223545d87.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.20 </meta-mingw/log/?h=yocto-4.0.20>`
+-  Git Revision: :yocto_git:`f6b38ce3c90e1600d41c2ebb41e152936a0357d7 </meta-mingw/commit/?id=f6b38ce3c90e1600d41c2ebb41e152936a0357d7>`
+-  Release Artefact: meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7
+-  sha: 7d57167c19077f4ab95623d55a24c2267a3a3fb5ed83688659b4c03586373b25
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.20/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.20/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.20 </meta-gplv2/log/?h=yocto-4.0.20>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.20/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.20/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.20 </bitbake/log/?h=yocto-4.0.20>`
+-  Git Revision: :oe_git:`734b0ea3dfe45eb16ee60f0c2c388e22af4040e0 </bitbake/commit/?id=734b0ea3dfe45eb16ee60f0c2c388e22af4040e0>`
+-  Release Artefact: bitbake-734b0ea3dfe45eb16ee60f0c2c388e22af4040e0
+-  sha: 99f4c6786fec790fd6c4577b5dea3c97c580cc4815bd409ce554a68ee99b0180
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.20/bitbake-734b0ea3dfe45eb16ee60f0c2c388e22af4040e0.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.20/bitbake-734b0ea3dfe45eb16ee60f0c2c388e22af4040e0.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.20 </yocto-docs/log/?h=yocto-4.0.20>`
+-  Git Revision: :yocto_git:`b15b1d369edf33cd91232fefa0278e7e89653a01 </yocto-docs/commit/?id=b15b1d369edf33cd91232fefa0278e7e89653a01>`
+

documentation/ref-manual/features.rst

@@ -146,7 +146,7 @@ metadata, as extra layers can define their own:
 
 -  *directfb:* Include DirectFB support.
 
--  *ext2:* Include tools for supporting for devices with internal
+-  *ext2:* Include tools for supporting devices with internal
    HDD/Microdrive for storing files (instead of Flash only devices).
 
 -  *gobject-introspection-data:* Include data to support
@@ -197,6 +197,10 @@ metadata, as extra layers can define their own:
 
 -  *pcmcia:* Include PCMCIA/CompactFlash support.
 
+-  *pni-names:* Enable generation of persistent network interface names, i.e.
+   the system tries hard to have the same but unique names for the network
+   interfaces even after a reinstall.
+
 -  *polkit:* Include :wikipedia:`Polkit <Polkit>` support.
 
 -  *ppp:* Include PPP dialup support.

documentation/ref-manual/variables.rst

@@ -8536,6 +8536,35 @@ system and gives an overview of their function and contents.
              /sysroot-only \
              "
 
+      Consider the following example in which you need to manipulate this variable.
+      Assume you have a recipe ``A`` that provides a shared library ``.so.*`` that is
+      installed into a custom folder other than "``${libdir}``"
+      or "``${base_libdir}``", let's say "``/opt/lib``".
+
+      .. note::
+
+         This is not a recommended way to deal with shared libraries, but this
+         is just to show the usefulness of setting :term:`SYSROOT_DIRS`.
+
+      When a recipe ``B`` :term:`DEPENDS` on ``A``, it means what is in
+      :term:`SYSROOT_DIRS` will be copied from :term:`D` of the recipe ``A``
+      into ``B``'s :term:`SYSROOT_DESTDIR` that is "``${WORKDIR}/sysroot-destdir``".
+
+      Now, since ``/opt/lib`` is not in :term:`SYSROOT_DIRS`, it will never be copied to
+      ``A``'s :term:`RECIPE_SYSROOT`, which is "``${WORKDIR}/recipe-sysroot``". So,
+      the linking process will fail.
+
+      To fix this, you need to add ``/opt/lib`` to :term:`SYSROOT_DIRS`::
+
+         SYSROOT_DIRS:append = " /opt/lib"
+
+      .. note::
+         Even after setting ``/opt/lib`` to :term:`SYSROOT_DIRS`, the linking process will still fail
+         because the linker does not know that location, since :term:`TARGET_LDFLAGS`
+         doesn't contain it (if your recipe is for the target). Therefore, so you should add::
+
+            TARGET_LDFLAGS:append = " -L${RECIPE_SYSROOT}/opt/lib"
+
    :term:`SYSROOT_DIRS_IGNORE`
       Directories that are not staged into the sysroot by the
       :ref:`ref-tasks-populate_sysroot` task. You
@@ -8559,35 +8588,6 @@ system and gives an overview of their function and contents.
              ${libdir}/${BPN}/ptest \
              "
 
-      Consider the following example in which you need to manipulate this variable.
-      Assume you have a recipe ``A`` that provides a shared library ``.so.*`` that is
-      installed into a custom folder other than "``${libdir}``"
-      or "``${base_libdir}``", let's say "``/opt/lib``".
-
-      .. note::
-
-         This is not a recommended way to deal with shared libraries, but this
-         is just to show the usefulness of setting :term:`SYSROOT_DIRS`.
-
-      When a recipe ``B`` :term:`DEPENDS` on ``A``, it means what is in
-      :term:`SYSROOT_DIRS` will be copied from :term:`D` of the recipe ``B``
-      into ``B``'s :term:`SYSROOT_DESTDIR` that is "``${WORKDIR}/sysroot-destdir``".
-
-      Now, since ``/opt/lib`` is not in :term:`SYSROOT_DIRS`, it will never be copied to
-      ``A``'s :term:`RECIPE_SYSROOT`, which is "``${WORKDIR}/recipe-sysroot``". So,
-      the linking process will fail.
-
-      To fix this, you need to add ``/opt/lib`` to :term:`SYSROOT_DIRS`::
-
-         SYSROOT_DIRS:append = " /opt/lib"
-
-      .. note::
-         Even after setting ``/opt/lib`` to :term:`SYSROOT_DIRS`, the linking process will still fail
-         because the linker does not know that location, since :term:`TARGET_LDFLAGS`
-         doesn't contain it (if your recipe is for the target). Therefore, so you should add::
-
-            TARGET_LDFLAGS:append = " -L${RECIPE_SYSROOT}/opt/lib"
-
    :term:`SYSROOT_DIRS_NATIVE`
       Extra directories staged into the sysroot by the
       :ref:`ref-tasks-populate_sysroot` task for

meta-poky/conf/distro/poky.conf

@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "5.0.3"
+DISTRO_VERSION = "5.0.4"
 DISTRO_CODENAME = "scarthgap"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"

meta/classes-global/sstate.bbclass

@@ -161,7 +161,10 @@ python () {
     d.setVar('SSTATETASKS', " ".join(unique_tasks))
     for task in unique_tasks:
         d.prependVarFlag(task, 'prefuncs', "sstate_task_prefunc ")
-        d.appendVarFlag(task, 'postfuncs', " sstate_task_postfunc")
+        # Generally sstate should be last, execpt for buildhistory functions
+        postfuncs = (d.getVarFlag(task, 'postfuncs') or "").split()
+        newpostfuncs = [p for p in postfuncs if "buildhistory" not in p] + ["sstate_task_postfunc"] + [p for p in postfuncs if "buildhistory" in p]
+        d.setVarFlag(task, 'postfuncs', " ".join(newpostfuncs))
         d.setVarFlag(task, 'network', '1')
         d.setVarFlag(task + "_setscene", 'network', '1')
 }

meta/classes-recipe/image_types.bbclass

@@ -335,8 +335,8 @@ CONVERSION_CMD:lzma = "lzma -k -f -7 ${IMAGE_NAME}.${type}"
 CONVERSION_CMD:gz = "gzip -f -9 -n -c --rsyncable ${IMAGE_NAME}.${type} > ${IMAGE_NAME}.${type}.gz"
 CONVERSION_CMD:bz2 = "pbzip2 -f -k ${IMAGE_NAME}.${type}"
 CONVERSION_CMD:xz = "xz -f -k -c ${XZ_COMPRESSION_LEVEL} ${XZ_DEFAULTS} --check=${XZ_INTEGRITY_CHECK} ${IMAGE_NAME}.${type} > ${IMAGE_NAME}.${type}.xz"
-CONVERSION_CMD:lz4 = "lz4 -9 -z -l ${IMAGE_NAME}.${type} ${IMAGE_NAME}.${type}.lz4"
-CONVERSION_CMD:lzo = "lzop -9 ${IMAGE_NAME}.${type}"
+CONVERSION_CMD:lz4 = "lz4 -f -9 -z -l ${IMAGE_NAME}.${type} ${IMAGE_NAME}.${type}.lz4"
+CONVERSION_CMD:lzo = "lzop -f -9 ${IMAGE_NAME}.${type}"
 CONVERSION_CMD:zip = "zip ${ZIP_COMPRESSION_LEVEL} ${IMAGE_NAME}.${type}.zip ${IMAGE_NAME}.${type}"
 CONVERSION_CMD:7zip = "7za a -mx=${7ZIP_COMPRESSION_LEVEL} -mm=${7ZIP_COMPRESSION_METHOD} ${IMAGE_NAME}.${type}.${7ZIP_EXTENSION} ${IMAGE_NAME}.${type}"
 CONVERSION_CMD:zst = "zstd -f -k -c ${ZSTD_DEFAULTS} ${IMAGE_NAME}.${type} > ${IMAGE_NAME}.${type}.zst"

meta/classes-recipe/populate_sdk_ext.bbclass

@@ -732,7 +732,7 @@ sdk_ext_postinst() {
 		echo "# Save and reset OECORE_NATIVE_SYSROOT as buildtools may change it" >> $env_setup_script
 		echo "SAVED=\"\$OECORE_NATIVE_SYSROOT\"" >> $env_setup_script
 		echo ". $target_sdk_dir/buildtools/environment-setup*" >> $env_setup_script
-		echo "OECORE_NATIVE_SYSROOT=\"\$SAVED\"" >> $env_setup_script
+		echo "export OECORE_NATIVE_SYSROOT=\"\$SAVED\"" >> $env_setup_script
 	fi
 
 	# Allow bitbake environment setup to be ran as part of this sdk.

meta/classes-recipe/qemuboot.bbclass

@@ -129,7 +129,8 @@ addtask do_write_qemuboot_conf after do_rootfs before do_image
 
 def qemuboot_vars(d):
     build_vars = ['MACHINE', 'TUNE_ARCH', 'DEPLOY_DIR_IMAGE',
-                'KERNEL_IMAGETYPE', 'IMAGE_NAME', 'IMAGE_LINK_NAME',
+                'KERNEL_IMAGETYPE', 'KERNEL_IMAGE_NAME',
+                'KERNEL_IMAGE_BIN_EXT', 'IMAGE_NAME', 'IMAGE_LINK_NAME',
                 'STAGING_DIR_NATIVE', 'STAGING_BINDIR_NATIVE',
                 'STAGING_DIR_HOST', 'SERIAL_CONSOLES', 'UNINATIVE_LOADER']
     return build_vars + [k for k in d.keys() if k.startswith('QB_')]

meta/classes/buildhistory.bbclass

@@ -47,11 +47,18 @@ BUILDHISTORY_PUSH_REPO ?= ""
 BUILDHISTORY_TAG ?= "build"
 BUILDHISTORY_PATH_PREFIX_STRIP ?= ""
 
-SSTATEPOSTINSTFUNCS:append = " buildhistory_emit_pkghistory"
-# We want to avoid influencing the signatures of sstate tasks - first the function itself:
-sstate_install[vardepsexclude] += "buildhistory_emit_pkghistory"
-# then the value added to SSTATEPOSTINSTFUNCS:
-SSTATEPOSTINSTFUNCS[vardepvalueexclude] .= "| buildhistory_emit_pkghistory"
+# We want to avoid influencing the signatures of the task so use vardepsexclude
+do_populate_sysroot[postfuncs] += "buildhistory_emit_sysroot"
+do_populate_sysroot_setscene[postfuncs] += "buildhistory_emit_sysroot"
+do_populate_sysroot[vardepsexclude] += "buildhistory_emit_sysroot"
+
+do_package[postfuncs] += "buildhistory_list_pkg_files"
+do_package_setscene[postfuncs] += "buildhistory_list_pkg_files"
+do_package[vardepsexclude] += "buildhistory_list_pkg_files"
+
+do_packagedata[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata_setscene[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata[vardepsexclude] += "buildhistory_emit_pkghistory"
 
 # Similarly for our function that gets the output signatures
 SSTATEPOSTUNPACKFUNCS:append = " buildhistory_emit_outputsigs"
@@ -91,25 +98,14 @@ buildhistory_emit_sysroot() {
 # Write out metadata about this package for comparison when writing future packages
 #
 python buildhistory_emit_pkghistory() {
-    if d.getVar('BB_CURRENTTASK') in ['populate_sysroot', 'populate_sysroot_setscene']:
-        bb.build.exec_func("buildhistory_emit_sysroot", d)
-        return 0
-
-    if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
-        return 0
-
-    if d.getVar('BB_CURRENTTASK') in ['package', 'package_setscene']:
-        # Create files-in-<package-name>.txt files containing a list of files of each recipe's package
-        bb.build.exec_func("buildhistory_list_pkg_files", d)
-        return 0
-
-    if not d.getVar('BB_CURRENTTASK') in ['packagedata', 'packagedata_setscene']:
-        return 0
-
     import re
     import json
     import shlex
     import errno
+    import shutil
+
+    if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
+        return 0
 
     pkghistdir = d.getVar('BUILDHISTORY_DIR_PACKAGE')
     oldpkghistdir = d.getVar('BUILDHISTORY_OLD_DIR_PACKAGE')
@@ -223,6 +219,20 @@ python buildhistory_emit_pkghistory() {
         items.sort()
         return ' '.join(items)
 
+    def preservebuildhistoryfiles(pkg, preserve):
+        if os.path.exists(os.path.join(oldpkghistdir, pkg)):
+            listofobjs = os.listdir(os.path.join(oldpkghistdir, pkg))
+            for obj in listofobjs:
+                if obj not in preserve:
+                    continue
+                try:
+                    bb.utils.mkdirhier(os.path.join(pkghistdir, pkg))
+                    shutil.copyfile(os.path.join(oldpkghistdir, pkg, obj), os.path.join(pkghistdir, pkg, obj))
+                except IOError as e:
+                    bb.note("Unable to copy file. %s" % e)
+                except EnvironmentError as e:
+                    bb.note("Unable to copy file. %s" % e)
+
     pn = d.getVar('PN')
     pe = d.getVar('PE') or "0"
     pv = d.getVar('PV')
@@ -250,6 +260,14 @@ python buildhistory_emit_pkghistory() {
     if not os.path.exists(pkghistdir):
         bb.utils.mkdirhier(pkghistdir)
     else:
+        # We need to make sure that all files kept in
+        # buildhistory/old are restored successfully
+        # otherwise next block of code wont have files to
+        # check and purge
+        if d.getVar("BUILDHISTORY_RESET"):
+            for pkg in packagelist:
+                preservebuildhistoryfiles(pkg, preserve)
+
         # Remove files for packages that no longer exist
         for item in os.listdir(pkghistdir):
             if item not in preserve:
@@ -598,16 +616,17 @@ buildhistory_list_files_no_owners() {
 }
 
 buildhistory_list_pkg_files() {
+	if [ "${@bb.utils.contains('BUILDHISTORY_FEATURES', 'package', '1', '0', d)}" = "0" ] ; then
+		return
+	fi
+
 	# Create individual files-in-package for each recipe's package
-	for pkgdir in $(find ${PKGDEST}/* -maxdepth 0 -type d); do
+	pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d)
+	for pkgdir in $pkgdirlist; do
 		pkgname=$(basename $pkgdir)
 		outfolder="${BUILDHISTORY_DIR_PACKAGE}/$pkgname"
 		outfile="$outfolder/files-in-package.txt"
-		# Make sure the output folder exists so we can create the file
-		if [ ! -d $outfolder ] ; then
-			bbdebug 2 "Folder $outfolder does not exist, file $outfile not created"
-			continue
-		fi
+		mkdir -p $outfolder
 		buildhistory_list_files $pkgdir $outfile fakeroot
 	done
 }

meta/classes/create-spdx-2.2.bbclass

@@ -315,7 +315,8 @@ def add_package_sources_from_debug(d, package_doc, spdx_package, package, packag
                     debugsrc_path = search / debugsrc.replace('/usr/src/kernel/', '')
                 else:
                     debugsrc_path = search / debugsrc.lstrip("/")
-                if not debugsrc_path.exists():
+                # We can only hash files below, skip directories, links, etc.
+                if not os.path.isfile(debugsrc_path):
                     continue
 
                 file_sha256 = bb.utils.sha256_file(debugsrc_path)

meta/conf/distro/include/maintainers.inc

@@ -697,12 +697,12 @@ RECIPE_MAINTAINER:pn-python3-rpds-py = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-ruamel-yaml = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-python3-scons = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-semantic-version = "Tim Orling <tim.orling@konsulko.com>"
-RECIPE_MAINTAINER:pn-python3-setuptools = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-python3-setuptools = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-setuptools-rust = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-setuptools-scm = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-six = "Zang Ruochen <zangruochen@loongson.cn>"
 RECIPE_MAINTAINER:pn-python3-smartypants = "Alexander Kanavin <alex.kanavin@gmail.com>"
-RECIPE_MAINTAINER:pn-python3-smmap = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-python3-smmap = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-snowballstemmer = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-sortedcontainers = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-spdx-tools = "Marta Rybczynska <mrybczynska@syslinbit.com>"
@@ -715,8 +715,8 @@ RECIPE_MAINTAINER:pn-python3-sphinxcontrib-jquery = "Tim Orling <tim.orling@kons
 RECIPE_MAINTAINER:pn-python3-sphinxcontrib-qthelp = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-sphinxcontrib-serializinghtml = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-sphinx-rtd-theme = "Tim Orling <tim.orling@konsulko.com>"
-RECIPE_MAINTAINER:pn-python3-subunit = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-python3-testtools = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-python3-subunit = "Trevor Gamblin <tgamblin@baylibre.com>"
+RECIPE_MAINTAINER:pn-python3-testtools = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-toml = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-tomli = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-trove-classifiers = "Trevor Gamblin <tgamblin@baylibre.com>"

meta/conf/distro/include/yocto-uninative.inc

@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.39"
-UNINATIVE_VERSION = "4.5"
+UNINATIVE_MAXGLIBCVERSION = "2.40"
+UNINATIVE_VERSION = "4.6"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "df2e29e2e6feb187a3499abf3b1322a3b251da819c77a7b19d4fe952351365ab"
-UNINATIVE_CHECKSUM[i686] ?= "8ef3eda53428b484c20157f6ec3c130b03080b3d4b3889067e0e184e05102d35"
-UNINATIVE_CHECKSUM[x86_64] ?= "43ee6a25bcf5fce16ea87076d6a96e79ead6ced90690a058d07432f902773473"
+UNINATIVE_CHECKSUM[aarch64] ?= "c2d36338272eba101580f648dd8dff5352cdb4c1809db7dedf8fc4d7e7df716c"
+UNINATIVE_CHECKSUM[i686] ?= "0041584678109c18deca48fb59eaf14cf725cf024a170ab537b354b63240c504"
+UNINATIVE_CHECKSUM[x86_64] ?= "6bf00154c5a7bc48adbf63fd17684bb87eb07f4814fbb482a3fbd817c1ccf4c5"

meta/lib/oeqa/runtime/cases/ssh.py

@@ -4,6 +4,9 @@
 # SPDX-License-Identifier: MIT
 #
 
+import time
+import signal
+
 from oeqa.runtime.case import OERuntimeTestCase
 from oeqa.core.decorator.depends import OETestDepends
 from oeqa.runtime.decorator.package import OEHasPackage
@@ -13,12 +16,22 @@ class SSHTest(OERuntimeTestCase):
     @OETestDepends(['ping.PingTest.test_ping'])
     @OEHasPackage(['dropbear', 'openssh-sshd'])
     def test_ssh(self):
-        (status, output) = self.target.run('sleep 20', timeout=2)
-        msg='run() timed out but return code was zero.'
-        self.assertNotEqual(status, 0, msg=msg)
-        (status, output) = self.target.run('uname -a')
-        self.assertEqual(status, 0, msg='SSH Test failed: %s' % output)
-        (status, output) = self.target.run('cat /etc/controllerimage')
-        msg = "This isn't the right image  - /etc/controllerimage " \
-              "shouldn't be here %s" % output
-        self.assertEqual(status, 1, msg=msg)
+        for i in range(20):
+          status, output = self.target.run("uname -a", timeout=5)
+          if status == 0:
+              break
+          elif status == 255 or status == -signal.SIGTERM:
+              # ssh returns 255 only if a ssh error occurs.  This could
+              # be an issue with "Connection refused" because the port
+              # isn't open yet, and this could check explicitly for that
+              # here.  However, let's keep it simple and just retry for
+              # all errors a limited amount of times with a sleep to
+              # give it time for the port to open.
+              # We sometimes see -15 (SIGTERM) on slow emulation machines too, likely
+              # from boot/init not being 100% complete, retry for these too.
+              time.sleep(5)
+              continue
+          else:
+              self.fail("uname failed with \"%s\" (exit code %s)" % (output, status))
+        if status != 0:
+            self.fail("ssh failed with \"%s\" (exit code %s)" % (output, status))

meta/lib/oeqa/selftest/cases/reproducible.py

@@ -133,7 +133,8 @@ class ReproducibleTests(OESelftestTestCase):
     max_report_size = 250 * 1024 * 1024
 
     # targets are the things we want to test the reproducibility of
-    targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'core-image-weston', 'world']
+    # Have to add the virtual targets manually for now as builds may or may not include them as they're exclude from world
+    targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'core-image-weston', 'world', 'virtual/librpc', 'virtual/libsdl2', 'virtual/crypt']
 
     # sstate targets are things to pull from sstate to potentially cut build/debugging time
     sstate_targets = []

meta/lib/oeqa/utils/postactions.py

@@ -62,17 +62,16 @@ def get_artifacts_list(target, raw_list):
     return result
 
 def retrieve_test_artifacts(target, artifacts_list, target_dir):
+    import io, subprocess
     local_artifacts_dir = os.path.join(target_dir, "artifacts")
-    for artifact_path in artifacts_list:
-        if not os.path.isabs(artifact_path):
-            bb.warn(f"{artifact_path} is not an absolute path")
-            continue
-        try:
-            dest_dir = os.path.join(local_artifacts_dir, os.path.dirname(artifact_path[1:]))
-            os.makedirs(dest_dir, exist_ok=True)
-            target.copyFrom(artifact_path, dest_dir)
-        except Exception as e:
-            bb.warn(f"Can not retrieve {artifact_path} from test target: {e}")
+    try:
+        cmd = "tar zcf - " + " ".join(artifacts_list)
+        (status, output) = target.run(cmd, raw = True)
+        if status != 0 or not output:
+            raise Exception("Error while fetching compressed artifacts")
+        p = subprocess.run(["tar", "zxf", "-", "-C", local_artifacts_dir], input=output)
+    except Exception as e:
+        bb.warn(f"Can not retrieve artifacts from test target: {e}")
 
 def list_and_fetch_failed_tests_artifacts(d, tc):
     artifacts_list = get_artifacts_list(tc.target, d.getVar("TESTIMAGE_FAILED_QA_ARTIFACTS"))

meta/recipes-bsp/u-boot/u-boot-configure.inc

@@ -18,23 +18,35 @@ do_configure () {
             for type in ${UBOOT_CONFIG}; do
                 j=$(expr $j + 1);
                 if [ $j -eq $i ]; then
-                    oe_runmake -C ${S} O=${B}/${config} ${config}
-                    if [ -n "${@' '.join(find_cfgs(d))}" ]; then
-                        merge_config.sh -m -O ${B}/${config} ${B}/${config}/.config ${@" ".join(find_cfgs(d))}
-                        oe_runmake -C ${S} O=${B}/${config} oldconfig
-                    fi
+                    uboot_configure_config $config $type
                 fi
             done
             unset j
         done
         unset i
     else
-        if [ -n "${UBOOT_MACHINE}" ]; then
-            oe_runmake -C ${S} O=${B} ${UBOOT_MACHINE}
-        else
-            oe_runmake -C ${S} O=${B} oldconfig
-        fi
-        merge_config.sh -m .config ${@" ".join(find_cfgs(d))}
-        cml1_do_configure
+        uboot_configure
     fi
 }
+
+uboot_configure_config () {
+    config=$1
+    type=$2
+
+    oe_runmake -C ${S} O=${B}/${config} ${config}
+    if [ -n "${@' '.join(find_cfgs(d))}" ]; then
+        merge_config.sh -m -O ${B}/${config} ${B}/${config}/.config ${@" ".join(find_cfgs(d))}
+        oe_runmake -C ${S} O=${B}/${config} oldconfig
+    fi
+}
+
+uboot_configure () {
+    if [ -n "${UBOOT_MACHINE}" ]; then
+        oe_runmake -C ${S} O=${B} ${UBOOT_MACHINE}
+    else
+        oe_runmake -C ${S} O=${B} oldconfig
+    fi
+    merge_config.sh -m .config ${@" ".join(find_cfgs(d))}
+    cml1_do_configure
+}
+

meta/recipes-bsp/u-boot/u-boot.inc

@@ -54,40 +54,21 @@ do_compile () {
 
     if [ -n "${UBOOT_CONFIG}" -o -n "${UBOOT_DELTA_CONFIG}" ]
     then
-        unset i j k
+        unset i j
         for config in ${UBOOT_MACHINE}; do
             i=$(expr $i + 1);
             for type in ${UBOOT_CONFIG}; do
                 j=$(expr $j + 1);
                 if [ $j -eq $i ]
                 then
-                    oe_runmake -C ${S} O=${B}/${config} ${UBOOT_MAKE_TARGET}
-                    for binary in ${UBOOT_BINARIES}; do
-                        k=$(expr $k + 1);
-                        if [ $k -eq $i ]; then
-                            cp ${B}/${config}/${binary} ${B}/${config}/${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
-                        fi
-                    done
-
-                    # Generate the uboot-initial-env
-                    if [ -n "${UBOOT_INITIAL_ENV}" ]; then
-                        oe_runmake -C ${S} O=${B}/${config} u-boot-initial-env
-                        cp ${B}/${config}/u-boot-initial-env ${B}/${config}/u-boot-initial-env-${type}
-                    fi
-
-                    unset k
+                    uboot_compile_config $i $config $type
                 fi
             done
             unset j
         done
         unset i
     else
-        oe_runmake -C ${S} O=${B} ${UBOOT_MAKE_TARGET}
-
-        # Generate the uboot-initial-env
-        if [ -n "${UBOOT_INITIAL_ENV}" ]; then
-            oe_runmake -C ${S} O=${B} u-boot-initial-env
-        fi
+        uboot_compile
     fi
 
     if [ -n "${UBOOT_ENV}" ] && [ "${UBOOT_ENV_SUFFIX}" = "scr" ]
@@ -96,6 +77,46 @@ do_compile () {
     fi
 }
 
+uboot_compile_config () {
+    i=$1
+    config=$2
+    type=$3
+
+    oe_runmake -C ${S} O=${B}/${config} ${UBOOT_MAKE_TARGET}
+
+    unset k
+    for binary in ${UBOOT_BINARIES}; do
+        k=$(expr $k + 1);
+        if [ $k -eq $i ]; then
+            uboot_compile_config_copy_binary $config $type $binary
+        fi
+    done
+    unset k
+
+    # Generate the uboot-initial-env
+    if [ -n "${UBOOT_INITIAL_ENV}" ]; then
+        oe_runmake -C ${S} O=${B}/${config} u-boot-initial-env
+        cp ${B}/${config}/u-boot-initial-env ${B}/${config}/u-boot-initial-env-${type}
+    fi
+}
+
+uboot_compile_config_copy_binary () {
+    config=$1
+    type=$2
+    binary=$3
+
+    cp ${B}/${config}/${binary} ${B}/${config}/${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
+}
+
+uboot_compile () {
+    oe_runmake -C ${S} O=${B} ${UBOOT_MAKE_TARGET}
+
+    # Generate the uboot-initial-env
+    if [ -n "${UBOOT_INITIAL_ENV}" ]; then
+        oe_runmake -C ${S} O=${B} u-boot-initial-env
+    fi
+}
+
 do_install () {
     if [ -n "${UBOOT_CONFIG}" ]
     then
@@ -105,32 +126,14 @@ do_install () {
                 j=$(expr $j + 1);
                 if [ $j -eq $i ]
                 then
-                    install -D -m 644 ${B}/${config}/${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX} ${D}/boot/${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
-                    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${D}/boot/${UBOOT_BINARY}-${type}
-                    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${D}/boot/${UBOOT_BINARY}
-
-                    # Install the uboot-initial-env
-                    if [ -n "${UBOOT_INITIAL_ENV}" ]; then
-                        install -D -m 644 ${B}/${config}/u-boot-initial-env-${type} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR}
-                        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${MACHINE}-${type}
-                        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${type}
-                        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}
-                    fi
+                    uboot_install_config $config $type
                 fi
             done
             unset j
         done
         unset i
     else
-        install -D -m 644 ${B}/${UBOOT_BINARY} ${D}/boot/${UBOOT_IMAGE}
-        ln -sf ${UBOOT_IMAGE} ${D}/boot/${UBOOT_BINARY}
-
-        # Install the uboot-initial-env
-        if [ -n "${UBOOT_INITIAL_ENV}" ]; then
-            install -D -m 644 ${B}/u-boot-initial-env ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR}
-            ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${MACHINE}
-            ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}
-        fi
+        uboot_install
     fi
 
     if [ -n "${UBOOT_ELF}" ]
@@ -143,17 +146,14 @@ do_install () {
                     j=$(expr $j + 1);
                     if [ $j -eq $i ]
                     then
-                        install -m 644 ${B}/${config}/${UBOOT_ELF} ${D}/boot/u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX}
-                        ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${D}/boot/${UBOOT_BINARY}-${type}
-                        ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${D}/boot/${UBOOT_BINARY}
+                        uboot_install_elf_config $config $type
                     fi
                 done
                 unset j
             done
             unset i
         else
-            install -m 644 ${B}/${UBOOT_ELF} ${D}/boot/${UBOOT_ELF_IMAGE}
-            ln -sf ${UBOOT_ELF_IMAGE} ${D}/boot/${UBOOT_ELF_BINARY}
+            uboot_install_elf
         fi
     fi
 
@@ -172,17 +172,14 @@ do_install () {
                     j=$(expr $j + 1);
                     if [ $j -eq $i ]
                     then
-                         install -m 644 ${B}/${config}/${SPL_BINARY} ${D}/boot/${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX}
-                         ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${D}/boot/${SPL_BINARYFILE}-${type}
-                         ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${D}/boot/${SPL_BINARYFILE}
+                        uboot_install_spl_config $config $type
                     fi
                 done
                 unset j
             done
             unset i
         else
-            install -m 644 ${B}/${SPL_BINARY} ${D}/boot/${SPL_IMAGE}
-            ln -sf ${SPL_IMAGE} ${D}/boot/${SPL_BINARYFILE}
+            uboot_install_spl
         fi
     fi
 
@@ -198,6 +195,63 @@ do_install () {
     fi
 }
 
+uboot_install_config () {
+    config=$1
+    type=$2
+
+    install -D -m 644 ${B}/${config}/${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX} ${D}/boot/${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
+    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${D}/boot/${UBOOT_BINARY}-${type}
+    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${D}/boot/${UBOOT_BINARY}
+
+    # Install the uboot-initial-env
+    if [ -n "${UBOOT_INITIAL_ENV}" ]; then
+        install -D -m 644 ${B}/${config}/u-boot-initial-env-${type} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR}
+        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${MACHINE}-${type}
+        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${type}
+        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}
+    fi
+}
+
+uboot_install () {
+    install -D -m 644 ${B}/${UBOOT_BINARY} ${D}/boot/${UBOOT_IMAGE}
+    ln -sf ${UBOOT_IMAGE} ${D}/boot/${UBOOT_BINARY}
+
+    # Install the uboot-initial-env
+    if [ -n "${UBOOT_INITIAL_ENV}" ]; then
+        install -D -m 644 ${B}/u-boot-initial-env ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR}
+        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}-${MACHINE}
+        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR} ${D}/${sysconfdir}/${UBOOT_INITIAL_ENV}
+    fi
+}
+
+uboot_install_elf_config () {
+    config=$1
+    type=$2
+
+    install -m 644 ${B}/${config}/${UBOOT_ELF} ${D}/boot/u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX}
+    ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${D}/boot/${UBOOT_BINARY}-${type}
+    ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${D}/boot/${UBOOT_BINARY}
+}
+
+uboot_install_elf () {
+    install -m 644 ${B}/${UBOOT_ELF} ${D}/boot/${UBOOT_ELF_IMAGE}
+    ln -sf ${UBOOT_ELF_IMAGE} ${D}/boot/${UBOOT_ELF_BINARY}
+}
+
+uboot_install_spl_config () {
+    config=$1
+    type=$2
+
+    install -m 644 ${B}/${config}/${SPL_BINARY} ${D}/boot/${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX}
+    ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${D}/boot/${SPL_BINARYFILE}-${type}
+    ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${D}/boot/${SPL_BINARYFILE}
+}
+
+uboot_install_spl () {
+    install -m 644 ${B}/${SPL_BINARY} ${D}/boot/${SPL_IMAGE}
+    ln -sf ${SPL_IMAGE} ${D}/boot/${SPL_BINARYFILE}
+}
+
 PACKAGE_BEFORE_PN += "${PN}-env ${PN}-extlinux"
 
 RPROVIDES:${PN}-env += "u-boot-default-env"
@@ -223,40 +277,14 @@ do_deploy () {
                 j=$(expr $j + 1);
                 if [ $j -eq $i ]
                 then
-                    install -D -m 644 ${B}/${config}/${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX} ${DEPLOYDIR}/${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
-                    cd ${DEPLOYDIR}
-                    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_SYMLINK}-${type}
-                    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_SYMLINK}
-                    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARY}-${type}
-                    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARY}
-
-                    # Deploy the uboot-initial-env
-                    if [ -n "${UBOOT_INITIAL_ENV}" ]; then
-                        install -D -m 644 ${B}/${config}/u-boot-initial-env-${type} ${DEPLOYDIR}/${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR}
-                        cd ${DEPLOYDIR}
-                        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}
-                        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${UBOOT_INITIAL_ENV}-${type}
-                    fi
+                    uboot_deploy_config $config $type
                 fi
             done
             unset j
         done
         unset i
     else
-        install -D -m 644 ${B}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
-
-        cd ${DEPLOYDIR}
-        rm -f ${UBOOT_BINARY} ${UBOOT_SYMLINK}
-        ln -sf ${UBOOT_IMAGE} ${UBOOT_SYMLINK}
-        ln -sf ${UBOOT_IMAGE} ${UBOOT_BINARY}
-
-        # Deploy the uboot-initial-env
-        if [ -n "${UBOOT_INITIAL_ENV}" ]; then
-            install -D -m 644 ${B}/u-boot-initial-env ${DEPLOYDIR}/${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR}
-            cd ${DEPLOYDIR}
-            ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR} ${UBOOT_INITIAL_ENV}-${MACHINE}
-            ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR} ${UBOOT_INITIAL_ENV}
-        fi
+        uboot_deploy
     fi
 
     if [ -e ${WORKDIR}/fw_env.config ] ; then
@@ -276,20 +304,14 @@ do_deploy () {
                     j=$(expr $j + 1);
                     if [ $j -eq $i ]
                     then
-                        install -m 644 ${B}/${config}/${UBOOT_ELF} ${DEPLOYDIR}/u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX}
-                        ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${DEPLOYDIR}/${UBOOT_ELF_BINARY}-${type}
-                        ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${DEPLOYDIR}/${UBOOT_ELF_BINARY}
-                        ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${DEPLOYDIR}/${UBOOT_ELF_SYMLINK}-${type}
-                        ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${DEPLOYDIR}/${UBOOT_ELF_SYMLINK}
+                        uboot_deploy_elf_config $config $type
                     fi
                 done
                 unset j
             done
             unset i
         else
-            install -m 644 ${B}/${UBOOT_ELF} ${DEPLOYDIR}/${UBOOT_ELF_IMAGE}
-            ln -sf ${UBOOT_ELF_IMAGE} ${DEPLOYDIR}/${UBOOT_ELF_BINARY}
-            ln -sf ${UBOOT_ELF_IMAGE} ${DEPLOYDIR}/${UBOOT_ELF_SYMLINK}
+            uboot_deploy_elf
         fi
     fi
 
@@ -304,21 +326,14 @@ do_deploy () {
                     j=$(expr $j + 1);
                     if [ $j -eq $i ]
                     then
-                        install -m 644 ${B}/${config}/${SPL_BINARY} ${DEPLOYDIR}/${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX}
-                        rm -f ${DEPLOYDIR}/${SPL_BINARYFILE} ${DEPLOYDIR}/${SPL_SYMLINK}
-                        ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${DEPLOYDIR}/${SPL_BINARYFILE}-${type}
-                        ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${DEPLOYDIR}/${SPL_BINARYFILE}
-                        ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${DEPLOYDIR}/${SPL_SYMLINK}-${type}
-                        ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${DEPLOYDIR}/${SPL_SYMLINK}
+                        uboot_deploy_spl_config $config $type
                     fi
                 done
                 unset j
             done
             unset i
         else
-            install -m 644 ${B}/${SPL_BINARY} ${DEPLOYDIR}/${SPL_IMAGE}
-            ln -sf ${SPL_IMAGE} ${DEPLOYDIR}/${SPL_BINARYNAME}
-            ln -sf ${SPL_IMAGE} ${DEPLOYDIR}/${SPL_SYMLINK}
+            uboot_deploy_spl
         fi
     fi
 
@@ -342,4 +357,76 @@ do_deploy () {
     fi
 }
 
+uboot_deploy_config () {
+    config=$1
+    type=$2
+
+    install -D -m 644 ${B}/${config}/${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX} ${DEPLOYDIR}/${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
+    cd ${DEPLOYDIR}
+    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_SYMLINK}-${type}
+    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_SYMLINK}
+    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARY}-${type}
+    ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARY}
+
+    # Deploy the uboot-initial-env
+    if [ -n "${UBOOT_INITIAL_ENV}" ]; then
+        install -D -m 644 ${B}/${config}/u-boot-initial-env-${type} ${DEPLOYDIR}/${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR}
+        cd ${DEPLOYDIR}
+        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}
+        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${type}-${PV}-${PR} ${UBOOT_INITIAL_ENV}-${type}
+    fi
+}
+
+uboot_deploy () {
+    install -D -m 644 ${B}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
+
+    cd ${DEPLOYDIR}
+    rm -f ${UBOOT_BINARY} ${UBOOT_SYMLINK}
+    ln -sf ${UBOOT_IMAGE} ${UBOOT_SYMLINK}
+    ln -sf ${UBOOT_IMAGE} ${UBOOT_BINARY}
+
+    # Deploy the uboot-initial-env
+    if [ -n "${UBOOT_INITIAL_ENV}" ]; then
+        install -D -m 644 ${B}/u-boot-initial-env ${DEPLOYDIR}/${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR}
+        cd ${DEPLOYDIR}
+        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR} ${UBOOT_INITIAL_ENV}-${MACHINE}
+        ln -sf ${UBOOT_INITIAL_ENV}-${MACHINE}-${PV}-${PR} ${UBOOT_INITIAL_ENV}
+    fi
+}
+
+uboot_deploy_elf_config () {
+    config=$1
+    type=$2
+
+    install -m 644 ${B}/${config}/${UBOOT_ELF} ${DEPLOYDIR}/u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX}
+    ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${DEPLOYDIR}/${UBOOT_ELF_BINARY}-${type}
+    ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${DEPLOYDIR}/${UBOOT_ELF_BINARY}
+    ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${DEPLOYDIR}/${UBOOT_ELF_SYMLINK}-${type}
+    ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_ELF_SUFFIX} ${DEPLOYDIR}/${UBOOT_ELF_SYMLINK}
+}
+
+uboot_deploy_elf () {
+    install -m 644 ${B}/${UBOOT_ELF} ${DEPLOYDIR}/${UBOOT_ELF_IMAGE}
+    ln -sf ${UBOOT_ELF_IMAGE} ${DEPLOYDIR}/${UBOOT_ELF_BINARY}
+    ln -sf ${UBOOT_ELF_IMAGE} ${DEPLOYDIR}/${UBOOT_ELF_SYMLINK}
+}
+
+uboot_deploy_spl_config () {
+    config=$1
+    type=$2
+
+    install -m 644 ${B}/${config}/${SPL_BINARY} ${DEPLOYDIR}/${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX}
+    rm -f ${DEPLOYDIR}/${SPL_BINARYFILE} ${DEPLOYDIR}/${SPL_SYMLINK}
+    ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${DEPLOYDIR}/${SPL_BINARYFILE}-${type}
+    ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${DEPLOYDIR}/${SPL_BINARYFILE}
+    ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${DEPLOYDIR}/${SPL_SYMLINK}-${type}
+    ln -sf ${SPL_BINARYNAME}-${type}-${PV}-${PR}${SPL_DELIMITER}${SPL_SUFFIX} ${DEPLOYDIR}/${SPL_SYMLINK}
+}
+
+uboot_deploy_spl () {
+    install -m 644 ${B}/${SPL_BINARY} ${DEPLOYDIR}/${SPL_IMAGE}
+    ln -sf ${SPL_IMAGE} ${DEPLOYDIR}/${SPL_BINARYNAME}
+    ln -sf ${SPL_IMAGE} ${DEPLOYDIR}/${SPL_SYMLINK}
+}
+
 addtask deploy before do_build after do_compile

meta/recipes-connectivity/bind/bind_9.18.28.bb

@@ -34,7 +34,7 @@ inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-a
 
 # PACKAGECONFIGs readline and libedit should NOT be set at same time
 PACKAGECONFIG ?= "readline"
-PACKAGECONFIG[httpstats] = "--with-libxml2=${STAGING_DIR_HOST}${prefix},--without-libxml2,libxml2"
+PACKAGECONFIG[httpstats] = "--with-libxml2,--without-libxml2,libxml2"
 PACKAGECONFIG[readline] = "--with-readline=readline,,readline"
 PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"
 PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"

meta/recipes-connectivity/bluez5/bluez5.inc

@@ -54,7 +54,6 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
            ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
            file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
            file://0001-test-gatt-Fix-hung-issue.patch \
-           file://0004-src-shared-util.c-include-linux-limits.h.patch \
            "
 S = "${WORKDIR}/bluez-${PV}"
 

meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch

@@ -1,27 +0,0 @@
-From b53df61b41088b68c127ac76cc71683ac3453b9d Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex@linutronix.de>
-Date: Mon, 12 Dec 2022 13:10:19 +0100
-Subject: [PATCH] src/shared/util.c: include linux/limits.h
-
-MAX_INPUT is defined in that file. This matters on non-glibc
-systems such as those using musl.
-
-Upstream-Status: Submitted [to linux-bluetooth@vger.kernel.org,luiz.von.dentz@intel.com,frederic.danis@collabora.com]
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
-
----
- src/shared/util.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/shared/util.c b/src/shared/util.c
-index c0c2c4a..036dc0d 100644
---- a/src/shared/util.c
-+++ b/src/shared/util.c
-@@ -23,6 +23,7 @@
- #include <unistd.h>
- #include <dirent.h>
- #include <limits.h>
-+#include <linux/limits.h>
- #include <string.h>
- 
- #ifdef HAVE_SYS_RANDOM_H

meta/recipes-connectivity/iw/iw_6.7.bb

@@ -4,7 +4,7 @@ wireless devices. It supports almost all new drivers that have been added \
 to the kernel recently. "
 HOMEPAGE = "https://wireless.wiki.kernel.org/en/users/documentation/iw"
 SECTION = "base"
-LICENSE = "BSD-2-Clause"
+LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://COPYING;md5=878618a5c4af25e9b93ef0be1a93f774"
 
 DEPENDS = "libnl"

meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256-pre1.patch

@@ -0,0 +1,37 @@
+From 73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Tue, 16 May 2023 12:37:11 -0400
+Subject: [PATCH] Remove unused variable retval in sock_present2network
+
+This quiets the compiler since it is not even returned anyway, and is a misleading variable name.
+
+(cherry picked from commit c7b90298984c46d820d3cee79a96d24870b5f200)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/73da0d4d65ef0925772b7b7f82a5fbb3ff2c5e4f]
+CVE: CVE-2023-7256 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sockutils.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sockutils.c b/sockutils.c
+index 1c07f76fd1..6752f296af 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -2082,7 +2082,6 @@ int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *addres
+  */
+ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr, int addr_family, char *errbuf, int errbuflen)
+ {
+-	int retval;
+ 	struct addrinfo *addrinfo;
+ 	struct addrinfo hints;
+ 
+@@ -2090,7 +2089,7 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr,
+ 
+ 	hints.ai_family = addr_family;
+ 
+-	if ((retval = sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen)) == -1)
++	if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1)
+ 		return 0;
+ 
+ 	if (addrinfo->ai_family == PF_INET)

meta/recipes-connectivity/libpcap/libpcap/CVE-2023-7256.patch

@@ -0,0 +1,365 @@
+From 2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Thu, 28 Sep 2023 00:37:57 -0700
+Subject: [PATCH] Have sock_initaddress() return the list of addrinfo
+ structures or NULL.
+
+Its return address is currently 0 for success and -1 for failure, with a
+pointer to the first element of the list of struct addrinfos returned
+through a pointer on success; change it to return that pointer on
+success and NULL on failure.
+
+That way, we don't have to worry about what happens to the pointer
+pointeed to by the argument in question on failure; we know that we got
+NULL back if no struct addrinfos were found because getaddrinfo()
+failed.  Thus, we know that we have something to free iff
+sock_initaddress() returned a pointer to that something rather than
+returning NULL.
+
+This avoids a double-free in some cases.
+
+This is apparently CVE-2023-40400.
+
+(backported from commit 262e4f34979872d822ccedf9f318ed89c4d31c03)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/2aa69b04d8173b18a0e3492e0c8f2f7fabdf642d]
+CVE: CVE-2023-7256
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-rpcap.c    | 48 ++++++++++++++++++++--------------------
+ rpcapd/daemon.c |  8 +++++--
+ rpcapd/rpcapd.c |  8 +++++--
+ sockutils.c     | 58 ++++++++++++++++++++++++++++---------------------
+ sockutils.h     |  5 ++---
+ 5 files changed, 72 insertions(+), 55 deletions(-)
+
+diff --git a/pcap-rpcap.c b/pcap-rpcap.c
+index ef0cd6e49c..f1992e4aea 100644
+--- a/pcap-rpcap.c
++++ b/pcap-rpcap.c
+@@ -1024,7 +1024,6 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ {
+ 	struct activehosts *temp;			/* temp var needed to scan the host list chain */
+ 	struct addrinfo hints, *addrinfo, *ai_next;	/* temp var needed to translate between hostname to its address */
+-	int retval;
+ 
+ 	/* retrieve the network address corresponding to 'host' */
+ 	addrinfo = NULL;
+@@ -1032,9 +1031,9 @@ rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
+ 	hints.ai_family = PF_UNSPEC;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
++	addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
+ 	    PCAP_ERRBUF_SIZE);
+-	if (retval != 0)
++	if (addrinfo == NULL)
+ 	{
+ 		*error = 1;
+ 		return NULL;
+@@ -1186,7 +1185,9 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 		hints.ai_flags = AI_PASSIVE;	/* Data connection is opened by the server toward the client */
+ 
+ 		/* Let's the server pick up a free network port for us */
+-		if (sock_initaddress(NULL, NULL, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress(NULL, NULL, &hints, fp->errbuf,
++		    PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 			goto error_nodiscard;
+ 
+ 		if ((sockdata = sock_open(NULL, addrinfo, SOCKOPEN_SERVER,
+@@ -1311,7 +1312,9 @@ static int pcap_startcapture_remote(pcap_t *fp)
+ 			snprintf(portstring, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
+ 
+ 			/* Let's the server pick up a free network port for us */
+-			if (sock_initaddress(host, portstring, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
++			addrinfo = sock_initaddress(host, portstring, &hints,
++			    fp->errbuf, PCAP_ERRBUF_SIZE);
++			if (addrinfo == NULL)
+ 				goto error;
+ 
+ 			if ((sockdata = sock_open(host, addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2340,16 +2343,16 @@ rpcap_setup_session(const char *source, struct pcap_rmtauth *auth,
+ 		if (port[0] == 0)
+ 		{
+ 			/* the user chose not to specify the port */
+-			if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
+-			    &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+-				return -1;
++			addrinfo = sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
++			    &hints, errbuf, PCAP_ERRBUF_SIZE);
+ 		}
+ 		else
+ 		{
+-			if (sock_initaddress(host, port, &hints, &addrinfo,
+-			    errbuf, PCAP_ERRBUF_SIZE) == -1)
+-				return -1;
++			addrinfo = sock_initaddress(host, port, &hints,
++			    errbuf, PCAP_ERRBUF_SIZE);
+ 		}
++		if (addrinfo == NULL)
++			return -1;
+ 
+ 		if ((*sockctrlp = sock_open(host, addrinfo, SOCKOPEN_CLIENT, 0,
+ 		    errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2950,19 +2953,19 @@ SOCKET pcap_remoteact_accept_ex(const char *address, const char *port, const cha
+ 	/* Do the work */
+ 	if ((port == NULL) || (port[0] == 0))
+ 	{
+-		if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+-		{
+-			return (SOCKET)-2;
+-		}
++		addrinfo = sock_initaddress(address,
++		    RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, errbuf,
++		    PCAP_ERRBUF_SIZE);
+ 	}
+ 	else
+ 	{
+-		if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
+-		{
+-			return (SOCKET)-2;
+-		}
++		addrinfo = sock_initaddress(address, port, &hints, errbuf,
++		    PCAP_ERRBUF_SIZE);
++	}
++	if (addrinfo == NULL)
++	{
++		return (SOCKET)-2;
+ 	}
+-
+ 
+ 	if ((sockmain = sock_open(NULL, addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+ 	{
+@@ -3122,7 +3125,6 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ {
+ 	struct activehosts *temp, *prev;	/* temp var needed to scan the host list chain */
+ 	struct addrinfo hints, *addrinfo, *ai_next;	/* temp var needed to translate between hostname to its address */
+-	int retval;
+ 
+ 	temp = activeHosts;
+ 	prev = NULL;
+@@ -3133,9 +3135,9 @@ int pcap_remoteact_close(const char *host, char *errbuf)
+ 	hints.ai_family = PF_UNSPEC;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	retval = sock_initaddress(host, NULL, &hints, &addrinfo, errbuf,
++	addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
+ 	    PCAP_ERRBUF_SIZE);
+-	if (retval != 0)
++	if (addrinfo == NULL)
+ 	{
+ 		return -1;
+ 	}
+diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
+index 8d620dd604..b04b29f107 100644
+--- a/rpcapd/daemon.c
++++ b/rpcapd/daemon.c
+@@ -2085,7 +2085,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ 			goto error;
+ 		}
+ 
+-		if (sock_initaddress(peerhost, portdata, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress(peerhost, portdata, &hints,
++		    errmsgbuf, PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 			goto error;
+ 
+ 		if ((session->sockdata = sock_open(peerhost, addrinfo, SOCKOPEN_CLIENT, 0, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+@@ -2096,7 +2098,9 @@ daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
+ 		hints.ai_flags = AI_PASSIVE;
+ 
+ 		// Make the server socket pick up a free network port for us
+-		if (sock_initaddress(NULL, NULL, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress(NULL, NULL, &hints, errmsgbuf,
++		    PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 			goto error;
+ 
+ 		if ((session->sockdata = sock_open(NULL, addrinfo, SOCKOPEN_SERVER, 1 /* max 1 connection in queue */, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
+diff --git a/rpcapd/rpcapd.c b/rpcapd/rpcapd.c
+index e1f3f05299..d166522c9f 100644
+--- a/rpcapd/rpcapd.c
++++ b/rpcapd/rpcapd.c
+@@ -611,7 +611,9 @@ void main_startup(void)
+ 		//
+ 		// Get a list of sockets on which to listen.
+ 		//
+-		if (sock_initaddress((address[0]) ? address : NULL, port, &mainhints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
++		addrinfo = sock_initaddress((address[0]) ? address : NULL,
++		    port, &mainhints, errbuf, PCAP_ERRBUF_SIZE);
++		if (addrinfo == NULL)
+ 		{
+ 			rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf);
+ 			return;
+@@ -1350,7 +1352,9 @@ main_active(void *ptr)
+ 	memset(errbuf, 0, sizeof(errbuf));
+ 
+ 	// Do the work
+-	if (sock_initaddress(activepars->address, activepars->port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
++	addrinfo = sock_initaddress(activepars->address, activepars->port,
++	    &hints, errbuf, PCAP_ERRBUF_SIZE);
++	if (addrinfo == NULL)
+ 	{
+ 		rpcapd_log(LOGPRIO_DEBUG, "%s", errbuf);
+ 		return 0;
+diff --git a/sockutils.c b/sockutils.c
+index a1bfa1b5e2..823c2363e0 100644
+--- a/sockutils.c
++++ b/sockutils.c
+@@ -1069,20 +1069,21 @@ get_gai_errstring(char *errbuf, int errbuflen, const char *prefix, int err,
+  * \param errbuflen: length of the buffer that will contains the error. The error message cannot be
+  * larger than 'errbuflen - 1' because the last char is reserved for the string terminator.
+  *
+- * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
+- * in the 'errbuf' variable. The addrinfo variable that has to be used in the following sockets calls is
+- * returned into the addrinfo parameter.
++ * \return a pointer to the first element in a list of addrinfo structures
++ * if everything is fine, NULL if some errors occurred. The error message
++ * is returned in the 'errbuf' variable.
+  *
+- * \warning The 'addrinfo' variable has to be deleted by the programmer by calling freeaddrinfo() when
+- * it is no longer needed.
++ * \warning The list of addrinfo structures returned has to be deleted by
++ * the programmer by calling freeaddrinfo() when it is no longer needed.
+  *
+  * \warning This function requires the 'hints' variable as parameter. The semantic of this variable is the same
+  * of the one of the corresponding variable used into the standard getaddrinfo() socket function. We suggest
+  * the programmer to look at that function in order to set the 'hints' variable appropriately.
+  */
+-int sock_initaddress(const char *host, const char *port,
+-    struct addrinfo *hints, struct addrinfo **addrinfo, char *errbuf, int errbuflen)
++struct addrinfo *sock_initaddress(const char *host, const char *port,
++    struct addrinfo *hints, char *errbuf, int errbuflen)
+ {
++	struct addrinfo *addrinfo;
+ 	int retval;
+ 
+ 	/*
+@@ -1094,9 +1095,13 @@ int sock_initaddress(const char *host, const char *port,
+ 	 * as those messages won't talk about a problem with the port if
+ 	 * no port was specified.
+ 	 */
+-	retval = getaddrinfo(host, port == NULL ? "0" : port, hints, addrinfo);
++	retval = getaddrinfo(host, port == NULL ? "0" : port, hints, &addrinfo);
+ 	if (retval != 0)
+ 	{
++		/*
++		 * That call failed.
++		 * Determine whether the problem is that the host is bad.
++		 */
+ 		if (errbuf)
+ 		{
+ 			if (host != NULL && port != NULL) {
+@@ -1108,7 +1113,7 @@ int sock_initaddress(const char *host, const char *port,
+ 				int try_retval;
+ 
+ 				try_retval = getaddrinfo(host, NULL, hints,
+-				    addrinfo);
++				    &addrinfo);
+ 				if (try_retval == 0) {
+ 					/*
+ 					 * Worked with just the host,
+@@ -1117,14 +1122,16 @@ int sock_initaddress(const char *host, const char *port,
+ 					 *
+ 					 * Free up the address info first.
+ 					 */
+-					freeaddrinfo(*addrinfo);
++					freeaddrinfo(addrinfo);
+ 					get_gai_errstring(errbuf, errbuflen,
+ 					    "", retval, NULL, port);
+ 				} else {
+ 					/*
+ 					 * Didn't work with just the host,
+ 					 * so assume the problem is
+-					 * with the host.
++					 * with the host; we assume
++					 * the original error indicates
++					 * the underlying problem.
+ 					 */
+ 					get_gai_errstring(errbuf, errbuflen,
+ 					    "", retval, host, NULL);
+@@ -1132,13 +1139,14 @@ int sock_initaddress(const char *host, const char *port,
+ 			} else {
+ 				/*
+ 				 * Either the host or port was null, so
+-				 * there's nothing to determine.
++				 * there's nothing to determine; report
++				 * the error from the original call.
+ 				 */
+ 				get_gai_errstring(errbuf, errbuflen, "",
+ 				    retval, host, port);
+ 			}
+ 		}
+-		return -1;
++		return NULL;
+ 	}
+ 	/*
+ 	 * \warning SOCKET: I should check all the accept() in order to bind to all addresses in case
+@@ -1153,30 +1161,28 @@ int sock_initaddress(const char *host, const char *port,
+ 	 * ignore all addresses that are neither?  (What, no IPX
+ 	 * support? :-))
+ 	 */
+-	if (((*addrinfo)->ai_family != PF_INET) &&
+-	    ((*addrinfo)->ai_family != PF_INET6))
++	if ((addrinfo->ai_family != PF_INET) &&
++	    (addrinfo->ai_family != PF_INET6))
+ 	{
+ 		if (errbuf)
+ 			snprintf(errbuf, errbuflen, "getaddrinfo(): socket type not supported");
+-		freeaddrinfo(*addrinfo);
+-		*addrinfo = NULL;
+-		return -1;
++		freeaddrinfo(addrinfo);
++		return NULL;
+ 	}
+ 
+ 	/*
+ 	 * You can't do multicast (or broadcast) TCP.
+ 	 */
+-	if (((*addrinfo)->ai_socktype == SOCK_STREAM) &&
+-	    (sock_ismcastaddr((*addrinfo)->ai_addr) == 0))
++	if ((addrinfo->ai_socktype == SOCK_STREAM) &&
++	    (sock_ismcastaddr(addrinfo->ai_addr) == 0))
+ 	{
+ 		if (errbuf)
+ 			snprintf(errbuf, errbuflen, "getaddrinfo(): multicast addresses are not valid when using TCP streams");
+-		freeaddrinfo(*addrinfo);
+-		*addrinfo = NULL;
+-		return -1;
++		freeaddrinfo(addrinfo);
++		return NULL;
+ 	}
+ 
+-	return 0;
++	return addrinfo;
+ }
+ 
+ /*
+@@ -2089,7 +2095,9 @@ int sock_present2network(const char *address, struct sockaddr_storage *sockaddr,
+ 
+ 	hints.ai_family = addr_family;
+ 
+-	if (sock_initaddress(address, "22222" /* fake port */, &hints, &addrinfo, errbuf, errbuflen) == -1)
++	addrinfo = sock_initaddress(address, "22222" /* fake port */, &hints,
++	    errbuf, errbuflen);
++	if (addrinfo == NULL)
+ 		return 0;
+ 
+ 	if (addrinfo->ai_family == PF_INET)
+diff --git a/sockutils.h b/sockutils.h
+index a488d8fcb4..30b8cfe0b7 100644
+--- a/sockutils.h
++++ b/sockutils.h
+@@ -138,9 +138,8 @@ void sock_fmterrmsg(char *errbuf, size_t errbuflen, int errcode,
+     PCAP_FORMAT_STRING(const char *fmt), ...) PCAP_PRINTFLIKE(4, 5);
+ void sock_geterrmsg(char *errbuf, size_t errbuflen,
+     PCAP_FORMAT_STRING(const char *fmt), ...)  PCAP_PRINTFLIKE(3, 4);
+-int sock_initaddress(const char *address, const char *port,
+-    struct addrinfo *hints, struct addrinfo **addrinfo,
+-    char *errbuf, int errbuflen);
++struct addrinfo *sock_initaddress(const char *address, const char *port,
++    struct addrinfo *hints, char *errbuf, int errbuflen);
+ int sock_recv(SOCKET sock, SSL *, void *buffer, size_t size, int receiveall,
+     char *errbuf, int errbuflen);
+ int sock_recv_dgram(SOCKET sock, SSL *, void *buffer, size_t size,

meta/recipes-connectivity/libpcap/libpcap/CVE-2024-8006.patch

@@ -0,0 +1,42 @@
+From 8a633ee5b9ecd9d38a587ac9b204e2380713b0d6 Mon Sep 17 00:00:00 2001
+From: Nicolas Badoux <n.badoux@hotmail.com>
+Date: Mon, 19 Aug 2024 12:31:53 +0200
+Subject: [PATCH] makes pcap_findalldevs_ex errors out if the directory does
+ not exist
+
+(backported from commit 0f8a103469ce87d2b8d68c5130a46ddb7fb5eb29)
+
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6]
+CVE: CVE-2024-8006
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pcap-new.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/pcap-new.c b/pcap-new.c
+index be91b3f8db..d449ee623c 100644
+--- a/pcap-new.c
++++ b/pcap-new.c
+@@ -230,6 +230,13 @@ int pcap_findalldevs_ex(const char *source, struct pcap_rmtauth *auth, pcap_if_t
+ #else
+ 		/* opening the folder */
+ 		unixdir= opendir(path);
++		if (unixdir == NULL) {
++			DIAG_OFF_FORMAT_TRUNCATION
++			snprintf(errbuf, PCAP_ERRBUF_SIZE,
++			    "Error when listing files: does folder '%s' exist?", path);
++			DIAG_ON_FORMAT_TRUNCATION
++			return -1;
++		}
+ 
+ 		/* get the first file into it */
+ 		filedata= readdir(unixdir);
+@@ -237,7 +244,7 @@ int pcap_findalldevs_ex(const char *source, struct pcap_rmtauth *auth, pcap_if_t
+ 		if (filedata == NULL)
+ 		{
+ 			DIAG_OFF_FORMAT_TRUNCATION
+-			snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' exist?", path);
++			snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error when listing files: does folder '%s' contain files?", path);
+ 			DIAG_ON_FORMAT_TRUNCATION
+ 			closedir(unixdir);
+ 			return -1;

meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb

@@ -10,7 +10,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
                     file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2"
 DEPENDS = "flex-native bison-native"
 
-SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz"
+SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
+           file://CVE-2023-7256-pre1.patch \
+           file://CVE-2023-7256.patch \
+           file://CVE-2024-8006.patch \
+          "
+
 SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f"
 
 inherit autotools binconfig-disabled pkgconfig

meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch

@@ -0,0 +1,27 @@
+From 88351eca17dcc55189991ba60e50819b6d4193c1 Mon Sep 17 00:00:00 2001
+From: 90 <hi@90.gripe>
+Date: Fri, 5 Apr 2024 19:36:06 +0100
+Subject: [PATCH] Fix missing header for systemd notification
+
+Upstream-Status: Backport [88351eca17dcc55189991ba60e50819b6d4193c1]
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+
+---
+ openbsd-compat/port-linux.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index df7290246df6..4c024c6d2d61 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -33,6 +33,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <time.h>
++#include <unistd.h>
+ 
+ #include "log.h"
+ #include "xmalloc.h"
+-- 
+2.39.2
+

meta/recipes-connectivity/openssh/openssh_9.6p1.bb

@@ -28,6 +28,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://0001-notify-systemd-on-listen-and-reload.patch \
            file://CVE-2024-6387.patch \
            file://CVE-2024-39894.patch \
+           file://0001-Fix-missing-header-for-systemd-notification.patch \
            "
 SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
 

meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch

@@ -6,6 +6,7 @@ Subject: [PATCH] Added handshake history reporting when test fails
 Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
 
 Signed-off-by: William Lyu <William.Lyu@windriver.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
 ---
  test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++----------
  test/helpers/handshake.h |  70 +++++++++++++++++++-
@@ -16,13 +17,6 @@ diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
 index e0422469e4..ae2ad59dd4 100644
 --- a/test/helpers/handshake.c
 +++ b/test/helpers/handshake.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
 @@ -24,6 +24,102 @@
  #include <netinet/sctp.h>
  #endif

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch

@@ -1,113 +0,0 @@
-From b63b4db52e10677db4ab46b608aabd55a44668aa Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH 01/10] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 016135f..cf52b31 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-                           unsigned int server_len,
-                           const unsigned char *client, unsigned int client_len)
- {
--    unsigned int i, j;
--    const unsigned char *result;
--    int status = OPENSSL_NPN_UNSUPPORTED;
-+    PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+    if (!PACKET_buf_init(&cpkt, client, client_len)
-+            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+            || PACKET_remaining(&csubpkt) == 0) {
-+        *out = NULL;
-+        *outlen = 0;
-+        return OPENSSL_NPN_NO_OVERLAP;
-+    }
-+
-+    /*
-+     * Set the default opportunistic protocol. Will be overwritten if we find
-+     * a match.
-+     */
-+    *out = (unsigned char *)PACKET_data(&csubpkt);
-+    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
- 
-     /*
-      * For each protocol in server preference order, see if we support it.
-      */
--    for (i = 0; i < server_len;) {
--        for (j = 0; j < client_len;) {
--            if (server[i] == client[j] &&
--                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
--                /* We found a match */
--                result = &server[i];
--                status = OPENSSL_NPN_NEGOTIATED;
--                goto found;
-+    if (PACKET_buf_init(&spkt, server, server_len)) {
-+        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+            if (PACKET_remaining(&ssubpkt) == 0)
-+                continue; /* Invalid - ignore it */
-+            if (PACKET_buf_init(&cpkt, client, client_len)) {
-+                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+                                     PACKET_remaining(&ssubpkt))) {
-+                        /* We found a match */
-+                        *out = (unsigned char *)PACKET_data(&ssubpkt);
-+                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+                        return OPENSSL_NPN_NEGOTIATED;
-+                    }
-+                }
-+                /* Ignore spurious trailing bytes in the client list */
-+            } else {
-+                /* This should never happen */
-+                return OPENSSL_NPN_NO_OVERLAP;
-             }
--            j += client[j];
--            j++;
-         }
--        i += server[i];
--        i++;
-+        /* Ignore spurious trailing bytes in the server list */
-     }
- 
--    /* There's no overlap between our protocols and the server's list. */
--    result = client;
--    status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
--    *out = (unsigned char *)result + 1;
--    *outlen = result[0];
--    return status;
-+    /*
-+     * There's no overlap between our protocols and the server's list. We use
-+     * the default opportunistic protocol selected earlier
-+     */
-+    return OPENSSL_NPN_NO_OVERLAP;
- }
- 
- #ifndef OPENSSL_NO_NEXTPROTONEG
--- 
-2.44.0
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch

@@ -1,203 +0,0 @@
-From 61cad53901703944d22f1cd6a1b57460f2270599 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 14:29:26 +0100
-Subject: [PATCH 10/10] Add a test for an empty NextProto message
-
-It is valid according to the spec for a NextProto message to have no
-protocols listed in it. The OpenSSL implementation however does not allow
-us to create such a message. In order to check that we work as expected
-when communicating with a client that does generate such messages we have
-to use a TLSProxy test.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/301b870546d1c7b2d8f0d66e04a2596142f0399f]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/recipes/70-test_npn.t      | 73 +++++++++++++++++++++++++++++++++
- util/perl/TLSProxy/Message.pm   |  9 ++++
- util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
- util/perl/TLSProxy/Proxy.pm     |  1 +
- 4 files changed, 137 insertions(+)
- create mode 100644 test/recipes/70-test_npn.t
- create mode 100644 util/perl/TLSProxy/NextProto.pm
-
-diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
-new file mode 100644
-index 0000000..f82e71a
---- /dev/null
-+++ b/test/recipes/70-test_npn.t
-@@ -0,0 +1,73 @@
-+#! /usr/bin/env perl
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
-+use OpenSSL::Test::Utils;
-+
-+use TLSProxy::Proxy;
-+
-+my $test_name = "test_npn";
-+setup($test_name);
-+
-+plan skip_all => "TLSProxy isn't usable on $^O"
-+    if $^O =~ /^(VMS)$/;
-+
-+plan skip_all => "$test_name needs the dynamic engine feature enabled"
-+    if disabled("engine") || disabled("dynamic-engine");
-+
-+plan skip_all => "$test_name needs the sock feature enabled"
-+    if disabled("sock");
-+
-+plan skip_all => "$test_name needs NPN enabled"
-+    if disabled("nextprotoneg");
-+
-+plan skip_all => "$test_name needs TLSv1.2 enabled"
-+    if disabled("tls1_2");
-+
-+my $proxy = TLSProxy::Proxy->new(
-+    undef,
-+    cmdstr(app(["openssl"]), display => 1),
-+    srctop_file("apps", "server.pem"),
-+    (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
-+);
-+
-+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-+plan tests => 1;
-+
-+my $npnseen = 0;
-+
-+# Test 1: Check sending an empty NextProto message from the client works. This is
-+#         valid as per the spec, but OpenSSL does not allow you to send it.
-+#         Therefore we must be prepared to receive such a message but we cannot
-+#         generate it except via TLSProxy
-+$proxy->clear();
-+$proxy->filter(\&npn_filter);
-+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
-+$proxy->serverflags("-nextprotoneg foo");
-+$proxy->start();
-+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
-+
-+sub npn_filter
-+{
-+    my $proxy = shift;
-+    my $message;
-+
-+    # The NextProto message always appears in flight 2
-+    return if $proxy->flight != 2;
-+
-+    foreach my $message (@{$proxy->message_list}) {
-+        if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
-+            # Our TLSproxy NextProto message support doesn't support parsing of
-+            # the message. If we repack it just creates an empty NextProto
-+            # message - which is exactly the scenario we want to test here.
-+            $message->repack();
-+            $npnseen = 1;
-+        }
-+    }
-+}
-diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
-index ce22187..fb41b2f 100644
---- a/util/perl/TLSProxy/Message.pm
-+++ b/util/perl/TLSProxy/Message.pm
-@@ -384,6 +384,15 @@ sub create_message
-             [@message_frag_lens]
-         );
-         $message->parse();
-+    }  elsif ($mt == MT_NEXT_PROTO) {
-+        $message = TLSProxy::NextProto->new(
-+            $server,
-+            $data,
-+            [@message_rec_list],
-+            $startoffset,
-+            [@message_frag_lens]
-+        );
-+        $message->parse();
-     } else {
-         #Unknown message type
-         $message = TLSProxy::Message->new(
-diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
-new file mode 100644
-index 0000000..0e18347
---- /dev/null
-+++ b/util/perl/TLSProxy/NextProto.pm
-@@ -0,0 +1,54 @@
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+
-+package TLSProxy::NextProto;
-+
-+use vars '@ISA';
-+push @ISA, 'TLSProxy::Message';
-+
-+sub new
-+{
-+    my $class = shift;
-+    my ($server,
-+        $data,
-+        $records,
-+        $startoffset,
-+        $message_frag_lens) = @_;
-+
-+    my $self = $class->SUPER::new(
-+        $server,
-+        TLSProxy::Message::MT_NEXT_PROTO,
-+        $data,
-+        $records,
-+        $startoffset,
-+        $message_frag_lens);
-+
-+    return $self;
-+}
-+
-+sub parse
-+{
-+    # We don't support parsing at the moment
-+}
-+
-+# This is supposed to reconstruct the on-the-wire message data following changes.
-+# For now though since we don't support parsing we just create an empty NextProto
-+# message - this capability is used in test_npn
-+sub set_message_contents
-+{
-+    my $self = shift;
-+    my $data;
-+
-+    $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+                 0x00, 0x00, 0x00);
-+    $self->data($data);
-+}
-+1;
-diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
-index 3de10ec..b707722 100644
---- a/util/perl/TLSProxy/Proxy.pm
-+++ b/util/perl/TLSProxy/Proxy.pm
-@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
- use TLSProxy::CertificateVerify;
- use TLSProxy::ServerKeyExchange;
- use TLSProxy::NewSessionTicket;
-+use TLSProxy::NextProto;
- 
- my $have_IPv6;
- my $IP_factory;
--- 
-2.44.0
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch

@@ -1,43 +0,0 @@
-From 6de1d37cd129b0af5b4a247c76f97b98e70b108b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:18:27 +0100
-Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
- processing NPN
-
-In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
-the selected_len is 0 we should fail. Previously this would fail with an
-internal_error alert because calling OPENSSL_malloc(selected_len) will
-return NULL when selected_len is 0. We make this error detection more
-explicit and return a handshake failure alert.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/015255851371757d54c2560643eb3b3a88123cf1]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_clnt.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 381a6c9..1ab3c13 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
-     if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
-                                 &selected, &selected_len,
-                                 PACKET_data(pkt), PACKET_remaining(pkt),
--                                sctx->ext.npn_select_cb_arg) !=
--             SSL_TLSEXT_ERR_OK) {
-+                                sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
-+            || selected_len == 0) {
-         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
-         return 0;
-     }
--- 
-2.44.0
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch

@@ -1,38 +0,0 @@
-From 4f9334a33da89949f97927c8fe7df1003c42cda4 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:22:13 +0100
-Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
-
-The QUIC test server was using incorrectly formatted ALPN data. With the
-previous implementation of SSL_select_next_proto this went unnoticed. With
-the new stricter implemenation it was failing.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/6cc511826f09e513b4ec066d9b95acaf4f86d991]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/quic/quic_tserver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
-index 86187d0..15694e7 100644
---- a/ssl/quic/quic_tserver.c
-+++ b/ssl/quic/quic_tserver.c
-@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
- 
-     if (srv->args.alpn == NULL) {
-         alpn = alpndeflt;
--        alpnlen = sizeof(alpn);
-+        alpnlen = sizeof(alpndeflt);
-     } else {
-         alpn = srv->args.alpn;
-         alpnlen = srv->args.alpnlen;
--- 
-2.44.0
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch

@@ -1,82 +0,0 @@
-From 5145a1f50e44c9f86127a76f01519a9f25157290 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:46:38 +0100
-Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
-
-We clarify the input preconditions and the expected behaviour in the event
-of no overlap.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/8e81c57adbbf703dfb63955f65599765fdacc741]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-index 05fee2f..79e1a25 100644
---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
- SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
- set the list of protocols available to be negotiated. The B<protos> must be in
- protocol-list format, described below. The length of B<protos> is specified in
--B<protos_len>.
-+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
-+protocols and no ALPN extension will be sent to the server.
- 
- SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
- server to select which protocol to use for the incoming connection. When B<cb>
-@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
- described below. The first item in the B<server>, B<server_len> list that
- matches an item in the B<client>, B<client_len> list is selected, and returned
- in B<out>, B<outlen>. The B<out> value will point into either B<server> or
--B<client>, so it should be copied immediately. If no match is found, the first
--item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
--function can also be used in the NPN callback.
-+B<client>, so it should be copied immediately. The client list must include at
-+least one valid (nonempty) protocol entry in the list.
-+
-+The SSL_select_next_proto() helper function can be useful from either the ALPN
-+callback or the NPN callback (described below). If no match is found, the first
-+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
-+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
-+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
-+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
-+SSL_select_next_proto().
- 
- SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
- client needs to select a protocol from the server's provided list, and a
-@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
- The length of the protocol name must be written into B<outlen>. The
- server's advertised protocols are provided in B<in> and B<inlen>. The
- callback can assume that B<in> is syntactically valid. The client must
--select a protocol. It is fatal to the connection if this callback returns
--a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
--set via SSL_CTX_set_next_proto_select_cb().
-+select a protocol (although it may be an empty, zero length protocol). It is
-+fatal to the connection if this callback returns a value other than
-+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
-+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
- 
- SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
- when a TLS server needs a list of supported protocols for Next Protocol
-@@ -154,7 +163,8 @@ A match was found and is returned in B<out>, B<outlen>.
- =item OPENSSL_NPN_NO_OVERLAP
- 
- No match was found. The first item in B<client>, B<client_len> is returned in
--B<out>, B<outlen>.
-+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
-+B<client> is invalid).
- 
- =back
- 
--- 
-2.44.0
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch

@@ -1,176 +0,0 @@
-From 01d44bc7f50670002cad495654fd99a6371d7662 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 16:35:16 +0100
-Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/add5c52a25c549cec4a730cdf96e2252f0a1862d]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 137 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index ce16332..15cb906 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
-     return testresult;
- }
- 
-+static struct next_proto_st {
-+    int serverlen;
-+    unsigned char server[40];
-+    int clientlen;
-+    unsigned char client[40];
-+    int expected_ret;
-+    size_t selectedlen;
-+    unsigned char selected[40];
-+} next_proto_tests[] = {
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+        OPENSSL_NPN_NEGOTIATED,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'b', 'c', 'd' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        0, { 0 },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        -1, { 0 },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        0, { 0 },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        0, { 0 }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        -1, { 0 },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        0, { 0 }
-+    },
-+    {
-+        3, { 3, 'a', 'b', 'c' },
-+        4, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        3, { 'a', 'b', 'c' }
-+    },
-+    {
-+        4, { 3, 'a', 'b', 'c' },
-+        3, { 3, 'a', 'b', 'c' },
-+        OPENSSL_NPN_NO_OVERLAP,
-+        0, { 0 }
-+    }
-+};
-+
-+static int test_select_next_proto(int idx)
-+{
-+    struct next_proto_st *np = &next_proto_tests[idx];
-+    int ret = 0;
-+    unsigned char *out, *client, *server;
-+    unsigned char outlen;
-+    unsigned int clientlen, serverlen;
-+
-+    if (np->clientlen == -1) {
-+        client = NULL;
-+        clientlen = 0;
-+    } else {
-+        client = np->client;
-+        clientlen = (unsigned int)np->clientlen;
-+    }
-+    if (np->serverlen == -1) {
-+        server = NULL;
-+        serverlen = 0;
-+    } else {
-+        server = np->server;
-+        serverlen = (unsigned int)np->serverlen;
-+    }
-+
-+    if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
-+                                           client, clientlen),
-+                     np->expected_ret))
-+        goto err;
-+
-+    if (np->selectedlen == 0) {
-+        if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
-+            goto err;
-+    } else {
-+        if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
-+            goto err;
-+    }
-+
-+    ret = 1;
-+ err:
-+    return ret;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
- 
- int setup_tests(void)
-@@ -12053,6 +12189,7 @@ int setup_tests(void)
-     ADD_ALL_TESTS(test_handshake_retry, 16);
-     ADD_TEST(test_data_retry);
-     ADD_ALL_TESTS(test_multi_resume, 5);
-+    ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
-     return 1;
- 
-  err:
--- 
-2.44.0
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch

@@ -1,43 +0,0 @@
-From 86351b8dd4c499de7a0c02313ee54966e978150f Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:41:55 +0100
-Subject: [PATCH 07/10] Correct return values for
- tls_construct_stoc_next_proto_neg
-
-Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
-rather than EXT_RETURN_SENT. This actually makes no difference at all to
-the current control flow since this return value is ignored in this case
-anyway. But lets make it correct anyway.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/53f5677f358c4a4f69830d944ea40e71950673b8]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_srvr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 64ccb3e..b821c7c 100644
---- a/ssl/statem/extensions_srvr.c
-+++ b/ssl/statem/extensions_srvr.c
-@@ -1496,9 +1496,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
-             return EXT_RETURN_FAIL;
-         }
-         s->s3.npn_seen = 1;
-+        return EXT_RETURN_SENT;
-     }
- 
--    return EXT_RETURN_SENT;
-+    return EXT_RETURN_NOT_SENT;
- }
- #endif
- 
--- 
-2.44.0
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch

@@ -1,66 +0,0 @@
-From 29f860914824cde6b0aea6ad818b93132930137f Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 11:51:54 +0100
-Subject: [PATCH 08/10] Add ALPN validation in the client
-
-The ALPN protocol selected by the server must be one that we originally
-advertised. We should verify that it is.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/195e15421df113d7283aab2ccff8b8fb06df5465]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 1ab3c13..ff9c009 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
-                         X509 *x, size_t chainidx)
- {
-     size_t len;
-+    PACKET confpkt, protpkt;
-+    int valid = 0;
- 
-     /* We must have requested it. */
-     if (!s->s3.alpn_sent) {
-@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
-         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-         return 0;
-     }
-+
-+    /* It must be a protocol that we sent */
-+    if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
-+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+        return 0;
-+    }
-+    while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
-+        if (PACKET_remaining(&protpkt) != len)
-+            continue;
-+        if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
-+            /* Valid protocol found */
-+            valid = 1;
-+            break;
-+        }
-+    }
-+
-+    if (!valid) {
-+        /* The protocol sent from the server does not match one we advertised */
-+        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-+        return 0;
-+    }
-+
-     OPENSSL_free(s->s3.alpn_selected);
-     s->s3.alpn_selected = OPENSSL_malloc(len);
-     if (s->s3.alpn_selected == NULL) {
--- 
-2.44.0
-

meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch

@@ -1,271 +0,0 @@
-From 6a5484b0d3fcf9a868c7e3e5b62e5eedc90b6080 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:09:41 +0100
-Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest
-
-We already had some tests elsewhere - but this extends that testing with
-additional tests.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/7c95191434415d1c9b7fe9b130df13cce630b6b5]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 229 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 15cb906..7a55a2b 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx)
-     return ret;
- }
- 
-+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
-+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
-+
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
-+                         unsigned int *outlen, void *arg)
-+{
-+    int *idx = (int *)arg;
-+
-+    switch (*idx) {
-+    default:
-+    case 0:
-+        *out = fooprot;
-+        *outlen = sizeof(fooprot);
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 1:
-+        *outlen = 0;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 2:
-+        return SSL_TLSEXT_ERR_NOACK;
-+    }
-+}
-+
-+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
-+                         const unsigned char *in, unsigned int inlen, void *arg)
-+{
-+    int *idx = (int *)arg;
-+
-+    switch (*idx) {
-+    case 0:
-+    case 1:
-+        *out = (unsigned char *)(fooprot + 1);
-+        *outlen = *fooprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 3:
-+        *out = (unsigned char *)(barprot + 1);
-+        *outlen = *barprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 4:
-+        *outlen = 0;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    default:
-+    case 2:
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+}
-+
-+/*
-+ * Test the NPN callbacks
-+ * Test 0: advert = foo, select = foo
-+ * Test 1: advert = <empty>, select = foo
-+ * Test 2: no advert
-+ * Test 3: advert = foo, select = bar
-+ * Test 4: advert = foo, select = <empty> (should fail)
-+ */
-+static int test_npn(int idx)
-+{
-+    SSL_CTX *sctx = NULL, *cctx = NULL;
-+    SSL *serverssl = NULL, *clientssl = NULL;
-+    int testresult = 0;
-+
-+    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+                                       TLS_client_method(), 0, TLS1_2_VERSION,
-+                                       &sctx, &cctx, cert, privkey)))
-+        goto end;
-+
-+    SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
-+    SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
-+
-+    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+                                      NULL)))
-+        goto end;
-+
-+    if (idx == 4) {
-+        /* We don't allow empty selection of NPN, so this should fail */
-+        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+                                              SSL_ERROR_NONE)))
-+            goto end;
-+    } else {
-+        const unsigned char *prot;
-+        unsigned int protlen;
-+
-+        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+                                             SSL_ERROR_NONE)))
-+            goto end;
-+
-+        SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
-+        switch (idx) {
-+        case 0:
-+        case 1:
-+            if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+                goto end;
-+            break;
-+        case 2:
-+            if (!TEST_uint_eq(protlen, 0))
-+                goto end;
-+            break;
-+        case 3:
-+            if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
-+                goto end;
-+            break;
-+        default:
-+            TEST_error("Should not get here");
-+            goto end;
-+        }
-+    }
-+
-+    testresult = 1;
-+ end:
-+    SSL_free(serverssl);
-+    SSL_free(clientssl);
-+    SSL_CTX_free(sctx);
-+    SSL_CTX_free(cctx);
-+
-+    return testresult;
-+}
-+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
-+
-+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
-+                           unsigned char *outlen, const unsigned char *in,
-+                           unsigned int inlen, void *arg)
-+{
-+    int *idx = (int *)arg;
-+
-+    switch (*idx) {
-+    case 0:
-+        *out = (unsigned char *)(fooprot + 1);
-+        *outlen = *fooprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 2:
-+        *out = (unsigned char *)(barprot + 1);
-+        *outlen = *barprot;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    case 3:
-+        *outlen = 0;
-+        return SSL_TLSEXT_ERR_OK;
-+
-+    default:
-+    case 1:
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+    return 0;
-+}
-+
-+/*
-+ * Test the ALPN callbacks
-+ * Test 0: client = foo, select = foo
-+ * Test 1: client = <empty>, select = none
-+ * Test 2: client = foo, select = bar (should fail)
-+ * Test 3: client = foo, select = <empty> (should fail)
-+ */
-+static int test_alpn(int idx)
-+{
-+    SSL_CTX *sctx = NULL, *cctx = NULL;
-+    SSL *serverssl = NULL, *clientssl = NULL;
-+    int testresult = 0;
-+    const unsigned char *prots = fooprot;
-+    unsigned int protslen = sizeof(fooprot);
-+
-+    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+                                       TLS_client_method(), 0, 0,
-+                                       &sctx, &cctx, cert, privkey)))
-+        goto end;
-+
-+    SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
-+
-+    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+                                      NULL)))
-+        goto end;
-+
-+    if (idx == 1) {
-+        prots = NULL;
-+        protslen = 0;
-+    }
-+
-+    /* SSL_set_alpn_protos returns 0 for success! */
-+    if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
-+        goto end;
-+
-+    if (idx == 2 || idx == 3) {
-+        /* We don't allow empty selection of NPN, so this should fail */
-+        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+                                              SSL_ERROR_NONE)))
-+            goto end;
-+    } else {
-+        const unsigned char *prot;
-+        unsigned int protlen;
-+
-+        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+                                             SSL_ERROR_NONE)))
-+            goto end;
-+
-+        SSL_get0_alpn_selected(clientssl, &prot, &protlen);
-+        switch (idx) {
-+        case 0:
-+            if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+                goto end;
-+            break;
-+        case 1:
-+            if (!TEST_uint_eq(protlen, 0))
-+                goto end;
-+            break;
-+        default:
-+            TEST_error("Should not get here");
-+            goto end;
-+        }
-+    }
-+
-+    testresult = 1;
-+ end:
-+    SSL_free(serverssl);
-+    SSL_free(clientssl);
-+    SSL_CTX_free(sctx);
-+    SSL_CTX_free(cctx);
-+
-+    return testresult;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
- 
- int setup_tests(void)
-@@ -12190,6 +12415,10 @@ int setup_tests(void)
-     ADD_TEST(test_data_retry);
-     ADD_ALL_TESTS(test_multi_resume, 5);
-     ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+    ADD_ALL_TESTS(test_npn, 5);
-+#endif
-+    ADD_ALL_TESTS(test_alpn, 4);
-     return 1;
- 
-  err:
--- 
-2.44.0
-

meta/recipes-connectivity/openssl/openssl_3.2.3.bb

@@ -7,28 +7,18 @@ SECTION = "libs/network"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
 
-SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
            file://0001-Added-handshake-history-reporting-when-test-fails.patch \
-           file://CVE-2024-5535_1.patch \
-           file://CVE-2024-5535_2.patch \
-           file://CVE-2024-5535_3.patch \
-           file://CVE-2024-5535_4.patch \
-           file://CVE-2024-5535_5.patch \
-           file://CVE-2024-5535_6.patch \
-           file://CVE-2024-5535_7.patch \
-           file://CVE-2024-5535_8.patch \
-           file://CVE-2024-5535_9.patch \
-           file://CVE-2024-5535_10.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "197149c18d9e9f292c43f0400acaba12e5f52cacfe050f3d199277ea738ec2e7"
+SRC_URI[sha256sum] = "52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

meta/recipes-core/busybox/busybox/0001-cut-Fix-s-flag-to-omit-blank-lines.patch

@@ -0,0 +1,66 @@
+From 199606e960942c29fd8085be812edd3d3697825c Mon Sep 17 00:00:00 2001
+From: Colin McAllister <colinmca242@gmail.com>
+Date: Wed, 17 Jul 2024 07:58:52 -0500
+Subject: [PATCH 1/1] cut: Fix "-s" flag to omit blank lines
+
+Using cut with the delimiter flag ("-d") with the "-s" flag to only
+output lines containing the delimiter will print blank lines. This is
+deviant behavior from cut provided by GNU Coreutils. Blank lines should
+be omitted if "-s" is used with "-d".
+
+This change introduces a somewhat naiive, yet efficient solution, where
+line length is checked before looping though bytes. If line length is
+zero and the "-s" flag is used, the code will jump to parsing the next
+line to avoid printing a newline character.
+
+In addition, a test to cut.tests has been added to ensure that this
+regression is fixed and will not happen again in the future.
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2024-July/090834.html]
+
+Signed-off-by: Colin McAllister <colinmca242@gmail.com>
+---
+ coreutils/cut.c     | 6 ++++++
+ testsuite/cut.tests | 9 +++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/coreutils/cut.c b/coreutils/cut.c
+index 55bdd9386..b7f986f26 100644
+--- a/coreutils/cut.c
++++ b/coreutils/cut.c
+@@ -152,6 +152,12 @@ static void cut_file(FILE *file, const char *delim, const char *odelim,
+ 			unsigned uu = 0, start = 0, end = 0, out = 0;
+ 			int dcount = 0;
+ 
++			/* Blank line? */
++			if (!linelen) {
++				if (option_mask32 & CUT_OPT_SUPPRESS_FLGS)
++					goto next_line;
++			}
++
+ 			/* Loop through bytes, finding next delimiter */
+ 			for (;;) {
+ 				/* End of current range? */
+diff --git a/testsuite/cut.tests b/testsuite/cut.tests
+index 2458c019c..0b401bc00 100755
+--- a/testsuite/cut.tests
++++ b/testsuite/cut.tests
+@@ -65,6 +65,15 @@ testing "cut with -d -f( ) -s" "cut -d' ' -f3 -s input && echo yes" "yes\n" "$in
+ testing "cut with -d -f(a) -s" "cut -da -f3 -s input" "n\nsium:Jim\n\ncion:Ed\n" "$input" ""
+ testing "cut with -d -f(a) -s -n" "cut -da -f3 -s -n input" "n\nsium:Jim\n\ncion:Ed\n" "$input" ""
+ 
++input="\
++
++foo bar baz
++
++bing bong boop
++
++"
++testing "cut with -d -s omits blank lines" "cut -d' ' -f2 -s input" "bar\nbong\n" "$input" ""
++
+ # substitute for awk
+ optional FEATURE_CUT_REGEX
+ testing "cut -DF" "cut -DF 2,7,5" \
+-- 
+2.43.0
+

meta/recipes-core/busybox/busybox_1.36.1.bb

@@ -56,6 +56,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0001-awk-fix-precedence-of-relative-to.patch \
            file://0002-awk-fix-ternary-operator-and-precedence-of.patch \
            file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
+           file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html

meta/recipes-core/expat/expat_2.6.3.bb

@@ -15,7 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
 GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
 UPSTREAM_CHECK_REGEX = "releases/tag/R_(?P<pver>.+)"
 
-SRC_URI[sha256sum] = "9c7c1b5dcbc3c237c500a8fb1493e14d9582146dd9b42aa8d3ffb856a3b927e0"
+SRC_URI[sha256sum] = "b8baef92f328eebcf731f4d18103951c61fa8c8ec21d5ff4202fb6f2198aeb2d"
 
 EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF"
 

meta/recipes-core/glibc/glibc-package.inc

@@ -39,7 +39,7 @@ FILES:sln = "${base_sbindir}/sln"
 FILES:${PN}-pic = "${libdir}/*_pic.a ${libdir}/*_pic.map ${libdir}/libc_pic/*.o"
 FILES:libsotruss = "${libdir}/audit/sotruss-lib.so"
 FILES_SOLIBSDEV = "${libdir}/lib*${SOLIBSDEV}"
-FILES:${PN}-dev += "${libdir}/libpthread.a ${libdir}/libdl.a ${libdir}/libutil.a ${libdir}/libanl.a ${libdir}/*_nonshared.a ${base_libdir}/*_nonshared.a ${base_libdir}/*.o ${datadir}/aclocal"
+FILES:${PN}-dev += "${libdir}/libpthread.a ${libdir}/libdl.a ${libdir}/libutil.a ${libdir}/libanl.a ${libdir}/*_nonshared.a ${base_libdir}/*_nonshared.a ${base_libdir}/*.o ${datadir}/aclocal ${libdir}/gcc/${TARGET_SYS}/*/finclude"
 RDEPENDS:${PN}-dev = "linux-libc-headers-dev"
 FILES:${PN}-staticdev += "${libdir}/*.a ${base_libdir}/*.a"
 FILES:nscd = "${sbindir}/nscd* ${sysconfdir}/init.d/nscd ${systemd_system_unitdir}/nscd* ${nonarch_libdir}/tmpfiles.d/nscd.conf \
@@ -169,6 +169,12 @@ do_install_armmultilib () {
 	oe_multilib_header sys/elf.h sys/procfs.h sys/ptrace.h sys/ucontext.h sys/user.h
 }
 
+do_install_armmultilib:append:class-target() {
+    gcc_version=$($CC -dumpversion)
+    mkdir -p ${D}${libdir}/gcc/${TARGET_SYS}/${gcc_version}/finclude
+    mv ${D}${includedir}/finclude/math-vector-fortran.h ${D}${libdir}/gcc/${TARGET_SYS}/${gcc_version}/finclude/
+    rmdir --ignore-fail-on-non-empty ${D}${includedir}/finclude
+}
 
 LOCALESTASH = "${WORKDIR}/stashed-locale"
 bashscripts = "mtrace sotruss xtrace"

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check
 
 REQUIRED_DISTRO_FEATURES += "xattr"
 
-SRCREV ?= "af5205d1b804ae916619d74ca3a656ca5a727ca5"
+SRCREV ?= "bf88a67b45235236d6655dce604e632eb94a813c"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=scarthgap \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-core/initrdscripts/initramfs-framework/init

@@ -117,7 +117,7 @@ if grep -q devtmpfs /proc/filesystems; then
 	mount -t devtmpfs devtmpfs /dev
 else
 	if [ ! -d /dev ]; then
-		fatal "ERROR: /dev doesn't exist and kernel doesn't has devtmpfs enabled."
+		fatal "ERROR: /dev doesn't exist and kernel doesn't have devtmpfs enabled."
 	fi
 fi
 

meta/recipes-core/initrdscripts/initramfs-framework/rootfs

@@ -59,7 +59,7 @@ rootfs_run() {
 				fi
 			fi
 		fi
-		debug "Sleeping for $delay second(s) to wait root to settle..."
+		debug "Sleeping for $delay second(s) to wait for root to settle..."
 		sleep $delay
 		C=$(( $C + 1 ))
 	done

meta/recipes-core/os-release/os-release.bb

@@ -24,7 +24,7 @@ ID = "${DISTRO}"
 NAME = "${DISTRO_NAME}"
 VERSION = "${DISTRO_VERSION}${@' (%s)' % DISTRO_CODENAME if 'DISTRO_CODENAME' in d else ''}"
 VERSION_ID = "${DISTRO_VERSION}"
-VERSION_CODENAME = "${DISTRO_CODENAME}"
+VERSION_CODENAME = "${@d.getVar('DISTRO_CODENAME') or ''}"
 PRETTY_NAME = "${DISTRO_NAME} ${VERSION}"
 
 # The vendor field is hardcoded to "openembedded" deliberately. We'd

meta/recipes-core/systemd/systemd/00-create-volatile.conf

@@ -6,3 +6,4 @@
 d		/run/lock		1777	-	-	-
 d		/var/volatile/log		-	-	-	-
 d		/var/volatile/tmp		1777	-	-
+L		/var/tmp		-	-	-	-	/var/volatile/tmp

meta/recipes-core/systemd/systemd_255.4.bb

@@ -307,9 +307,10 @@ do_install() {
 	fi
 
 	if "${@'true' if oe.types.boolean(d.getVar('VOLATILE_LOG_DIR')) else 'false'}"; then
-		# /var/log is typically a symbolic link to inside /var/volatile,
-		# which is expected to be empty.
+		# base-files recipe provides /var/log which is a symlink to /var/volatile/log
 		rm -rf ${D}${localstatedir}/log
+		printf 'L\t\t%s/log\t\t-\t-\t-\t-\t%s/volatile/log\n' "${localstatedir}" \
+			"${localstatedir}" >>${D}${nonarch_libdir}/tmpfiles.d/00-create-volatile.conf
 	elif [ -e ${D}${localstatedir}/log/journal ]; then
 		chown root:systemd-journal ${D}${localstatedir}/log/journal
 

meta/recipes-core/udev/udev-extraconf/mount.sh

@@ -98,7 +98,7 @@ automount_systemd() {
         ;;
     esac
 
-    if ! $MOUNT --no-block -t auto $DEVNAME "$MOUNT_BASE/$name"
+    if ! $MOUNT --collect --no-block -t auto $DEVNAME "$MOUNT_BASE/$name"
     then
         #logger "mount.sh/automount" "$MOUNT -t auto $DEVNAME \"$MOUNT_BASE/$name\" failed!"
         rm_dir "$MOUNT_BASE/$name"

meta/recipes-core/util-linux/util-linux_2.39.3.bb

@@ -90,7 +90,10 @@ EXTRA_OECONF:append = " --disable-hwclock-gplv3"
 # build host versions during development
 #
 PACKAGECONFIG ?= "pcre2"
-PACKAGECONFIG:class-target ?= "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'chfn-chsh pam', '', d)}"
+PACKAGECONFIG:class-target ?= "\
+    libmount-mountfd-support \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'chfn-chsh pam', '', d)} \
+"
 # inherit manpages requires this to be present, however util-linux does not have
 # configuration options, and installs manpages always
 PACKAGECONFIG[manpages] = ""
@@ -106,6 +109,13 @@ PACKAGECONFIG[pcre2] = ",,libpcre2"
 PACKAGECONFIG[cryptsetup] = "--with-cryptsetup,--without-cryptsetup,cryptsetup"
 PACKAGECONFIG[chfn-chsh] = "--enable-chfn-chsh,--disable-chfn-chsh,"
 PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
+# Using the new file descriptors based mount kernel API can cause rootfs remount failure with some older kernels.
+# Of currently supported LTS kernels, the old mount API should be used with:
+# - versions prior to 6.6.18 in the 6.6.y series.
+# - versions prior to 6.1.79 in the 6.1.y series.
+# - versions till at least 5.15.164 in the 5.15.y series.
+# - with 5.10.y, 5.4.y and 4.19.y series kernels, libmount seemed to use the old API regardless of this option.
+PACKAGECONFIG[libmount-mountfd-support] = "--enable-libmount-mountfd-support,--disable-libmount-mountfd-support"
 
 EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} CPU= CPUOPT= 'OPT=${CFLAGS}'"
 

meta/recipes-devtools/dejagnu/dejagnu_1.6.3.bb

@@ -2,7 +2,7 @@ SUMMARY = "GNU unit testing framework, written in Expect and Tcl"
 DESCRIPTION = "DejaGnu is a framework for testing other programs. Its purpose \
 is to provide a single front end for all tests."
 HOMEPAGE = "https://www.gnu.org/software/dejagnu/"
-LICENSE = "GPL-2.0-only"
+LICENSE = "GPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 SECTION = "devel"
 

meta/recipes-devtools/expect/expect_5.45.4.bb

@@ -85,4 +85,4 @@ BBCLASSEXTEND = "native nativesdk"
 
 # http://errors.yoctoproject.org/Errors/Details/766950/
 # expect5.45.4/exp_chan.c:62:5: error: initialization of 'struct Tcl_ChannelTypeVersion_ *' from incompatible pointer type 'int (*)(void *, int)' [-Wincompatible-pointer-types]
-CFLAGS += "-Wno-error=incompatible-pointer-types"
+CFLAGS:append = " -Wno-error=incompatible-pointer-types"

meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch

@@ -1,4 +1,4 @@
-From aacfd6e14dd583b1fdc65691def61c5e1bc89708 Mon Sep 17 00:00:00 2001
+From 4067ae345f0ff1fbf37c0348f2af09257513b817 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 29 Mar 2013 09:24:50 +0400
 Subject: [PATCH] Define GLIBC_DYNAMIC_LINKER and UCLIBC_DYNAMIC_LINKER
@@ -185,7 +185,7 @@ index aecaa02a199..62f88f7f9a2 100644
  #undef GNU_USER_TARGET_LINK_SPEC
  #define GNU_USER_TARGET_LINK_SPEC \
 diff --git a/gcc/config/microblaze/linux.h b/gcc/config/microblaze/linux.h
-index e2e2c421c52..6f26480e3b5 100644
+index 5ed8ee518be..299d1a62c81 100644
 --- a/gcc/config/microblaze/linux.h
 +++ b/gcc/config/microblaze/linux.h
 @@ -28,7 +28,7 @@
@@ -193,7 +193,7 @@ index e2e2c421c52..6f26480e3b5 100644
  #define TLS_NEEDS_GOT 1
  
 -#define GLIBC_DYNAMIC_LINKER "/lib/ld.so.1"
-+#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "/ld.so.1"
++#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld.so.1"
  #define UCLIBC_DYNAMIC_LINKER "/lib/ld-uClibc.so.0"
  
  #if TARGET_BIG_ENDIAN_DEFAULT == 0 /* LE */

meta/recipes-devtools/gcc/libgfortran.inc

@@ -47,8 +47,9 @@ do_install () {
 	chown -R root:root ${D}
 }
 
+# avoid virtual/libc
 INHIBIT_DEFAULT_DEPS = "1"
-DEPENDS = "gcc-runtime gcc-cross-${TARGET_ARCH}"
+DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}compilerlibs"
 
 BBCLASSEXTEND = "nativesdk"
 

meta/recipes-devtools/go/go-1.22.6.inc

@@ -15,4 +15,4 @@ SRC_URI += "\
     file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
     file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
 "
-SRC_URI[main.sha256sum] = "ac9c723f224969aee624bc34fd34c9e13f2a212d75c71c807de644bb46e112f6"
+SRC_URI[main.sha256sum] = "9e48d99d519882579917d8189c17e98c373ce25abaebb98772e2927088992a51"

meta/recipes-devtools/go/go-binary-native_1.22.6.bb

@@ -9,9 +9,9 @@ PROVIDES = "go-native"
 
 # Checksums available at https://go.dev/dl/
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "904b924d435eaea086515bc63235b192ea441bd8c9b198c507e85009e6e4c7f0"
-SRC_URI[go_linux_arm64.sha256sum] = "8d21325bfcf431be3660527c1a39d3d9ad71535fabdf5041c826e44e31642b5a"
-SRC_URI[go_linux_ppc64le.sha256sum] = "5312bb420ac0b59175a58927e70b4660b14ab7319aab54398b6071fabcbfbb09"
+SRC_URI[go_linux_amd64.sha256sum] = "999805bed7d9039ec3da1a53bfbcafc13e367da52aa823cb60b68ba22d44c616"
+SRC_URI[go_linux_arm64.sha256sum] = "c15fa895341b8eaf7f219fada25c36a610eb042985dc1a912410c1c90098eaf2"
+SRC_URI[go_linux_ppc64le.sha256sum] = "9d99fce3f6f72a76630fe91ec0884dfe3db828def4713368424900fa98bb2bd6"
 
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"

meta/recipes-devtools/libdnf/libdnf_0.73.2.bb

@@ -13,7 +13,7 @@ SRC_URI = "git://github.com/rpm-software-management/libdnf;branch=dnf-4-master;p
            file://armarch.patch \
            "
 
-SRCREV = "0120e70747dcf05e716792e2e846c62eccd44319"
+SRCREV = "86bbb159732e43dd6dff98c96e99382843f7c63b"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(?!4\.90)\d+(\.\d+)+)"
 
 S = "${WORKDIR}/git"

meta/recipes-devtools/libedit/libedit_20230828-3.1.bb

@@ -15,6 +15,13 @@ SRC_URI = "http://www.thrysoee.dk/editline/${BP}.tar.gz \
           "
 SRC_URI[sha256sum] = "4ee8182b6e569290e7d1f44f0f78dac8716b35f656b76528f699c69c98814dad"
 
+# configure hardcodes /usr/bin search path bypassing HOSTTOOLS
+CACHED_CONFIGUREVARS += "ac_cv_path_NROFF=/bin/false"
+
+# remove at next version upgrade or when output changes
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
 BBCLASSEXTEND = "native nativesdk"
 
 inherit update-alternatives

meta/recipes-devtools/llvm/llvm_18.1.6.bb

@@ -55,7 +55,6 @@ def get_llvm_host_arch(bb, d):
     return get_llvm_arch(bb, d, 'HOST_ARCH')
 
 PACKAGECONFIG ??= "libllvm"
-PACKAGECONFIG:class-native = "${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'libllvm', '', d)}"
 # if optviewer OFF, force the modules to be not found or the ones on the host would be found
 PACKAGECONFIG[optviewer] = ",-DPY_PYGMENTS_FOUND=OFF -DPY_PYGMENTS_LEXERS_C_CPP_FOUND=OFF -DPY_YAML_FOUND=OFF,python3-pygments python3-pyyaml,python3-pygments python3-pyyaml"
 PACKAGECONFIG[libllvm] = ""

meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch

@@ -0,0 +1,69 @@
+From bd8153872e9c6fc98f4023df9c2deaffea2fa463 Mon Sep 17 00:00:00 2001
+From: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
+Date: Wed, 3 Jul 2024 21:34:29 -0400
+Subject: [PATCH] 2024.07.04 (#295)
+
+Co-authored-by: alex <772+alex@users.noreply.github.com>
+
+CVE: CVE-2024-39689
+
+Upstream-Status: Backport [https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ certifi/cacert.pem | 40 ----------------------------------------
+ 1 file changed, 40 deletions(-)
+
+diff --git a/certifi/cacert.pem b/certifi/cacert.pem
+index 1bec256..6bb8cf8 100644
+--- a/certifi/cacert.pem
++++ b/certifi/cacert.pem
+@@ -3857,46 +3857,6 @@ DgQWBBQxCpCPtsad0kRLgLWi5h+xEk8blTAKBggqhkjOPQQDAwNoADBlAjEA31SQ
+ +RHUjE7AwWHCFUyqqx0LMV87HOIAl0Qx5v5zli/altP+CAezNIm8BZ/3Hobui3A=
+ -----END CERTIFICATE-----
+
+-# Issuer: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
+-# Subject: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
+-# Label: "GLOBALTRUST 2020"
+-# Serial: 109160994242082918454945253
+-# MD5 Fingerprint: 8a:c7:6f:cb:6d:e3:cc:a2:f1:7c:83:fa:0e:78:d7:e8
+-# SHA1 Fingerprint: d0:67:c1:13:51:01:0c:aa:d0:c7:6a:65:37:31:16:26:4f:53:71:a2
+-# SHA256 Fingerprint: 9a:29:6a:51:82:d1:d4:51:a2:e3:7f:43:9b:74:da:af:a2:67:52:33:29:f9:0f:9a:0d:20:07:c3:34:e2:3c:9a
+------BEGIN CERTIFICATE-----
+-MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkG
+-A1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkw
+-FwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMB4XDTIwMDIxMDAwMDAwMFoXDTQwMDYx
+-MDAwMDAwMFowTTELMAkGA1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9u
+-aXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMIICIjANBgkq
+-hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAri5WrRsc7/aVj6B3GyvTY4+ETUWiD59b
+-RatZe1E0+eyLinjF3WuvvcTfk0Uev5E4C64OFudBc/jbu9G4UeDLgztzOG53ig9Z
+-YybNpyrOVPu44sB8R85gfD+yc/LAGbaKkoc1DZAoouQVBGM+uq/ufF7MpotQsjj3
+-QWPKzv9pj2gOlTblzLmMCcpL3TGQlsjMH/1WljTbjhzqLL6FLmPdqqmV0/0plRPw
+-yJiT2S0WR5ARg6I6IqIoV6Lr/sCMKKCmfecqQjuCgGOlYx8ZzHyyZqjC0203b+J+
+-BlHZRYQfEs4kUmSFC0iAToexIiIwquuuvuAC4EDosEKAA1GqtH6qRNdDYfOiaxaJ
+-SaSjpCuKAsR49GiKweR6NrFvG5Ybd0mN1MkGco/PU+PcF4UgStyYJ9ORJitHHmkH
+-r96i5OTUawuzXnzUJIBHKWk7buis/UDr2O1xcSvy6Fgd60GXIsUf1DnQJ4+H4xj0
+-4KlGDfV0OoIu0G4skaMxXDtG6nsEEFZegB31pWXogvziB4xiRfUg3kZwhqG8k9Me
+-dKZssCz3AwyIDMvUclOGvGBG85hqwvG/Q/lwIHfKN0F5VVJjjVsSn8VoxIidrPIw
+-q7ejMZdnrY8XD2zHc+0klGvIg5rQmjdJBKuxFshsSUktq6HQjJLyQUp5ISXbY9e2
+-nKd+Qmn7OmMCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+-AQYwHQYDVR0OBBYEFNwuH9FhN3nkq9XVsxJxaD1qaJwiMB8GA1UdIwQYMBaAFNwu
+-H9FhN3nkq9XVsxJxaD1qaJwiMA0GCSqGSIb3DQEBCwUAA4ICAQCR8EICaEDuw2jA
+-VC/f7GLDw56KoDEoqoOOpFaWEhCGVrqXctJUMHytGdUdaG/7FELYjQ7ztdGl4wJC
+-XtzoRlgHNQIw4Lx0SsFDKv/bGtCwr2zD/cuz9X9tAy5ZVp0tLTWMstZDFyySCstd
+-6IwPS3BD0IL/qMy/pJTAvoe9iuOTe8aPmxadJ2W8esVCgmxcB9CpwYhgROmYhRZf
+-+I/KARDOJcP5YBugxZfD0yyIMaK9MOzQ0MAS8cE54+X1+NZK3TTN+2/BT+MAi1bi
+-kvcoskJ3ciNnxz8RFbLEAwW+uxF7Cr+obuf/WEPPm2eggAe2HcqtbepBEX4tdJP7
+-wry+UUTF72glJ4DjyKDUEuzZpTcdN3y0kcra1LGWge9oXHYQSa9+pTeAsRxSvTOB
+-TI/53WXZFM2KJVj04sWDpQmQ1GwUY7VA3+vA/MRYfg0UFodUJ25W5HCEuGwyEn6C
+-MUO+1918oa2u1qsgEu8KwxCMSZY13At1XrFP1U80DhEgB3VDRemjEdqso5nCtnkn
+-4rnvyOL2NSl6dPrFf4IFYqYK6miyeUcGbvJXqBUzxvd4Sj1Ce2t+/vdG6tHrju+I
+-aFvowdlxfv1k7/9nR4hYJS8+hge9+6jlgqispdNpQ80xiEmEU5LAsTkbOYMBMMTy
+-qfrQA71yN2BWHzZ8vTmR9W0Nv3vXkg==
+------END CERTIFICATE-----
+-
+ # Issuer: CN=ANF Secure Server Root CA O=ANF Autoridad de Certificacion OU=ANF CA Raiz
+ # Subject: CN=ANF Secure Server Root CA O=ANF Autoridad de Certificacion OU=ANF CA Raiz
+ # Label: "ANF Secure Server Root CA"
+--
+2.40.0

meta/recipes-devtools/python/python3-certifi_2024.2.2.bb

@@ -7,6 +7,9 @@ HOMEPAGE = " http://certifi.io/"
 LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=11618cb6a975948679286b1211bd573c"
 
+SRC_URI += "file://CVE-2024-39689.patch \
+           "
+
 SRC_URI[sha256sum] = "0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f"
 
 inherit pypi setuptools3

meta/recipes-devtools/python/python3-maturin/0001-Extract-extension-architecture-name-resolvation-code.patch

@@ -0,0 +1,107 @@
+From 42a97ee7100ad158d4b1ba6133ea13cc864a567f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=
+ <vesa.jaaskelainen@vaisala.com>
+Date: Sun, 1 Sep 2024 09:23:10 +0300
+Subject: [PATCH 1/5] Extract extension architecture name resolvation code as
+ helper
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit introduces helper InterpreterConfig.get_python_ext_arch() that
+can be used to determine the extension architecture name python uses in
+`ext_suffix` for this architecture.
+
+Upstream-Status: Backport [https://github.com/PyO3/maturin/commit/42a97ee7100ad158d4b1ba6133ea13cc864a567f]
+
+Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
+---
+ src/python_interpreter/config.rs | 18 ++++++------------
+ src/target.rs                    | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/src/python_interpreter/config.rs b/src/python_interpreter/config.rs
+index 912f9218..d76606f2 100644
+--- a/src/python_interpreter/config.rs
++++ b/src/python_interpreter/config.rs
+@@ -47,15 +47,7 @@ impl InterpreterConfig {
+             // Python 2 is not supported
+             return None;
+         }
+-        let python_arch = if matches!(target.target_arch(), Arch::Armv6L | Arch::Armv7L) {
+-            "arm"
+-        } else if matches!(target.target_arch(), Arch::Powerpc64Le) && python_impl == PyPy {
+-            "ppc_64"
+-        } else if matches!(target.target_arch(), Arch::X86) && python_impl == PyPy {
+-            "x86"
+-        } else {
+-            target.get_python_arch()
+-        };
++        let python_ext_arch = target.get_python_ext_arch(python_impl);
+         // See https://github.com/pypa/auditwheel/issues/349
+         let target_env = match python_impl {
+             CPython => {
+@@ -77,7 +69,7 @@ impl InterpreterConfig {
+                 let ldversion = format!("{}{}{}", major, minor, abiflags);
+                 let ext_suffix = format!(
+                     ".cpython-{}-{}-linux-{}.so",
+-                    ldversion, python_arch, target_env
++                    ldversion, python_ext_arch, target_env
+                 );
+                 Some(Self {
+                     major,
+@@ -90,7 +82,8 @@ impl InterpreterConfig {
+             }
+             (Os::Linux, PyPy) => {
+                 let abi_tag = format!("pypy{}{}-{}", major, minor, PYPY_ABI_TAG);
+-                let ext_suffix = format!(".{}-{}-linux-{}.so", abi_tag, python_arch, target_env);
++                let ext_suffix =
++                    format!(".{}-{}-linux-{}.so", abi_tag, python_ext_arch, target_env);
+                 Some(Self {
+                     major,
+                     minor,
+@@ -204,7 +197,8 @@ impl InterpreterConfig {
+             }
+             (Os::Emscripten, CPython) => {
+                 let ldversion = format!("{}{}", major, minor);
+-                let ext_suffix = format!(".cpython-{}-{}-emscripten.so", ldversion, python_arch);
++                let ext_suffix =
++                    format!(".cpython-{}-{}-emscripten.so", ldversion, python_ext_arch);
+                 Some(Self {
+                     major,
+                     minor,
+diff --git a/src/target.rs b/src/target.rs
+index dc7df0cf..84bae559 100644
+--- a/src/target.rs
++++ b/src/target.rs
+@@ -1,4 +1,5 @@
+ use crate::cross_compile::is_cross_compiling;
++use crate::python_interpreter::InterpreterKind;
+ use crate::PlatformTag;
+ use anyhow::{anyhow, bail, format_err, Result};
+ use platform_info::*;
+@@ -368,6 +369,21 @@ impl Target {
+         }
+     }
+ 
++    /// Returns the extension architecture name python uses in `ext_suffix` for this architecture.
++    pub fn get_python_ext_arch(&self, python_impl: InterpreterKind) -> &str {
++        if matches!(self.target_arch(), Arch::Armv6L | Arch::Armv7L) {
++            "arm"
++        } else if matches!(self.target_arch(), Arch::Powerpc64Le)
++            && python_impl == InterpreterKind::PyPy
++        {
++            "ppc_64"
++        } else if matches!(self.target_arch(), Arch::X86) && python_impl == InterpreterKind::PyPy {
++            "x86"
++        } else {
++            self.get_python_arch()
++        }
++    }
++
+     /// Returns the name python uses in `sys.platform` for this os
+     pub fn get_python_os(&self) -> &str {
+         match self.os {
+-- 
+2.34.1
+

meta/recipes-devtools/python/python3-maturin/0002-Fix-cross-compilation-issue-with-linux-armv7l-archit.patch

@@ -0,0 +1,76 @@
+From 0c6b8cc84eff72ed21098029aaba079b899dbee2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=
+ <vesa.jaaskelainen@vaisala.com>
+Date: Sun, 1 Sep 2024 09:23:40 +0300
+Subject: [PATCH 2/5] Fix cross compilation issue with linux-armv7l
+ architecture
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When compiling under Yocto project for linux-armv7l target architecture
+.so files were generated incorrectly as:
+
+  rpds.cpython-312-armv7l-linux-gnueabihf.so
+
+Where as platform and EXT_SUFFIX are defined as:
+
+  >>> sysconfig.get_platform()
+  'linux-armv7l'
+  >>> sysconfig.get_config_vars()['EXT_SUFFIX']
+  '.cpython-312-arm-linux-gnueabihf.so'
+
+Which should have caused the .so files as:
+
+  rpds.cpython-312-arm-linux-gnueabihf.so
+
+Upstream-Status: Backport [https://github.com/PyO3/maturin/commit/0c6b8cc84eff72ed21098029aaba079b899dbee2]
+
+Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
+---
+ src/python_interpreter/config.rs | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/python_interpreter/config.rs b/src/python_interpreter/config.rs
+index d76606f2..5736aedc 100644
+--- a/src/python_interpreter/config.rs
++++ b/src/python_interpreter/config.rs
+@@ -306,7 +306,7 @@ impl InterpreterConfig {
+                     format!(
+                         ".cpython-{}-{}-{}-{}.{}",
+                         abi_tag,
+-                        target.get_python_arch(),
++                        target.get_python_ext_arch(interpreter_kind),
+                         target.get_python_os(),
+                         target_env,
+                         file_ext,
+@@ -319,7 +319,7 @@ impl InterpreterConfig {
+                         major,
+                         minor,
+                         abi_tag,
+-                        target.get_python_arch(),
++                        target.get_python_ext_arch(interpreter_kind),
+                         target.get_python_os(),
+                         target_env,
+                         file_ext,
+@@ -330,7 +330,7 @@ impl InterpreterConfig {
+                     format!(
+                         ".{}-{}-{}.{}",
+                         abi_tag.replace('_', "-"),
+-                        target.get_python_arch(),
++                        target.get_python_ext_arch(interpreter_kind),
+                         target.get_python_os(),
+                         file_ext,
+                     )
+@@ -341,7 +341,7 @@ impl InterpreterConfig {
+                 format!(
+                     ".cpython-{}-{}-{}.{}",
+                     abi_tag,
+-                    target.get_python_arch(),
++                    target.get_python_ext_arch(interpreter_kind),
+                     target.get_python_os(),
+                     file_ext
+                 )
+-- 
+2.34.1
+

meta/recipes-devtools/python/python3-maturin/0003-Extract-extension-ABI-name-resolvation-code-as-helpe.patch

@@ -0,0 +1,98 @@
+From fa64426f3a98a0455721c23ec86bd2240708b45e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=
+ <vesa.jaaskelainen@vaisala.com>
+Date: Sun, 1 Sep 2024 15:55:07 +0300
+Subject: [PATCH 3/5] Extract extension ABI name resolvation code as helper
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit introduces helper InterpreterConfig.get_python_target_env()
+that can be used to determine the extension ABI python uses in
+`ext_suffix` for this architecture.
+
+Upstream-Status: Backport [https://github.com/PyO3/maturin/commit/fa64426f3a98a0455721c23ec86bd2240708b45e]
+
+Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
+---
+ src/python_interpreter/config.rs | 19 ++-----------------
+ src/target.rs                    | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/src/python_interpreter/config.rs b/src/python_interpreter/config.rs
+index 5736aedc..938e9955 100644
+--- a/src/python_interpreter/config.rs
++++ b/src/python_interpreter/config.rs
+@@ -48,17 +48,7 @@ impl InterpreterConfig {
+             return None;
+         }
+         let python_ext_arch = target.get_python_ext_arch(python_impl);
+-        // See https://github.com/pypa/auditwheel/issues/349
+-        let target_env = match python_impl {
+-            CPython => {
+-                if python_version >= (3, 11) {
+-                    target.target_env().to_string()
+-                } else {
+-                    target.target_env().to_string().replace("musl", "gnu")
+-                }
+-            }
+-            PyPy | GraalPy => "gnu".to_string(),
+-        };
++        let target_env = target.get_python_target_env(python_impl, python_version);
+         match (target.target_os(), python_impl) {
+             (Os::Linux, CPython) => {
+                 let abiflags = if python_version < (3, 8) {
+@@ -294,12 +284,7 @@ impl InterpreterConfig {
+         };
+         let file_ext = if target.is_windows() { "pyd" } else { "so" };
+         let ext_suffix = if target.is_linux() || target.is_macos() {
+-            // See https://github.com/pypa/auditwheel/issues/349
+-            let target_env = if (major, minor) >= (3, 11) {
+-                target.target_env().to_string()
+-            } else {
+-                target.target_env().to_string().replace("musl", "gnu")
+-            };
++            let target_env = target.get_python_target_env(interpreter_kind, (major, minor));
+             match interpreter_kind {
+                 InterpreterKind::CPython => ext_suffix.unwrap_or_else(|| {
+                     // Eg: .cpython-38-x86_64-linux-gnu.so
+diff --git a/src/target.rs b/src/target.rs
+index 84bae559..ad8ebaba 100644
+--- a/src/target.rs
++++ b/src/target.rs
+@@ -1,5 +1,6 @@
+ use crate::cross_compile::is_cross_compiling;
+ use crate::python_interpreter::InterpreterKind;
++use crate::python_interpreter::InterpreterKind::{CPython, GraalPy, PyPy};
+ use crate::PlatformTag;
+ use anyhow::{anyhow, bail, format_err, Result};
+ use platform_info::*;
+@@ -384,6 +385,25 @@ impl Target {
+         }
+     }
+ 
++    /// Returns the environment python uses in `ext_suffix` for this architecture.
++    pub fn get_python_target_env(
++        &self,
++        python_impl: InterpreterKind,
++        python_version: (usize, usize),
++    ) -> String {
++        match python_impl {
++            CPython => {
++                // For musl handling see https://github.com/pypa/auditwheel/issues/349
++                if python_version >= (3, 11) {
++                    self.target_env().to_string()
++                } else {
++                    self.target_env().to_string().replace("musl", "gnu")
++                }
++            }
++            PyPy | GraalPy => "gnu".to_string(),
++        }
++    }
++
+     /// Returns the name python uses in `sys.platform` for this os
+     pub fn get_python_os(&self) -> &str {
+         match self.os {
+-- 
+2.34.1
+

meta/recipes-devtools/python/python3-maturin/0004-Fix-cross-compilation-issue-with-linux-ppc-architect.patch

@@ -0,0 +1,68 @@
+From f2c892109a05db144e8b18bcbcf9c24fe8d977c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=
+ <vesa.jaaskelainen@vaisala.com>
+Date: Sun, 1 Sep 2024 15:55:16 +0300
+Subject: [PATCH 4/5] Fix cross compilation issue with linux-ppc architecture
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When compiling under Yocto project for linux-ppc target architecture
+.so files were generated incorrectly as:
+
+  rpds.cpython-312-ppc-linux-gnu.so
+
+Where as platform and EXT_SUFFIX are defined as:
+
+  >>> sysconfig.get_platform()
+  'linux-ppc'
+  >>> sysconfig.get_config_vars()['EXT_SUFFIX']
+  '.cpython-312-powerpc-linux-gnu.so'
+
+Which should have caused the .so files as:
+
+  rpds.cpython-312-powerpc-linux-gnu.so
+
+Upstream-Status: Backport [https://github.com/PyO3/maturin/commit/f2c892109a05db144e8b18bcbcf9c24fe8d977c4]
+
+Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
+---
+ src/python_interpreter/config.rs | 8 ++++++++
+ src/target.rs                    | 2 ++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/python_interpreter/config.rs b/src/python_interpreter/config.rs
+index 938e9955..8f883887 100644
+--- a/src/python_interpreter/config.rs
++++ b/src/python_interpreter/config.rs
+@@ -424,6 +424,14 @@ mod test {
+             ".cpython-310-powerpc64le-linux-gnu.so"
+         );
+ 
++        let sysconfig = InterpreterConfig::lookup_one(
++            &Target::from_target_triple(Some("powerpc-unknown-linux-gnu".to_string())).unwrap(),
++            InterpreterKind::CPython,
++            (3, 10),
++        )
++        .unwrap();
++        assert_eq!(sysconfig.ext_suffix, ".cpython-310-powerpc-linux-gnu.so");
++
+         let sysconfig = InterpreterConfig::lookup_one(
+             &Target::from_target_triple(Some("s390x-unknown-linux-gnu".to_string())).unwrap(),
+             InterpreterKind::CPython,
+diff --git a/src/target.rs b/src/target.rs
+index ad8ebaba..93afd9bb 100644
+--- a/src/target.rs
++++ b/src/target.rs
+@@ -380,6 +380,8 @@ impl Target {
+             "ppc_64"
+         } else if matches!(self.target_arch(), Arch::X86) && python_impl == InterpreterKind::PyPy {
+             "x86"
++        } else if matches!(self.target_arch(), Arch::Powerpc) {
++            "powerpc"
+         } else {
+             self.get_python_arch()
+         }
+-- 
+2.34.1
+

meta/recipes-devtools/python/python3-maturin/0005-Fix-cross-compilation-issue-with-linux-mips64-archit.patch

@@ -0,0 +1,82 @@
+From 5fe643579bcc63d824f6a0f0936fff451c622903 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=
+ <vesa.jaaskelainen@vaisala.com>
+Date: Sun, 1 Sep 2024 15:55:54 +0300
+Subject: [PATCH 5/5] Fix cross compilation issue with linux-mips64
+ architecture
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When compiling under Yocto project for linux-mips64 target architecture
+.so files were generated incorrectly as:
+
+  rpds.cpython-312-mips64-linux-gnu.so
+
+Where as platform and EXT_SUFFIX are defined as:
+
+  >>> sysconfig.get_platform()
+  'linux-mips64'
+  >>> sysconfig.get_config_vars()['EXT_SUFFIX']
+  '.cpython-312-mips64-linux-gnuabi64.so'
+
+Which should have caused the .so files as:
+
+  rpds.cpython-312-mips64-linux-gnuabi64.so
+
+Upstream-Status: Backport [https://github.com/PyO3/maturin/commit/5fe643579bcc63d824f6a0f0936fff451c622903]
+
+Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
+---
+ src/python_interpreter/config.rs | 19 +++++++++++++++++++
+ src/target.rs                    |  4 +++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/python_interpreter/config.rs b/src/python_interpreter/config.rs
+index 8f883887..ef656010 100644
+--- a/src/python_interpreter/config.rs
++++ b/src/python_interpreter/config.rs
+@@ -432,6 +432,25 @@ mod test {
+         .unwrap();
+         assert_eq!(sysconfig.ext_suffix, ".cpython-310-powerpc-linux-gnu.so");
+ 
++        let sysconfig = InterpreterConfig::lookup_one(
++            &Target::from_target_triple(Some("mips64-unknown-linux-gnu".to_string())).unwrap(),
++            InterpreterKind::CPython,
++            (3, 10),
++        )
++        .unwrap();
++        assert_eq!(
++            sysconfig.ext_suffix,
++            ".cpython-310-mips64-linux-gnuabi64.so"
++        );
++
++        let sysconfig = InterpreterConfig::lookup_one(
++            &Target::from_target_triple(Some("mips-unknown-linux-gnu".to_string())).unwrap(),
++            InterpreterKind::CPython,
++            (3, 10),
++        )
++        .unwrap();
++        assert_eq!(sysconfig.ext_suffix, ".cpython-310-mips-linux-gnu.so");
++
+         let sysconfig = InterpreterConfig::lookup_one(
+             &Target::from_target_triple(Some("s390x-unknown-linux-gnu".to_string())).unwrap(),
+             InterpreterKind::CPython,
+diff --git a/src/target.rs b/src/target.rs
+index 93afd9bb..25fc6c07 100644
+--- a/src/target.rs
++++ b/src/target.rs
+@@ -396,7 +396,9 @@ impl Target {
+         match python_impl {
+             CPython => {
+                 // For musl handling see https://github.com/pypa/auditwheel/issues/349
+-                if python_version >= (3, 11) {
++                if matches!(self.target_arch(), Arch::Mips64 | Arch::Mips64el) && self.is_linux() {
++                    "gnuabi64".to_string()
++                } else if python_version >= (3, 11) {
+                     self.target_env().to_string()
+                 } else {
+                     self.target_env().to_string().replace("musl", "gnu")
+-- 
+2.34.1
+

meta/recipes-devtools/python/python3-maturin_1.4.0.bb

@@ -7,6 +7,13 @@ LIC_FILES_CHKSUM = "file://license-apache;md5=1836efb2eb779966696f473ee8540542 \
 
 SRC_URI += "file://0001-Add-32-bit-RISC-V-support.patch"
 SRC_URI[sha256sum] = "ed12e1768094a7adeafc3a74ebdb8dc2201fa64c4e7e31f14cfc70378bf93790"
+SRC_URI:append = "\
+    file://0001-Extract-extension-architecture-name-resolvation-code.patch \
+    file://0002-Fix-cross-compilation-issue-with-linux-armv7l-archit.patch \
+    file://0003-Extract-extension-ABI-name-resolvation-code-as-helpe.patch \
+    file://0004-Fix-cross-compilation-issue-with-linux-ppc-architect.patch \
+    file://0005-Fix-cross-compilation-issue-with-linux-mips64-archit.patch \
+"
 
 S = "${WORKDIR}/maturin-${PV}"
 

meta/recipes-devtools/python/python3-pycryptodome_3.20.0.bb

@@ -1,5 +1,5 @@
 require python-pycryptodome.inc
-inherit setuptools3
+inherit python_setuptools_build_meta
 
 SRC_URI[sha256sum] = "09609209ed7de61c2b560cc5c8c4fbf892f8b15b1faf7e4cbffac97db1fffda7"
 

meta/recipes-devtools/python/python3-pycryptodomex_3.20.0.bb

@@ -1,5 +1,5 @@
 require python-pycryptodome.inc
-inherit setuptools3
+inherit python_setuptools_build_meta
 
 SRC_URI[sha256sum] = "7a710b79baddd65b806402e14766c721aee8fb83381769c27920f26476276c1e"
 

meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch

@@ -0,0 +1,312 @@
+From 88807c7062788254f654ea8c03427adc859321f0 Mon Sep 17 00:00:00 2001
+From: Jason R. Coombs <jaraco@jaraco.com>
+Date: Mon Apr 29 20:01:38 2024 -0400
+Subject: [PATCH] Merge pull request #4332 from pypa/debt/package-index-vcs
+
+Modernize package_index VCS handling
+
+CVE: CVE-2024-6345
+
+Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ setup.cfg                             |   1 +
+ setuptools/package_index.py           | 145 ++++++++++++++------------
+ setuptools/tests/test_packageindex.py |  56 +++++-----
+ 3 files changed, 106 insertions(+), 96 deletions(-)
+
+diff --git a/setup.cfg b/setup.cfg
+index edf9798..238d00a 100644
+--- a/setup.cfg
++++ b/setup.cfg
+@@ -65,6 +65,7 @@ testing =
+ 	sys_platform != "cygwin"
+ 	jaraco.develop >= 7.21; python_version >= "3.9" and sys_platform != "cygwin"
+ 	pytest-home >= 0.5
++	pytest-subprocess
+ testing-integration = 
+ 	pytest
+ 	pytest-xdist
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 271aa97..00a972d 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -1,6 +1,7 @@
+ """PyPI and direct package downloading."""
+ 
+ import sys
++import subprocess
+ import os
+ import re
+ import io
+@@ -585,7 +586,7 @@ class PackageIndex(Environment):
+             scheme = URL_SCHEME(spec)
+             if scheme:
+                 # It's a url, download it to tmpdir
+-                found = self._download_url(scheme.group(1), spec, tmpdir)
++                found = self._download_url(spec, tmpdir)
+                 base, fragment = egg_info_for_url(spec)
+                 if base.endswith('.py'):
+                     found = self.gen_setup(found, fragment, tmpdir)
+@@ -814,7 +815,7 @@ class PackageIndex(Environment):
+             else:
+                 raise DistutilsError("Download error for %s: %s" % (url, v)) from v
+ 
+-    def _download_url(self, scheme, url, tmpdir):
++    def _download_url(self, url, tmpdir):
+         # Determine download filename
+         #
+         name, fragment = egg_info_for_url(url)
+@@ -829,19 +830,59 @@ class PackageIndex(Environment):
+ 
+         filename = os.path.join(tmpdir, name)
+ 
+-        # Download the file
+-        #
+-        if scheme == 'svn' or scheme.startswith('svn+'):
+-            return self._download_svn(url, filename)
+-        elif scheme == 'git' or scheme.startswith('git+'):
+-            return self._download_git(url, filename)
+-        elif scheme.startswith('hg+'):
+-            return self._download_hg(url, filename)
+-        elif scheme == 'file':
+-            return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
+-        else:
+-            self.url_ok(url, True)  # raises error if not allowed
+-            return self._attempt_download(url, filename)
++        return self._download_vcs(url, filename) or self._download_other(url, filename)
++
++    @staticmethod
++    def _resolve_vcs(url):
++        """
++        >>> rvcs = PackageIndex._resolve_vcs
++        >>> rvcs('git+http://foo/bar')
++        'git'
++        >>> rvcs('hg+https://foo/bar')
++        'hg'
++        >>> rvcs('git:myhost')
++        'git'
++        >>> rvcs('hg:myhost')
++        >>> rvcs('http://foo/bar')
++        """
++        scheme = urllib.parse.urlsplit(url).scheme
++        pre, sep, post = scheme.partition('+')
++        # svn and git have their own protocol; hg does not
++        allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
++        return next(iter({pre} & allowed), None)
++
++    def _download_vcs(self, url, spec_filename):
++        vcs = self._resolve_vcs(url)
++        if not vcs:
++            return
++        if vcs == 'svn':
++            raise DistutilsError(
++                f"Invalid config, SVN download is not supported: {url}"
++            )
++
++        filename, _, _ = spec_filename.partition('#')
++        url, rev = self._vcs_split_rev_from_url(url)
++
++        self.info(f"Doing {vcs} clone from {url} to {filename}")
++        subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
++
++        co_commands = dict(
++            git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
++            hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
++        )
++        if rev is not None:
++            self.info(f"Checking out {rev}")
++            subprocess.check_call(co_commands[vcs])
++
++        return filename
++
++    def _download_other(self, url, filename):
++        scheme = urllib.parse.urlsplit(url).scheme
++        if scheme == 'file':  # pragma: no cover
++            return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
++        # raise error if not allowed
++        self.url_ok(url, True)
++        return self._attempt_download(url, filename)
+ 
+     def scan_url(self, url):
+         self.process_url(url, True)
+@@ -857,64 +898,36 @@ class PackageIndex(Environment):
+         os.unlink(filename)
+         raise DistutilsError(f"Unexpected HTML page found at {url}")
+ 
+-    def _download_svn(self, url, _filename):
+-        raise DistutilsError(f"Invalid config, SVN download is not supported: {url}")
+-
+     @staticmethod
+-    def _vcs_split_rev_from_url(url, pop_prefix=False):
+-        scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
++    def _vcs_split_rev_from_url(url):
++        """
++        Given a possible VCS URL, return a clean URL and resolved revision if any.
++        >>> vsrfu = PackageIndex._vcs_split_rev_from_url
++        >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
++        ('https://github.com/pypa/setuptools', 'v69.0.0')
++        >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
++        ('https://github.com/pypa/setuptools', None)
++        >>> vsrfu('http://foo/bar')
++        ('http://foo/bar', None)
++        """
++        parts = urllib.parse.urlsplit(url)
+ 
+-        scheme = scheme.split('+', 1)[-1]
++        clean_scheme = parts.scheme.split('+', 1)[-1]
+ 
+         # Some fragment identification fails
+-        path = path.split('#', 1)[0]
+-
+-        rev = None
+-        if '@' in path:
+-            path, rev = path.rsplit('@', 1)
+-
+-        # Also, discard fragment
+-        url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
+-
+-        return url, rev
+-
+-    def _download_git(self, url, filename):
+-        filename = filename.split('#', 1)[0]
+-        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+-
+-        self.info("Doing git clone from %s to %s", url, filename)
+-        os.system("git clone --quiet %s %s" % (url, filename))
+-
+-        if rev is not None:
+-            self.info("Checking out %s", rev)
+-            os.system(
+-                "git -C %s checkout --quiet %s"
+-                % (
+-                    filename,
+-                    rev,
+-                )
+-            )
++        no_fragment_path, _, _ = parts.path.partition('#')
+ 
+-        return filename
++        pre, sep, post = no_fragment_path.rpartition('@')
++        clean_path, rev = (pre, post) if sep else (post, None)
+ 
+-    def _download_hg(self, url, filename):
+-        filename = filename.split('#', 1)[0]
+-        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
++        resolved = parts._replace(
++            scheme=clean_scheme,
++            path=clean_path,
++            # discard the fragment
++            fragment='',
++        ).geturl()
+ 
+-        self.info("Doing hg clone from %s to %s", url, filename)
+-        os.system("hg clone --quiet %s %s" % (url, filename))
+-
+-        if rev is not None:
+-            self.info("Updating to %s", rev)
+-            os.system(
+-                "hg --cwd %s up -C -r %s -q"
+-                % (
+-                    filename,
+-                    rev,
+-                )
+-            )
+-
+-        return filename
++        return resolved, rev
+ 
+     def debug(self, msg, *args):
+         log.debug(msg, *args)
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 41b9661..e4cd91a 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -2,7 +2,6 @@ import distutils.errors
+ import urllib.request
+ import urllib.error
+ import http.client
+-from unittest import mock
+ 
+ import pytest
+ 
+@@ -171,49 +170,46 @@ class TestPackageIndex:
+             assert dists[0].version == ''
+             assert dists[1].version == vc
+ 
+-    def test_download_git_with_rev(self, tmpdir):
++    def test_download_git_with_rev(self, tmp_path, fp):
+         url = 'git+https://github.example/group/project@master#egg=foo'
+         index = setuptools.package_index.PackageIndex()
+ 
+-        with mock.patch("os.system") as os_system_mock:
+-            result = index.download(url, str(tmpdir))
++        expected_dir = tmp_path / 'project@master'
++        fp.register([
++            'git',
++            'clone',
++            '--quiet',
++            'https://github.example/group/project',
++            expected_dir,
++        ])
++        fp.register(['git', '-C', expected_dir, 'checkout', '--quiet', 'master'])
+ 
+-        os_system_mock.assert_called()
++        result = index.download(url, tmp_path)
+ 
+-        expected_dir = str(tmpdir / 'project@master')
+-        expected = (
+-            'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+-        ).format(**locals())
+-        first_call_args = os_system_mock.call_args_list[0][0]
+-        assert first_call_args == (expected,)
++        assert result == str(expected_dir)
++        assert len(fp.calls) == 2
+ 
+-        tmpl = 'git -C {expected_dir} checkout --quiet master'
+-        expected = tmpl.format(**locals())
+-        assert os_system_mock.call_args_list[1][0] == (expected,)
+-        assert result == expected_dir
+-
+-    def test_download_git_no_rev(self, tmpdir):
++    def test_download_git_no_rev(self, tmp_path, fp):
+         url = 'git+https://github.example/group/project#egg=foo'
+         index = setuptools.package_index.PackageIndex()
+ 
+-        with mock.patch("os.system") as os_system_mock:
+-            result = index.download(url, str(tmpdir))
+-
+-        os_system_mock.assert_called()
+-
+-        expected_dir = str(tmpdir / 'project')
+-        expected = (
+-            'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+-        ).format(**locals())
+-        os_system_mock.assert_called_once_with(expected)
+-
+-    def test_download_svn(self, tmpdir):
++        expected_dir = tmp_path / 'project'
++        fp.register([
++            'git',
++            'clone',
++            '--quiet',
++            'https://github.example/group/project',
++            expected_dir,
++        ])
++        index.download(url, tmp_path)
++
++    def test_download_svn(self, tmp_path):
+         url = 'svn+https://svn.example/project#egg=foo'
+         index = setuptools.package_index.PackageIndex()
+ 
+         msg = r".*SVN download is not supported.*"
+         with pytest.raises(distutils.errors.DistutilsError, match=msg):
+-            index.download(url, str(tmpdir))
++            index.download(url, tmp_path)
+ 
+ 
+ class TestContentCheckers:
+-- 
+2.40.0
+

meta/recipes-devtools/python/python3-setuptools_69.1.1.bb

@@ -9,7 +9,9 @@ inherit pypi python_setuptools_build_meta
 SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch"
 
 SRC_URI += " \
-            file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch"
+            file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \
+            file://CVE-2024-6345.patch \
+"
 
 SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"
 

meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch

@@ -0,0 +1,38 @@
+From d9d916d5ea946c945323679d1709de1b87029b96 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <tgamblin@baylibre.com>
+Date: Tue, 13 Aug 2024 11:07:05 -0400
+Subject: [PATCH] test_readline: skip limited history test
+
+This test was added recently and is failing on the ptest image when
+using the default PACKAGECONFIG settings (i.e. with editline instead of
+readline).. Disable it until the proper fix is determined.
+
+A bug has been opened upstream: https://github.com/python/cpython/issues/123018
+
+Upstream-Status: Inappropriate [OE-specific]
+
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
+---
+ Lib/test/test_readline.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: Python-3.12.6/Lib/test/test_readline.py
+===================================================================
+--- Python-3.12.6.orig/Lib/test/test_readline.py
++++ Python-3.12.6/Lib/test/test_readline.py
+@@ -133,6 +133,7 @@ class TestHistoryManipulation (unittest.
+         self.assertEqual(readline.get_history_item(1), "entrée 1")
+         self.assertEqual(readline.get_history_item(2), "entrée 22")
+ 
++    @unittest.skip("Skipping problematic test")
+     def test_write_read_limited_history(self):
+         previous_length = readline.get_history_length()
+         self.addCleanup(readline.set_history_length, previous_length)
+@@ -371,6 +372,7 @@ readline.write_history_file(history_file
+         self.assertIn(b"done", output)
+ 
+ 
++    @unittest.skip("Skipping problematic test")
+     def test_write_read_limited_history(self):
+         previous_length = readline.get_history_length()
+         self.addCleanup(readline.set_history_length, previous_length)

meta/recipes-devtools/python/python3_3.12.6.bb

@@ -34,13 +34,14 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \
 	   file://0001-test_deadlock-skip-problematic-test.patch \
 	   file://0001-test_active_children-skip-problematic-test.patch \
+           file://0001-test_readline-skip-limited-history-test.patch \
            "
 
 SRC_URI:append:class-native = " \
            file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
            "
 
-SRC_URI[sha256sum] = "f6d419a6d8743ab26700801b4908d26d97e8b986e14f95de31b32de2b0e79554"
+SRC_URI[sha256sum] = "1999658298cf2fb837dffed8ff3c033ef0c98ef20cf73c5d5f66bed5ab89697c"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"

meta/recipes-devtools/qemu/qemu.inc

@@ -40,6 +40,18 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \
            file://qemu-guest-agent.init \
            file://qemu-guest-agent.udev \
+           file://CVE-2024-4467-0001.patch \
+           file://CVE-2024-4467-0002.patch \
+           file://CVE-2024-4467-0003.patch \
+           file://CVE-2024-4467-0004.patch \
+           file://CVE-2024-4467-0005.patch \
+           file://CVE-2024-7409-0001.patch \
+           file://CVE-2024-7409-0002.patch \
+           file://CVE-2024-7409-0003.patch \
+           file://CVE-2024-7409-0004.patch \
+           file://0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch \
+           file://0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch \
+           file://0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 

meta/recipes-devtools/qemu/qemu/0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch

@@ -0,0 +1,75 @@
+From bbdcc89678daa5cb131ef22a6cd41a5f7f9dcea9 Mon Sep 17 00:00:00 2001
+From: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Date: Fri, 8 Dec 2023 15:38:31 -0300
+Subject: [PATCH 1/3] target/riscv/kvm: change KVM_REG_RISCV_FP_F to u32
+
+KVM_REG_RISCV_FP_F regs have u32 size according to the API, but by using
+kvm_riscv_reg_id() in RISCV_FP_F_REG() we're returning u64 sizes when
+running with TARGET_RISCV64. The most likely reason why no one noticed
+this is because we're not implementing kvm_cpu_synchronize_state() in
+RISC-V yet.
+
+Create a new helper that returns a KVM ID with u32 size and use it in
+RISCV_FP_F_REG().
+
+Reported-by: Andrew Jones <ajones@ventanamicro.com>
+Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Message-ID: <20231208183835.2411523-2-dbarboza@ventanamicro.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+(cherry picked from commit 49c211ffca00fdf7c0c29072c224e88527a14838)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+Upstream-Status: Backport [bbdcc89678daa5cb131ef22a6cd41a5f7f9dcea9]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ target/riscv/kvm/kvm-cpu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index c1675158fe..2eef2be86a 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -72,6 +72,11 @@ static uint64_t kvm_riscv_reg_id(CPURISCVState *env, uint64_t type,
+     return id;
+ }
+ 
++static uint64_t kvm_riscv_reg_id_u32(uint64_t type, uint64_t idx)
++{
++    return KVM_REG_RISCV | KVM_REG_SIZE_U32 | type | idx;
++}
++
+ #define RISCV_CORE_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_CORE, \
+                  KVM_REG_RISCV_CORE_REG(name))
+ 
+@@ -81,7 +86,7 @@ static uint64_t kvm_riscv_reg_id(CPURISCVState *env, uint64_t type,
+ #define RISCV_TIMER_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_TIMER, \
+                  KVM_REG_RISCV_TIMER_REG(name))
+ 
+-#define RISCV_FP_F_REG(env, idx)  kvm_riscv_reg_id(env, KVM_REG_RISCV_FP_F, idx)
++#define RISCV_FP_F_REG(idx)  kvm_riscv_reg_id_u32(KVM_REG_RISCV_FP_F, idx)
+ 
+ #define RISCV_FP_D_REG(env, idx)  kvm_riscv_reg_id(env, KVM_REG_RISCV_FP_D, idx)
+ 
+@@ -586,7 +591,7 @@ static int kvm_riscv_get_regs_fp(CPUState *cs)
+     if (riscv_has_ext(env, RVF)) {
+         uint32_t reg;
+         for (i = 0; i < 32; i++) {
+-            ret = kvm_get_one_reg(cs, RISCV_FP_F_REG(env, i), &reg);
++            ret = kvm_get_one_reg(cs, RISCV_FP_F_REG(i), &reg);
+             if (ret) {
+                 return ret;
+             }
+@@ -620,7 +625,7 @@ static int kvm_riscv_put_regs_fp(CPUState *cs)
+         uint32_t reg;
+         for (i = 0; i < 32; i++) {
+             reg = env->fpr[i];
+-            ret = kvm_set_one_reg(cs, RISCV_FP_F_REG(env, i), &reg);
++            ret = kvm_set_one_reg(cs, RISCV_FP_F_REG(i), &reg);
+             if (ret) {
+                 return ret;
+             }
+-- 
+2.25.1
+

meta/recipes-devtools/qemu/qemu/0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch

@@ -0,0 +1,73 @@
+From 125b95d79e746cbab6b72683b3382dd372e38c61 Mon Sep 17 00:00:00 2001
+From: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Date: Fri, 8 Dec 2023 15:38:32 -0300
+Subject: [PATCH 2/3] target/riscv/kvm: change KVM_REG_RISCV_FP_D to u64
+
+KVM_REG_RISCV_FP_D regs are always u64 size. Using kvm_riscv_reg_id() in
+RISCV_FP_D_REG() ends up encoding the wrong size if we're running with
+TARGET_RISCV32.
+
+Create a new helper that returns a KVM ID with u64 size and use it with
+RISCV_FP_D_REG().
+
+Reported-by: Andrew Jones <ajones@ventanamicro.com>
+Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Message-ID: <20231208183835.2411523-3-dbarboza@ventanamicro.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+(cherry picked from commit 450bd6618fda3d2e2ab02b2fce1c79efd5b66084)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+Upstream-Status: Backport [125b95d79e746cbab6b72683b3382dd372e38c61]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ target/riscv/kvm/kvm-cpu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index 2eef2be86a..82ed4455a5 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -77,6 +77,11 @@ static uint64_t kvm_riscv_reg_id_u32(uint64_t type, uint64_t idx)
+     return KVM_REG_RISCV | KVM_REG_SIZE_U32 | type | idx;
+ }
+ 
++static uint64_t kvm_riscv_reg_id_u64(uint64_t type, uint64_t idx)
++{
++    return KVM_REG_RISCV | KVM_REG_SIZE_U64 | type | idx;
++}
++
+ #define RISCV_CORE_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_CORE, \
+                  KVM_REG_RISCV_CORE_REG(name))
+ 
+@@ -88,7 +93,7 @@ static uint64_t kvm_riscv_reg_id_u32(uint64_t type, uint64_t idx)
+ 
+ #define RISCV_FP_F_REG(idx)  kvm_riscv_reg_id_u32(KVM_REG_RISCV_FP_F, idx)
+ 
+-#define RISCV_FP_D_REG(env, idx)  kvm_riscv_reg_id(env, KVM_REG_RISCV_FP_D, idx)
++#define RISCV_FP_D_REG(idx)  kvm_riscv_reg_id_u64(KVM_REG_RISCV_FP_D, idx)
+ 
+ #define KVM_RISCV_GET_CSR(cs, env, csr, reg) \
+     do { \
+@@ -579,7 +584,7 @@ static int kvm_riscv_get_regs_fp(CPUState *cs)
+     if (riscv_has_ext(env, RVD)) {
+         uint64_t reg;
+         for (i = 0; i < 32; i++) {
+-            ret = kvm_get_one_reg(cs, RISCV_FP_D_REG(env, i), &reg);
++            ret = kvm_get_one_reg(cs, RISCV_FP_D_REG(i), &reg);
+             if (ret) {
+                 return ret;
+             }
+@@ -613,7 +618,7 @@ static int kvm_riscv_put_regs_fp(CPUState *cs)
+         uint64_t reg;
+         for (i = 0; i < 32; i++) {
+             reg = env->fpr[i];
+-            ret = kvm_set_one_reg(cs, RISCV_FP_D_REG(env, i), &reg);
++            ret = kvm_set_one_reg(cs, RISCV_FP_D_REG(i), &reg);
+             if (ret) {
+                 return ret;
+             }
+-- 
+2.25.1
+

meta/recipes-devtools/qemu/qemu/0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch

@@ -0,0 +1,107 @@
+From cbae1080988e0f1af0fb4c816205f7647f6de16f Mon Sep 17 00:00:00 2001
+From: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Date: Fri, 8 Dec 2023 15:38:33 -0300
+Subject: [PATCH 3/3] target/riscv/kvm: change timer regs size to u64
+
+KVM_REG_RISCV_TIMER regs are always u64 according to the KVM API, but at
+this moment we'll return u32 regs if we're running a RISCV32 target.
+
+Use the kvm_riscv_reg_id_u64() helper in RISCV_TIMER_REG() to fix it.
+
+Reported-by: Andrew Jones <ajones@ventanamicro.com>
+Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Message-ID: <20231208183835.2411523-4-dbarboza@ventanamicro.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+(cherry picked from commit 10f86d1b845087d14b58d65dd2a6e3411d1b6529)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+Upstream-Status: Backport [cbae1080988e0f1af0fb4c816205f7647f6de16f]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ target/riscv/kvm/kvm-cpu.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index 82ed4455a5..ddbe820e10 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -88,7 +88,7 @@ static uint64_t kvm_riscv_reg_id_u64(uint64_t type, uint64_t idx)
+ #define RISCV_CSR_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_CSR, \
+                  KVM_REG_RISCV_CSR_REG(name))
+ 
+-#define RISCV_TIMER_REG(env, name)  kvm_riscv_reg_id(env, KVM_REG_RISCV_TIMER, \
++#define RISCV_TIMER_REG(name)  kvm_riscv_reg_id_u64(KVM_REG_RISCV_TIMER, \
+                  KVM_REG_RISCV_TIMER_REG(name))
+ 
+ #define RISCV_FP_F_REG(idx)  kvm_riscv_reg_id_u32(KVM_REG_RISCV_FP_F, idx)
+@@ -111,17 +111,17 @@ static uint64_t kvm_riscv_reg_id_u64(uint64_t type, uint64_t idx)
+         } \
+     } while (0)
+ 
+-#define KVM_RISCV_GET_TIMER(cs, env, name, reg) \
++#define KVM_RISCV_GET_TIMER(cs, name, reg) \
+     do { \
+-        int ret = kvm_get_one_reg(cs, RISCV_TIMER_REG(env, name), &reg); \
++        int ret = kvm_get_one_reg(cs, RISCV_TIMER_REG(name), &reg); \
+         if (ret) { \
+             abort(); \
+         } \
+     } while (0)
+ 
+-#define KVM_RISCV_SET_TIMER(cs, env, name, reg) \
++#define KVM_RISCV_SET_TIMER(cs, name, reg) \
+     do { \
+-        int ret = kvm_set_one_reg(cs, RISCV_TIMER_REG(env, name), &reg); \
++        int ret = kvm_set_one_reg(cs, RISCV_TIMER_REG(name), &reg); \
+         if (ret) { \
+             abort(); \
+         } \
+@@ -649,10 +649,10 @@ static void kvm_riscv_get_regs_timer(CPUState *cs)
+         return;
+     }
+ 
+-    KVM_RISCV_GET_TIMER(cs, env, time, env->kvm_timer_time);
+-    KVM_RISCV_GET_TIMER(cs, env, compare, env->kvm_timer_compare);
+-    KVM_RISCV_GET_TIMER(cs, env, state, env->kvm_timer_state);
+-    KVM_RISCV_GET_TIMER(cs, env, frequency, env->kvm_timer_frequency);
++    KVM_RISCV_GET_TIMER(cs, time, env->kvm_timer_time);
++    KVM_RISCV_GET_TIMER(cs, compare, env->kvm_timer_compare);
++    KVM_RISCV_GET_TIMER(cs, state, env->kvm_timer_state);
++    KVM_RISCV_GET_TIMER(cs, frequency, env->kvm_timer_frequency);
+ 
+     env->kvm_timer_dirty = true;
+ }
+@@ -666,8 +666,8 @@ static void kvm_riscv_put_regs_timer(CPUState *cs)
+         return;
+     }
+ 
+-    KVM_RISCV_SET_TIMER(cs, env, time, env->kvm_timer_time);
+-    KVM_RISCV_SET_TIMER(cs, env, compare, env->kvm_timer_compare);
++    KVM_RISCV_SET_TIMER(cs, time, env->kvm_timer_time);
++    KVM_RISCV_SET_TIMER(cs, compare, env->kvm_timer_compare);
+ 
+     /*
+      * To set register of RISCV_TIMER_REG(state) will occur a error from KVM
+@@ -676,7 +676,7 @@ static void kvm_riscv_put_regs_timer(CPUState *cs)
+      * TODO If KVM changes, adapt here.
+      */
+     if (env->kvm_timer_state) {
+-        KVM_RISCV_SET_TIMER(cs, env, state, env->kvm_timer_state);
++        KVM_RISCV_SET_TIMER(cs, state, env->kvm_timer_state);
+     }
+ 
+     /*
+@@ -685,7 +685,7 @@ static void kvm_riscv_put_regs_timer(CPUState *cs)
+      * during the migration.
+      */
+     if (migration_is_running(migrate_get_current()->state)) {
+-        KVM_RISCV_GET_TIMER(cs, env, frequency, reg);
++        KVM_RISCV_GET_TIMER(cs, frequency, reg);
+         if (reg != env->kvm_timer_frequency) {
+             error_report("Dst Hosts timer frequency != Src Hosts");
+         }
+-- 
+2.25.1
+

meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0001.patch

@@ -0,0 +1,112 @@
+From bd385a5298d7062668e804d73944d52aec9549f1 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Fri, 16 Aug 2024 08:29:04 +0000
+Subject: [PATCH] qcow2: Don't open data_file with BDRV_O_NO_IO
+
+One use case for 'qemu-img info' is verifying that untrusted images
+don't reference an unwanted external file, be it as a backing file or an
+external data file. To make sure that calling 'qemu-img info' can't
+already have undesired side effects with a malicious image, just don't
+open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do
+I/O, we don't need to have it open.
+
+This changes the output of iotests case 061, which used 'qemu-img info'
+to show that opening an image with an invalid data file fails. After
+this patch, it succeeds. Replace this part of the test with a qemu-io
+call, but keep the final 'qemu-img info' to show that the invalid data
+file is correctly displayed in the output.
+
+Fixes: CVE-2024-4467
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
+
+CVE: CVE-2024-4667
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/bd385a5298d7062668e804d73944d52aec9549f1]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ block/qcow2.c              | 17 ++++++++++++++++-
+ tests/qemu-iotests/061     |  6 ++++--
+ tests/qemu-iotests/061.out |  8 ++++++--
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/block/qcow2.c b/block/qcow2.c
+index 13e032bd5..7af7c0bee 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -1636,7 +1636,22 @@ qcow2_do_open(BlockDriverState *bs, QDict *options, int flags,
+         goto fail;
+     }
+
+-    if (open_data_file) {
++    if (open_data_file && (flags & BDRV_O_NO_IO)) {
++        /*
++         * Don't open the data file for 'qemu-img info' so that it can be used
++         * to verify that an untrusted qcow2 image doesn't refer to external
++         * files.
++         *
++         * Note: This still makes has_data_file() return true.
++         */
++        if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
++            s->data_file = NULL;
++        } else {
++            s->data_file = bs->file;
++        }
++        qdict_extract_subqdict(options, NULL, "data-file.");
++        qdict_del(options, "data-file");
++    } else if (open_data_file) {
+         /* Open external data file */
+         bdrv_graph_co_rdunlock();
+         s->data_file = bdrv_co_open_child(NULL, options, "data-file", bs,
+diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061
+index 53c7d428e..b71ac097d 100755
+--- a/tests/qemu-iotests/061
++++ b/tests/qemu-iotests/061
+@@ -326,12 +326,14 @@ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
+ echo
+ _make_test_img -o "compat=1.1,data_file=$TEST_IMG.data" 64M
+ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
+-_img_info --format-specific
++$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
++$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
+ TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
+
+ echo
+ $QEMU_IMG amend -o "data_file=" --image-opts "data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG"
+-_img_info --format-specific
++$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
++$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
+ TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
+
+ echo
+diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
+index 139fc6817..24c33add7 100644
+--- a/tests/qemu-iotests/061.out
++++ b/tests/qemu-iotests/061.out
+@@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+ qemu-img: data-file can only be set for images that use an external data file
+
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data
+-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open 'foo': No such file or directory
++qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No such file or directory
++read 4096/4096 bytes at offset 0
++4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ image: TEST_DIR/t.IMGFMT
+ file format: IMGFMT
+ virtual size: 64 MiB (67108864 bytes)
+@@ -560,7 +562,9 @@ Format specific information:
+     corrupt: false
+     extended l2: false
+
+-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for this image
++qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for this image
++read 4096/4096 bytes at offset 0
++4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+ image: TEST_DIR/t.IMGFMT
+ file format: IMGFMT
+ virtual size: 64 MiB (67108864 bytes)
+--
+2.40.0

meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0002.patch

@@ -0,0 +1,55 @@
+From 2eb42a728d27a43fdcad5f37d3f65706ce6deba5 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Fri, 16 Aug 2024 09:35:24 +0000
+Subject: [PATCH] iotests/244: Don't store data-file with protocol in image
+
+We want to disable filename parsing for data files because it's too easy
+to abuse in malicious image files. Make the test ready for the change by
+passing the data file explicitly in command line options.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
+
+CVE: CVE-2024-4467
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/2eb42a728d27a43fdcad5f37d3f65706ce6deba5]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tests/qemu-iotests/244 | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/244 b/tests/qemu-iotests/244
+index 3e61fa25b..bb9cc6512 100755
+--- a/tests/qemu-iotests/244
++++ b/tests/qemu-iotests/244
+@@ -215,9 +215,22 @@ $QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
+ $QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
+
+ # blkdebug doesn't support copy offloading, so this tests the error path
+-$QEMU_IMG amend -f $IMGFMT -o "data_file=blkdebug::$TEST_IMG.data" "$TEST_IMG"
+-$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
+-$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
++test_img_with_blkdebug="json:{
++    'driver': 'qcow2',
++    'file': {
++        'driver': 'file',
++        'filename': '$TEST_IMG'
++    },
++    'data-file': {
++        'driver': 'blkdebug',
++        'image': {
++            'driver': 'file',
++            'filename': '$TEST_IMG.data'
++        }
++    }
++}"
++$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$test_img_with_blkdebug"
++$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$test_img_with_blkdebug"
+
+ echo
+ echo "=== Flushing should flush the data file ==="
+--
+2.40.0

meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0003.patch

@@ -0,0 +1,57 @@
+From 7e1110664ecbc4826f3c978ccb06b6c1bce823e6 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Fri, 16 Aug 2024 10:24:58 +0000
+Subject: [PATCH] iotests/270: Don't store data-file with json: prefix in image
+
+We want to disable filename parsing for data files because it's too easy
+to abuse in malicious image files. Make the test ready for the change by
+passing the data file explicitly in command line options.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
+
+CVE: CVE-2024-4467
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7e1110664ecbc4826f3c978ccb06b6c1bce823e6]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tests/qemu-iotests/270 | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/270 b/tests/qemu-iotests/270
+index 74352342d..c37b674aa 100755
+--- a/tests/qemu-iotests/270
++++ b/tests/qemu-iotests/270
+@@ -60,8 +60,16 @@ _make_test_img -o cluster_size=2M,data_file="$TEST_IMG.orig" \
+ # "write" 2G of data without using any space.
+ # (qemu-img create does not like it, though, because null-co does not
+ # support image creation.)
+-$QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \
+-    "$TEST_IMG"
++test_img_with_null_data="json:{
++    'driver': '$IMGFMT',
++    'file': {
++        'filename': '$TEST_IMG'
++    },
++    'data-file': {
++        'driver': 'null-co',
++        'size':'4294967296'
++    }
++}"
+
+ # This gives us a range of:
+ #   2^31 - 512 + 768 - 1 = 2^31 + 255 > 2^31
+@@ -74,7 +82,7 @@ $QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \
+ # on L2 boundaries, we need large L2 tables; hence the cluster size of
+ # 2 MB.  (Anything from 256 kB should work, though, because then one L2
+ # table covers 8 GB.)
+-$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$TEST_IMG" | _filter_qemu_io
++$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$test_img_with_null_data" | _filter_qemu_io
+
+ _check_test_img
+
+--
+2.40.0

meta/recipes-devtools/qemu/qemu/CVE-2024-4467-0005.patch

@@ -0,0 +1,239 @@
+From 7ead946998610657d38d1a505d5f25300d4ca613 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 25 Apr 2024 14:56:02 +0000
+Subject: [PATCH] block: Parse filenames only when explicitly requested
+
+When handling image filenames from legacy options such as -drive or from
+tools, these filenames are parsed for protocol prefixes, including for
+the json:{} pseudo-protocol.
+
+This behaviour is intended for filenames that come directly from the
+command line and for backing files, which may come from the image file
+itself. Higher level management tools generally take care to verify that
+untrusted images don't contain a bad (or any) backing file reference;
+'qemu-img info' is a suitable tool for this.
+
+However, for other files that can be referenced in images, such as
+qcow2 data files or VMDK extents, the string from the image file is
+usually not verified by management tools - and 'qemu-img info' wouldn't
+be suitable because in contrast to backing files, it already opens these
+other referenced files. So here the string should be interpreted as a
+literal local filename. More complex configurations need to be specified
+explicitly on the command line or in QMP...
+
+CVE: CVE-2024-4467
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7ead946998610657d38d1a505d5f25300d4ca613]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ block.c | 94 ++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 57 insertions(+), 37 deletions(-)
+
+diff --git a/block.c b/block.c
+index 25e1ebc60..f3cb32cd7 100644
+--- a/block.c
++++ b/block.c
+@@ -86,6 +86,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
+                                            BlockDriverState *parent,
+                                            const BdrvChildClass *child_class,
+                                            BdrvChildRole child_role,
++                                           bool parse_filename,
+                                            Error **errp);
+
+ static bool bdrv_recurse_has_child(BlockDriverState *bs,
+@@ -2047,7 +2048,8 @@ static void parse_json_protocol(QDict *options, const char **pfilename,
+  * block driver has been specified explicitly.
+  */
+ static int bdrv_fill_options(QDict **options, const char *filename,
+-                             int *flags, Error **errp)
++                             int *flags, bool allow_parse_filename,
++                             Error **errp)
+ {
+     const char *drvname;
+     bool protocol = *flags & BDRV_O_PROTOCOL;
+@@ -2089,7 +2091,7 @@ static int bdrv_fill_options(QDict **options, const char *filename,
+     if (protocol && filename) {
+         if (!qdict_haskey(*options, "filename")) {
+             qdict_put_str(*options, "filename", filename);
+-            parse_filename = true;
++            parse_filename = allow_parse_filename;
+         } else {
+             error_setg(errp, "Can't specify 'file' and 'filename' options at "
+                              "the same time");
+@@ -3675,7 +3677,8 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *parent_options,
+     }
+
+     backing_hd = bdrv_open_inherit(backing_filename, reference, options, 0, bs,
+-                                   &child_of_bds, bdrv_backing_role(bs), errp);
++                                   &child_of_bds, bdrv_backing_role(bs), true,
++                                   errp);
+     if (!backing_hd) {
+         bs->open_flags |= BDRV_O_NO_BACKING;
+         error_prepend(errp, "Could not open backing file: ");
+@@ -3712,7 +3715,8 @@ free_exit:
+ static BlockDriverState *
+ bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
+                    BlockDriverState *parent, const BdrvChildClass *child_class,
+-                   BdrvChildRole child_role, bool allow_none, Error **errp)
++                   BdrvChildRole child_role, bool allow_none,
++                   bool parse_filename, Error **errp)
+ {
+     BlockDriverState *bs = NULL;
+     QDict *image_options;
+@@ -3743,7 +3747,8 @@ bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
+     }
+
+     bs = bdrv_open_inherit(filename, reference, image_options, 0,
+-                           parent, child_class, child_role, errp);
++                           parent, child_class, child_role, parse_filename,
++                           errp);
+     if (!bs) {
+         goto done;
+     }
+@@ -3753,6 +3758,33 @@ done:
+     return bs;
+ }
+
++static BdrvChild *bdrv_open_child_common(const char *filename,
++                                         QDict *options, const char *bdref_key,
++                                         BlockDriverState *parent,
++                                         const BdrvChildClass *child_class,
++                                         BdrvChildRole child_role,
++                                         bool allow_none, bool parse_filename,
++                                         Error **errp)
++{
++    BlockDriverState *bs;
++    BdrvChild *child;
++
++    GLOBAL_STATE_CODE();
++
++    bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class,
++                            child_role, allow_none, parse_filename, errp);
++    if (bs == NULL) {
++        return NULL;
++    }
++
++    bdrv_graph_wrlock();
++    child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role,
++                              errp);
++    bdrv_graph_wrunlock();
++
++    return child;
++}
++
+ /*
+  * Opens a disk image whose options are given as BlockdevRef in another block
+  * device's options.
+@@ -3778,31 +3810,15 @@ BdrvChild *bdrv_open_child(const char *filename,
+                            BdrvChildRole child_role,
+                            bool allow_none, Error **errp)
+ {
+-    BlockDriverState *bs;
+-    BdrvChild *child;
+-    AioContext *ctx;
+-
+-    GLOBAL_STATE_CODE();
+-
+-    bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class,
+-                            child_role, allow_none, errp);
+-    if (bs == NULL) {
+-        return NULL;
+-    }
+-
+-    bdrv_graph_wrlock();
+-    ctx = bdrv_get_aio_context(bs);
+-    aio_context_acquire(ctx);
+-    child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role,
+-                              errp);
+-    aio_context_release(ctx);
+-    bdrv_graph_wrunlock();
+-
+-    return child;
++   return bdrv_open_child_common(filename, options, bdref_key, parent,
++                                  child_class, child_role, allow_none, false,
++                                  errp);
+ }
+
+ /*
+- * Wrapper on bdrv_open_child() for most popular case: open primary child of bs.
++ * This does mostly the same as bdrv_open_child(), but for opening the primary
++ * child of a node. A notable difference from bdrv_open_child() is that it
++ * enables filename parsing for protocol names (including json:).
+  *
+  * The caller must hold the lock of the main AioContext and no other AioContext.
+  * @parent can move to a different AioContext in this function. Callers must
+@@ -3819,8 +3835,8 @@ int bdrv_open_file_child(const char *filename,
+     role = parent->drv->is_filter ?
+         (BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY) : BDRV_CHILD_IMAGE;
+
+-    if (!bdrv_open_child(filename, options, bdref_key, parent,
+-                         &child_of_bds, role, false, errp))
++    if (!bdrv_open_child_common(filename, options, bdref_key, parent,
++                                &child_of_bds, role, false, true, errp))
+     {
+         return -EINVAL;
+     }
+@@ -3865,7 +3881,8 @@ BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp)
+
+     }
+
+-    bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, errp);
++    bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, false,
++                           errp);
+     obj = NULL;
+     qobject_unref(obj);
+     visit_free(v);
+@@ -3962,7 +3979,7 @@ static BlockDriverState * no_coroutine_fn
+ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
+                   int flags, BlockDriverState *parent,
+                   const BdrvChildClass *child_class, BdrvChildRole child_role,
+-                  Error **errp)
++                  bool parse_filename, Error **errp)
+ {
+     int ret;
+     BlockBackend *file = NULL;
+@@ -4011,9 +4028,11 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
+     }
+
+     /* json: syntax counts as explicit options, as if in the QDict */
+-    parse_json_protocol(options, &filename, &local_err);
+-    if (local_err) {
+-        goto fail;
++    if (parse_filename) {
++        parse_json_protocol(options, &filename, &local_err);
++        if (local_err) {
++            goto fail;
++        }
+     }
+
+     bs->explicit_options = qdict_clone_shallow(options);
+@@ -4038,7 +4057,8 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
+                                      parent->open_flags, parent->options);
+     }
+
+-    ret = bdrv_fill_options(&options, filename, &flags, &local_err);
++    ret = bdrv_fill_options(&options, filename, &flags, parse_filename,
++                            &local_err);
+     if (ret < 0) {
+         goto fail;
+     }
+@@ -4107,7 +4127,7 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
+
+         file_bs = bdrv_open_child_bs(filename, options, "file", bs,
+                                      &child_of_bds, BDRV_CHILD_IMAGE,
+-                                     true, &local_err);
++                                     true, true, &local_err);
+         if (local_err) {
+             goto fail;
+         }
+@@ -4270,7 +4290,7 @@ BlockDriverState *bdrv_open(const char *filename, const char *reference,
+     GLOBAL_STATE_CODE();
+
+     return bdrv_open_inherit(filename, reference, options, flags, NULL,
+-                             NULL, 0, errp);
++                             NULL, 0, true, errp);
+ }
+
+ /* Return true if the NULL-terminated @list contains @str */
+--
+2.40.0

meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0001.patch

@@ -0,0 +1,167 @@
+From fb1c2aaa981e0a2fa6362c9985f1296b74f055ac Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 7 Aug 2024 08:50:01 -0500
+Subject: [PATCH] nbd/server: Plumb in new args to nbd_client_add()
+
+Upcoming patches to fix a CVE need to track an opaque pointer passed
+in by the owner of a client object, as well as request for a time
+limit on how fast negotiation must complete.  Prepare for that by
+changing the signature of nbd_client_new() and adding an accessor to
+get at the opaque pointer, although for now the two servers
+(qemu-nbd.c and blockdev-nbd.c) do not change behavior even though
+they pass in a new default timeout value.
+
+Suggested-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-11-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+[eblake: s/LIMIT/MAX_SECS/ as suggested by Dan]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+CVE: CVE-2024-7409
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/fb1c2aaa981e0a2fa6362c9985f1296b74f055ac]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ blockdev-nbd.c      |  6 ++++--
+ include/block/nbd.h | 11 ++++++++++-
+ nbd/server.c        | 20 +++++++++++++++++---
+ qemu-nbd.c          |  4 +++-
+ 4 files changed, 34 insertions(+), 7 deletions(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 213012435..267a1de90 100644
+--- a/blockdev-nbd.c
++++ b/blockdev-nbd.c
+@@ -64,8 +64,10 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+     nbd_update_server_watch(nbd_server);
+
+     qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
+-    nbd_client_new(cioc, nbd_server->tlscreds, nbd_server->tlsauthz,
+-                   nbd_blockdev_client_closed);
++    /* TODO - expose handshake timeout as QMP option */
++    nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS,
++                   nbd_server->tlscreds, nbd_server->tlsauthz,
++                   nbd_blockdev_client_closed, NULL);
+ }
+
+ static void nbd_update_server_watch(NBDServerData *s)
+diff --git a/include/block/nbd.h b/include/block/nbd.h
+index 4e7bd6342..1d4d65922 100644
+--- a/include/block/nbd.h
++++ b/include/block/nbd.h
+@@ -33,6 +33,12 @@ typedef struct NBDMetaContexts NBDMetaContexts;
+
+ extern const BlockExportDriver blk_exp_nbd;
+
++/*
++ * NBD_DEFAULT_HANDSHAKE_MAX_SECS: Number of seconds in which client must
++ * succeed at NBD_OPT_GO before being forcefully dropped as too slow.
++ */
++#define NBD_DEFAULT_HANDSHAKE_MAX_SECS 10
++
+ /* Handshake phase structs - this struct is passed on the wire */
+
+ typedef struct NBDOption {
+@@ -403,9 +409,12 @@ AioContext *nbd_export_aio_context(NBDExport *exp);
+ NBDExport *nbd_export_find(const char *name);
+
+ void nbd_client_new(QIOChannelSocket *sioc,
++                    uint32_t handshake_max_secs,
+                     QCryptoTLSCreds *tlscreds,
+                     const char *tlsauthz,
+-                    void (*close_fn)(NBDClient *, bool));
++                    void (*close_fn)(NBDClient *, bool),
++                    void *owner);
++void *nbd_client_owner(NBDClient *client);
+ void nbd_client_get(NBDClient *client);
+ void nbd_client_put(NBDClient *client);
+
+diff --git a/nbd/server.c b/nbd/server.c
+index 091b57119..f8881936e 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -124,12 +124,14 @@ struct NBDMetaContexts {
+ struct NBDClient {
+     int refcount; /* atomic */
+     void (*close_fn)(NBDClient *client, bool negotiated);
++    void *owner;
+
+     QemuMutex lock;
+
+     NBDExport *exp;
+     QCryptoTLSCreds *tlscreds;
+     char *tlsauthz;
++    uint32_t handshake_max_secs;
+     QIOChannelSocket *sioc; /* The underlying data channel */
+     QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
+
+@@ -3160,6 +3162,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
+
+     qemu_co_mutex_init(&client->send_lock);
+
++    /* TODO - utilize client->handshake_max_secs */
+     if (nbd_negotiate(client, &local_err)) {
+         if (local_err) {
+             error_report_err(local_err);
+@@ -3174,14 +3177,17 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
+ }
+
+ /*
+- * Create a new client listener using the given channel @sioc.
++ * Create a new client listener using the given channel @sioc and @owner.
+  * Begin servicing it in a coroutine.  When the connection closes, call
+- * @close_fn with an indication of whether the client completed negotiation.
++ * @close_fn with an indication of whether the client completed negotiation
++ * within @handshake_max_secs seconds (0 for unbounded).
+  */
+ void nbd_client_new(QIOChannelSocket *sioc,
++                    uint32_t handshake_max_secs,
+                     QCryptoTLSCreds *tlscreds,
+                     const char *tlsauthz,
+-                    void (*close_fn)(NBDClient *, bool))
++                    void (*close_fn)(NBDClient *, bool),
++                    void *owner)
+ {
+     NBDClient *client;
+     Coroutine *co;
+@@ -3194,13 +3200,21 @@ void nbd_client_new(QIOChannelSocket *sioc,
+         object_ref(OBJECT(client->tlscreds));
+     }
+     client->tlsauthz = g_strdup(tlsauthz);
++    client->handshake_max_secs = handshake_max_secs;
+     client->sioc = sioc;
+     qio_channel_set_delay(QIO_CHANNEL(sioc), false);
+     object_ref(OBJECT(client->sioc));
+     client->ioc = QIO_CHANNEL(sioc);
+     object_ref(OBJECT(client->ioc));
+     client->close_fn = close_fn;
++    client->owner = owner;
+
+     co = qemu_coroutine_create(nbd_co_client_start, client);
+     qemu_coroutine_enter(co);
+ }
++
++void *
++nbd_client_owner(NBDClient *client)
++{
++    return client->owner;
++}
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index 186e6468b..5fa399c0b 100644
+--- a/qemu-nbd.c
++++ b/qemu-nbd.c
+@@ -389,7 +389,9 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+
+     nb_fds++;
+     nbd_update_server_watch();
+-    nbd_client_new(cioc, tlscreds, tlsauthz, nbd_client_closed);
++    /* TODO - expose handshake timeout as command line option */
++    nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS,
++                   tlscreds, tlsauthz, nbd_client_closed, NULL);
+ }
+
+ static void nbd_update_server_watch(void)
+--
+2.40.0

meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0002.patch

@@ -0,0 +1,175 @@
+From c8a76dbd90c2f48df89b75bef74917f90a59b623 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Tue, 6 Aug 2024 13:53:00 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Cap default max-connections to 100
+
+Allowing an unlimited number of clients to any web service is a recipe
+for a rudimentary denial of service attack: the client merely needs to
+open lots of sockets without closing them, until qemu no longer has
+any more fds available to allocate.
+
+For qemu-nbd, we default to allowing only 1 connection unless more are
+explicitly asked for (-e or --shared); this was historically picked as
+a nice default (without an explicit -t, a non-persistent qemu-nbd goes
+away after a client disconnects, without needing any additional
+follow-up commands), and we are not going to change that interface now
+(besides, someday we want to point people towards qemu-storage-daemon
+instead of qemu-nbd).
+
+But for qemu proper, and the newer qemu-storage-daemon, the QMP
+nbd-server-start command has historically had a default of unlimited
+number of connections, in part because unlike qemu-nbd it is
+inherently persistent until nbd-server-stop.  Allowing multiple client
+sockets is particularly useful for clients that can take advantage of
+MULTI_CONN (creating parallel sockets to increase throughput),
+although known clients that do so (such as libnbd's nbdcopy) typically
+use only 8 or 16 connections (the benefits of scaling diminish once
+more sockets are competing for kernel attention).  Picking a number
+large enough for typical use cases, but not unlimited, makes it
+slightly harder for a malicious client to perform a denial of service
+merely by opening lots of connections withot progressing through the
+handshake.
+
+This change does not eliminate CVE-2024-7409 on its own, but reduces
+the chance for fd exhaustion or unlimited memory usage as an attack
+surface.  On the other hand, by itself, it makes it more obvious that
+with a finite limit, we have the problem of an unauthenticated client
+holding 100 fds opened as a way to block out a legitimate client from
+being able to connect; thus, later patches will further add timeouts
+to reject clients that are not making progress.
+
+This is an INTENTIONAL change in behavior, and will break any client
+of nbd-server-start that was not passing an explicit max-connections
+parameter, yet expects more than 100 simultaneous connections.  We are
+not aware of any such client (as stated above, most clients aware of
+MULTI_CONN get by just fine on 8 or 16 connections, and probably cope
+with later connections failing by relying on the earlier connections;
+libvirt has not yet been passing max-connections, but generally
+creates NBD servers with the intent for a single client for the sake
+of live storage migration; meanwhile, the KubeSAN project anticipates
+a large cluster sharing multiple clients [up to 8 per node, and up to
+100 nodes in a cluster], but it currently uses qemu-nbd with an
+explicit --shared=0 rather than qemu-storage-daemon with
+nbd-server-start).
+
+We considered using a deprecation period (declare that omitting
+max-parameters is deprecated, and make it mandatory in 3 releases -
+then we don't need to pick an arbitrary default); that has zero risk
+of breaking any apps that accidentally depended on more than 100
+connections, and where such breakage might not be noticed under unit
+testing but only under the larger loads of production usage.  But it
+does not close the denial-of-service hole until far into the future,
+and requires all apps to change to add the parameter even if 100 was
+good enough.  It also has a drawback that any app (like libvirt) that
+is accidentally relying on an unlimited default should seriously
+consider their own CVE now, at which point they are going to change to
+pass explicit max-connections sooner than waiting for 3 qemu releases.
+Finally, if our changed default breaks an app, that app can always
+pass in an explicit max-parameters with a larger value.
+
+It is also intentional that the HMP interface to nbd-server-start is
+not changed to expose max-connections (any client needing to fine-tune
+things should be using QMP).
+
+Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-12-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+[ericb: Expand commit message to summarize Dan's argument for why we
+break corner-case back-compat behavior without a deprecation period]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+CVE: CVE-2024-7409
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/c8a76dbd90c2f48df89b75bef74917f90a59b623]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ block/monitor/block-hmp-cmds.c | 3 ++-
+ blockdev-nbd.c                 | 8 ++++++++
+ include/block/nbd.h            | 7 +++++++
+ qapi/block-export.json         | 4 ++--
+ 4 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
+index c729cbf1e..78a697585 100644
+--- a/block/monitor/block-hmp-cmds.c
++++ b/block/monitor/block-hmp-cmds.c
+@@ -415,7 +415,8 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict)
+         goto exit;
+     }
+
+-    nbd_server_start(addr, NULL, NULL, 0, &local_err);
++    nbd_server_start(addr, NULL, NULL, NBD_DEFAULT_MAX_CONNECTIONS,
++                     &local_err);
+     qapi_free_SocketAddress(addr);
+     if (local_err != NULL) {
+         goto exit;
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 267a1de90..24ba5382d 100644
+--- a/blockdev-nbd.c
++++ b/blockdev-nbd.c
+@@ -170,6 +170,10 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
+
+ void nbd_server_start_options(NbdServerOptions *arg, Error **errp)
+ {
++    if (!arg->has_max_connections) {
++        arg->max_connections = NBD_DEFAULT_MAX_CONNECTIONS;
++    }
++
+     nbd_server_start(arg->addr, arg->tls_creds, arg->tls_authz,
+                      arg->max_connections, errp);
+ }
+@@ -182,6 +186,10 @@ void qmp_nbd_server_start(SocketAddressLegacy *addr,
+ {
+     SocketAddress *addr_flat = socket_address_flatten(addr);
+
++    if (!has_max_connections) {
++        max_connections = NBD_DEFAULT_MAX_CONNECTIONS;
++    }
++
+     nbd_server_start(addr_flat, tls_creds, tls_authz, max_connections, errp);
+     qapi_free_SocketAddress(addr_flat);
+ }
+diff --git a/include/block/nbd.h b/include/block/nbd.h
+index 1d4d65922..d4f8b21ae 100644
+--- a/include/block/nbd.h
++++ b/include/block/nbd.h
+@@ -39,6 +39,13 @@ extern const BlockExportDriver blk_exp_nbd;
+  */
+ #define NBD_DEFAULT_HANDSHAKE_MAX_SECS 10
+
++/*
++ * NBD_DEFAULT_MAX_CONNECTIONS: Number of client sockets to allow at
++ * once; must be large enough to allow a MULTI_CONN-aware client like
++ * nbdcopy to create its typical number of 8-16 sockets.
++ */
++#define NBD_DEFAULT_MAX_CONNECTIONS 100
++
+ /* Handshake phase structs - this struct is passed on the wire */
+
+ typedef struct NBDOption {
+diff --git a/qapi/block-export.json b/qapi/block-export.json
+index 7874a49ba..1d255d77e 100644
+--- a/qapi/block-export.json
++++ b/qapi/block-export.json
+@@ -28,7 +28,7 @@
+ # @max-connections: The maximum number of connections to allow at the
+ #     same time, 0 for unlimited.  Setting this to 1 also stops the
+ #     server from advertising multiple client support (since 5.2;
+-#     default: 0)
++#     default: 100)
+ #
+ # Since: 4.2
+ ##
+@@ -63,7 +63,7 @@
+ # @max-connections: The maximum number of connections to allow at the
+ #     same time, 0 for unlimited.  Setting this to 1 also stops the
+ #     server from advertising multiple client support (since 5.2;
+-#     default: 0).
++#     default: 100).
+ #
+ # Returns: error if the server is already running.
+ #
+--
+2.40.0

meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0003.patch

@@ -0,0 +1,126 @@
+From b9b72cb3ce15b693148bd09cef7e50110566d8a0 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 8 Aug 2024 16:05:08 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Drop non-negotiating clients
+
+A client that opens a socket but does not negotiate is merely hogging
+qemu's resources (an open fd and a small amount of memory); and a
+malicious client that can access the port where NBD is listening can
+attempt a denial of service attack by intentionally opening and
+abandoning lots of unfinished connections.  The previous patch put a
+default bound on the number of such ongoing connections, but once that
+limit is hit, no more clients can connect (including legitimate ones).
+The solution is to insist that clients complete handshake within a
+reasonable time limit, defaulting to 10 seconds.  A client that has
+not successfully completed NBD_OPT_GO by then (including the case of
+where the client didn't know TLS credentials to even reach the point
+of NBD_OPT_GO) is wasting our time and does not deserve to stay
+connected.  Later patches will allow fine-tuning the limit away from
+the default value (including disabling it for doing integration
+testing of the handshake process itself).
+
+Note that this patch in isolation actually makes it more likely to see
+qemu SEGV after nbd-server-stop, as any client socket still connected
+when the server shuts down will now be closed after 10 seconds rather
+than at the client's whims.  That will be addressed in the next patch.
+
+For a demo of this patch in action:
+$ qemu-nbd -f raw -r -t -e 10 file &
+$ nbdsh --opt-mode -c '
+H = list()
+for i in range(20):
+  print(i)
+  H.insert(i, nbd.NBD())
+  H[i].set_opt_mode(True)
+  H[i].connect_uri("nbd://localhost")
+'
+$ kill $!
+
+where later connections get to start progressing once earlier ones are
+forcefully dropped for taking too long, rather than hanging.
+
+Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-13-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+[eblake: rebase to changes earlier in series, reduce scope of timer]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+CVE: CVE-2024-7409
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/b9b72cb3ce15b693148bd09cef7e50110566d8a0]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ nbd/server.c     | 28 +++++++++++++++++++++++++++-
+ nbd/trace-events |  1 +
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index f8881936e..6155e329a 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -3155,22 +3155,48 @@ static void nbd_client_receive_next_request(NBDClient *client)
+     }
+ }
+
++static void nbd_handshake_timer_cb(void *opaque)
++{
++    QIOChannel *ioc = opaque;
++
++    trace_nbd_handshake_timer_cb();
++    qio_channel_shutdown(ioc, QIO_CHANNEL_SHUTDOWN_BOTH, NULL);
++}
++
+ static coroutine_fn void nbd_co_client_start(void *opaque)
+ {
+     NBDClient *client = opaque;
+     Error *local_err = NULL;
++    QEMUTimer *handshake_timer = NULL;
+
+     qemu_co_mutex_init(&client->send_lock);
+
+-    /* TODO - utilize client->handshake_max_secs */
++    /*
++     * Create a timer to bound the time spent in negotiation. If the
++     * timer expires, it is likely nbd_negotiate will fail because the
++     * socket was shutdown.
++     */
++    if (client->handshake_max_secs > 0) {
++        handshake_timer = aio_timer_new(qemu_get_aio_context(),
++                                        QEMU_CLOCK_REALTIME,
++                                        SCALE_NS,
++                                        nbd_handshake_timer_cb,
++                                        client->sioc);
++        timer_mod(handshake_timer,
++                  qemu_clock_get_ns(QEMU_CLOCK_REALTIME) +
++                  client->handshake_max_secs * NANOSECONDS_PER_SECOND);
++    }
++
+     if (nbd_negotiate(client, &local_err)) {
+         if (local_err) {
+             error_report_err(local_err);
+         }
++        timer_free(handshake_timer);
+         client_close(client, false);
+         return;
+     }
+
++    timer_free(handshake_timer);
+     WITH_QEMU_LOCK_GUARD(&client->lock) {
+         nbd_client_receive_next_request(client);
+     }
+diff --git a/nbd/trace-events b/nbd/trace-events
+index 00ae3216a..cbd0a4ab7 100644
+--- a/nbd/trace-events
++++ b/nbd/trace-events
+@@ -76,6 +76,7 @@ nbd_co_receive_request_payload_received(uint64_t cookie, uint64_t len) "Payload
+ nbd_co_receive_ext_payload_compliance(uint64_t from, uint64_t len) "client sent non-compliant write without payload flag: from=0x%" PRIx64 ", len=0x%" PRIx64
+ nbd_co_receive_align_compliance(const char *op, uint64_t from, uint64_t len, uint32_t align) "client sent non-compliant unaligned %s request: from=0x%" PRIx64 ", len=0x%" PRIx64 ", align=0x%" PRIx32
+ nbd_trip(void) "Reading request"
++nbd_handshake_timer_cb(void) "client took too long to negotiate"
+
+ # client-connection.c
+ nbd_connect_thread_sleep(uint64_t timeout) "timeout %" PRIu64
+--
+2.40.0

meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0004.patch

@@ -0,0 +1,164 @@
+From 3e7ef738c8462c45043a1d39f702a0990406a3b3 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 7 Aug 2024 12:23:13 -0500
+Subject: [PATCH] nbd/server: CVE-2024-7409: Close stray clients at server-stop
+
+A malicious client can attempt to connect to an NBD server, and then
+intentionally delay progress in the handshake, including if it does
+not know the TLS secrets.  Although the previous two patches reduce
+this behavior by capping the default max-connections parameter and
+killing slow clients, they did not eliminate the possibility of a
+client waiting to close the socket until after the QMP nbd-server-stop
+command is executed, at which point qemu would SEGV when trying to
+dereference the NULL nbd_server global which is no longer present.
+This amounts to a denial of service attack.  Worse, if another NBD
+server is started before the malicious client disconnects, I cannot
+rule out additional adverse effects when the old client interferes
+with the connection count of the new server (although the most likely
+is a crash due to an assertion failure when checking
+nbd_server->connections > 0).
+
+For environments without this patch, the CVE can be mitigated by
+ensuring (such as via a firewall) that only trusted clients can
+connect to an NBD server.  Note that using frameworks like libvirt
+that ensure that TLS is used and that nbd-server-stop is not executed
+while any trusted clients are still connected will only help if there
+is also no possibility for an untrusted client to open a connection
+but then stall on the NBD handshake.
+
+Given the previous patches, it would be possible to guarantee that no
+clients remain connected by having nbd-server-stop sleep for longer
+than the default handshake deadline before finally freeing the global
+nbd_server object, but that could make QMP non-responsive for a long
+time.  So intead, this patch fixes the problem by tracking all client
+sockets opened while the server is running, and forcefully closing any
+such sockets remaining without a completed handshake at the time of
+nbd-server-stop, then waiting until the coroutines servicing those
+sockets notice the state change.  nbd-server-stop now has a second
+AIO_WAIT_WHILE_UNLOCKED (the first is indirectly through the
+blk_exp_close_all_type() that disconnects all clients that completed
+handshakes), but forced socket shutdown is enough to progress the
+coroutines and quickly tear down all clients before the server is
+freed, thus finally fixing the CVE.
+
+This patch relies heavily on the fact that nbd/server.c guarantees
+that it only calls nbd_blockdev_client_closed() from the main loop
+(see the assertion in nbd_client_put() and the hoops used in
+nbd_client_put_nonzero() to achieve that); if we did not have that
+guarantee, we would also need a mutex protecting our accesses of the
+list of connections to survive re-entrancy from independent iothreads.
+
+Although I did not actually try to test old builds, it looks like this
+problem has existed since at least commit 862172f45c (v2.12.0, 2017) -
+even back when that patch started using a QIONetListener to handle
+listening on multiple sockets, nbd_server_free() was already unaware
+that the nbd_blockdev_client_closed callback can be reached later by a
+client thread that has not completed handshakes (and therefore the
+client's socket never got added to the list closed in
+nbd_export_close_all), despite that patch intentionally tearing down
+the QIONetListener to prevent new clients.
+
+Reported-by: Alexander Ivanov <alexander.ivanov@virtuozzo.com>
+Fixes: CVE-2024-7409
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-ID: <20240807174943.771624-14-eblake@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+
+CVE: CVE-2024-7409
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/3e7ef738c8462c45043a1d39f702a0990406a3b3]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ blockdev-nbd.c | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/blockdev-nbd.c b/blockdev-nbd.c
+index 24ba5382d..f73409ae4 100644
+--- a/blockdev-nbd.c
++++ b/blockdev-nbd.c
+@@ -21,12 +21,18 @@
+ #include "io/channel-socket.h"
+ #include "io/net-listener.h"
+
++typedef struct NBDConn {
++    QIOChannelSocket *cioc;
++    QLIST_ENTRY(NBDConn) next;
++} NBDConn;
++
+ typedef struct NBDServerData {
+     QIONetListener *listener;
+     QCryptoTLSCreds *tlscreds;
+     char *tlsauthz;
+     uint32_t max_connections;
+     uint32_t connections;
++    QLIST_HEAD(, NBDConn) conns;
+ } NBDServerData;
+
+ static NBDServerData *nbd_server;
+@@ -51,6 +57,14 @@ int nbd_server_max_connections(void)
+
+ static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
+ {
++    NBDConn *conn = nbd_client_owner(client);
++
++    assert(qemu_in_main_thread() && nbd_server);
++
++    object_unref(OBJECT(conn->cioc));
++    QLIST_REMOVE(conn, next);
++    g_free(conn);
++
+     nbd_client_put(client);
+     assert(nbd_server->connections > 0);
+     nbd_server->connections--;
+@@ -60,14 +74,20 @@ static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
+ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
+                        gpointer opaque)
+ {
++    NBDConn *conn = g_new0(NBDConn, 1);
++
++    assert(qemu_in_main_thread() && nbd_server);
+     nbd_server->connections++;
++    object_ref(OBJECT(cioc));
++    conn->cioc = cioc;
++    QLIST_INSERT_HEAD(&nbd_server->conns, conn, next);
+     nbd_update_server_watch(nbd_server);
+
+     qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
+     /* TODO - expose handshake timeout as QMP option */
+     nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS,
+                    nbd_server->tlscreds, nbd_server->tlsauthz,
+-                   nbd_blockdev_client_closed, NULL);
++                   nbd_blockdev_client_closed, conn);
+ }
+
+ static void nbd_update_server_watch(NBDServerData *s)
+@@ -81,12 +101,25 @@ static void nbd_update_server_watch(NBDServerData *s)
+
+ static void nbd_server_free(NBDServerData *server)
+ {
++    NBDConn *conn, *tmp;
++
+     if (!server) {
+         return;
+     }
+
++    /*
++     * Forcefully close the listener socket, and any clients that have
++     * not yet disconnected on their own.
++     */
+     qio_net_listener_disconnect(server->listener);
+     object_unref(OBJECT(server->listener));
++    QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
++        qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH,
++                             NULL);
++    }
++
++    AIO_WAIT_WHILE_UNLOCKED(NULL, server->connections > 0);
++
+     if (server->tlscreds) {
+         object_unref(OBJECT(server->tlscreds));
+     }
+--
+2.40.0

meta/recipes-devtools/ruby/ruby/CVE-2024-27282.patch

@@ -0,0 +1,28 @@
+From 989a2355808a63fc45367785c82ffd46d18c900a Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 12 Apr 2024 15:01:47 +1000
+Subject: [PATCH] Fix Use-After-Free issue for Regexp
+
+Co-authored-by: Isaac Peka <7493006+isaac-peka@users.noreply.github.com>
+
+Upstream-Status: Backport [https://github.com/ruby/ruby/commit/989a2355808a63fc45367785c82ffd46d18c900a]
+CVE: CVE-2024-27282
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ regexec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/regexec.c b/regexec.c
+index 73694ab14a0b0a..140691ad42489f 100644
+--- a/regexec.c
++++ b/regexec.c
+@@ -3449,8 +3449,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
+     CASE(OP_MEMORY_END_PUSH_REC)  MOP_IN(OP_MEMORY_END_PUSH_REC);
+       GET_MEMNUM_INC(mem, p);
+       STACK_GET_MEM_START(mem, stkp); /* should be before push mem-end. */
+-      STACK_PUSH_MEM_END(mem, s);
+       mem_start_stk[mem] = GET_STACK_INDEX(stkp);
++      STACK_PUSH_MEM_END(mem, s);
+       MOP_OUT;
+       JUMP;
+ 

meta/recipes-devtools/ruby/ruby_3.2.2.bb

@@ -34,6 +34,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
            file://CVE-2023-36617_1.patch \
            file://CVE-2023-36617_2.patch \
            file://CVE-2024-27281.patch \
+           file://CVE-2024-27282.patch \
            "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
 
@@ -74,6 +75,7 @@ EXTRA_OECONF = "\
     --enable-load-relative \
     --with-pkg-config=pkg-config \
     --with-static-linked-ext \
+    --with-mantype=man \
 "
 
 EXTRA_OECONF:append:libc-musl = "\

meta/recipes-extended/cups/cups/0001-use-echo-only-in-init.patch

@@ -1,7 +1,7 @@
-From a3f4d8ba97f4669a95943a7e65eb61aa44ce7999 Mon Sep 17 00:00:00 2001
+From ddfe6ed6a89226985e8c9f0751c026aabc0927a0 Mon Sep 17 00:00:00 2001
 From: Saul Wold <sgw@linux.intel.com>
 Date: Thu, 13 Dec 2012 19:03:52 -0800
-Subject: [PATCH 1/4] use echo only in init
+Subject: [PATCH] use echo only in init
 
 Upstream-Status: Inappropriate [embedded specific]
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
@@ -10,10 +10,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/scheduler/cups.sh.in b/scheduler/cups.sh.in
-index 89ac36d..6618a0f 100644
+index 74cce18..c57f0db 100644
 --- a/scheduler/cups.sh.in
 +++ b/scheduler/cups.sh.in
-@@ -50,7 +50,7 @@ case "`uname`" in
+@@ -51,7 +51,7 @@ case "`uname`" in
  		ECHO_ERROR=:
  		;;
  
@@ -22,6 +22,3 @@ index 89ac36d..6618a0f 100644
  		IS_ON=/bin/true
  		if test -f /etc/init.d/functions; then
  			. /etc/init.d/functions
--- 
-2.17.1
-

meta/recipes-extended/cups/cups/0002-don-t-try-to-run-generated-binaries.patch

@@ -1,21 +1,20 @@
-From 3e9a965dcd65ab2d40b753b6f792a1a4559182aa Mon Sep 17 00:00:00 2001
+From ff6c7168c3f26094b3a18298208a28831d1c1fd5 Mon Sep 17 00:00:00 2001
 From: Koen Kooi <koen@dominion.thruhere.net>
 Date: Sun, 30 Jan 2011 16:37:27 +0100
-Subject: [PATCH 2/4] don't try to run generated binaries
+Subject: [PATCH] don't try to run generated binaries
 
 Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
-
 ---
- ppdc/Makefile | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
+ ppdc/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/ppdc/Makefile b/ppdc/Makefile
-index 32e2e0b..f1478d4 100644
+index e36ed11..3fe97e1 100644
 --- a/ppdc/Makefile
 +++ b/ppdc/Makefile
-@@ -186,8 +186,8 @@ genstrings:		genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \
+@@ -187,8 +187,8 @@ genstrings:		genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \
  	$(LD_CXX) $(ARCHFLAGS) $(ALL_LDFLAGS) -o genstrings genstrings.o \
  		libcupsppdc.a $(LINKCUPSSTATIC)
  	$(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@
@@ -26,6 +25,3 @@ index 32e2e0b..f1478d4 100644
  
  
  #
--- 
-2.17.1
-