CVE Packages Update

Move libfastjson to the rsyslog directory

rsyslog 8.2002.0 -> 8.2206.0

add ntp4.2.8 recipe with fixed CVEs

update cryptsetup to 2.4.3

fix libxml2 CVE-2016-3709

curl 7.75.0 -> 7.86.0

strongswan 5.8.4 -> 5.9.8

libmodbus 3.1.6 -> 3.1.7

libesmtp 1.0.6 -> 1.1.0

cifs-utils 6.1 -> 7.0

update libtirpc to version 1.3.3

update rsync to version 3.2.5

Add zlib 1.2.13

upgrade gnutls to 3.7.8

upgrade openssh to 8.9p1

Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat

Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680

openvpn 2.4.9 -> 2.4.12

hostapd 2.9 -> 2.10

[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report.

[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21.

[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Backported CVE patch for sudo component.
Added 2 CVE's to whitelist for OpenVPN component.

16 files changed, 727 insertions, 0 deletions

diff --git a/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/recipes-extended/libtirpc/libtirpc_1.3.3.bb
new file mode 100644
index 0000000..8c6c207
--- /dev/null
+++ b/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -0,0 +1,28 @@
+SUMMARY = "Transport-Independent RPC library"
+DESCRIPTION = "Libtirpc is a port of Suns Transport-Independent RPC library to Linux"
+SECTION = "libs/network"
+HOMEPAGE = "http://sourceforge.net/projects/libtirpc/"
+BUGTRACKER = "http://sourceforge.net/tracker/?group_id=183075&atid=903784"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=f835cce8852481e4b2bbbdd23b5e47f3 \
+                    file://src/netname.c;beginline=1;endline=27;md5=f8a8cd2cb25ac5aa16767364fb0e3c24"
+
+PROVIDES = "virtual/librpc"
+
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2"
+UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
+UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
+SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
+
+# Was fixed in 1.3.3rc1 so not present in 1.3.3
+CVE_CHECK_IGNORE += "CVE-2021-46828"
+
+inherit autotools pkgconfig
+
+EXTRA_OECONF = "--disable-gssapi"
+
+do_install:append() {
+	chown root:root ${D}${sysconfdir}/netconfig
+}
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch b/recipes-extended/rsyslog/libfastjson/CVE-2020-12762.patch
index 84e8206..84e8206 100644
--- a/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch
+++ b/recipes-extended/rsyslog/libfastjson/CVE-2020-12762.patch
diff --git a/recipes-extended/libfastjson/libfastjson_%.bbappend b/recipes-extended/rsyslog/libfastjson_%.bbappend
index 103c92e..103c92e 100644
--- a/recipes-extended/libfastjson/libfastjson_%.bbappend
+++ b/recipes-extended/rsyslog/libfastjson_%.bbappend
diff --git a/recipes-extended/rsyslog/libfastjson_0.99.9.bb b/recipes-extended/rsyslog/libfastjson_0.99.9.bb
new file mode 100644
index 0000000..24ad172
--- /dev/null
+++ b/recipes-extended/rsyslog/libfastjson_0.99.9.bb
@@ -0,0 +1,15 @@
+SUMMARY = "A fork of json-c library"
+HOMEPAGE = "https://github.com/rsyslog/libfastjson"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a958bb07122368f3e1d9b2efe07d231f"
+
+DEPENDS = ""
+
+SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https;branch=master"
+
+SRCREV = "0293afb3913f760c449348551cca4d2df59c1a00"
+
+S = "${WORKDIR}/git"
+
+inherit autotools
diff --git a/recipes-extended/rsyslog/librelp_1.10.0.bb b/recipes-extended/rsyslog/librelp_1.10.0.bb
new file mode 100644
index 0000000..acdbbb7
--- /dev/null
+++ b/recipes-extended/rsyslog/librelp_1.10.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "A reliable logging library"
+HOMEPAGE = "https://github.com/rsyslog/librelp"
+
+LICENSE = "GPL-3.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=1fb9c10ed9fd6826757615455ca893a9"
+
+DEPENDS = "gmp nettle libidn zlib gnutls openssl"
+
+SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https;branch=stable \
+"
+
+SRCREV = "9e749453d51d602d8159717f8a7c27971dcb4c6c"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
+
+CPPFLAGS += "-Wno-error"
diff --git a/recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch b/recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch
new file mode 100644
index 0000000..6ce8b7a
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch
@@ -0,0 +1,32 @@
+From 7baf35b88d742032a2dc456c396843e17e866f8e Mon Sep 17 00:00:00 2001
+From: Ming Liu <peter.x.liu@external.atlascopco.com>
+Date: Wed, 27 Jun 2018 14:04:57 +0800
+Subject: [PATCH] Include sys/time.h
+
+struct timeval is defined in sys/time.h with a musl libc.
+
+Upstream-Status: Inappropriate [musl libc specific]
+
+Signed-off-by: Ming Liu <peter.x.liu@external.atlascopco.com>
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/msleep.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/tests/msleep.c b/tests/msleep.c
+index 98dbece..96f6950 100644
+--- a/tests/msleep.c
++++ b/tests/msleep.c
+@@ -26,11 +26,7 @@
+ #include "config.h"
+ #include <stdio.h>
+ #include <stdlib.h>
+-#if defined(__FreeBSD__)
+ #include <sys/time.h>
+-#else
+-#include <time.h>
+-#endif
+ #if defined(HAVE_SYS_SELECT_H)
+ #include <sys/select.h>
+ #endif
+2.7.4
diff --git a/recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch b/recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch
new file mode 100644
index 0000000..552172d
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch
@@ -0,0 +1,46 @@
+From 194e199ce08acc2192f6a63420ff24d9064666e5 Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Sat, 27 Mar 2021 19:18:25 -0400
+Subject: [PATCH] tests: disable the check for inotify
+
+We don't need to check inotify.h.
+Assume it is present since it is part of the linux kernel
+since 2.6.13 [1].
+
+[1](https://kernelnewbies.org/Linux_2_6_13)
+
+(it would require installing the libc headers otherwise,
+ for the test  to detect /usr/include/sys/inotify.h.)
+
+Upstream-Status: Inappropriate[OE-specific]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ tests/diag.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/diag.sh b/tests/diag.sh
+index 6cd60ea88..7424f48c5 100755
+--- a/tests/diag.sh
++++ b/tests/diag.sh
+@@ -2672,7 +2672,7 @@ case $1 in
+ 		fi
+ 		;;
+ 	'check-inotify') # Check for inotify/fen support 
+-		if [ -n "$(find /usr/include -name 'inotify.h' -print -quit)" ]; then
++		if true; then
+ 			echo [inotify mode]
+ 		elif [ -n "$(find /usr/include/sys/ -name 'port.h' -print -quit)" ]; then
+ 			grep -qF "PORT_SOURCE_FILE" < /usr/include/sys/port.h
+@@ -2687,7 +2687,7 @@ case $1 in
+ 		fi
+ 		;;
+ 	'check-inotify-only') # Check for ONLY inotify support 
+-		if [ -n "$(find /usr/include -name 'inotify.h' -print -quit)" ]; then
++		if true; then
+ 			echo [inotify mode]
+ 		else
+ 			echo [inotify not supported, skipping...]
+-- 
+2.29.2
+
diff --git a/recipes-extended/rsyslog/rsyslog/initscript b/recipes-extended/rsyslog/rsyslog/initscript
new file mode 100644
index 0000000..7a8f8f9
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/initscript
@@ -0,0 +1,118 @@
+#! /bin/sh
+#
+# This is an init script for openembedded
+# Copy it to /etc/init.d/rsyslog and type
+# > update-rc.d rsyslog defaults 5
+#
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+NAME=rsyslog
+RSYSLOGD=rsyslogd
+RSYSLOGD_BIN=/usr/sbin/rsyslogd
+RSYSLOGD_OPTIONS=""
+RSYSLOGD_PIDFILE=/var/run/rsyslogd.pid
+SCRIPTNAME=/etc/init.d/$NAME
+# Exit if the package is not installed
+[ -x "$RSYSLOGD_BIN" ] || exit 0
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+        DAEMON=$1
+        DAEMON_ARGS=$2
+        PIDFILE=$3
+        # Return
+        #   0 if daemon has been started
+        #   1 if daemon could not be started
+        #   if daemon had already been started, start-stop-daemon will return 1
+        #   so add -o/--oknodo(if nothing is done, exit 0)
+        start-stop-daemon -S --quiet --pidfile $PIDFILE --exec $DAEMON \
+                             --oknodo -- $DAEMON_ARGS || return 1
+}
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+        NAME=$1
+        PIDFILE=$2
+        # Return
+        #   0 if daemon has been stopped
+        #   1 if daemon was already stopped
+        #   2 if daemon could not be stopped
+        #   other if a failure occurred
+        # QUIT/TERM/INT should work here, but they don't ????? 
+        start-stop-daemon -K --quiet --signal KILL --pidfile $PIDFILE --name $NAME
+        RETVAL="$?"
+        rm -f $PIDFILE
+        return "$RETVAL"
+}
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+        NAME=$1
+        PIDFILE=$2
+        start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME
+        return 0
+}
+
+do_status() {
+        NAME=$1
+        PIDFILE=$2
+        # -t: test only but not stop
+        start-stop-daemon -K -t --quiet --pidfile $PIDFILE --name $NAME
+        # exit with status 0 if process is found
+        if [ "$?" = "0" ]; then
+                return 0
+        else
+                return 1
+        fi
+}
+
+case "$1" in
+  start)
+        echo -n "starting $RSYSLOGD ... "
+        do_start "$RSYSLOGD_BIN" "$RSYSLOGD_OPTIONS" "$RSYSLOGD_PIDFILE"
+        case "$?" in
+                0) echo "done" ;;
+                1) echo "failed" ;;
+        esac
+        ;;
+  stop)
+        echo -n "stopping $RSYSLOGD ... "
+        do_stop "$RSYSLOGD" "$RSYSLOGD_PIDFILE"
+        case "$?" in
+                0|1) echo "done" ;;
+                2) echo "failed" ;;
+        esac
+        ;;
+  reload|force-reload)
+        echo -n "reloading $RSYSLOGD ... "
+        do_reload "$RSYSLOGD" "$RSYSLOGD_PIDFILE"
+        echo "done"
+        ;;
+  restart)
+        $0 stop
+        $0 start
+        ;;
+  status)
+        echo -n "status $RSYSLOGD ... "
+        do_status "$RSYSLOGD" "$RSYSLOGD_PIDFILE"
+        if [ "$?" = "0" ]; then
+                echo "running"
+                exit 0        
+        else
+                echo "stopped"
+                exit 1        
+        fi
+        ;;
+  *)
+        echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
+        exit 3
+        ;;
+esac
+exit 0
diff --git a/recipes-extended/rsyslog/rsyslog/rsyslog.conf b/recipes-extended/rsyslog/rsyslog/rsyslog.conf
new file mode 100644
index 0000000..dbfefb7
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/rsyslog.conf
@@ -0,0 +1,91 @@
+# if you experience problems, check
+# http://www.rsyslog.com/troubleshoot for assistance
+
+# rsyslog v3: load input modules
+# If you do not load inputs, nothing happens!
+# You may need to set the module load path if modules are not found.
+#
+# Ported from debian's sysklogd.conf
+
+$ModLoad immark   # provides --MARK-- message capability
+$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+$ModLoad imklog   # kernel logging (formerly provided by rklogd)
+
+#
+# Set the default permissions
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+auth,authpriv.*                 /var/log/auth.log
+*.*;auth,authpriv.none          -/var/log/syslog
+cron.*                          /var/log/cron.log
+daemon.*                        -/var/log/daemon.log
+kern.*                          -/var/log/kern.log
+lpr.*                           -/var/log/lpr.log
+mail.*                          -/var/log/mail.log
+user.*                          -/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info                       -/var/log/mail.info
+mail.warn                       -/var/log/mail.warn
+mail.err                        /var/log/mail.err
+
+# Logging for INN news system
+#
+news.crit                       /var/log/news.crit
+news.err                        /var/log/news.err
+news.notice                     -/var/log/news.notice
+
+#
+# Some `catch-all' logfiles.
+#
+*.=debug;\
+        auth,authpriv.none;\
+        news.none;mail.none     -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+        auth,authpriv.none;\
+        cron,daemon.none;\
+        mail,news.none          -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg                         :omusrmsg:*
+
+# Save boot messages also to boot.log
+local7.*                                                /var/log/boot.log
+
+# Remote Logging (we use TCP for reliable delivery)
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#$WorkDirectory /var/spool/rsyslog # where to place spool files
+#$ActionQueueFileName uniqName # unique name prefix for spool files
+$ActionQueueMaxDiskSpace 10m   # 1gb space limit (use as much as possible)
+#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
+#$ActionQueueType LinkedList   # run asynchronously
+#$ActionResumeRetryCount -1    # infinite retries if host is down
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @@remote-host:514
+
+
+# ######### Receiving Messages from Remote Hosts ##########
+# TCP Syslog Server:
+# provides TCP syslog reception and GSS-API (if compiled to support it)
+#$ModLoad imtcp.so  # load module
+#$InputTCPServerRun 514 # start up TCP listener at port 514
+
+# UDP Syslog Server:
+#$ModLoad imudp.so  # provides UDP syslog reception
+#$UDPServerRun 514 # start a UDP syslog server at standard port 514
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
diff --git a/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate b/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
new file mode 100644
index 0000000..5f8568f
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
@@ -0,0 +1,39 @@
+# /etc/logrotate.d/rsyslog - Ported from Debian
+
+/var/log/syslog
+{
+        rotate 7
+        daily
+        missingok
+        notifempty
+        delaycompress
+        compress
+        postrotate
+		@BINDIR@/pkill -HUP rsyslogd 2> /dev/null || true
+        endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+        rotate 4
+        weekly
+        missingok
+        notifempty
+        compress
+        delaycompress
+        sharedscripts
+        postrotate
+		@BINDIR@/pkill -HUP rsyslogd 2> /dev/null || true
+        endscript
+}
diff --git a/recipes-extended/rsyslog/rsyslog/rsyslog.service b/recipes-extended/rsyslog/rsyslog/rsyslog.service
new file mode 100644
index 0000000..0aacff3
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/rsyslog.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=System Logging Service
+Requires=syslog.socket
+Wants=network.target network-online.target
+After=network.target network-online.target
+Documentation=man:rsyslogd(8)
+Documentation=http://www.rsyslog.com/doc/
+
+[Service]
+Type=notify
+ExecStart=@sbindir@/rsyslogd -n -iNONE
+StandardOutput=null
+Restart=on-failure
+
+# Increase the default a bit in order to allow many simultaneous
+# files to be monitored, we might need a lot of fds.
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
+Alias=syslog.service
diff --git a/recipes-extended/rsyslog/rsyslog/run-ptest b/recipes-extended/rsyslog/rsyslog/run-ptest
new file mode 100644
index 0000000..efa9ba3
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/run-ptest
@@ -0,0 +1,12 @@
+#!/bin/sh
+#
+set -e
+set -o pipefail
+
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+cd ${SCRIPTPATH}
+useradd tester  || echo "user already exists"
+ln -sf /usr/sbin/logrotate /usr/bin/logrotate
+su tester -c "make -C tests -k check-TESTS"
+userdel tester
+rm -f /usr/bin/logrotate
diff --git a/recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch b/recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch
new file mode 100644
index 0000000..0352587
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch
@@ -0,0 +1,43 @@
+From d0852006bf3d305e8984b85b41997d43d4476937 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Wed, 18 Jun 2014 13:46:52 +0800
+Subject: [PATCH] use pkgconfig to check libgcrypt
+
+Upstream-Status: Inappropriate [configuration]
+
+libgcrypt does no longer provide libgcrypt-config, and provide
+*.pc, so we should use pkgconfig to check
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+
+---
+ configure.ac | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 62178c3..b56c9c7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -889,20 +889,7 @@ AC_ARG_ENABLE(libgcrypt,
+         [enable_libgcrypt=yes]
+ )
+ if test "x$enable_libgcrypt" = "xyes"; then
+-	AC_PATH_PROG([LIBGCRYPT_CONFIG],[libgcrypt-config],[no])
+-        if test "x${LIBGCRYPT_CONFIG}" = "xno"; then
+-           AC_MSG_FAILURE([libgcrypt-config not found in PATH])
+-        fi
+-        AC_CHECK_LIB(
+-		[gcrypt],
+-        	[gcry_cipher_open],
+-        	[LIBGCRYPT_CFLAGS="`${LIBGCRYPT_CONFIG} --cflags`"
+-        	LIBGCRYPT_LIBS="`${LIBGCRYPT_CONFIG} --libs`"
+-        	],
+-        	[AC_MSG_FAILURE([libgcrypt is missing])],
+-        	[`${LIBGCRYPT_CONFIG} --libs --cflags`]
+-        	)
+-	AC_DEFINE([ENABLE_LIBGCRYPT], [1], [Indicator that LIBGCRYPT is present])
++	PKG_CHECK_MODULES(LIBGCRYPT, libgcrypt)
+ fi
+ AM_CONDITIONAL(ENABLE_LIBGCRYPT, test x$enable_libgcrypt = xyes)
+ AC_SUBST(LIBGCRYPT_CFLAGS)
diff --git a/recipes-extended/rsyslog/rsyslog_8.2206.0.bb b/recipes-extended/rsyslog/rsyslog_8.2206.0.bb
new file mode 100644
index 0000000..f7604f8
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog_8.2206.0.bb
@@ -0,0 +1,204 @@
+SUMMARY = "Rsyslog is an enhanced multi-threaded syslogd"
+DESCRIPTION = "\
+Rsyslog is an enhanced syslogd supporting, among others, MySQL,\
+ PostgreSQL, failover log destinations, syslog/tcp, fine grain\
+ output format control, high precision timestamps, queued operations\
+ and the ability to filter on any message part. It is quite\
+ compatible to stock sysklogd and can be used as a drop-in replacement.\
+ Its advanced features make it suitable for enterprise-class,\
+ encryption protected syslog relay chains while at the same time being\
+ very easy to setup for the novice user."
+
+DEPENDS = "zlib libestr libfastjson bison-native flex-native liblogging"
+HOMEPAGE = "http://www.rsyslog.com/"
+LICENSE = "GPL-3.0+ & LGPL-3.0+ & Apache-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=51d9635e646fb75e1b74c074f788e973 \
+                    file://COPYING.LESSER;md5=cb7903f1e5c39ae838209e130dca270a \
+                    file://COPYING.ASL20;md5=052f8a09206615ab07326ff8ce2d9d32\
+"
+
+SRC_URI = "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.tar.gz \
+           file://initscript \
+           file://rsyslog.conf \
+           file://rsyslog.logrotate \
+           file://rsyslog.service \
+           file://use-pkgconfig-to-check-libgcrypt.patch \
+           file://run-ptest \
+           file://0001-tests-disable-the-check-for-inotify.patch \
+"
+
+SRC_URI_append_libc-musl = " \
+    file://0001-Include-sys-time-h.patch \
+"
+
+SRC_URI[sha256sum] = "a1377218b26c0767a7a3f67d166d5338af7c24b455d35ec99974e18e6845ba27"
+
+UPSTREAM_CHECK_URI = "https://github.com/rsyslog/rsyslog/releases"
+UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)"
+
+inherit autotools pkgconfig systemd update-rc.d ptest
+
+EXTRA_OECONF += "--disable-generate-man-pages ap_cv_atomic_builtins=yes"
+EXTRA_OECONF += "--enable-imfile-tests"
+EXTRA_OECONF_remove_mipsarch = "ap_cv_atomic_builtins=yes"
+EXTRA_OECONF_remove_powerpc = "ap_cv_atomic_builtins=yes"
+EXTRA_OECONF_remove_riscv32 = "ap_cv_atomic_builtins=yes"
+
+# first line is default yes in configure
+PACKAGECONFIG ??= " \
+    rsyslogd rsyslogrt klog inet regexp uuid libgcrypt \
+    fmhttp imdiag gnutls imfile \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'snmp systemd', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'testbench relp ${VALGRIND}', '', d)} \
+"
+
+# default yes in configure
+PACKAGECONFIG[relp] = "--enable-relp,--disable-relp,librelp,"
+PACKAGECONFIG[rsyslogd] = "--enable-rsyslogd,--disable-rsyslogd,,"
+PACKAGECONFIG[rsyslogrt] = "--enable-rsyslogrt,--disable-rsyslogrt,,"
+PACKAGECONFIG[fmhttp] = "--enable-fmhttp,--disable-fmhttp,curl,"
+PACKAGECONFIG[inet] = "--enable-inet,--disable-inet,,"
+PACKAGECONFIG[klog] = "--enable-klog,--disable-klog,,"
+PACKAGECONFIG[regexp] = "--enable-regexp,--disable-regexp,,"
+PACKAGECONFIG[uuid] = "--enable-uuid,--disable-uuid,util-linux,"
+PACKAGECONFIG[libgcrypt] = "--enable-libgcrypt,--disable-libgcrypt,libgcrypt,"
+PACKAGECONFIG[testbench] = "--enable-testbench --enable-omstdout,--disable-testbench --disable-omstdout,,"
+
+# default no in configure
+PACKAGECONFIG[debug] = "--enable-debug,--disable-debug,,"
+PACKAGECONFIG[imdiag] = "--enable-imdiag,--disable-imdiag,,"
+PACKAGECONFIG[imfile] = "--enable-imfile,--disable-imfile,,"
+PACKAGECONFIG[snmp] = "--enable-snmp,--disable-snmp,net-snmp,"
+PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls,"
+PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/,--without-systemdsystemunitdir,systemd,"
+PACKAGECONFIG[imjournal] = "--enable-imjournal,--disable-imjournal,"
+PACKAGECONFIG[mmjsonparse] = "--enable-mmjsonparse,--disable-mmjsonparse,"
+PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,"
+PACKAGECONFIG[postgresql] = "--enable-pgsql,--disable-pgsql,postgresql,"
+PACKAGECONFIG[libdbi] = "--enable-libdbi,--disable-libdbi,libdbi,"
+PACKAGECONFIG[mail] = "--enable-mail,--disable-mail,,"
+PACKAGECONFIG[valgrind] = ",--without-valgrind-testbench,valgrind,"
+PACKAGECONFIG[imhttp] = "--enable-imhttp,--disable-imhttp,civetweb,"
+
+
+TESTDIR = "tests"
+do_compile_ptest() {
+    echo 'buildtest-TESTS: $(check_PROGRAMS)' >> ${TESTDIR}/Makefile
+    oe_runmake -C ${TESTDIR} buildtest-TESTS
+}
+
+do_install_ptest() {
+    # install the tests
+    cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH}
+    cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH}
+
+    # give permissions to all users
+    # some tests need to write to this directory as user 'daemon'
+    chmod 777 -R ${D}${PTEST_PATH}/tests
+
+    # do NOT need to rebuild Makefile itself
+    sed -i 's/^Makefile:.*$/Makefile:/' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+    # do NOT need to rebuild $(check_PROGRAMS)
+    sed -i 's/^check-TESTS:.*$/check-TESTS:/' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+
+    # fix the srcdir, top_srcdir
+    sed -i 's,^\(srcdir = \).*,\1${PTEST_PATH}/tests,' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+    sed -i 's,^\(top_srcdir = \).*,\1${PTEST_PATH}/tests,' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+    # fix the abs_top_builddir
+    sed -i 's,^\(abs_top_builddir = \).*,\1${PTEST_PATH}/,' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+
+    # install test-driver
+    install -m 644 ${S}/test-driver ${D}${PTEST_PATH}
+
+    # install necessary links
+    install -d ${D}${PTEST_PATH}/tools
+    ln -sf ${sbindir}/rsyslogd ${D}${PTEST_PATH}/tools/rsyslogd
+
+    install -d ${D}${PTEST_PATH}/runtime
+    install -d ${D}${PTEST_PATH}/runtime/.libs
+    (
+        cd ${D}/${libdir}/rsyslog
+        allso="*.so"
+        for i in $allso; do
+            ln -sf ${libdir}/rsyslog/$i ${D}${PTEST_PATH}/runtime/.libs/$i
+        done
+    )
+
+    # fix the module load path with runtime/.libs
+    find ${D}${PTEST_PATH}/${TESTDIR} -name "*.conf" -o -name "*.sh" -o -name "*.c" | xargs \
+        sed -i -e 's:../plugins/.*/.libs/:../runtime/.libs/:g'
+    # fix the python3 path for tests/set-envar
+    sed -i -e s:${HOSTTOOLS_DIR}:${bindir}:g ${D}${PTEST_PATH}/tests/set-envvars
+}
+
+do_install_append() {
+    install -d "${D}${sysconfdir}/init.d"
+    install -d "${D}${sysconfdir}/logrotate.d"
+    install -m 755 ${WORKDIR}/initscript ${D}${sysconfdir}/init.d/syslog
+    install -m 644 ${WORKDIR}/rsyslog.conf ${D}${sysconfdir}/rsyslog.conf
+    install -m 644 ${WORKDIR}/rsyslog.logrotate ${D}${sysconfdir}/logrotate.d/logrotate.rsyslog
+    sed -i -e "s#@BINDIR@#${bindir}#g" ${D}${sysconfdir}/logrotate.d/logrotate.rsyslog
+
+    if ${@bb.utils.contains('PACKAGECONFIG', 'imjournal', 'true', 'false', d)}; then
+        install -d 0755 ${D}${sysconfdir}/rsyslog.d
+        echo '$ModLoad imjournal' >> ${D}${sysconfdir}/rsyslog.d/imjournal.conf
+    fi
+    if ${@bb.utils.contains('PACKAGECONFIG', 'mmjsonparse', 'true', 'false', d)}; then
+        install -d 0755 ${D}${sysconfdir}/rsyslog.d
+        echo '$ModLoad mmjsonparse' >> ${D}${sysconfdir}/rsyslog.d/mmjsonparse.conf
+    fi
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}${systemd_system_unitdir}
+        install -m 644 ${WORKDIR}/rsyslog.service ${D}${systemd_system_unitdir}
+        sed -i -e "s,@sbindir@,${sbindir},g" ${D}${systemd_system_unitdir}/rsyslog.service
+    fi
+}
+
+FILES_${PN} += "${bindir}"
+
+INITSCRIPT_NAME = "syslog"
+INITSCRIPT_PARAMS = "defaults"
+
+CONFFILES_${PN} = "${sysconfdir}/rsyslog.conf"
+
+RCONFLICTS_${PN} = "busybox-syslog sysklogd syslog-ng"
+
+RPROVIDES_${PN} += "${PN}-systemd"
+RREPLACES_${PN} += "${PN}-systemd"
+RCONFLICTS_${PN} += "${PN}-systemd"
+SYSTEMD_SERVICE_${PN} = "${BPN}.service"
+
+RDEPENDS_${PN} += "logrotate"
+
+# for rsyslog-ptest
+VALGRIND = "valgrind"
+
+# valgrind supports armv7 and above
+VALGRIND_armv4 = ''
+VALGRIND_armv5 = ''
+VALGRIND_armv6 = ''
+
+# X32 isn't supported by valgrind at this time
+VALGRIND_linux-gnux32 = ''
+VALGRIND_linux-muslx32 = ''
+
+# Disable for some MIPS variants
+VALGRIND_mipsarchr6 = ''
+VALGRIND_linux-gnun32 = ''
+
+# Disable for powerpc64 with musl
+VALGRIND_libc-musl_powerpc64 = ''
+VALGRIND_libc-musl_powerpc64le = ''
+
+# RISC-V support for valgrind is not there yet
+VALGRIND_riscv64 = ""
+VALGRIND_riscv32 = ""
+
+# util-linux: logger needs the -d option
+RDEPENDS_${PN}-ptest += "\
+  make diffutils gzip bash gawk coreutils procps \
+  libgcc python3-core python3-io python3-json \
+  curl util-linux shadow \
+  "
+
+RRECOMMENDS_${PN}-ptest += "${TCLIBC}-dbg ${VALGRIND}"
diff --git a/recipes-extended/sudo/files/CVE-2022-43995.patch b/recipes-extended/sudo/files/CVE-2022-43995.patch
new file mode 100644
index 0000000..1336c77
--- /dev/null
+++ b/recipes-extended/sudo/files/CVE-2022-43995.patch
@@ -0,0 +1,59 @@
+From e1554d7996a59bf69544f3d8dd4ae683027948f9 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 15 Nov 2022 09:17:18 +0530
+Subject: [PATCH] CVE-2022-43995
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
+CVE: CVE-2022-43995
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Potential heap overflow for passwords < 8
+characters. Starting with sudo 1.8.0 the plaintext password buffer is
+dynamically sized so it is not safe to assume that it is at least 9 bytes in
+size.
+Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+---
+ plugins/sudoers/auth/passwd.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 03c7a16..76a7824 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+-    char sav, *epass;
++    char des_pass[9], *epass;
+     char *pw_epasswd = auth->data;
+     size_t pw_len;
+     int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+ 
+     /*
+      * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+-     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+      */
+-    sav = pass[8];
+     pw_len = strlen(pw_epasswd);
+-    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+-	pass[8] = '\0';
++    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++	strlcpy(des_pass, pass, sizeof(des_pass));
++	pass = des_pass;
++    }
+ 
+     /*
+      * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+      * only compare the first DESLEN characters in that case.
+      */
+     epass = (char *) crypt(pass, pw_epasswd);
+-    pass[8] = sav;
+     if (epass != NULL) {
+ 	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ 	    matched = !strncmp(pw_epasswd, epass, DESLEN);
+-- 
+2.25.1
+
diff --git a/recipes-extended/sudo/sudo_1.9.5p2.bb b/recipes-extended/sudo/sudo_1.9.5p2.bb
index a1164e9..e40c058 100644
--- a/recipes-extended/sudo/sudo_1.9.5p2.bb
+++ b/recipes-extended/sudo/sudo_1.9.5p2.bb
@@ -3,6 +3,7 @@ require sudo.inc
 SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
            file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+           file://CVE-2022-43995.patch \
            "
 
 PAM_SRC_URI = "file://sudo.pam"