From 2eaa3fd064097eb221b56d5df0e7136ba705a0cd Mon Sep 17 00:00:00 2001
From: Andrii Davydenko <andrii.davydenko@globallogic.com>
Date: Wed, 14 Dec 2022 12:08:42 +0200
Subject: CVE Packages Update

Move libfastjson to the rsyslog directory

rsyslog 8.2002.0 -> 8.2206.0

add ntp4.2.8 recipe with fixed CVEs

update cryptsetup to 2.4.3

fix libxml2 CVE-2016-3709

curl 7.75.0 -> 7.86.0

strongswan 5.8.4 -> 5.9.8

libmodbus 3.1.6 -> 3.1.7

libesmtp 1.0.6 -> 1.1.0

cifs-utils 6.1 -> 7.0

update libtirpc to version 1.3.3

update rsync to version 3.2.5

Add zlib 1.2.13

upgrade gnutls to 3.7.8

upgrade openssh to 8.9p1

Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat

Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680

openvpn 2.4.9 -> 2.4.12

hostapd 2.9 -> 2.10

[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report.

[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21.

[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Backported CVE patch for sudo component.
Added 2 CVE's to whitelist for OpenVPN component.
---
 .../0001-replace-krb5-config-with-pkg-config.patch | 30 +++++++
 recipes-support/curl/curl_7.86.0.bb                | 92 ++++++++++++++++++++++
 2 files changed, 122 insertions(+)
 create mode 100644 recipes-support/curl/curl/0001-replace-krb5-config-with-pkg-config.patch
 create mode 100644 recipes-support/curl/curl_7.86.0.bb

(limited to 'recipes-support/curl')

diff --git a/recipes-support/curl/curl/0001-replace-krb5-config-with-pkg-config.patch b/recipes-support/curl/curl/0001-replace-krb5-config-with-pkg-config.patch
new file mode 100644
index 0000000..bb07c65
--- /dev/null
+++ b/recipes-support/curl/curl/0001-replace-krb5-config-with-pkg-config.patch
@@ -0,0 +1,30 @@
+diff -uprN orig/configure.ac new/configure.ac
+--- orig/configure.ac	2021-02-02 10:26:24.000000000 +0200
++++ new/configure.ac	2021-02-10 16:20:17.078630690 +0200
+@@ -1442,7 +1442,7 @@ AC_ARG_WITH(gssapi,
+   fi
+ ])
+ 
+-: ${KRB5CONFIG:="$GSSAPI_ROOT/bin/krb5-config"}
++KRB5CONFIG=`which pkg-config`
+ 
+ save_CPPFLAGS="$CPPFLAGS"
+ AC_MSG_CHECKING([if GSS-API support is requested])
+@@ -1453,7 +1453,7 @@ if test x"$want_gss" = xyes; then
+      if test -n "$host_alias" -a -f "$GSSAPI_ROOT/bin/$host_alias-krb5-config"; then
+         GSSAPI_INCS=`$GSSAPI_ROOT/bin/$host_alias-krb5-config --cflags gssapi`
+      elif test -f "$KRB5CONFIG"; then
+-        GSSAPI_INCS=`$KRB5CONFIG --cflags gssapi`
++        GSSAPI_INCS=`$KRB5CONFIG --cflags mit-krb5-gssapi`
+      elif test "$GSSAPI_ROOT" != "yes"; then
+         GSSAPI_INCS="-I$GSSAPI_ROOT/include"
+      fi
+@@ -1546,7 +1546,7 @@ if test x"$want_gss" = xyes; then
+         elif test -f "$KRB5CONFIG"; then
+            dnl krb5-config doesn't have --libs-only-L or similar, put everything
+            dnl into LIBS
+-           gss_libs=`$KRB5CONFIG --libs gssapi`
++           gss_libs=`$KRB5CONFIG --libs mit-krb5-gssapi`
+            LIBS="$gss_libs $LIBS"
+         else
+            case $host in
diff --git a/recipes-support/curl/curl_7.86.0.bb b/recipes-support/curl/curl_7.86.0.bb
new file mode 100644
index 0000000..01a95fc
--- /dev/null
+++ b/recipes-support/curl/curl_7.86.0.bb
@@ -0,0 +1,92 @@
+SUMMARY = "Command line tool and library for client-side URL transfers"
+HOMEPAGE = "http://curl.haxx.se/"
+BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker"
+SECTION = "console/network"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
+           file://0001-replace-krb5-config-with-pkg-config.patch \
+"
+
+SRC_URI[sha256sum] = "f5ca69db03eea17fa8705bdfb1a9f58d76a46c9010518109bb38f313137e0a28"
+
+# Curl has used many names over the years...
+CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+
+inherit autotools pkgconfig binconfig multilib_header ptest
+
+# Entropy source for random PACKAGECONFIG option
+RANDOM ?= "/dev/urandom"
+
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} libidn openssl proxy random threaded-resolver verbose zlib"
+PACKAGECONFIG_class-native = "ipv6 openssl proxy random threaded-resolver verbose zlib"
+PACKAGECONFIG_class-nativesdk = "ipv6 openssl proxy random threaded-resolver verbose zlib"
+
+# 'ares' and 'threaded-resolver' are mutually exclusive
+PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver"
+PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli"
+PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual"
+PACKAGECONFIG[dict] = "--enable-dict,--disable-dict,"
+PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"
+PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher,"
+PACKAGECONFIG[imap] = "--enable-imap,--disable-imap,"
+PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5"
+PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,"
+PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps,"
+PACKAGECONFIG[libgsasl] = "--with-libgsasl,--without-libgsasl,libgsasl"
+PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2"
+PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2"
+PACKAGECONFIG[mbedtls] = "--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls"
+PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt,"
+PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2"
+PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl"
+PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
+PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy,"
+PACKAGECONFIG[random] = "--with-random=${RANDOM},--without-random"
+PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
+PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp,"
+PACKAGECONFIG[smb] = "--enable-smb,--disable-smb,"
+PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp,"
+PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss"
+PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet,"
+PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp,"
+PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares"
+PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose"
+PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
+PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
+
+EXTRA_OECONF = " \
+    --disable-libcurl-option \
+    --disable-ntlm-wb \
+    --enable-crypto-auth \
+    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
+    --without-libpsl \
+    --enable-debug \
+    --enable-optimize \
+    --disable-curldebug \
+    ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls nss openssl', d) == '') else ''} \
+"
+
+do_install_append_class-target() {
+	# cleanup buildpaths from curl-config
+	sed -i \
+	    -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
+	    -e 's,--with-libtool-sysroot=${STAGING_DIR_TARGET},,g' \
+	    -e 's|${DEBUG_PREFIX_MAP}||g' \
+	    -e 's|${@" ".join(d.getVar("DEBUG_PREFIX_MAP").split())}||g' \
+	    ${D}${bindir}/curl-config
+}
+
+PACKAGES =+ "lib${BPN}"
+
+FILES_lib${BPN} = "${libdir}/lib*.so.*"
+RRECOMMENDS_lib${BPN} += "ca-certificates"
+
+FILES_${PN} += "${datadir}/zsh"
+
+inherit multilib_script
+MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/curl-config"
+
+BBCLASSEXTEND = "native nativesdk"
\ No newline at end of file
-- 
cgit v1.2.3