From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/19] curl: ignore CVE-2025-10966
Date: Tue, 11 Nov 2025 06:58:09 -0800
Message-ID: <3de9b86c295c88005d4df53e5137bb09ea104ed0.1762872962.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226166

From: Peter Marko

Per [1] this CVE applies only when wolfssl backend is used.
8.17.0 removed WolfSSL support completely.

[1] https://curl.se/docs/CVE-2025-10966.html

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-support/curl/curl_8.7.1.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 713d90a378..6c02746394 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -39,6 +39,7 @@ CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older" CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" +CVE_STATUS[CVE-2025-10966] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" inherit autotools pkgconfig binconfig multilib_header ptest
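
Review bot: the added CVE_STATUS[CVE-2025-10966] line keys on 'openssl' being present in PACKAGECONFIG rather than on wolfssl being absent, so any configuration built without openssl is reported as 'unpatched' even though the commit message says only the wolfssl backend is affected. If that fallback is intentional, say so in the commit message; otherwise test for the affected backend directly. The reason string is also a verbatim copy of the CVE-2025-5025 entry above it, so it is worth checking it against the wording of [1] before merging.
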
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/19] go: fix CVE-2025-58185
Date: Tue, 11 Nov 2025 06:58:10 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226167

From: Archana Polampalli

Parsing a maliciously crafted DER payload could allocate large amounts of
memory, causing memory exhaustion.

Signed-off-by: Archana Polampalli
---
 meta/recipes-devtools/go/go-1.22.12.inc | 1 +
 .../go/go/CVE-2025-58185.patch | 142 ++++++++++++++++++
 2 files changed, 143 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58185.patch

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index a364e1aae8..38992219c8 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -21,6 +21,7 @@ SRC_URI += "\ file://CVE-2025-47907-pre.patch \ file://CVE-2025-47907.patch \ file://CVE-2025-47906.patch \ + file://CVE-2025-58185.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58185.patch b/meta/recipes-devtools/go/go/CVE-2025-58185.patch new file mode 100644 index 0000000000..63250614ce --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58185.patch
@@ -0,0 +1,142 @@ +From 5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1 Mon Sep 17 00:00:00 2001 +From: Nicholas Husin +Date: Wed, 3 Sep 2025 09:30:56 -0400 +Subject: [PATCH] [release-branch.go1.24] encoding/asn1: prevent memory + exhaustion when parsing using internal/saferio + +Within parseSequenceOf, +reflect.MakeSlice is being used to pre-allocate a slice that is needed in +order to fully validate the given DER payload. The size of the slice +allocated are also multiple times larger than the input DER: + +- When using asn1.Unmarshal directly, the allocated slice is ~28x + larger. +- When passing in DER using x509.ParseCertificateRequest, the allocated + slice is ~48x larger. +- When passing in DER using ocsp.ParseResponse, the allocated slice is + ~137x larger. + +As a result, a malicious actor can craft a big empty DER payload, +resulting in an unnecessary large allocation of memories. This can be a +way to cause memory exhaustion. + +To prevent this, we now use SliceCapWithSize within internal/saferio to +enforce a memory allocation cap. + +Thanks to Jakub Ciolek for reporting this issue. 
+ +For #75671 +Fixes #75704 +Fixes CVE-2025-58185 + +Change-Id: Id50e76187eda43f594be75e516b9ca1d2ae6f428 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2700 +Reviewed-by: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2984 +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709841 +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Pratt +TryBot-Bypass: Michael Pratt + +CVE: CVE-2025-58185 + +Upstream-Status: Backport [https://github.com/golang/go/commit/5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1] + +Signed-off-by: Archana Polampalli +--- + src/encoding/asn1/asn1.go | 10 ++++++++- + src/encoding/asn1/asn1_test.go | 38 ++++++++++++++++++++++++++++++++++ + 2 files changed, 47 insertions(+), 1 deletion(-) + +diff --git a/src/encoding/asn1/asn1.go b/src/encoding/asn1/asn1.go +index 781ab87..16c7138 100644 +--- a/src/encoding/asn1/asn1.go ++++ b/src/encoding/asn1/asn1.go +@@ -22,6 +22,7 @@ package asn1 + import ( + "errors" + "fmt" ++ "internal/saferio" + "math" + "math/big" + "reflect" +@@ -643,10 +644,17 @@ func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type + offset += t.length + numElements++ + } +- ret = reflect.MakeSlice(sliceType, numElements, numElements) ++ elemSize := uint64(elemType.Size()) ++ safeCap := saferio.SliceCapWithSize(elemSize, uint64(numElements)) ++ if safeCap < 0 { ++ err = SyntaxError{fmt.Sprintf("%s slice too big: %d elements of %d bytes", elemType.Kind(), numElements, elemSize)} ++ return ++ } ++ ret = reflect.MakeSlice(sliceType, 0, safeCap) + params := fieldParameters{} + offset := 0 + for i := 0; i < numElements; i++ { ++ ret = reflect.Append(ret, reflect.Zero(elemType)) + offset, err = parseField(ret.Index(i), bytes, offset, params) + if err != nil { + return +diff --git a/src/encoding/asn1/asn1_test.go b/src/encoding/asn1/asn1_test.go +index 9a605e2..249d4e4 100644 +--- a/src/encoding/asn1/asn1_test.go 
++++ b/src/encoding/asn1/asn1_test.go +@@ -7,10 +7,12 @@ package asn1 + import ( + "bytes" + "encoding/hex" ++ "errors" + "fmt" + "math" + "math/big" + "reflect" ++ "runtime" + "strings" + "testing" + "time" +@@ -1175,3 +1177,39 @@ func BenchmarkObjectIdentifierString(b *testing.B) { + _ = oidPublicKeyRSA.String() + } + } ++ ++func TestParsingMemoryConsumption(t *testing.T) { ++ // Craft a syntatically valid, but empty, ~10 MB DER bomb. A successful ++ // unmarshal of this bomb should yield ~280 MB. However, the parsing should ++ // fail due to the empty content; and, in such cases, we want to make sure ++ // that we do not unnecessarily allocate memories. ++ derBomb := make([]byte, 10_000_000) ++ for i := range derBomb { ++ derBomb[i] = 0x30 ++ } ++ derBomb = append([]byte{0x30, 0x83, 0x98, 0x96, 0x80}, derBomb...) ++ ++ var m runtime.MemStats ++ runtime.GC() ++ runtime.ReadMemStats(&m) ++ memBefore := m.TotalAlloc ++ ++ var out []struct { ++ Id []int ++ Critical bool `asn1:"optional"` ++ Value []byte ++ } ++ _, err := Unmarshal(derBomb, &out) ++ if !errors.As(err, &SyntaxError{}) { ++ t.Fatalf("Incorrect error result: want (%v), but got (%v) instead", &SyntaxError{}, err) ++ } ++ ++ runtime.ReadMemStats(&m) ++ memDiff := m.TotalAlloc - memBefore ++ ++ // Ensure that the memory allocated does not exceed 10<<21 (~20 MB) when ++ // the parsing fails. 
++ if memDiff > 10<<21 { ++ t.Errorf("Too much memory allocated while parsing DER: %v MiB", memDiff/1024/1024) ++ } ++} +-- +2.40.0
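
Review bot: the imported CVE-2025-58185.patch is tagged [release-branch.go1.24] in its Subject but is added to go-1.22.12.inc, and its header only says Upstream-Status: Backport with the 1.24 commit URL. State in the patch header whether the asn1.go and asn1_test.go hunks applied unchanged or were adjusted for 1.22.12, and confirm that internal/saferio in that tree provides SliceCapWithSize, since the parseSequenceOf hunk adds the import and depends on that call for the allocation cap.
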
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/19] go: fix CVE-2025-58187
Date: Tue, 11 Nov 2025 06:58:11 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226168

From: Archana Polampalli

Due to the design of the name constraint checking algorithm, the processing
time of some inputs scales non-linearly with respect to the size of the
certificate. This affects programs which validate arbitrary certificate chains.

Signed-off-by: Archana Polampalli
---
 meta/recipes-devtools/go/go-1.22.12.inc | 1 +
 .../go/go/CVE-2025-58187.patch | 349 ++++++++++++++++++
 2 files changed, 350 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58187.patch

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 38992219c8..a1c14ea684 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -22,6 +22,7 @@ SRC_URI += "\ file://CVE-2025-47907.patch \ file://CVE-2025-47906.patch \ file://CVE-2025-58185.patch \ + file://CVE-2025-58187.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58187.patch b/meta/recipes-devtools/go/go/CVE-2025-58187.patch new file mode 100644 index 0000000000..d3b7dd5264 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58187.patch
@@ -0,0 +1,349 @@ +From f334417e71f8b078ad64035bddb6df7f8910da6c Mon Sep 17 00:00:00 2001 +From: Neal Patel +Date: Mon, 15 Sep 2025 16:31:22 -0400 +Subject: [PATCH] [release-branch.go1.24] crypto/x509: improve domain name + verification + +Don't use domainToReverseLabels to check if domain names are +valid, since it is not particularly performant, and can contribute to DoS +vectors. Instead just iterate over the name and enforce the properties we +care about. + +This also enforces that DNS names, both in SANs and name constraints, +are valid. We previously allowed invalid SANs, because some +intermediates had these weird names (see #23995), but there are +currently no trusted intermediates that have this property, and since we +target the web PKI, supporting this particular case is not a high +priority. + +Thank you to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-58187 +For #75681 +Fixes #75714 + +Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2820 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2982 +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709839 +Auto-Submit: Michael Pratt +Reviewed-by: Carlos Amedee +TryBot-Bypass: Michael Pratt + +CVE: CVE-2025-58187 + +Upstream-Status: Backport [https://github.com/golang/go/commit/f334417e71f8b078ad64035bddb6df7f8910da6c] + +Signed-off-by: Archana Polampalli +--- + src/crypto/x509/name_constraints_test.go | 66 ++------------------ + src/crypto/x509/parser.go | 77 ++++++++++++++---------- + src/crypto/x509/parser_test.go | 43 +++++++++++++ + src/crypto/x509/verify.go | 1 + + 4 files changed, 95 insertions(+), 92 deletions(-) + +diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go +index 78263fc..9aaa6d7 100644 +--- a/src/crypto/x509/name_constraints_test.go ++++ 
b/src/crypto/x509/name_constraints_test.go +@@ -1456,63 +1456,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + expectedError: "incompatible key usage", + }, + +- // An invalid DNS SAN should be detected only at validation time so +- // that we can process CA certificates in the wild that have invalid SANs. +- // See https://github.com/golang/go/issues/23995 +- +- // #77: an invalid DNS or mail SAN will not be detected if name constraint +- // checking is not triggered. +- { +- roots: make([]constraintsSpec, 1), +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"dns:this is invalid", "email:this @ is invalid"}, +- }, +- }, +- +- // #78: an invalid DNS SAN will be detected if any name constraint checking +- // is triggered. +- { +- roots: []constraintsSpec{ +- { +- bad: []string{"uri:"}, +- }, +- }, +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"dns:this is invalid"}, +- }, +- expectedError: "cannot parse dnsName", +- }, +- +- // #79: an invalid email SAN will be detected if any name constraint +- // checking is triggered. +- { +- roots: []constraintsSpec{ +- { +- bad: []string{"uri:"}, +- }, +- }, +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"email:this @ is invalid"}, +- }, +- expectedError: "cannot parse rfc822Name", +- }, +- +- // #80: if several EKUs are requested, satisfying any of them is sufficient. ++ // #77: if several EKUs are requested, satisfying any of them is sufficient. + { + roots: make([]constraintsSpec, 1), + intermediates: [][]constraintsSpec{ +@@ -1527,7 +1471,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageEmailProtection}, + }, + +- // #81: EKUs that are not asserted in VerifyOpts are not required to be ++ // #78: EKUs that are not asserted in VerifyOpts are not required to be + // nested. 
+ { + roots: make([]constraintsSpec, 1), +@@ -1546,7 +1490,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #82: a certificate without SANs and CN is accepted in a constrained chain. ++ // #79: a certificate without SANs and CN is accepted in a constrained chain. + { + roots: []constraintsSpec{ + { +@@ -1563,7 +1507,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #83: a certificate without SANs and with a CN that does not parse as a ++ // #80: a certificate without SANs and with a CN that does not parse as a + // hostname is accepted in a constrained chain. + { + roots: []constraintsSpec{ +@@ -1582,7 +1526,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #84: a certificate with SANs and CN is accepted in a constrained chain. ++ // #81: a certificate with SANs and CN is accepted in a constrained chain. + { + roots: []constraintsSpec{ + { +diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go +index 812b0d2..9a3bcd6 100644 +--- a/src/crypto/x509/parser.go ++++ b/src/crypto/x509/parser.go +@@ -378,10 +378,14 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string + if err := isIA5String(email); err != nil { + return errors.New("x509: SAN rfc822Name is malformed") + } ++ parsed, ok := parseRFC2821Mailbox(email) ++ if !ok || (ok && !domainNameValid(parsed.domain, false)) { ++ return errors.New("x509: SAN rfc822Name is malformed") ++ } + emailAddresses = append(emailAddresses, email) + case nameTypeDNS: + name := string(data) +- if err := isIA5String(name); err != nil { ++ if err := isIA5String(name); err != nil || (err == nil && !domainNameValid(name, false)) { + return errors.New("x509: SAN dNSName is malformed") + } + dnsNames = append(dnsNames, string(name)) +@@ -391,14 +395,9 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string + return errors.New("x509: SAN uniformResourceIdentifier is malformed") + } + uri, err := 
url.Parse(uriStr) +- if err != nil { ++ if err != nil || (err == nil && uri.Host != "" && !domainNameValid(uri.Host, false)) { + return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err) + } +- if len(uri.Host) > 0 { +- if _, ok := domainToReverseLabels(uri.Host); !ok { +- return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr) +- } +- } + uris = append(uris, uri) + case nameTypeIP: + switch len(data) { +@@ -538,15 +537,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) + } + +- trimmedDomain := domain +- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { +- // constraints can have a leading +- // period to exclude the domain +- // itself, but that's not valid in a +- // normal domain name. +- trimmedDomain = trimmedDomain[1:] +- } +- if _, ok := domainToReverseLabels(trimmedDomain); !ok { ++ if !domainNameValid(domain, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain) + } + dnsNames = append(dnsNames, domain) +@@ -587,12 +578,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) + } + } else { +- // Otherwise it's a domain name. +- domain := constraint +- if len(domain) > 0 && domain[0] == '.' { +- domain = domain[1:] +- } +- if _, ok := domainToReverseLabels(domain); !ok { ++ if !domainNameValid(constraint, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) + } + } +@@ -608,15 +594,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain) + } + +- trimmedDomain := domain +- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' 
{ +- // constraints can have a leading +- // period to exclude the domain itself, +- // but that's not valid in a normal +- // domain name. +- trimmedDomain = trimmedDomain[1:] +- } +- if _, ok := domainToReverseLabels(trimmedDomain); !ok { ++ if !domainNameValid(domain, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain) + } + uriDomains = append(uriDomains, domain) +@@ -1197,3 +1175,40 @@ func ParseRevocationList(der []byte) (*RevocationList, error) { + + return rl, nil + } ++ ++// domainNameValid does minimal domain name validity checking. In particular it ++// enforces the following properties: ++// - names cannot have the trailing period ++// - names can only have a leading period if constraint is true ++// - names must be <= 253 characters ++// - names cannot have empty labels ++// - names cannot labels that are longer than 63 characters ++// ++// Note that this does not enforce the LDH requirements for domain names. ++func domainNameValid(s string, constraint bool) bool { ++ if len(s) == 0 && constraint { ++ return true ++ } ++ if len(s) == 0 || (!constraint && s[0] == '.') || s[len(s)-1] == '.' || len(s) > 253 { ++ return false ++ } ++ lastDot := -1 ++ if constraint && s[0] == '.' { ++ s = s[1:] ++ } ++ ++ for i := 0; i <= len(s); i++ { ++ if i == len(s) || s[i] == '.' 
{ ++ labelLen := i ++ if lastDot >= 0 { ++ labelLen -= lastDot + 1 ++ } ++ if labelLen == 0 || labelLen > 63 { ++ return false ++ } ++ lastDot = i ++ } ++ } ++ ++ return true ++} +diff --git a/src/crypto/x509/parser_test.go b/src/crypto/x509/parser_test.go +index b31f9cd..a6cdfb8 100644 +--- a/src/crypto/x509/parser_test.go ++++ b/src/crypto/x509/parser_test.go +@@ -6,6 +6,7 @@ package x509 + + import ( + "encoding/asn1" ++ "strings" + "testing" + + cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" +@@ -101,3 +102,45 @@ func TestParseASN1String(t *testing.T) { + }) + } + } ++ ++func TestDomainNameValid(t *testing.T) { ++ for _, tc := range []struct { ++ name string ++ dnsName string ++ constraint bool ++ valid bool ++ }{ ++ {"empty name, name", "", false, false}, ++ {"empty name, constraint", "", true, true}, ++ {"empty label, name", "a..a", false, false}, ++ {"empty label, constraint", "a..a", true, false}, ++ {"period, name", ".", false, false}, ++ {"period, constraint", ".", true, false}, // TODO(roland): not entirely clear if this is a valid constraint (require at least one label?) 
++ {"valid, name", "a.b.c", false, true}, ++ {"valid, constraint", "a.b.c", true, true}, ++ {"leading period, name", ".a.b.c", false, false}, ++ {"leading period, constraint", ".a.b.c", true, true}, ++ {"trailing period, name", "a.", false, false}, ++ {"trailing period, constraint", "a.", true, false}, ++ {"bare label, name", "a", false, true}, ++ {"bare label, constraint", "a", true, true}, ++ {"254 char label, name", strings.Repeat("a.a", 84) + "aaa", false, false}, ++ {"254 char label, constraint", strings.Repeat("a.a", 84) + "aaa", true, false}, ++ {"253 char label, name", strings.Repeat("a.a", 84) + "aa", false, false}, ++ {"253 char label, constraint", strings.Repeat("a.a", 84) + "aa", true, false}, ++ {"64 char single label, name", strings.Repeat("a", 64), false, false}, ++ {"64 char single label, constraint", strings.Repeat("a", 64), true, false}, ++ {"63 char single label, name", strings.Repeat("a", 63), false, true}, ++ {"63 char single label, constraint", strings.Repeat("a", 63), true, true}, ++ {"64 char label, name", "a." + strings.Repeat("a", 64), false, false}, ++ {"64 char label, constraint", "a." + strings.Repeat("a", 64), true, false}, ++ {"63 char label, name", "a." + strings.Repeat("a", 63), false, true}, ++ {"63 char label, constraint", "a." + strings.Repeat("a", 63), true, true}, ++ } { ++ t.Run(tc.name, func(t *testing.T) { ++ if tc.valid != domainNameValid(tc.dnsName, tc.constraint) { ++ t.Errorf("domainNameValid(%q, %t) = %v; want %v", tc.dnsName, tc.constraint, !tc.valid, tc.valid) ++ } ++ }) ++ } ++} +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 2d2a271..4502d4c 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -360,6 +360,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { + // domainToReverseLabels converts a textual domain name like foo.example.com to + // the list of labels in reverse order, e.g. ["com", "example", "foo"]. 
+ func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { ++ reverseLabels = make([]string, 0, strings.Count(domain, ".")+1) + for len(domain) > 0 { + if i := strings.LastIndexByte(domain, '.'); i == -1 { + reverseLabels = append(reverseLabels, domain) +-- +2.40.0
From patchwork Tue Nov 11 14:58:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74194 X-Patchwork-Delegate: steve@sakoman.com
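Review bot: In TestDomainNameValid in parser_test.go, the four cases named "254 char label" and "253 char label" do not test what their names say. strings.Repeat("a.a", 84) is 252 bytes, so the inputs are whole names of 255 and 254 bytes, not labels, and all four expect false. Nothing in the table checks a name at the longest overall length that should still be accepted, so an off-by-one in the length limit these cases are aimed at would pass unnoticed. Rename the cases to describe the full name length and add an accepting case at the limit. The TODO on the "." constraint case also leaves that behaviour undecided in a security fix; settle it or track it in an issue.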
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/19] go: fix CVE-2025-58188
Date: Tue, 11 Nov 2025 06:58:12 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226169

From: Archana Polampalli

Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.

Signed-off-by: Archana Polampalli
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-58188.patch | 194 ++++++++++++++++++ 2 files changed, 195 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58188.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index a1c14ea684..b619fc48f4 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -23,6 +23,7 @@ SRC_URI += "\ file://CVE-2025-47906.patch \ file://CVE-2025-58185.patch \ file://CVE-2025-58187.patch \ + file://CVE-2025-58188.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58188.patch b/meta/recipes-devtools/go/go/CVE-2025-58188.patch new file mode 100644 index 0000000000..5787527414 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58188.patch
@@ -0,0 +1,194 @@ +From f9f198ab05e3282cbf6b13251d47d9141981e401 Mon Sep 17 00:00:00 2001 +From: Neal Patel +Date: Thu, 11 Sep 2025 16:27:04 -0400 +Subject: [PATCH] [release-branch.go1.24] crypto/x509: mitigate DoS vector when + intermediate certificate contains DSA public key An attacker could craft an + intermediate X.509 certificate containing a DSA public key and can crash a + remote host with an unauthenticated call to any endpoint that verifies the + certificate chain. + +Thank you to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-58188 +For #75675 +Fixes #75702 + +Change-Id: I2ecbb87b9b8268dbc55c8795891e596ab60f0088 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2780 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/709836 +TryBot-Bypass: Michael Pratt +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Pratt + +CVE: CVE-2025-58188 + +Upstream-Status: Backport [https://github.com/golang/go/commit/f9f198ab05e3282cbf6b13251d47d9141981e401] + +Signed-off-by: Archana Polampalli +--- + src/crypto/x509/verify.go | 5 +- + src/crypto/x509/verify_test.go | 126 +++++++++++++++++++++++++++++++++ + 2 files changed, 130 insertions(+), 1 deletion(-) + +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 4502d4c..14cd23f 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -868,7 +868,10 @@ func alreadyInChain(candidate *Certificate, chain []*Certificate) bool { + if !bytes.Equal(candidate.RawSubject, cert.RawSubject) { + continue + } +- if !candidate.PublicKey.(pubKeyEqual).Equal(cert.PublicKey) { ++ // We enforce the canonical encoding of SPKI (by only allowing the ++ // correct AI paremeter encodings in parseCertificate), so it's safe to ++ // directly compare the raw bytes. 
++ if !bytes.Equal(candidate.RawSubjectPublicKeyInfo, cert.RawSubjectPublicKeyInfo) { + continue + } + var certSAN *pkix.Extension +diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go +index 8a7a5f6..4a7d8da 100644 +--- a/src/crypto/x509/verify_test.go ++++ b/src/crypto/x509/verify_test.go +@@ -6,6 +6,7 @@ package x509 + + import ( + "crypto" ++ "crypto/dsa" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" +@@ -2811,3 +2812,128 @@ func TestVerifyNilPubKey(t *testing.T) { + t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{}) + } + } ++func TestCertificateChainSignedByECDSA(t *testing.T) { ++ caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ if err != nil { ++ t.Fatal(err) ++ } ++ root := &Certificate{ ++ SerialNumber: big.NewInt(1), ++ Subject: pkix.Name{CommonName: "X"}, ++ NotBefore: time.Now().Add(-time.Hour), ++ NotAfter: time.Now().Add(365 * 24 * time.Hour), ++ IsCA: true, ++ KeyUsage: KeyUsageCertSign | KeyUsageCRLSign, ++ BasicConstraintsValid: true, ++ } ++ caDER, err := CreateCertificate(rand.Reader, root, root, &caKey.PublicKey, caKey) ++ if err != nil { ++ t.Fatal(err) ++ } ++ root, err = ParseCertificate(caDER) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ leaf := &Certificate{ ++ SerialNumber: big.NewInt(42), ++ Subject: pkix.Name{CommonName: "leaf"}, ++ NotBefore: time.Now().Add(-10 * time.Minute), ++ NotAfter: time.Now().Add(24 * time.Hour), ++ KeyUsage: KeyUsageDigitalSignature, ++ ExtKeyUsage: []ExtKeyUsage{ExtKeyUsageServerAuth}, ++ BasicConstraintsValid: true, ++ } ++ leafDER, err := CreateCertificate(rand.Reader, leaf, root, &leafKey.PublicKey, caKey) ++ if err != nil { ++ t.Fatal(err) ++ } ++ leaf, err = ParseCertificate(leafDER) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ inter, err := ParseCertificate(dsaSelfSignedCNX(t)) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ inters := 
NewCertPool() ++ inters.AddCert(root) ++ inters.AddCert(inter) ++ ++ wantErr := "certificate signed by unknown authority" ++ _, err = leaf.Verify(VerifyOptions{Intermediates: inters, Roots: NewCertPool()}) ++ if !strings.Contains(err.Error(), wantErr) { ++ t.Errorf("got %v, want %q", err, wantErr) ++ } ++} ++ ++// dsaSelfSignedCNX produces DER-encoded ++// certificate with the properties: ++// ++// Subject=Issuer=CN=X ++// DSA SPKI ++// Matching inner/outer signature OIDs ++// Dummy ECDSA signature ++func dsaSelfSignedCNX(t *testing.T) []byte { ++ t.Helper() ++ var params dsa.Parameters ++ if err := dsa.GenerateParameters(¶ms, rand.Reader, dsa.L1024N160); err != nil { ++ t.Fatal(err) ++ } ++ ++ var dsaPriv dsa.PrivateKey ++ dsaPriv.Parameters = params ++ if err := dsa.GenerateKey(&dsaPriv, rand.Reader); err != nil { ++ t.Fatal(err) ++ } ++ dsaPub := &dsaPriv.PublicKey ++ ++ type dsaParams struct{ P, Q, G *big.Int } ++ paramDER, err := asn1.Marshal(dsaParams{dsaPub.P, dsaPub.Q, dsaPub.G}) ++ if err != nil { ++ t.Fatal(err) ++ } ++ yDER, err := asn1.Marshal(dsaPub.Y) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ spki := publicKeyInfo{ ++ Algorithm: pkix.AlgorithmIdentifier{ ++ Algorithm: oidPublicKeyDSA, ++ Parameters: asn1.RawValue{FullBytes: paramDER}, ++ }, ++ PublicKey: asn1.BitString{Bytes: yDER, BitLength: 8 * len(yDER)}, ++ } ++ ++ rdn := pkix.Name{CommonName: "X"}.ToRDNSequence() ++ b, err := asn1.Marshal(rdn) ++ if err != nil { ++ t.Fatal(err) ++ } ++ rawName := asn1.RawValue{FullBytes: b} ++ ++ algoIdent := pkix.AlgorithmIdentifier{Algorithm: oidSignatureDSAWithSHA256} ++ tbs := tbsCertificate{ ++ Version: 0, ++ SerialNumber: big.NewInt(1002), ++ SignatureAlgorithm: algoIdent, ++ Issuer: rawName, ++ Validity: validity{NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}, ++ Subject: rawName, ++ PublicKey: spki, ++ } ++ c := certificate{ ++ TBSCertificate: tbs, ++ SignatureAlgorithm: algoIdent, ++ SignatureValue: 
asn1.BitString{Bytes: []byte{0}, BitLength: 8}, ++ } ++ dsaDER, err := asn1.Marshal(c) ++ if err != nil { ++ t.Fatal(err) ++ } ++ return dsaDER ++} +-- +2.40.0
From patchwork Tue Nov 11 14:58:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74195 X-Patchwork-Delegate: steve@sakoman.com
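Review bot: In the alreadyInChain hunk of verify.go (CVE-2025-58188.patch), the new comment justifies comparing RawSubjectPublicKeyInfo bytes by saying parseCertificate only allows the correct AlgorithmIdentifier parameter encodings, but that enforcement is not part of this patch. The upstream commit is tagged [release-branch.go1.24] and the recipe applies it to go 1.22.12, so please confirm that the 1.22.12 parser, with the earlier backports in SRC_URI, rejects non-canonical encodings. If it does not, two encodings of the same key compare unequal and the certificate is not recognised as already in the chain.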
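Review bot: In TestCertificateChainSignedByECDSA in verify_test.go (CVE-2025-58188.patch), err.Error() is called on the result of leaf.Verify without a nil check, so if Verify ever succeeds the test dies with a nil pointer dereference instead of reporting a failure. Check err == nil first and call t.Fatal with the expected message. The error from the second ecdsa.GenerateKey is discarded with _ and should be checked like the first. As rendered here the call reads dsa.GenerateParameters(¶ms, ...), which does not compile; confirm the patch file itself has &params.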
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 05/19] go: fix CVE-2025-58189
Date: Tue, 11 Nov 2025 06:58:13 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226170

From: Archana Polampalli

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Signed-off-by: Archana Polampalli
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-58189.patch | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58189.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index b619fc48f4..1e4139148e 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -24,6 +24,7 @@ SRC_URI += "\ file://CVE-2025-58185.patch \ file://CVE-2025-58187.patch \ file://CVE-2025-58188.patch \ + file://CVE-2025-58189.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58189.patch b/meta/recipes-devtools/go/go/CVE-2025-58189.patch new file mode 100644 index 0000000000..4908cf6400 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58189.patch
@@ -0,0 +1,50 @@ +From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 29 Sep 2025 10:11:56 -0700 +Subject: [PATCH] crypto/tls: quote protocols in ALPN error message + +Quote the protocols sent by the client when returning the ALPN +negotiation error message. + +Fixes CVE-2025-58189 +Updates #75652 +Fixes #75660 + +Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330 +Reviewed-on: https://go-review.googlesource.com/c/go/+/707776 +Auto-Submit: Roland Shoemaker +Reviewed-by: Neal Patel +Reviewed-by: Nicholas Husin +Auto-Submit: Nicholas Husin +Reviewed-by: Nicholas Husin +TryBot-Bypass: Roland Shoemaker +Reviewed-by: Daniel McCarney +(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19) +Reviewed-on: https://go-review.googlesource.com/c/go/+/708096 +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Carlos Amedee + +CVE: CVE-2025-58189 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9] + +Signed-off-by: Archana Polampalli +--- + src/crypto/tls/handshake_server.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go +index 4e84aa9..17b6891 100644 +--- a/src/crypto/tls/handshake_server.go ++++ b/src/crypto/tls/handshake_server.go +@@ -312,7 +312,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro + if http11fallback { + return "", nil + } +- return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) ++ return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos) + } + + // supportsECDHE returns whether ECDHE key exchanges can be used with this +-- +2.40.0 From patchwork Tue Nov 11 14:58:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74198 
X-Patchwork-Delegate: steve@sakoman.com
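Review bot: The negotiateALPN change in handshake_server.go (CVE-2025-58189.patch) ships without a test, so nothing stops the format verb from reverting to %s later. Add a case that passes a client protocol containing a newline or other control byte and asserts that the returned error text contains the escaped form. Note also that %q escapes but does not shorten: the error still carries the whole clientProtos list, so callers that log handshake errors should bound the length themselves.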
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 06/19] go: fix CVE-2025-47912
Date: Tue, 11 Nov 2025 06:58:14 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226171

From: Archana Polampalli

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Signed-off-by: Archana Polampalli
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-47912.patch | 226 ++++++++++++++++++ 2 files changed, 227 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-47912.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 1e4139148e..2be5c8b519 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -25,6 +25,7 @@ SRC_URI += "\ file://CVE-2025-58187.patch \ file://CVE-2025-58188.patch \ file://CVE-2025-58189.patch \ + file://CVE-2025-47912.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-47912.patch b/meta/recipes-devtools/go/go/CVE-2025-47912.patch new file mode 100644 index 0000000000..bc63b323ca --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-47912.patch
@@ -0,0 +1,226 @@ +From d6d2f7bf76718f1db05461cd912ae5e30d7b77ea Mon Sep 17 00:00:00 2001 +From: Ethan Lee +Date: Fri, 29 Aug 2025 17:35:55 +0000 +Subject: [PATCH] [release-branch.go1.24] net/url: enforce stricter parsing of + + bracketed IPv6 hostnames - Previously, url.Parse did not enforce validation + of hostnames within square brackets. - RFC 3986 stipulates that only IPv6 + hostnames can be embedded within square brackets in a URL. - Now, the + parsing logic should strictly enforce that only IPv6 hostnames can be + resolved when in square brackets. IPv4, IPv4-mapped addresses and other + input will be rejected. - Update url_test to add test cases that cover the + above scenarios. + +Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua +University for reporting this issue. + +Fixes CVE-2025-47912 +Fixes #75678 +Fixes #75712 + +Change-Id: Iaa41432bf0ee86de95a39a03adae5729e4deb46c +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2680 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2968 +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709838 +TryBot-Bypass: Michael Pratt +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Pratt + +CVE: CVE-2025-47912 + +Upstream-Status: Backport [https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea] + +Signed-off-by: Archana Polampalli +--- + src/go/build/deps_test.go | 9 ++++++--- + src/net/url/url.go | 42 +++++++++++++++++++++++++++++---------- + src/net/url/url_test.go | 39 ++++++++++++++++++++++++++++++++++++ + 3 files changed, 77 insertions(+), 13 deletions(-) + +diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go +index 7ce8d34..9f2663f 100644 +--- a/src/go/build/deps_test.go ++++ b/src/go/build/deps_test.go +@@ -209,7 +209,6 @@ var depsRules = ` + internal/types/errors, + mime/quotedprintable, + net/internal/socktest, +- net/url, + runtime/trace, + 
text/scanner, + text/tabwriter; +@@ -252,6 +251,12 @@ var depsRules = ` + FMT + < text/template/parse; + ++ internal/bytealg, internal/itoa, math/bits, slices, strconv, unique ++ < net/netip; ++ ++ FMT, net/netip ++ < net/url; ++ + net/url, text/template/parse + < text/template + < internal/lazytemplate; +@@ -367,8 +372,6 @@ var depsRules = ` + internal/godebug + < internal/intern; + +- internal/bytealg, internal/intern, internal/itoa, math/bits, sort, strconv +- < net/netip; + + # net is unavoidable when doing any networking, + # so large dependencies must be kept out. +diff --git a/src/net/url/url.go b/src/net/url/url.go +index f362958..d2ae032 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -13,6 +13,7 @@ package url + import ( + "errors" + "fmt" ++ "net/netip" + "path" + "sort" + "strconv" +@@ -621,40 +622,61 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) { + // parseHost parses host as an authority without user + // information. That is, as host[:port]. + func parseHost(host string) (string, error) { +- if strings.HasPrefix(host, "[") { ++ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 { + // Parse an IP-Literal in RFC 3986 and RFC 6874. + // E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80". 
+- i := strings.LastIndex(host, "]") +- if i < 0 { ++ closeBracketIdx := strings.LastIndex(host, "]") ++ if closeBracketIdx < 0 { + return "", errors.New("missing ']' in host") + } +- colonPort := host[i+1:] ++ ++ colonPort := host[closeBracketIdx+1:] + if !validOptionalPort(colonPort) { + return "", fmt.Errorf("invalid port %q after host", colonPort) + } ++ unescapedColonPort, err := unescape(colonPort, encodeHost) ++ if err != nil { ++ return "", err ++ } + ++ hostname := host[openBracketIdx+1 : closeBracketIdx] ++ var unescapedHostname string + // RFC 6874 defines that %25 (%-encoded percent) introduces + // the zone identifier, and the zone identifier can use basically + // any %-encoding it likes. That's different from the host, which + // can only %-encode non-ASCII bytes. + // We do impose some restrictions on the zone, to avoid stupidity + // like newlines. +- zone := strings.Index(host[:i], "%25") +- if zone >= 0 { +- host1, err := unescape(host[:zone], encodeHost) ++ zoneIdx := strings.Index(hostname, "%25") ++ if zoneIdx >= 0 { ++ hostPart, err := unescape(hostname[:zoneIdx], encodeHost) + if err != nil { + return "", err + } +- host2, err := unescape(host[zone:i], encodeZone) ++ zonePart, err := unescape(hostname[zoneIdx:], encodeZone) + if err != nil { + return "", err + } +- host3, err := unescape(host[i:], encodeHost) ++ unescapedHostname = hostPart + zonePart ++ } else { ++ var err error ++ unescapedHostname, err = unescape(hostname, encodeHost) + if err != nil { + return "", err + } +- return host1 + host2 + host3, nil + } ++ ++ // Per RFC 3986, only a host identified by a valid ++ // IPv6 address can be enclosed by square brackets. ++ // This excludes any IPv4 or IPv4-mapped addresses. 
++ addr, err := netip.ParseAddr(unescapedHostname) ++ if err != nil { ++ return "", fmt.Errorf("invalid host: %w", err) ++ } ++ if addr.Is4() || addr.Is4In6() { ++ return "", errors.New("invalid IPv6 host") ++ } ++ return "[" + unescapedHostname + "]" + unescapedColonPort, nil + } else if i := strings.LastIndex(host, ":"); i != -1 { + colonPort := host[i:] + if !validOptionalPort(colonPort) { +diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go +index 4aa20bb..fef236e 100644 +--- a/src/net/url/url_test.go ++++ b/src/net/url/url_test.go +@@ -383,6 +383,16 @@ var urltests = []URLTest{ + }, + "", + }, ++ // valid IPv6 host with port and path ++ { ++ "https://[2001:db8::1]:8443/test/path", ++ &URL{ ++ Scheme: "https", ++ Host: "[2001:db8::1]:8443", ++ Path: "/test/path", ++ }, ++ "", ++ }, + // host subcomponent; IPv6 address with zone identifier in RFC 6874 + { + "http://[fe80::1%25en0]/", // alphanum zone identifier +@@ -707,6 +717,24 @@ var parseRequestURLTests = []struct { + // RFC 6874. 
+ {"http://[fe80::1%en0]/", false}, + {"http://[fe80::1%en0]:8080/", false}, ++ ++ // Tests exercising RFC 3986 compliance ++ {"https://[1:2:3:4:5:6:7:8]", true}, // full IPv6 address ++ {"https://[2001:db8::a:b:c:d]", true}, // compressed IPv6 address ++ {"https://[fe80::1%25eth0]", true}, // link-local address with zone ID (interface name) ++ {"https://[fe80::abc:def%254]", true}, // link-local address with zone ID (interface index) ++ {"https://[2001:db8::1]/path", true}, // compressed IPv6 address with path ++ {"https://[fe80::1%25eth0]/path?query=1", true}, // link-local with zone, path, and query ++ ++ {"https://[::ffff:192.0.2.1]", false}, ++ {"https://[:1] ", false}, ++ {"https://[1:2:3:4:5:6:7:8:9]", false}, ++ {"https://[1::1::1]", false}, ++ {"https://[1:2:3:]", false}, ++ {"https://[ffff::127.0.0.4000]", false}, ++ {"https://[0:0::test.com]:80", false}, ++ {"https://[2001:db8::test.com]", false}, ++ {"https://[test.com]", false}, + } + + func TestParseRequestURI(t *testing.T) { +@@ -1635,6 +1663,17 @@ func TestParseErrors(t *testing.T) { + {"cache_object:foo", true}, + {"cache_object:foo/bar", true}, + {"cache_object/:foo/bar", false}, ++ ++ {"http://[192.168.0.1]/", true}, // IPv4 in brackets ++ {"http://[192.168.0.1]:8080/", true}, // IPv4 in brackets with port ++ {"http://[::ffff:192.168.0.1]/", true}, // IPv4-mapped IPv6 in brackets ++ {"http://[::ffff:192.168.0.1]:8080/", true}, // IPv4-mapped IPv6 in brackets with port ++ {"http://[::ffff:c0a8:1]/", true}, // IPv4-mapped IPv6 in brackets (hex) ++ {"http://[not-an-ip]/", true}, // invalid IP string in brackets ++ {"http://[fe80::1%foo]/", true}, // invalid zone format in brackets ++ {"http://[fe80::1", true}, // missing closing bracket ++ {"http://fe80::1]/", true}, // missing opening bracket ++ {"http://[test.com]/", true}, // domain name in brackets + } + for _, tt := range tests { + u, err := Parse(tt.in) +-- +2.40.0 From patchwork Tue Nov 11 14:58:15 2025 Content-Type: text/plain; 
charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74199 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/19] go: fix CVE-2025-61723 Date: Tue, 11 Nov 2025 06:58:15 -0800 Message-ID: <228e4aa70743b92eaf1abd5526827b34b33f3419.1762872962.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:58:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226172 From: Archana Polampalli The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-61723.patch | 223 ++++++++++++++++++ 2 files changed, 224 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61723.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 2be5c8b519..9996cfb870 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -26,6 +26,7 @@ SRC_URI += "\ file://CVE-2025-58188.patch \ file://CVE-2025-58189.patch \ file://CVE-2025-47912.patch \ + file://CVE-2025-61723.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-61723.patch b/meta/recipes-devtools/go/go/CVE-2025-61723.patch new file mode 100644 index 0000000000..b1664e701d --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-61723.patch 
@@ -0,0 +1,223 @@ +From 74d4d836b91318a8764b94bc2b4b66ff599eb5f2 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 30 Sep 2025 11:16:56 -0700 +Subject: [PATCH] encoding/pem: make Decode complexity linear + +Because Decode scanned the input first for the first BEGIN line, and +then the first END line, the complexity of Decode is quadratic. If the +input contained a large number of BEGINs and then a single END right at +the end of the input, we would find the first BEGIN, and then scan the +entire input for the END, and fail to parse the block, so move onto the +next BEGIN, scan the entire input for the END, etc. + +Instead, look for the first END in the input, and then the first BEGIN +that precedes the found END. We then process the bytes between the BEGIN +and END, and move onto the bytes after the END for further processing. +This gives us linear complexity. + +Fixes CVE-2025-61723 +For #75676 +Fixes #75708 + +Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2921 +Reviewed-by: Nicholas Husin +Reviewed-by: Damien Neil +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2986 +Reviewed-on: https://go-review.googlesource.com/c/go/+/709842 +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt +Reviewed-by: Carlos Amedee + +CVE: CVE-2025-61723 + +Upstream-Status: Backport [https://github.com/golang/go/commit/74d4d836b91318a8764b94bc2b4b66ff599eb5f2] + +Signed-off-by: Archana Polampalli +--- + src/encoding/pem/pem.go | 67 ++++++++++++++++++++---------------- + src/encoding/pem/pem_test.go | 13 +++---- + 2 files changed, 44 insertions(+), 36 deletions(-) + +diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go +index 4b4f749..d365012 100644 +--- a/src/encoding/pem/pem.go ++++ b/src/encoding/pem/pem.go +@@ -37,7 +37,7 @@ type Block struct { + // line bytes. 
The remainder of the byte array (also not including the new line + // bytes) is also returned and this will always be smaller than the original + // argument. +-func getLine(data []byte) (line, rest []byte) { ++func getLine(data []byte) (line, rest []byte, consumed int) { + i := bytes.IndexByte(data, '\n') + var j int + if i < 0 { +@@ -49,7 +49,7 @@ func getLine(data []byte) (line, rest []byte) { + i-- + } + } +- return bytes.TrimRight(data[0:i], " \t"), data[j:] ++ return bytes.TrimRight(data[0:i], " \t"), data[j:], j + } + + // removeSpacesAndTabs returns a copy of its input with all spaces and tabs +@@ -90,20 +90,32 @@ func Decode(data []byte) (p *Block, rest []byte) { + // pemStart begins with a newline. However, at the very beginning of + // the byte array, we'll accept the start string without it. + rest = data ++ + for { +- if bytes.HasPrefix(rest, pemStart[1:]) { +- rest = rest[len(pemStart)-1:] +- } else if _, after, ok := bytes.Cut(rest, pemStart); ok { +- rest = after +- } else { ++ // Find the first END line, and then find the last BEGIN line before ++ // the end line. This lets us skip any repeated BEGIN lines that don't ++ // have a matching END. 
++ endIndex := bytes.Index(rest, pemEnd) ++ if endIndex < 0 { ++ return nil, data ++ } ++ endTrailerIndex := endIndex + len(pemEnd) ++ beginIndex := bytes.LastIndex(rest[:endIndex], pemStart[1:]) ++ if beginIndex < 0 || beginIndex > 0 && rest[beginIndex-1] != '\n' { + return nil, data + } ++ rest = rest[beginIndex+len(pemStart)-1:] ++ endIndex -= beginIndex + len(pemStart) - 1 ++ endTrailerIndex -= beginIndex + len(pemStart) - 1 + + var typeLine []byte +- typeLine, rest = getLine(rest) ++ var consumed int ++ typeLine, rest, consumed = getLine(rest) + if !bytes.HasSuffix(typeLine, pemEndOfLine) { + continue + } ++ endIndex -= consumed ++ endTrailerIndex -= consumed + typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)] + + p = &Block{ +@@ -117,7 +129,7 @@ func Decode(data []byte) (p *Block, rest []byte) { + if len(rest) == 0 { + return nil, data + } +- line, next := getLine(rest) ++ line, next, consumed := getLine(rest) + + key, val, ok := bytes.Cut(line, colon) + if !ok { +@@ -129,21 +141,13 @@ func Decode(data []byte) (p *Block, rest []byte) { + val = bytes.TrimSpace(val) + p.Headers[string(key)] = string(val) + rest = next ++ endIndex -= consumed ++ endTrailerIndex -= consumed + } + +- var endIndex, endTrailerIndex int +- +- // If there were no headers, the END line might occur +- // immediately, without a leading newline. +- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) { +- endIndex = 0 +- endTrailerIndex = len(pemEnd) - 1 +- } else { +- endIndex = bytes.Index(rest, pemEnd) +- endTrailerIndex = endIndex + len(pemEnd) +- } +- +- if endIndex < 0 { ++ // If there were headers, there must be a newline between the headers ++ // and the END line, so endIndex should be >= 0. ++ if len(p.Headers) > 0 && endIndex < 0 { + continue + } + +@@ -163,21 +167,24 @@ func Decode(data []byte) (p *Block, rest []byte) { + } + + // The line must end with only whitespace. 
+- if s, _ := getLine(restOfEndLine); len(s) != 0 { ++ if s, _, _ := getLine(restOfEndLine); len(s) != 0 { + continue + } + +- base64Data := removeSpacesAndTabs(rest[:endIndex]) +- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) +- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) +- if err != nil { +- continue ++ p.Bytes = []byte{} ++ if endIndex > 0 { ++ base64Data := removeSpacesAndTabs(rest[:endIndex]) ++ p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) ++ n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) ++ if err != nil { ++ continue ++ } ++ p.Bytes = p.Bytes[:n] + } +- p.Bytes = p.Bytes[:n] + + // the -1 is because we might have only matched pemEnd without the + // leading newline if the PEM block was empty. +- _, rest = getLine(rest[endIndex+len(pemEnd)-1:]) ++ _, rest, _ = getLine(rest[endIndex+len(pemEnd)-1:]) + return p, rest + } + } +diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go +index 56a7754..7025277 100644 +--- a/src/encoding/pem/pem_test.go ++++ b/src/encoding/pem/pem_test.go +@@ -34,7 +34,7 @@ var getLineTests = []GetLineTest{ + + func TestGetLine(t *testing.T) { + for i, test := range getLineTests { +- x, y := getLine([]byte(test.in)) ++ x, y, _ := getLine([]byte(test.in)) + if string(x) != test.out1 || string(y) != test.out2 { + t.Errorf("#%d got:%+v,%+v want:%s,%s", i, x, y, test.out1, test.out2) + } +@@ -46,6 +46,7 @@ func TestDecode(t *testing.T) { + if !reflect.DeepEqual(result, certificate) { + t.Errorf("#0 got:%#v want:%#v", result, certificate) + } ++ + result, remainder = Decode(remainder) + if !reflect.DeepEqual(result, privateKey) { + t.Errorf("#1 got:%#v want:%#v", result, privateKey) +@@ -68,7 +69,7 @@ func TestDecode(t *testing.T) { + } + + result, remainder = Decode(remainder) +- if result == nil || result.Type != "HEADERS" || len(result.Headers) != 1 { ++ if result == nil || result.Type != "VALID HEADERS" || len(result.Headers) != 1 { + 
t.Errorf("#5 expected single header block but got :%v", result) + } + +@@ -381,15 +382,15 @@ ZWAaUoVtWIQ52aKS0p19G99hhb+IVANC4akkdHV4SP8i7MVNZhfUmg== + + # This shouldn't be recognised because of the missing newline after the + headers. +------BEGIN HEADERS----- ++-----BEGIN INVALID HEADERS----- + Header: 1 +------END HEADERS----- ++-----END INVALID HEADERS----- + + # This should be valid, however. +------BEGIN HEADERS----- ++-----BEGIN VALID HEADERS----- + Header: 1 + +------END HEADERS-----`) ++-----END VALID HEADERS-----`) + + var certificate = &Block{Type: "CERTIFICATE", + Headers: map[string]string{}, +-- +2.40.0 From patchwork Tue Nov 11 14:58:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74197 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3AE76CD13D2 for ; Tue, 11 Nov 2025 14:58:59 +0000 (UTC) Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19440.1762873136063706097 for ; Tue, 11 Nov 2025 06:58:56 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=CwK0LnO9; spf=softfail (domain: sakoman.com, ip: 209.85.216.52, mailfrom: steve@sakoman.com) Received: by mail-pj1-f52.google.com with SMTP id 98e67ed59e1d1-343514c7854so959759a91.1 for ; Tue, 11 Nov 2025 06:58:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762873135; x=1763477935; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to 
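Review bot: The doc comment above `getLine` in pem.go still describes only the line and the remainder, so the new third result `consumed` is undocumented. Add a sentence saying it is the number of bytes of `data` consumed, line ending included, since `Decode` relies on it to keep `endIndex` and `endTrailerIndex` in step with `rest`.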
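Review bot: In the `Decode` hunk of pem.go, `if beginIndex < 0 || beginIndex > 0 && rest[beginIndex-1] != '\n' { return nil, data }` gives up on the whole input when the last BEGIN before the first END does not start a line, whereas the removed `bytes.Cut(rest, pemStart)` branch would have moved on to a later line-anchored BEGIN. If dropping a valid block that follows such a stray BEGIN/END pair is intended, say so in the comment above the search; otherwise skip past this END and keep scanning. Parenthesising the `&&` term would also make the condition easier to read.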
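Review bot: No test in the pem_test.go hunks covers the input the commit message describes, many BEGIN lines followed by a single END at the very end; the changes there only touch the `getLine` call sites and rename the header fixtures to `INVALID HEADERS` and `VALID HEADERS`. Add a regression test or benchmark over that input shape so the linear behaviour cannot silently regress.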
98e67ed59e1d1-343bf0bbc72mr4290315a91.6.1762873135285; Tue, 11 Nov 2025 06:58:55 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:db6b:ed5a:7890:6b41]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-343685301f8sm11662588a91.5.2025.11.11.06.58.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Nov 2025 06:58:54 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 08/19] go: fix CVE-2025-61724 Date: Tue, 11 Nov 2025 06:58:16 -0800 Message-ID: <512c36af3b9d344606b2ebf54bc2f99b88dfea63.1762872962.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:58:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226173 From: Archana Polampalli The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-61724.patch | 75 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61724.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 9996cfb870..825b8f4d68 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -27,6 +27,7 @@ SRC_URI += "\ file://CVE-2025-58189.patch \ file://CVE-2025-47912.patch \ file://CVE-2025-61723.patch \ + file://CVE-2025-61724.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" 
diff --git a/meta/recipes-devtools/go/go/CVE-2025-61724.patch b/meta/recipes-devtools/go/go/CVE-2025-61724.patch new file mode 100644 index 0000000000..a91c24508e --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-61724.patch 
@@ -0,0 +1,75 @@ +From a402f4ad285514f5f3db90516d72047d591b307a Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Tue, 30 Sep 2025 15:11:16 -0700 +Subject: [PATCH] net/textproto: avoid quadratic complexity in + Reader.ReadResponse + +Reader.ReadResponse constructed a response string from repeated +string concatenation, permitting a malicious sender to cause excessive +memory allocation and CPU consumption by sending a response consisting +of many short lines. + +Use a strings.Builder to construct the string instead. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-61724 +For #75716 +Fixes #75717 + +Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2940 +Reviewed-by: Roland Shoemaker +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2980 +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/709837 +Reviewed-by: Carlos Amedee +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt + +CVE: CVE-2025-61724 + +Upstream-Status: Backport [https://github.com/golang/go/commit/a402f4ad285514f5f3db90516d72047d591b307a] + +Signed-off-by: Archana Polampalli +--- + src/net/textproto/reader.go | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 7930211..0027efe 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -283,8 +283,10 @@ func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err err + // + // An expectCode <= 0 disables the check of the status code. 
+ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err error) { +- code, continued, message, err := r.readCodeLine(expectCode) ++ code, continued, first, err := r.readCodeLine(expectCode) + multi := continued ++ var messageBuilder strings.Builder ++ messageBuilder.WriteString(first) + for continued { + line, err := r.ReadLine() + if err != nil { +@@ -295,12 +297,15 @@ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err err + var moreMessage string + code2, continued, moreMessage, err = parseCodeLine(line, 0) + if err != nil || code2 != code { +- message += "\n" + strings.TrimRight(line, "\r\n") ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(strings.TrimRight(line, "\r\n")) + continued = true + continue + } +- message += "\n" + moreMessage ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(moreMessage) + } ++ message = messageBuilder.String() + if err != nil && multi && message != "" { + // replace one line error message with all lines (full message) + err = &Error{code, message} +-- +2.40.0 From patchwork Tue Nov 11 14:58:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74200 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4A056CD13D3 for ; Tue, 11 Nov 2025 14:58:59 +0000 (UTC) Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19441.1762873137589431940 for ; Tue, 11 Nov 2025 06:58:57 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=CWZTvpTT; spf=softfail (domain: sakoman.com, ip: 
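Review bot: In `ReadResponse` in reader.go, `message` is now assigned only by `message = messageBuilder.String()` after the loop, whereas before the change it held the first line as soon as `readCodeLine` returned. Confirm that the early exit inside the loop (the `if err != nil` following `r.ReadLine()`) returns explicit values rather than relying on the named result; otherwise the `message` a caller sees on a mid-response read error changes. The diffstat lists reader.go alone, so a test feeding a response made of many short continuation lines would also be worth adding.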
+uNrEeJzlxH+MB4rH450AxhHPz7UGex4zrXCKEfWNFcc7Riw3TieDRr4jp1w7VycSUAJwKINWAz dABgyKW5263X30k1ugSeUbwXiiN0YUuWKOa/RrFmf+u7lbm5YQAcshSHtgJHd5tqgXre0ULR8Zr ux/3C0l9brghGuu52nzFrpZiUbCNrbexjFRBggDxq0/YKmhQeCDuHFexPmOFZGzsJsD5HGsh35h p2CQ== X-Google-Smtp-Source: AGHT+IFMvMtqgEZsOeNCD6DQshWsF4BkFYvM82ThJxu6jSYv0x52DOc0HbFM5qKqLgTqtrxUi+ZEyQ== X-Received: by 2002:a17:90b:3a91:b0:33e:2d0f:479b with SMTP id 98e67ed59e1d1-3436cb7bcfcmr16261155a91.6.1762873136816; Tue, 11 Nov 2025 06:58:56 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:db6b:ed5a:7890:6b41]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-343685301f8sm11662588a91.5.2025.11.11.06.58.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Nov 2025 06:58:56 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 09/19] webkitgtk: upgrade 2.44.3 -> 2.44.4 Date: Tue, 11 Nov 2025 06:58:17 -0800 Message-ID: <59cd37dc19548845804f29d37621f7435e206c43.1762872962.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:58:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226174 From: Ankur Tyagi Bug fixes only: https://www.webkitgtk.org/release/webkitgtk-2.44.4.html Signed-off-by: Ankur Tyagi Signed-off-by: Steve Sakoman --- .../webkit/{webkitgtk_2.44.3.bb => webkitgtk_2.44.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-sato/webkit/{webkitgtk_2.44.3.bb => webkitgtk_2.44.4.bb} (98%) diff --git a/meta/recipes-sato/webkit/webkitgtk_2.44.3.bb b/meta/recipes-sato/webkit/webkitgtk_2.44.4.bb similarity index 98% rename from meta/recipes-sato/webkit/webkitgtk_2.44.3.bb rename to meta/recipes-sato/webkit/webkitgtk_2.44.4.bb index a8f825e164..ac9ff41c91 100644 
--- a/meta/recipes-sato/webkit/webkitgtk_2.44.3.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.44.4.bb 
@@ -17,7 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \ file://t6-not-declared.patch \ file://30e1d5e22213fdaca2a29ec3400c927d710a37a8.patch \ " -SRC_URI[sha256sum] = "dc82d042ecaca981a4852357c06e5235743319cf10a94cd36ad41b97883a0b54" +SRC_URI[sha256sum] = "2ce4ec1b78413035037aba8326b31ed72696626b7bea7bace5e46ac0d8cbe796" inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gi-docgen From patchwork Tue Nov 11 14:58:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74196 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D6EBCD13D9 for ; Tue, 11 Nov 2025 14:58:59 +0000 (UTC) Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19317.1762873138969816813 for ; Tue, 11 Nov 2025 06:58:59 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=sHyFsTcG; spf=softfail (domain: sakoman.com, ip: 209.85.216.51, mailfrom: steve@sakoman.com) Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-3437ea05540so2732172a91.0 for ; Tue, 11 Nov 2025 06:58:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762873138; x=1763477938; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=CCjbwG/buJ6fhPkS+a7QGiYz2UiALoQcBdpT65EQyEQ=; b=sHyFsTcG+KstjIIo+nANOfUf45FtgGOivAEHb9w9igNAKLyxuuS2tVaXZWCqPDLS7F 
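Review bot: The commit message does not say whether the two carried patches visible in the context of the recipe hunk, `t6-not-declared.patch` and `30e1d5e22213fdaca2a29ec3400c927d710a37a8.patch`, are still needed and still apply with 2.44.4; only `SRC_URI[sha256sum]` changes. Please state that they were checked, since a point release is a common place for a backported fix to have landed upstream.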
([2602:feb4:3b:2100:db6b:ed5a:7890:6b41]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-343685301f8sm11662588a91.5.2025.11.11.06.58.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Nov 2025 06:58:57 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 10/19] wireless-regdb: upgrade 2024.10.07 -> 2025.10.07 Date: Tue, 11 Nov 2025 06:58:18 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:58:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226175 From: Ankur Tyagi Signed-off-by: Ankur Tyagi Signed-off-by: Steve Sakoman --- ...ireless-regdb_2024.10.07.bb => wireless-regdb_2025.10.07.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2024.10.07.bb => wireless-regdb_2025.10.07.bb} (94%) diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.10.07.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2025.10.07.bb similarity index 94% rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.10.07.bb rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2025.10.07.bb index 0e4100fba7..68ae3b0464 100644 --- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.10.07.bb +++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2025.10.07.bb 
@@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "f76f2bd79a653e9f9dd50548d99d03a4a4eb157da056dfd5892f403ec28fb3d5" +SRC_URI[sha256sum] = "d4c872a44154604c869f5851f7d21d818d492835d370af7f58de8847973801c3" inherit bin_package allarch From patchwork Tue Nov 11 14:58:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74202 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43ECCCCFA1E for ; Tue, 11 Nov 2025 14:59:09 +0000 (UTC) Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.19319.1762873140547792734 for ; Tue, 11 Nov 2025 06:59:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=G3H6n8TQ; spf=softfail (domain: sakoman.com, ip: 209.85.216.42, mailfrom: steve@sakoman.com) Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-340a5c58bf1so3018179a91.2 for ; Tue, 11 Nov 2025 06:59:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762873140; x=1763477940; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=xTMFUifx+TJfTFU72YaoOWp2HIO61WumH/tcNsD+lpw=; b=G3H6n8TQHA22s0rFOuJIMKGJ7Ce/xjiigJWezarFdG28Y5iyCwr0A0ZJxVL7LLnQqM mBdjxqsEaO6YM57kCFDLaCsI41875GkPU2LtJhf28zDsdYjUF6BNZyetekf1SXglpWY/ 
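Review bot: The commit message body is empty apart from the sign-offs, so nothing records what changed between wireless-regdb 2024.10.07 and 2025.10.07 or why the stable branch needs it. A one-line summary or a link to the upstream changelog, as the webkitgtk upgrade in this series gives, would make the new `SRC_URI[sha256sum]` easier to review.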
([2602:feb4:3b:2100:db6b:ed5a:7890:6b41]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-343685301f8sm11662588a91.5.2025.11.11.06.58.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Nov 2025 06:58:59 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/19] ca-certificates: update 20211016 -> 20240203 Date: Tue, 11 Nov 2025 06:58:19 -0800 Message-ID: <63620f034019b3b3585e263bd26b3fadd9a1692e.1762872962.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:59:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226176 From: "Theodore A. Roth" The 20240203 version is the same as used in Ubuntu >= 24.04 and Debian Trixie (testing). Signed-off-by: Theodore A. Roth Signed-off-by: Theodore A. Roth Signed-off-by: Richard Purdie (cherry picked from commit ce19168885a04b0d77e81c1fd1c4262b195a47d4) Signed-off-by: Ankur Tyagi Signed-off-by: Steve Sakoman --- ...mozilla-certdata2pem.py-print-a-warning-for-e.patch | 10 +++++----- ...ca-certificates-don-t-use-Debianisms-in-run-p.patch | 6 +++--- ...ficates_20211016.bb => ca-certificates_20240203.bb} | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) rename meta/recipes-support/ca-certificates/{ca-certificates_20211016.bb => ca-certificates_20240203.bb} (98%) diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch index 5c4a32f526..78898f5150 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch 
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch @@ -19,7 +19,7 @@ diff --git a/debian/changelog b/debian/changelog index 531e4d0..4006509 100644 --- a/debian/changelog +++ b/debian/changelog -@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low +@@ -120,7 +120,6 @@ ca-certificates (20211004) unstable; urgency=low - "Trustis FPS Root CA" - "Staat der Nederlanden Root CA - G3" * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) @@ -37,9 +37,9 @@ index 4434b7a..5c6ba24 100644 Build-Depends: debhelper-compat (= 13), po-debconf -Build-Depends-Indep: python3, openssl, python3-cryptography +Build-Depends-Indep: python3, openssl - Standards-Version: 4.5.0.2 + Standards-Version: 4.6.2 + Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git - Vcs-Browser: https://salsa.debian.org/debian/ca-certificates diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py index ede23d4..7d796f1 100644 --- a/mozilla/certdata2pem.py @@ -66,8 +66,8 @@ index ede23d4..7d796f1 100644 if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: continue - -- cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) -- if cert.not_valid_after < datetime.datetime.now(): +- cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE'])) +- if cert.not_valid_after < datetime.datetime.utcnow(): - print('!'*74) - print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) - print('!'*74) diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch index 4a8ae5f4b5..1feefeb96a 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch 
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch @@ -21,14 +21,14 @@ Index: git/sbin/update-ca-certificates =================================================================== --- git.orig/sbin/update-ca-certificates +++ git/sbin/update-ca-certificates -@@ -191,9 +191,7 @@ if [ -d "$HOOKSDIR" ] +@@ -202,9 +202,7 @@ if [ -d "$HOOKSDIR" ] then echo "Running hooks in $HOOKSDIR..." - VERBOSE_ARG= - [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose" -- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook -+ eval run-parts --test "$HOOKSDIR" | while read hook +- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read -r hook ++ eval run-parts --test "$HOOKSDIR" | while read -r hook do ( cat "$ADDED" cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?." diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb similarity index 98% rename from meta/recipes-support/ca-certificates/ca-certificates_20211016.bb rename to meta/recipes-support/ca-certificates/ca-certificates_20240203.bb index 99abe60613..b198ea77a9 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb 
@@ -14,7 +14,7 @@ DEPENDS:class-nativesdk = "openssl-native" # Need rehash from openssl and run-parts from debianutils PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" -SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8" +SRCREV = "ee6e0484031314090a11c04ee82689acb73d7ad8" SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \ file://0002-update-ca-certificates-use-SYSROOT.patch \ From patchwork Tue Nov 11 14:58:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74201 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43E92CCFA1A for ; Tue, 11 Nov 2025 14:59:09 +0000 (UTC) Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19442.1762873142065612195 for ; Tue, 11 Nov 2025 06:59:02 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=i9Ur6iLw; spf=softfail (domain: sakoman.com, ip: 209.85.216.52, mailfrom: steve@sakoman.com) Received: by mail-pj1-f52.google.com with SMTP id 98e67ed59e1d1-3418ad69672so2880056a91.3 for ; Tue, 11 Nov 2025 06:59:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762873141; x=1763477941; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=jodlcdF4XMMN45pBNb87ZOu1FyAJ+Gx37uPn7UPRN/A=; b=i9Ur6iLw+5JNaYK7Qf6Tl7WnCbXK6fCjNp/xm9I3LzP66k63igyrkmmPWUy59j42WB 
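Review bot: In the refreshed 0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch hunk, the lines being reverted are the only place an expired but still trusted root is reported (the `cert.not_valid_after < datetime.datetime.utcnow()` check and the "Trusted but expired certificate found" print), so after this update the build stays silent about expired roots in the 20240203 bundle. The commit message only says the version matches Ubuntu and Debian; suggest stating why the revert is still carried (the same patch drops `python3-cryptography` from `Build-Depends-Indep`) so the loss of that check is a recorded decision rather than a side effect of refreshing context lines.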
([2602:feb4:3b:2100:db6b:ed5a:7890:6b41]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-343685301f8sm11662588a91.5.2025.11.11.06.59.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Nov 2025 06:59:01 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/19] ca-certificates: Add comment for provenance of SRCREV Date: Tue, 11 Nov 2025 06:58:20 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:59:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226177 From: "Theodore A. Roth" Provide references for how the SRCREV was arrived at for the 20240203 release. Signed-off-by: Theodore A. Roth Signed-off-by: Theodore A. Roth Signed-off-by: Richard Purdie (cherry picked from commit 6916cdb0f05f6644edb1e432a9421595abb9f0ca) Signed-off-by: Ankur Tyagi Signed-off-by: Steve Sakoman --- .../ca-certificates/ca-certificates_20240203.bb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb index b198ea77a9..ac0756471c 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb 
@@ -14,6 +14,13 @@ DEPENDS:class-nativesdk = "openssl-native" # Need rehash from openssl and run-parts from debianutils PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" +# Since there is no TAG in the git repository, the SRCREV was determined +# through comparison of the git repository and the data on the following +# package informatin pages: +# +# * https://packages.debian.org/trixie/ca-certificates +# * https://packages.ubuntu.com/noble/ca-certificates +# SRCREV = "ee6e0484031314090a11c04ee82689acb73d7ad8" SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \ From patchwork Tue Nov 11 14:58:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74203 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F2E5CCFA18 for ; Tue, 11 Nov 2025 14:59:09 +0000 (UTC) Received: from mail-pj1-f53.google.com (mail-pj1-f53.google.com [209.85.216.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19445.1762873143400606256 for ; Tue, 11 Nov 2025 06:59:03 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=yXj3qauW; spf=softfail (domain: sakoman.com, ip: 209.85.216.53, mailfrom: steve@sakoman.com) Received: by mail-pj1-f53.google.com with SMTP id 98e67ed59e1d1-34101107cc8so3540047a91.0 for ; Tue, 11 Nov 2025 06:59:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1762873143; x=1763477943; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id 
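Review bot: The comment added above `SRCREV` has a typo ("informatin" should be "information") and does not say which field on the two package pages was compared with the repository, so the next person cannot repeat the check. Suggest naming what was matched, for example the package version shown on those pages against the version in the repository's debian/changelog at that commit.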
([2602:feb4:3b:2100:db6b:ed5a:7890:6b41]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-343685301f8sm11662588a91.5.2025.11.11.06.59.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Nov 2025 06:59:02 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 13/19] ca-certificates: get sources from debian tarballs Date: Tue, 11 Nov 2025 06:58:21 -0800 Message-ID: <44c113497c7e3f9f06604e892df1eb717bb3410d.1762872962.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:59:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226178 From: Alexander Kanavin git repo no longer has tags for recent versions which means we had missed several of them, and wouldn't be able to get notifications about any future releases. Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie (cherry picked from commit 81f013fd1312551628701bf36ac62746a2606dbd) Signed-off-by: Ankur Tyagi Signed-off-by: Steve Sakoman --- .../ca-certificates/ca-certificates_20240203.bb | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb index ac0756471c..eff1d97bc5 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb 
@@ -14,26 +14,15 @@ DEPENDS:class-nativesdk = "openssl-native" # Need rehash from openssl and run-parts from debianutils PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" -# Since there is no TAG in the git repository, the SRCREV was determined -# through comparison of the git repository and the data on the following -# package informatin pages: -# -# * https://packages.debian.org/trixie/ca-certificates -# * https://packages.ubuntu.com/noble/ca-certificates -# -SRCREV = "ee6e0484031314090a11c04ee82689acb73d7ad8" - -SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \ +SRC_URI[sha256sum] = "3286d3fc42c4d11b7086711a85f865b44065ce05cf1fb5376b2abed07622a9c6" +SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz \ file://0002-update-ca-certificates-use-SYSROOT.patch \ file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ file://default-sysroot.patch \ file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \ " -UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+)" - -S = "${WORKDIR}/git" - +S = "${WORKDIR}/ca-certificates" inherit allarch EXTRA_OEMAKE = "\ From patchwork Tue Nov 11 14:58:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74204 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A0EBCD13D2 for ; Tue, 11 Nov 2025 14:59:09 +0000 (UTC) Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19448.1762873145122814915 for ; Tue, 11 Nov 2025 06:59:05 -0800 Authentication-Results: 
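Review bot: The `SRC_URI[sha256sum]` line added in place of the `SRCREV` block has no stated source, and the same hunk deletes the provenance comment without a replacement, so the recipe goes from a documented git pin to an undocumented digest for a `${DEBIAN_MIRROR}` tarball. Suggest recording in the commit message that the digest matches the one listed in Debian's signed .dsc for this version, or that the unpacked tarball was diffed against the tree at the previous `SRCREV`. Style: the hunk also drops the blank line between `S = "${WORKDIR}/ca-certificates"` and `inherit allarch`, and places the checksum flag ahead of the `SRC_URI` assignment it belongs to.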
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 14/19] ca-certificates: upgrade 20240203 -> 20241223 Date: Tue, 11 Nov 2025 06:58:22 -0800 Message-ID: <7e4ce7c927f6328e013db53690a2ef841b1bb9bf.1762872962.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:59:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226179 From: Richard Purdie Signed-off-by: Richard Purdie (cherry picked from commit 48a236c2f78fee5e6db19c6be23b4a18df025607) Signed-off-by: Ankur Tyagi
Signed-off-by: Steve Sakoman --- ...certdata2pem.py-print-a-warning-for-e.patch | 13 +++++-------- ...ficates-don-t-use-Debianisms-in-run-p.patch | 14 +++++++++----- ...02-update-ca-certificates-use-SYSROOT.patch | 18 +++++++++--------- ...ficates-use-relative-symlinks-from-ET.patch | 4 ++-- .../ca-certificates/default-sysroot.patch | 16 ++++++++++++---- ...20240203.bb => ca-certificates_20241223.bb} | 2 +- 6 files changed, 38 insertions(+), 29 deletions(-) rename meta/recipes-support/ca-certificates/{ca-certificates_20240203.bb => ca-certificates_20241223.bb} (97%) diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch index 78898f5150..da2a247e51 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch @@ -1,4 +1,4 @@ -From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001 +From 630736f427c0a1bd0be0b5a2f6d51d63b2c4c9fd Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Mon, 18 Oct 2021 12:05:49 +0200 Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired @@ -16,10 +16,10 @@ Signed-off-by: Alexander Kanavin 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/debian/changelog b/debian/changelog -index 531e4d0..4006509 100644 +index 52d41ca..bdb2c8a 100644 --- a/debian/changelog +++ b/debian/changelog -@@ -120,7 +120,6 @@ ca-certificates (20211004) unstable; urgency=low +@@ -138,7 +138,6 @@ ca-certificates (20211004) unstable; urgency=low - "Trustis FPS Root CA" - "Staat der Nederlanden Root CA - G3" * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) 
@@ -28,7 +28,7 @@ index 531e4d0..4006509 100644 -- Julien Cristau Thu, 07 Oct 2021 17:12:47 +0200 diff --git a/debian/control b/debian/control -index 4434b7a..5c6ba24 100644 +index b5f2ab0..d0e830e 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: misc @@ -41,7 +41,7 @@ index 4434b7a..5c6ba24 100644 Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py -index ede23d4..7d796f1 100644 +index 4df86a2..7d796f1 100644 --- a/mozilla/certdata2pem.py +++ b/mozilla/certdata2pem.py @@ -21,16 +21,12 @@ @@ -75,6 +75,3 @@ index ede23d4..7d796f1 100644 bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ .replace(' ', '_')\ .replace('(', '=')\ --- -2.20.1 - diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch index 1feefeb96a..cad30929f5 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch @@ -1,3 +1,8 @@ +From 348163df412e53b1b7ec3e81ae5f22caa0227c37 Mon Sep 17 00:00:00 2001 +From: Ross Burton +Date: Mon, 6 Jul 2015 15:19:41 +0100 +Subject: [PATCH] ca-certificates: remove Debianism in run-parts invocation + ca-certificates is a package from Debian, but some host distros such as Fedora have a leaner run-parts provided by cron which doesn't support --verbose or the -- separator between arguments and paths. @@ -9,7 +14,6 @@ This solves errors such as | [...]/usr/sbin/update-ca-certificates: line 230: Not a directory: --: command not found | E: Not a directory: -- exited with code 127. - Upstream-Status: Inappropriate Signed-off-by: Ross Burton Signed-off-by: Maciej Borzecki 
@@ -17,10 +21,10 @@ Signed-off-by: Maciej Borzecki sbin/update-ca-certificates | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) -Index: git/sbin/update-ca-certificates -=================================================================== ---- git.orig/sbin/update-ca-certificates -+++ git/sbin/update-ca-certificates +diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates +index 36cdd9a..2d3e1fe 100755 +--- a/sbin/update-ca-certificates ++++ b/sbin/update-ca-certificates @@ -202,9 +202,7 @@ if [ -d "$HOOKSDIR" ] then diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch b/meta/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch index 792b4030b2..48c69f0cbc 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch @@ -1,19 +1,19 @@ -Upstream-Status: Pending - -From 724cb153ca0f607fb38b3a8db3ebb2742601cd81 Mon Sep 17 00:00:00 2001 +From cdb53438bae194c1281c31374a901ad7ee460408 Mon Sep 17 00:00:00 2001 From: Andreas Oberritter Date: Tue, 19 Mar 2013 17:14:33 +0100 -Subject: [PATCH 2/2] update-ca-certificates: use $SYSROOT +Subject: [PATCH] update-ca-certificates: use $SYSROOT + +Upstream-Status: Pending Signed-off-by: Andreas Oberritter --- - sbin/update-ca-certificates | 14 +++++++------- + sbin/update-ca-certificates | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) -Index: git/sbin/update-ca-certificates -=================================================================== ---- git.orig/sbin/update-ca-certificates -+++ git/sbin/update-ca-certificates +diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates +index 5a0a1da..36cdd9a 100755 +--- a/sbin/update-ca-certificates ++++ b/sbin/update-ca-certificates @@ -24,12 +24,12 @@ verbose=0 fresh=0 
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch index 4bd967f788..214f88909a 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch @@ -1,4 +1,4 @@ -From a9fc13b2aee55655d58fcb77a3180fa99f96438a Mon Sep 17 00:00:00 2001 +From 38d47c53749c6f16d5d7993410b256116e0ee0b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Draszik?= Date: Wed, 28 Mar 2018 16:45:05 +0100 Subject: [PATCH] update-ca-certificates: use relative symlinks from @@ -45,7 +45,7 @@ Signed-off-by: AndrĂ© Draszik 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 00f80c7..7e911a9 100755 +index f7d0dbf..97a589c 100755 --- a/sbin/update-ca-certificates +++ b/sbin/update-ca-certificates @@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates diff --git a/meta/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch b/meta/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch index f8b0791bea..c2a54c0096 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch 
@@ -1,13 +1,21 @@ +From 50aadd3eb1c4be43d3decdeb60cede2de5a687be Mon Sep 17 00:00:00 2001 +From: Christopher Larson +Date: Fri, 23 Aug 2013 12:26:14 -0700 +Subject: [PATCH] ca-certificates: add recipe (version 20130610) + Upstream-Status: Pending update-ca-certificates: find SYSROOT relative to its own location This makes the script relocatable. +--- + sbin/update-ca-certificates | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) -Index: git/sbin/update-ca-certificates -=================================================================== ---- git.orig/sbin/update-ca-certificates -+++ git/sbin/update-ca-certificates +diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates +index 2d3e1fe..f7d0dbf 100755 +--- a/sbin/update-ca-certificates ++++ b/sbin/update-ca-certificates @@ -66,6 +66,39 @@ do shift done diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb b/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb similarity index 97% rename from meta/recipes-support/ca-certificates/ca-certificates_20240203.bb rename to meta/recipes-support/ca-certificates/ca-certificates_20241223.bb index eff1d97bc5..bbdc7dd68d 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20240203.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb 
@@ -14,7 +14,7 @@ DEPENDS:class-nativesdk = "openssl-native" # Need rehash from openssl and run-parts from debianutils PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" -SRC_URI[sha256sum] = "3286d3fc42c4d11b7086711a85f865b44065ce05cf1fb5376b2abed07622a9c6" +SRC_URI[sha256sum] = "dd8286d0a9dd35c756fea5f1df3fed1510fb891f376903891b003cd9b1ad7e03" SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz \ file://0002-update-ca-certificates-use-SYSROOT.patch \ file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
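Review bot: in the default-sysroot.patch hunk, the added header gives the patch the subject "ca-certificates: add recipe (version 20130610)", which describes the commit that introduced the recipe rather than the change made to sbin/update-ca-certificates; the real summary, "update-ca-certificates: find SYSROOT relative to its own location", stays in the body under Upstream-Status. The refreshed header also carries no Signed-off-by line. Suggest making the real summary the Subject and adding the sign-off, so the provenance of a patch that decides which trust store the script operates on can be read from its header.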
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 15/19] ca-certificates: submit sysroot patch upstream, drop default-sysroot.patch
Date: Tue, 11 Nov 2025 06:58:23 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226180

From: Alexander Kanavin

ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch was using a non-standard environment variable, and was replaced with a patch that adds a command line option (and then this was submitted upstream).

ca-certificates recipe was tweaked accordingly, and nothing else in core or meta-oe is using update-ca-certificates.

Drop default-sysroot.patch as the use case is unclear: sysroot is explicitly specified in all known invocations of update-ca-certificate, and if there's a place where it isn't, then update-ca-certificates will error out trying to write to /etc, and should be fixed to explicitly specify the sysroot.

Signed-off-by: Alexander Kanavin
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 90d9f0ba674d4fe8e9291f0513c13dff3775c545)
Signed-off-by: Ankur Tyagi
Signed-off-by: Steve Sakoman --- ...ca-certificates-add-a-sysroot-option.patch | 36 ++++++++++++ ...2-update-ca-certificates-use-SYSROOT.patch | 46 --------------- ...icates-use-relative-symlinks-from-ET.patch | 18 +++--- .../ca-certificates/default-sysroot.patch | 58 ------------------- .../ca-certificates_20241223.bb | 9 ++- 5 files changed, 49 insertions(+), 118 deletions(-) create mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch b/meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch new file mode 100644 index 0000000000..ba5bb69657 --- /dev/null +++ b/meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch 
@@ -0,0 +1,36 @@ +From d6bb773745c2e95fd1a414e916fbed64e0d8df66 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin +Date: Mon, 31 Mar 2025 17:42:25 +0200 +Subject: [PATCH] sbin/update-ca-certificates: add a --sysroot option + +This allows using the script in cross-compilation environments +where the script needs to prefix the sysroot to every other +directory it operates on. There are individual options +to set those directories, but using a common prefix option +instead is a lot less clutter and more robust. + +Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/13] +Signed-off-by: Alexander Kanavin +--- + sbin/update-ca-certificates | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates +index 4bb77a0..1e737b9 100755 +--- a/sbin/update-ca-certificates ++++ b/sbin/update-ca-certificates +@@ -59,6 +59,14 @@ do + --hooksdir) + shift + HOOKSDIR="$1";; ++ --sysroot) ++ shift ++ SYSROOT="$1" ++ CERTSCONF="$1/${CERTSCONF}" ++ CERTSDIR="$1/${CERTSDIR}" ++ LOCALCERTSDIR="$1/${LOCALCERTSDIR}" ++ ETCCERTSDIR="$1/${ETCCERTSDIR}" ++ HOOKSDIR="$1/${HOOKSDIR}";; + --help|-h|*) + echo "$0: [--verbose] [--fresh]" + exit;; diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch b/meta/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch deleted file mode 100644 index 48c69f0cbc..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From cdb53438bae194c1281c31374a901ad7ee460408 Mon Sep 17 00:00:00 2001 -From: Andreas Oberritter -Date: Tue, 19 Mar 2013 17:14:33 +0100 -Subject: [PATCH] update-ca-certificates: use $SYSROOT - -Upstream-Status: Pending - -Signed-off-by: Andreas Oberritter ---- - sbin/update-ca-certificates | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 5a0a1da..36cdd9a 100755 ---- a/sbin/update-ca-certificates -+++ b/sbin/update-ca-certificates -@@ -24,12 +24,12 @@ - verbose=0 - fresh=0 - default=0 --CERTSCONF=/etc/ca-certificates.conf --CERTSDIR=/usr/share/ca-certificates --LOCALCERTSDIR=/usr/local/share/ca-certificates -+CERTSCONF=$SYSROOT/etc/ca-certificates.conf -+CERTSDIR=$SYSROOT/usr/share/ca-certificates -+LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates - CERTBUNDLE=ca-certificates.crt --ETCCERTSDIR=/etc/ssl/certs --HOOKSDIR=/etc/ca-certificates/update.d -+ETCCERTSDIR=$SYSROOT/etc/ssl/certs -+HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d - - while [ $# -gt 0 ]; - do -@@ -92,9 +92,9 @@ add() { - PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \ - -e 's/[()]/=/g' \ - -e 's/,/_/g').pem" -- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ] -+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ] - then -- ln -sf "$CERT" "$PEM" -+ ln -sf "${CERT##$SYSROOT}" "$PEM" - echo "+$PEM" >> "$ADDED" - fi - # Add trailing newline to certificate, if it is missing (#635570) diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch index 214f88909a..929945b56f 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch 
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0003-update-ca-certificates-use-relative-symlinks-from-ET.patch @@ -1,4 +1,4 @@ -From 38d47c53749c6f16d5d7993410b256116e0ee0b8 Mon Sep 17 00:00:00 2001 +From a69933f96a8675369de702bdb55e57dc21f65e7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Draszik?= Date: Wed, 28 Mar 2018 16:45:05 +0100 Subject: [PATCH] update-ca-certificates: use relative symlinks from @@ -45,26 +45,26 @@ Signed-off-by: AndrĂ© Draszik 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index f7d0dbf..97a589c 100755 +index 1e737b9..8510082 100755 --- a/sbin/update-ca-certificates +++ b/sbin/update-ca-certificates -@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates - LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates +@@ -30,6 +30,7 @@ LOCALCERTSDIR=/usr/local/share/ca-certificates CERTBUNDLE=ca-certificates.crt - ETCCERTSDIR=$SYSROOT/etc/ssl/certs + ETCCERTSDIR=/etc/ssl/certs + HOOKSDIR=/etc/ca-certificates/update.d +FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system - HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d while [ $# -gt 0 ]; -@@ -125,9 +126,10 @@ add() { + do +@@ -100,9 +101,10 @@ add() { PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \ -e 's/[()]/=/g' \ -e 's/,/_/g').pem" -- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ] +- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ] + DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )" + if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ] then -- ln -sf "${CERT##$SYSROOT}" "$PEM" +- ln -sf "$CERT" "$PEM" + ln -sf "${DST}" "$PEM" echo "+$PEM" >> "$ADDED" fi diff --git a/meta/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch b/meta/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch deleted file mode 100644 index c2a54c0096..0000000000 
--- a/meta/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 50aadd3eb1c4be43d3decdeb60cede2de5a687be Mon Sep 17 00:00:00 2001 -From: Christopher Larson -Date: Fri, 23 Aug 2013 12:26:14 -0700 -Subject: [PATCH] ca-certificates: add recipe (version 20130610) - -Upstream-Status: Pending - -update-ca-certificates: find SYSROOT relative to its own location - -This makes the script relocatable. ---- - sbin/update-ca-certificates | 33 +++++++++++++++++++++++++++++++++ - 1 file changed, 33 insertions(+) - -diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 2d3e1fe..f7d0dbf 100755 ---- a/sbin/update-ca-certificates -+++ b/sbin/update-ca-certificates -@@ -66,6 +66,39 @@ do - shift - done - -+if [ -z "$SYSROOT" ]; then -+ local_which () { -+ if [ $# -lt 1 ]; then -+ return 1 -+ fi -+ -+ ( -+ IFS=: -+ for entry in $PATH; do -+ if [ -x "$entry/$1" ]; then -+ echo "$entry/$1" -+ exit 0 -+ fi -+ done -+ exit 1 -+ ) -+ } -+ -+ case "$0" in -+ */*) -+ sbindir=$(cd ${0%/*} && pwd) -+ ;; -+ *) -+ sbindir=$(cd $(dirname $(local_which $0)) && pwd) -+ ;; -+ esac -+ prefix=${sbindir%/*} -+ SYSROOT=${prefix%/*} -+ if [ ! -d "$SYSROOT/usr/share/ca-certificates" ]; then -+ SYSROOT= -+ fi -+fi -+ - if [ ! -s "$CERTSCONF" ] - then - fresh=1 diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb b/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb index bbdc7dd68d..676e9e0c78 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb 
@@ -16,9 +16,8 @@ PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" SRC_URI[sha256sum] = "dd8286d0a9dd35c756fea5f1df3fed1510fb891f376903891b003cd9b1ad7e03" SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz \ - file://0002-update-ca-certificates-use-SYSROOT.patch \ file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ - file://default-sysroot.patch \ + file://0002-sbin-update-ca-certificates-add-a-sysroot-option.patch \ file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \ " @@ -62,7 +61,7 @@ do_install:append:class-target () { } pkg_postinst:${PN}:class-target () { - SYSROOT="$D" $D${sbindir}/update-ca-certificates + $D${sbindir}/update-ca-certificates --sysroot $D } CONFFILES:${PN} += "${sysconfdir}/ca-certificates.conf" 
@@ -71,11 +70,11 @@ CONFFILES:${PN} += "${sysconfdir}/ca-certificates.conf" # we just run update-ca-certificate from do_install() for nativesdk. CONFFILES:${PN}:append:class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt" do_install:append:class-nativesdk () { - SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates + ${D}${sbindir}/update-ca-certificates --sysroot ${D}${SDKPATHNATIVE} } do_install:append:class-native () { - SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates + ${D}${sbindir}/update-ca-certificates --sysroot ${D}${base_prefix} } RDEPENDS:${PN}:append:class-target = " openssl-bin openssl"
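Review bot: in the new 0002-sbin-update-ca-certificates-add-a-sysroot-option.patch, the --sysroot) branch uses "$1" right after shift without checking that a value is present. An empty or missing value leaves $1 empty, so the assignments produce "/${CERTSCONF}", "/${ETCCERTSDIR}" and so on, which are the paths of the machine running the script rather than those of the image being built. The prefixing is also order dependent: a directory option such as --hooksdir given before --sysroot gets the prefix, given after it does not. Suggest rejecting an empty or missing argument, documenting the ordering, and extending the usage line (echo "$0: [--verbose] [--fresh]"), which does not mention the new option.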
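Review bot: in the refreshed 0003-update-ca-certificates-use-relative-symlinks-from-ET.patch, the DST line expands ${CERT} unquoted inside echo and interpolates $SYSROOT into the sed pattern as a regular expression, so a certificate path with glob characters or runs of whitespace, or a sysroot containing regex metacharacters or "|", gives a link target that differs from the intended one. FSROOT=../../../ is also tied to the depth of the default ETCCERTSDIR, as its own comment says, and is not recomputed when that directory is set to something of a different depth. Suggest quoting "${CERT}" and noting the depth assumption in the patch description.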
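Review bot: in the pkg_postinst:${PN}:class-target hunk of the recipe, --sysroot $D is passed unconditionally and unquoted, and $D is empty when the postinst runs on the target itself, so --sysroot ends up with no argument; patch 17/19 of this series reports exactly this as "shift: shift count out of range". The replaced form, SYSROOT="$D" in the environment, tolerated an empty value. Suggest passing the option only when $D is non-empty, and quoting the value in all three call sites.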
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 16/19] ca-certificates: upgrade 20241223 -> 20250419
Date: Tue, 11 Nov 2025 06:58:24 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226181

From: Wang Mingyu

0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch
refreshed for 20250419

0002-sbin-update-ca-certificates-add-a-sysroot-option.patch
removed since it's included in 20250419

Signed-off-by: Wang Mingyu
Signed-off-by: Richard Purdie
(cherry picked from commit e39cc1fb7234bf2b37856296d3c0d10ddf8cae64)
Signed-off-by: Ankur Tyagi
Signed-off-by: Steve Sakoman
--- ...ertdata2pem.py-print-a-warning-for-e.patch | 6 ++-- ...icates-don-t-use-Debianisms-in-run-p.patch | 6 ++-- ...ca-certificates-add-a-sysroot-option.patch | 36 ------------------- ...0241223.bb => ca-certificates_20250419.bb} | 3 +- 4 files changed, 7 insertions(+), 44 deletions(-) delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch rename meta/recipes-support/ca-certificates/{ca-certificates_20241223.bb => ca-certificates_20250419.bb} (94%)
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch index da2a247e51..1226508c98 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch @@ -1,4 +1,4 @@ -From 630736f427c0a1bd0be0b5a2f6d51d63b2c4c9fd Mon Sep 17 00:00:00 2001 +From 743774cd53ed1c45bb660eddacf6dadb5ee3e145 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Mon, 18 Oct 2021 12:05:49 +0200 Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired @@ -16,10 +16,10 @@ Signed-off-by: Alexander Kanavin 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/debian/changelog b/debian/changelog -index 52d41ca..bdb2c8a 100644 +index dbe3e9c..496e05d 100644 --- a/debian/changelog +++ b/debian/changelog -@@ -138,7 +138,6 @@ ca-certificates (20211004) unstable; urgency=low +@@ -156,7 +156,6 @@ ca-certificates (20211004) unstable; urgency=low - "Trustis FPS Root CA" - "Staat der Nederlanden Root CA - G3" * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch index cad30929f5..1a29da756f 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch 
@@ -1,4 +1,4 @@ -From 348163df412e53b1b7ec3e81ae5f22caa0227c37 Mon Sep 17 00:00:00 2001 +From 63086d41f76b1c3357e23c6509df72d3f75af20c Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Mon, 6 Jul 2015 15:19:41 +0100 Subject: [PATCH] ca-certificates: remove Debianism in run-parts invocation @@ -22,10 +22,10 @@ Signed-off-by: Maciej Borzecki 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 36cdd9a..2d3e1fe 100755 +index 91d8024..1e737b9 100755 --- a/sbin/update-ca-certificates +++ b/sbin/update-ca-certificates -@@ -202,9 +202,7 @@ if [ -d "$HOOKSDIR" ] +@@ -210,9 +210,7 @@ if [ -d "$HOOKSDIR" ] then echo "Running hooks in $HOOKSDIR..." diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch b/meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch deleted file mode 100644 index ba5bb69657..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/0002-sbin-update-ca-certificates-add-a-sysroot-option.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From d6bb773745c2e95fd1a414e916fbed64e0d8df66 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin -Date: Mon, 31 Mar 2025 17:42:25 +0200 -Subject: [PATCH] sbin/update-ca-certificates: add a --sysroot option - -This allows using the script in cross-compilation environments -where the script needs to prefix the sysroot to every other -directory it operates on. There are individual options -to set those directories, but using a common prefix option -instead is a lot less clutter and more robust. - -Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/13] -Signed-off-by: Alexander Kanavin ---- - sbin/update-ca-certificates | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 4bb77a0..1e737b9 100755 ---- a/sbin/update-ca-certificates -+++ b/sbin/update-ca-certificates -@@ -59,6 +59,14 @@ do - --hooksdir) - shift - HOOKSDIR="$1";; -+ --sysroot) -+ shift -+ SYSROOT="$1" -+ CERTSCONF="$1/${CERTSCONF}" -+ CERTSDIR="$1/${CERTSDIR}" -+ LOCALCERTSDIR="$1/${LOCALCERTSDIR}" -+ ETCCERTSDIR="$1/${ETCCERTSDIR}" -+ HOOKSDIR="$1/${HOOKSDIR}";; - --help|-h|*) - echo "$0: [--verbose] [--fresh]" - exit;; diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb b/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb similarity index 94% rename from meta/recipes-support/ca-certificates/ca-certificates_20241223.bb rename to meta/recipes-support/ca-certificates/ca-certificates_20250419.bb index 676e9e0c78..f06a30bd6d 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb 
@@ -14,10 +14,9 @@ DEPENDS:class-nativesdk = "openssl-native" # Need rehash from openssl and run-parts from debianutils PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" -SRC_URI[sha256sum] = "dd8286d0a9dd35c756fea5f1df3fed1510fb891f376903891b003cd9b1ad7e03" +SRC_URI[sha256sum] = "33b44ef78653ecd3f0f2f13e5bba6be466be2e7da72182f737912b81798ba5d2" SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz \ file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ - file://0002-sbin-update-ca-certificates-add-a-sysroot-option.patch \ file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \ "
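Review bot: the recipe hunk drops 0002-sbin-update-ca-certificates-add-a-sysroot-option.patch from SRC_URI while the recipe still invokes update-ca-certificates with --sysroot, and the commit message says only that the patch is "included in 20250419" without naming the upstream commit or merge request that landed. The index lines do support the claim: the refreshed 0001-update-ca-certificates-don-t-use-Debianisms patch now ends at blob 1e737b9, the same blob the removed 0002 patch produced (index 4bb77a0..1e737b9) and the one 0003 is based on (index 1e737b9..8510082). Suggest citing the upstream change in the message so the recipe's dependency on upstream's option is recorded.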
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 17/19] ca-certificates: fix on-target postinstall script
Date: Tue, 11 Nov 2025 06:58:25 -0800
Message-ID: <9a2bd3b6e2e53071a1463d2804d0d4fb17b1814f.1762872962.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226182

From: Gyorgy Sarvari

When the package is installed directly on the machine (instead of installing it in the rootfs directly), the postinstall script fails with the following error:

/usr/sbin/update-ca-certificates: line 75: shift: shift count out of range

The reason is that the "update-ca-certificates" script is executed with the "--sysroot" argument, and as the sysroot $D is passed. However on the target system this variable doesn't exist, so the argument is passed without this mandatory value, and the execution fails.

To avoid this error, check if the $D variable exists, and pass the --sysroot argument only when it does.

Reported-by: WXbet
Signed-off-by: Gyorgy Sarvari
Signed-off-by: Richard Purdie
(cherry picked from commit cf39461e97098a1b28693299677888ba7e8bfccf)
Signed-off-by: Ankur Tyagi
Signed-off-by: Steve Sakoman
--- .../ca-certificates/ca-certificates_20250419.bb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb b/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb index f06a30bd6d..01f594095e 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb 
@@ -60,7 +60,8 @@ do_install:append:class-target () { } pkg_postinst:${PN}:class-target () { - $D${sbindir}/update-ca-certificates --sysroot $D + [ -n "$D" ] && sysroot_args="--sysroot $D" + $D${sbindir}/update-ca-certificates $sysroot_args } CONFFILES:${PN} += "${sysconfdir}/ca-certificates.conf"
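Review bot: in the pkg_postinst hunk, sysroot_args is never initialised, so when $D is empty the second added line expands whatever value that variable already has in the environment of the process running the postinst, and that value is then handed to the script that rebuilds the trust store. The option is also assembled as one unquoted string and re-split through $sysroot_args, so a $D containing whitespace is broken into extra arguments. Suggest setting sysroot_args="" before the [ -n "$D" ] test.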
h986NSavMCsPanBNU8PFoYz1nO8A0f3zdnbD10CgiOoClARtsgm08AVjBBiYq64/4l+w WLvcOxJ+jjADJ2KU/wRoQe+++/tsWRXvf24xdUifWxxbKZHXO8SeXsNFcH3AqQ7GqRNM tOEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1762873151; x=1763477951; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=XLQAo2ohzlc2vlEzyyb6Rmi7iUywz98niE6EVPbE2xY=; b=IiczznLGFWUpaqH4HY2vmBRUaxcpqTBB+OlE6sBssEf/AaAXH2Nn/3Wxp8vPxhRpgn tN2ETKW69p3GCf2OWKYIsueSVgixy71IEyg7KCWhy+wVYq5B1BSps22K0lQnSeugQZJ/ akYOPhq/G9TarmcJgIx6uExC7DjVgp67BRnIQzrvmFjnbpiX0CK3u9ZyV1MLyy5TJVAT dbsLn/iWqcGU1u9os3Co82FoL2VjWaga0uNqYRpX+KiBubin//ijs1QeBf0yXICnfWqX 2vvttEOTESIo6UtK8EbeRCgMl5ryZkKh9253Uf9OaBrG4aP2a/KwVeYToC+gACcN2Sa3 dSZg== X-Gm-Message-State: AOJu0YxntD0oLrajLvezc/uYaqVdRhrbfiz55I2sItZQOMbWWM4bAYno fxFKVK3czdPu4g30Z0uYP8gKqB2PAMyh0c3R146JwgwpRrdO/NIHJ0zy4dciAyuWLj4cO6YLJny xPFtCBmQ= X-Gm-Gg: ASbGncu/38Oh7zZhm/FJqji58IJPUc/H84JBTh2q/lLqn+aOqwIPmWr2nHRNXVkHyrD zKA8/wZXAk3r9Q8WDoJevNnfksz1rpoSiGK7rxr74GMvsSTx1ioIuoCzUgaE+RI1DxRYTCHOATD kqTJeRCHQGOcKj5EZS887p80bzduMBuwzQxmv+QaG8ZjmnrD0/Y0kiGALzsdpMNJcacxNQAxgIZ /bt6+Rblo+7BPgi2MpjXLtvlHsP9eUy8HKkALWeCHwkxD2NBy7AnbkKiLuombaKumauv8GL1TGE BrXzLq3bNPLKuvPzD+zBZ3Q1ndkQoAtTrxJribix41Ifd20fRal1qOPpSTBXGdTrseDo7lHjnF9 4j5afYMx/RstGV2K8RI312w75iDVAed3peZ6GCPdE2vEj9C1Xau4aXR3yiho6h0SaAmU2JnVhw0 vTAw== X-Google-Smtp-Source: AGHT+IFflO0uEpP1NKfkPPuhBdzBSSTfQLFrYZYMttlF6StfZUYO8x33PRPXEHE9llVl4r0Ca//0NQ== X-Received: by 2002:a17:90b:164b:b0:32e:4716:d551 with SMTP id 98e67ed59e1d1-343bf0dd604mr4505929a91.6.1762873150668; Tue, 11 Nov 2025 06:59:10 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:db6b:ed5a:7890:6b41]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-343685301f8sm11662588a91.5.2025.11.11.06.59.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Nov 2025 06:59:10 -0800 (PST) 
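Review bot: in pkg_postinst of the ca-certificates recipe, sysroot_args is assigned only when $D is non-empty, so when $D is empty the call expands whatever value sysroot_args already has in the postinst environment; set sysroot_args="" before the test so that case is guaranteed to run without --sysroot. The unquoted $sysroot_args also depends on word splitting to produce two arguments, which splits the path if $D ever contains whitespace, so a short comment saying the expansion is deliberately unquoted would help the next reader.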
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 18/19] oeqa/selftest/devtool: Update after upstream repo changes Date: Tue, 11 Nov 2025 06:58:26 -0800 Message-ID: <1e0a64a1890a62e130595f46d93c8d08af9170f5.1762872962.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:59:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226183 From: Richard Purdie The upstream changed the branch name, moving to archive/ so we need to update too. Take the opportunity to match the new location too to avoid the redirect. We could use a different branch but upstream would probably eventually rename that too so this may last longer. Signed-off-by: Richard Purdie (cherry picked from commit 478a645bad150f04dee1b0085c4542c2eefe7007) Signed-off-by: Steve Sakoman --- meta/lib/oeqa/selftest/cases/devtool.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py index ee75687f01..55048830bf 100644 --- a/meta/lib/oeqa/selftest/cases/devtool.py +++ b/meta/lib/oeqa/selftest/cases/devtool.py 
@@ -476,8 +476,8 @@ class DevtoolAddTests(DevtoolBase): version = 'v3.1.0' pn = 'mbedtls' # this will trigger reformat_git_uri with branch parameter in url - git_url = "'git://git@github.com/ARMmbed/mbedtls.git;branch=mbedtls-2.28;protocol=https'" - resulting_src_uri = "git://git@github.com/ARMmbed/mbedtls.git;branch=mbedtls-2.28;protocol=https" + git_url = "'git://git@github.com/Mbed-TLS/mbedtls.git;branch=archive/mbedtls-2.28;protocol=https'" + resulting_src_uri = "git://git@github.com/Mbed-TLS/mbedtls.git;branch=archive/mbedtls-2.28;protocol=https" self._test_devtool_add_git_url(git_url, version, pn, resulting_src_uri) def test_devtool_add_git_style2(self): 
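Review bot: git_url and resulting_src_uri in this hunk repeat the same long URL, differing only in the inner single quotes, so the rename to Mbed-TLS and archive/mbedtls-2.28 had to be made twice; deriving one from the other (for example resulting_src_uri = git_url.strip("'")) keeps them in step the next time upstream renames the branch, which the commit message already expects.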
@@ -485,8 +485,8 @@ class DevtoolAddTests(DevtoolBase): srcrev = 'v3.1.0' pn = 'mbedtls' # this will trigger reformat_git_uri with branch parameter in url - git_url = "'git://git@github.com/ARMmbed/mbedtls.git;protocol=https'" - resulting_src_uri = "git://git@github.com/ARMmbed/mbedtls.git;protocol=https;branch=master" + git_url = "'git://git@github.com/Mbed-TLS/mbedtls.git;protocol=https'" + resulting_src_uri = "git://git@github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=master" self._test_devtool_add_git_url(git_url, version, pn, resulting_src_uri, srcrev) def test_devtool_add_library(self): 
From patchwork Tue Nov 11 14:58:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 74209 X-Patchwork-Delegate: steve@sakoman.com
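Review bot: the context comment above git_url in the second devtool.py hunk (@@ -485,8) says the URL has a branch parameter, but this git_url carries none and the expected resulting_src_uri is the same URL with ;branch=master appended; reword the comment to describe that case while these lines are being changed. The expectation also hard-codes master for the Mbed-TLS repository, so a one-line comment on why master is expected would save a lookup if upstream renames again.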
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 19/19] xf86-video-intel: correct SRC_URI as freedesktop anongit is down Date: Tue, 11 Nov 2025 06:58:27 -0800 Message-ID: <64eff9fa267f33d2ca0972a5dc4ae010138cd720.1762872962.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 14:59:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226184 From: Alexander Kanavin (From OE-Core rev: 04037a14e1431c4a51f5d51885974732a6108368) Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie (cherry picked from commit 9649bec517996558e01d668d2b59e68306a3a647) Signed-off-by: Gyorgy Sarvari Signed-off-by: Steve Sakoman --- meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb b/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb index 2e526bd799..0a42bd9975 100644 --- a/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb +++ b/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb @@ -13,7 +13,7 @@ SRCREV = "31486f40f8e8f8923ca0799aea84b58799754564" PV = "2.99.917+git" S = "${WORKDIR}/git" -SRC_URI = "git://anongit.freedesktop.org/git/xorg/driver/xf86-video-intel;protocol=https;branch=master" +SRC_URI = "git://gitlab.freedesktop.org/xorg/driver/xf86-video-intel.git;protocol=https;branch=master" UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)"
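Review bot: the SRC_URI line moves the fetch to a different host while SRCREV stays pinned, and the commit message has no body beyond the provenance trailers; add a sentence saying that gitlab.freedesktop.org is the project's replacement location for the anongit URL and that the pinned SRCREV is reachable on branch=master there, so a reader can tell the fetched source is unchanged.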