From patchwork Mon Jan 19 20:39:56 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 79109
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][scarthgap][PATCH 1/6] sssd: Upgrade 2.9.2 -> 2.9.5
Date: Mon, 19 Jan 2026 15:39:56 -0500
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3025

From: Vijay Anusuri

Includes security fix CVE-2023-3758

ChangeLog:
https://github.com/SSSD/sssd/releases/tag/2.9.5

Signed-off-by: Vijay Anusuri
Signed-off-by: Scott Murray
--- .../recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.9.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.9.5.bb} (98%) diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb similarity index 98% rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb index d61471c..cb27675 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb +++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb 
@@ -26,7 +26,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ file://musl_fixup.patch \ file://0001-sssctl-add-error-analyzer.patch \ " -SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba" +SRC_URI[sha256sum] = "bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3" UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases" From patchwork Mon Jan 19 20:39:57 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 79105
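Review bot: In the sssd_2.9.5.bb hunk of patch 1/6 the only changed line is SRC_URI[sha256sum], while the carried patches visible as context (musl_fixup.patch, 0001-sssctl-add-error-analyzer.patch) are left untouched, even though patch 3/6 has to refresh those same files for 2.9.7. Please confirm that every file:// patch in SRC_URI still applies to 2.9.5 without fuzz, and verify the new sha256sum against the tarball published on the upstream release page named in the ChangeLog link. Since the commit message gives CVE-2023-3758 as the security content of the bump, a pointer to where upstream lists that fix for 2.9.5 would let a stable-branch reviewer check it without reading the whole changelog.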
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][scarthgap][PATCH 2/6] sssd: Fix for CVE-2025-11561
Date: Mon, 19 Jan 2026 15:39:57 -0500
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3026

From: Vijay Anusuri

Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/e5224f0cb684e61203d2cd8045266f7248696204]

Signed-off-by: Vijay Anusuri
Signed-off-by: Scott Murray
--- .../sssd/files/CVE-2025-11561.patch | 50 +++++++++++++++++++ .../recipes-security/sssd/sssd_2.9.5.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch new file mode 100644 index 0000000..8111ca0 --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch 
@@ -0,0 +1,50 @@ +From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 10 Oct 2025 12:57:40 +0200 +Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a client is joined to AD or IPA SSSD's localauth plugin can handle +the mapping of Kerberos principals to local accounts. In case it cannot +map the Kerberos principals libkrb5 is currently configured to fall back +to the default localauth plugins 'default', 'rule', 'names', +'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details). +All plugins except 'an2ln' require some explicit configuration by either +the administrator or the local user. To avoid some unexpected mapping is +done by the 'an2ln' plugin this patch disables it in the configuration +snippets for SSSD's localauth plugin. + +Resolves: https://github.com/SSSD/sssd/issues/8021 + +:relnote: After startup SSSD already creates a Kerberos configuration + snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin + if the AD or IPA providers are used. This enables SSSD's localauth plugin. + Starting with this release the an2ln plugin is disabled in the + configuration snippet as well. If this file or its content are included in + the Kerberos configuration it will fix CVE-2025-11561. 
+ +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310) + +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/e5224f0cb684e61203d2cd8045266f7248696204] +CVE: CVE-2025-11561 +Signed-off-by: Vijay Anusuri +--- + src/util/domain_info_utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c +index edaf967e186..5c1f050184e 100644 +--- a/src/util/domain_info_utils.c ++++ b/src/util/domain_info_utils.c +@@ -751,6 +751,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name, + #define LOCALAUTH_PLUGIN_CONFIG \ + "[plugins]\n" \ + " localauth = {\n" \ ++" disable = an2ln\n" \ + " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \ + " }\n" + diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb index cb27675..2954257 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb +++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb 
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ file://fix-ldblibdir.patch \ file://musl_fixup.patch \ file://0001-sssctl-add-error-analyzer.patch \ + file://CVE-2025-11561.patch \ " SRC_URI[sha256sum] = "bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3" From patchwork Mon Jan 19 20:39:58 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 79110
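Review bot: The release note carried in the new CVE-2025-11561.patch (patch 2/6) says the change fixes the CVE only "If this file or its content are included in the Kerberos configuration", yet neither hunk touches any krb5.conf, so the CVE: CVE-2025-11561 tag records the issue as fixed even for images whose Kerberos configuration never pulls in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin. Please say in the commit message whether the layer's Kerberos configuration includes that directory, and if it does not, add the include or a note for integrators alongside this patch. The same release note limits the snippet to setups using the AD or IPA providers, which is worth repeating in the commit message so the scope of the added "disable = an2ln" line is clear to anyone auditing the backport.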
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][scarthgap][PATCH 3/6] sssd: Upgrade to 2.9.7
Date: Mon, 19 Jan 2026 15:39:58 -0500
Message-ID: <62059c7e36c4a91c0f9579f986c24140a1260ed1.1768854779.git.scott.murray@konsulko.com>
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3027

Release notes:
https://sssd.io/release-notes/sssd-2.9.6.html
https://sssd.io/release-notes/sssd-2.9.7.html

Signed-off-by: Scott Murray
--- .../0001-sssctl-add-error-analyzer.patch | 42 ++++++++++--------- .../sssd/files/CVE-2025-11561.patch | 6 +-- .../sssd/files/drop_ntpdate_chk.patch | 17 +++++--- .../sssd/files/fix-ldblibdir.patch | 9 +++- .../recipes-security/sssd/files/fix_gid.patch | 16 +++++-- .../sssd/files/musl_fixup.patch | 34 ++++++++------- .../recipes-security/sssd/files/no_gen.patch | 18 +++++--- .../sssd/{sssd_2.9.5.bb => sssd_2.9.7.bb} | 2 +- 8 files changed, 90 insertions(+), 54 deletions(-) rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.5.bb => sssd_2.9.7.bb} (98%) diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch index 6880405..4f58125 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch 
@@ -1,13 +1,17 @@ +From 56bcfecda72dc56c1bb8b8eb2721033f54dba9f8 Mon Sep 17 00:00:00 2001 +From: roy214 +Date: Tue, 25 Apr 2023 20:01:24 +0530 +Subject: [PATCH] sssctl: add error analyzer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + Backport patch to fix interpreter of sss_analyze. Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c] Signed-off-by: Kai Kang -From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001 -From: roy214 -Date: Tue, 25 Apr 2023 20:01:24 +0530 -Subject: [PATCH] sssctl: add error analyzer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -28,7 +32,7 @@ Reviewed-by: Tomáš Halman create mode 100644 src/tools/analyzer/util.py diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am -index b40043d043..7692af8528 100644 +index b40043d..7692af8 100644 --- a/src/tools/analyzer/Makefile.am +++ b/src/tools/analyzer/Makefile.am @@ -13,10 +13,12 @@ dist_pkgpython_DATA = \ @@ -46,7 +50,7 @@ index b40043d043..7692af8528 100644 $(NULL) diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py new file mode 100644 -index 0000000000..71173670c5 +index 0000000..7117367 --- /dev/null +++ b/src/tools/analyzer/modules/error.py @@ -0,0 +1,61 @@ @@ -112,7 +116,7 @@ index 0000000000..71173670c5 + print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html") + return diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index d661dddb84..e4d5f060c7 100644 +index d661ddd..e4d5f06 100644 --- a/src/tools/analyzer/modules/request.py +++ b/src/tools/analyzer/modules/request.py @@ -1,6 +1,6 @@ 
@@ -123,7 +127,7 @@ index d661dddb84..e4d5f060c7 100644 from sssd.parser import SubparsersAction from sssd.parser import Option -@@ -38,7 +38,6 @@ def print_module_help(self, args): +@@ -38,7 +38,6 @@ class RequestAnalyzer: def setup_args(self, parser_grp, cli): """ Setup module parser, subcommands, and options @@ -131,7 +135,7 @@ index d661dddb84..e4d5f060c7 100644 Args: parser_grp (argparse.Action): Parser group to nest module and subcommands under -@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli): +@@ -63,42 +62,6 @@ class RequestAnalyzer: return self.module_parser @@ -174,7 +178,7 @@ index d661dddb84..e4d5f060c7 100644 def get_linked_ids(self, source, pattern, regex): """ Retrieve list of associated REQ_TRACE ids. Filter -@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex): +@@ -114,8 +77,9 @@ class RequestAnalyzer: Returns: List of linked ids discovered """ @@ -185,7 +189,7 @@ index d661dddb84..e4d5f060c7 100644 id_re = re.compile(regex) match = id_re.search(match) if match: -@@ -250,7 +214,8 @@ def list_requests(self, args): +@@ -250,7 +214,8 @@ class RequestAnalyzer: Args: args (Namespace): populated argparse namespace """ @@ -195,7 +199,7 @@ index d661dddb84..e4d5f060c7 100644 component = source.Component.NSS resp = "nss" # Log messages matching the following regex patterns contain -@@ -266,7 +231,7 @@ def list_requests(self, args): +@@ -266,7 +231,7 @@ class RequestAnalyzer: if args.verbose: self.print_formatted_verbose(source) else: @@ -204,7 +208,7 @@ index d661dddb84..e4d5f060c7 100644 if type(source).__name__ == 'Journald': print(line) else: -@@ -279,7 +244,8 @@ def track_request(self, args): +@@ -279,7 +244,8 @@ class RequestAnalyzer: Args: args (Namespace): populated argparse namespace """ 
@@ -214,7 +218,7 @@ index d661dddb84..e4d5f060c7 100644 cid = args.cid resp_results = False be_results = False -@@ -294,7 +260,7 @@ def track_request(self, args): +@@ -294,7 +260,7 @@ class RequestAnalyzer: logger.info(f"******** Checking {resp} responder for Client ID" f" {cid} *******") source.set_component(component, args.child) @@ -223,7 +227,7 @@ index d661dddb84..e4d5f060c7 100644 resp_results = self.consume_line(match, source, args.merge) logger.info(f"********* Checking Backend for Client ID {cid} ********") -@@ -307,7 +273,7 @@ def track_request(self, args): +@@ -307,7 +273,7 @@ class RequestAnalyzer: pattern.clear() [pattern.append(f'\\{id}') for id in be_ids] @@ -233,7 +237,7 @@ index d661dddb84..e4d5f060c7 100644 if args.merge: diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze -index 3f1beaf38b..6d4b5b30c6 100755 +index 3f1beaf..6d4b5b3 100755 --- a/src/tools/analyzer/sss_analyze +++ b/src/tools/analyzer/sss_analyze @@ -1,4 +1,4 @@ @@ -243,7 +247,7 @@ index 3f1beaf38b..6d4b5b30c6 100755 from sssd import sss_analyze diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py -index 18b998f380..dafc84fc03 100644 +index 18b998f..dafc84f 100644 --- a/src/tools/analyzer/sss_analyze.py +++ b/src/tools/analyzer/sss_analyze.py @@ -1,6 +1,7 @@ @@ -254,7 +258,7 @@ index 18b998f380..dafc84fc03 100644 from sssd.parser import SubparsersAction -@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp): +@@ -55,9 +56,11 @@ class Analyzer: """ # Currently only the 'request' module exists req = request.RequestAnalyzer() @@ -268,7 +272,7 @@ index 18b998f380..dafc84fc03 100644 """ diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py new file mode 100644 -index 0000000000..2a8d153a71 +index 0000000..2a8d153 --- /dev/null +++ b/src/tools/analyzer/util.py @@ -0,0 +1,44 @@ 
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch index 8111ca0..110444a 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2025-11561.patch @@ -1,4 +1,4 @@ -From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001 +From 9fdc7f2b4ed50a5ce788a86f2a5be448668381f5 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 10 Oct 2025 12:57:40 +0200 Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA @@ -37,10 +37,10 @@ Signed-off-by: Vijay Anusuri 1 file changed, 1 insertion(+) diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c -index edaf967e186..5c1f050184e 100644 +index edaf967..5c1f050 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c -@@ -751,6 +751,7 @@ static errno_t sss_write_krb5_snippet_common(const char *file_name, +@@ -751,6 +751,7 @@ done: #define LOCALAUTH_PLUGIN_CONFIG \ "[plugins]\n" \ " localauth = {\n" \ diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch index 338af5d..e86a720 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch @@ -1,14 +1,21 @@ +From 1e8e2a324bfdeb2443c78db1689fe526fd5d8b60 Mon Sep 17 00:00:00 2001 +From: Armin Kuster +Date: Tue, 18 May 2021 15:10:53 +0000 +Subject: [PATCH] sssd: update to 2.5.0 + nsupdate path is needed for various exec call but don't run natvie tests on it. - Upstream-Status: Inappropriate [OE specific] 
Signed-off-by: Armin Kuster +--- + src/external/nsupdate.m4 | 12 ------------ + 1 file changed, 12 deletions(-) -Index: sssd-2.5.0/src/external/nsupdate.m4 -=================================================================== ---- sssd-2.5.0.orig/src/external/nsupdate.m4 -+++ sssd-2.5.0/src/external/nsupdate.m4 +diff --git a/src/external/nsupdate.m4 b/src/external/nsupdate.m4 +index a137f38..ab08f57 100644 +--- a/src/external/nsupdate.m4 ++++ b/src/external/nsupdate.m4 @@ -3,16 +3,4 @@ AC_MSG_CHECKING(for executable nsupdate) if test -x "$NSUPDATE"; then AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate]) diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch index e350baf..f482716 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch @@ -1,3 +1,8 @@ +From 512e46f3b9965cff200aa47879857d198afd8fe2 Mon Sep 17 00:00:00 2001 +From: Kai Kang +Date: Wed, 16 Jun 2021 14:42:33 +0800 +Subject: [PATCH] sssd: fix for ldblibdir and systemd etc + When calculate value of ldblibdir, it checks whether the directory of $ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not suitable for cross compile. Fix it that only re-assign ldblibdir when its value @@ -11,10 +16,10 @@ Signed-off-by: Kai Kang 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/external/libldb.m4 b/src/external/libldb.m4 -index c400add..5e5f06d 100644 +index e8285a9..e98913c 100644 --- a/src/external/libldb.m4 +++ b/src/external/libldb.m4 -@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then +@@ -22,7 +22,7 @@ if test x"$with_ldb_lib_dir" != x; then ldblibdir=$with_ldb_lib_dir else ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`" 
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch index 419b83f..642002f 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch @@ -1,3 +1,8 @@ +From cf9fd2126e697b02e1561501a20dfa13fee16505 Mon Sep 17 00:00:00 2001 +From: Armin Kuster +Date: Tue, 18 May 2021 15:10:53 +0000 +Subject: [PATCH] sssd: update to 2.5.0 + from ../sssd-2.5.0/src/util/sss_pam_data.c:27: | ../sssd-2.5.0/src/util/debug.h:88:44: error: unknown type name 'uid_t'; did you mean 'uint_t'? | 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid); @@ -11,11 +16,14 @@ from ../sssd-2.5.0/src/util/sss_pam_data.c:27: Upstream-Status: Pending Signed-off-by: Armin Kuster +--- + src/util/debug.h | 2 ++ + 1 file changed, 2 insertions(+) -Index: sssd-2.7.1/src/util/debug.h -=================================================================== ---- sssd-2.7.1.orig/src/util/debug.h -+++ sssd-2.7.1/src/util/debug.h +diff --git a/src/util/debug.h b/src/util/debug.h +index c33c14e..405c21d 100644 +--- a/src/util/debug.h ++++ b/src/util/debug.h @@ -24,6 +24,8 @@ #include "config.h" diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch index 68f267c..f998005 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch @@ -1,4 +1,7 @@ -fix musl build failures +From abb66c871d5571accff49a281730246a057b4967 Mon Sep 17 00:00:00 2001 +From: Armin Kuster +Date: Sun, 4 Jul 2021 08:50:06 -0700 +Subject: [PATCH] fix musl build failures Missing _PATH_HOSTS and some NETDB defines when musl is enabled. 
@@ -8,22 +11,25 @@ These are work arounds for now while we figure out where the real fix should res | 1199 | _PATH_HOSTS); | | ^~~~~~~~~~~ -and +and i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c:415:21: error: 'NETDB_INTERNAL' undeclared (first use in this function) | 415 | *h_errnop = NETDB_INTERNAL; - Upstream-Status: Pending Signed-off-by: Armin Kuster - -Index: sssd-2.5.1/src/providers/fail_over.c -=================================================================== ---- sssd-2.5.1.orig/src/providers/fail_over.c -+++ sssd-2.5.1/src/providers/fail_over.c -@@ -31,6 +31,10 @@ - #include +--- + src/providers/fail_over.c | 4 ++++ + src/sss_client/sss_cli.h | 8 ++++++++ + 2 files changed, 12 insertions(+) + +diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c +index 835ac52..dea4fab 100644 +--- a/src/providers/fail_over.c ++++ b/src/providers/fail_over.c +@@ -33,6 +33,10 @@ #include + #include +#if !defined(_PATH_HOSTS) +#define _PATH_HOSTS "/etc/hosts" @@ -32,10 +38,10 @@ Index: sssd-2.5.1/src/providers/fail_over.c #include "util/dlinklist.h" #include "util/refcount.h" #include "util/util.h" -Index: sssd-2.5.1/src/sss_client/sss_cli.h -=================================================================== ---- sssd-2.5.1.orig/src/sss_client/sss_cli.h -+++ sssd-2.5.1/src/sss_client/sss_cli.h +diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h +index 29b496e..c47e776 100644 +--- a/src/sss_client/sss_cli.h ++++ b/src/sss_client/sss_cli.h @@ -44,6 +44,14 @@ typedef int errno_t; #define EOK 0 #endif diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch index 7d8e80b..0a1972e 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch 
@@ -1,14 +1,20 @@ -don't run generate-sbus-code +From 81074928bf6bf339628eb6427c44f8ad4512a431 Mon Sep 17 00:00:00 2001 +From: Armin Kuster +Date: Tue, 18 May 2021 15:10:53 +0000 +Subject: [PATCH] don't run generate-sbus-code Upstream-Status: Inappropriate [OE Specific] Signed-off-by: Armin Kuster +--- + Makefile.am | 2 -- + 1 file changed, 2 deletions(-) -Index: sssd-2.7.1/Makefile.am -=================================================================== ---- sssd-2.7.1.orig/Makefile.am -+++ sssd-2.7.1/Makefile.am -@@ -1023,8 +1023,6 @@ generate-sbus-code: +diff --git a/Makefile.am b/Makefile.am +index 3477aa0..8943e8a 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1036,8 +1036,6 @@ generate-sbus-code: .PHONY: generate-sbus-code diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.7.bb similarity index 98% rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.7.bb index 2954257..f92fe65 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.5.bb +++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.7.bb 
@@ -27,7 +27,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ file://0001-sssctl-add-error-analyzer.patch \ file://CVE-2025-11561.patch \ " -SRC_URI[sha256sum] = "bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3" +SRC_URI[sha256sum] = "6b5284a4d72b67c0897699794360d79e0f67461957e20273c2649f025e76c248" UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases" From patchwork Mon Jan 19 20:39:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 79106 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9794DD2ECEC for ; Mon, 19 Jan 2026 20:40:23 +0000 (UTC) Received: from mail-qk1-f182.google.com (mail-qk1-f182.google.com [209.85.222.182]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.44589.1768855221116786548 for ; Mon, 19 Jan 2026 12:40:21 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=bgwYcJCi; spf=pass (domain: konsulko.com, ip: 209.85.222.182, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f182.google.com with SMTP id af79cd13be357-8c538d17816so616993185a.0 for ; Mon, 19 Jan 2026 12:40:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1768855220; x=1769460020; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=+cermduJ9NzDmicLfoeS7Wu9tOaO08S61cUCQdgteFI=; b=bgwYcJCi1x8spmGcwSaZQi5B+pVoOTHRnmg0SXN23VMMEOoSmFQN4SqmGGpcjjOPR2 Po0MIlGvsLzEDeJ5SzNkD9usejWuckvJWxkO79J+x25gQZWoMQkgO0HwZsIQcr/gzq/L j2TQElFVvjMvD10RmYVn2lq+C95AQe1ju3fww= X-Google-DKIM-Signature: v=1; 
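Review bot: in the sssd_2.9.7.bb hunk, the SRC_URI context still lists file://CVE-2025-11561.patch while the tarball checksum moves to the 2.9.7 release. Please confirm whether 2.9.7 already carries that fix. If it does, drop the entry from SRC_URI and delete the patch file in this commit; if it does not, say in the commit message that the backport was checked to still apply, since a security patch that becomes redundant or stops applying is easy to miss in a version bump.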
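Review bot: the refreshed patch that adds the _PATH_HOSTS fallback to src/providers/fail_over.c keeps Upstream-Status: Pending and a description that calls the change "work arounds for now", with compiler output quoted from sssd-2.5.1. Since the patch is being regenerated for this upgrade anyway, please check whether _PATH_HOSTS and NETDB_INTERNAL are still undeclared with the new release, and either record where the fix was sent upstream or note why it is still pending.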
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][scarthgap][PATCH 4/6] lynis: update to 3.1.5 Date: Mon, 19 Jan 2026 15:39:59 -0500 Message-ID: <4fa748a3e886549fa99ca86ec2c4c843c8a953a3.1768854779.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Jan 2026 20:40:23 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3028 From: Michael Opdenacker Tested on master (whinlatter) with beaglebone-yocto New in version 3.1.5 (2025-07-29): https://cisofy.com/changelog/lynis/#315 Added: - Support for OpenWrt - Bitdefender detection on Linux - Detection of openSUSE Tumbleweed-Slowroll Changed: - Corrected detection of service manager SMF - Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt - Check modules also under /usr/lib/modules.d Signed-off-by: Michael Opdenacker (backported to scarthgap) Signed-off-by: Scott Murray --- recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-compliance/lynis/{lynis_3.1.4.bb => lynis_3.1.5.bb} (93%) diff --git a/recipes-compliance/lynis/lynis_3.1.4.bb b/recipes-compliance/lynis/lynis_3.1.5.bb similarity index 93% rename from recipes-compliance/lynis/lynis_3.1.4.bb rename to recipes-compliance/lynis/lynis_3.1.5.bb index 9cce848..6264edc 100644 --- a/recipes-compliance/lynis/lynis_3.1.4.bb +++ b/recipes-compliance/lynis/lynis_3.1.5.bb 
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz" -SRC_URI[sha256sum] = "c4dbcddd429624d5b2319cd3b19728e18a7885b70b8eb0a9fdd3ca5f0ae28eb6" +SRC_URI[sha256sum] = "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4" #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis" From patchwork Mon Jan 19 20:40:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 79107 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8917DD2ECE6 for ; Mon, 19 Jan 2026 20:40:23 +0000 (UTC) Received: from mail-qt1-f172.google.com (mail-qt1-f172.google.com [209.85.160.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.44340.1768855222033769652 for ; Mon, 19 Jan 2026 12:40:22 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=H3oj6SHG; spf=pass (domain: konsulko.com, ip: 209.85.160.172, mailfrom: scott.murray@konsulko.com) Received: by mail-qt1-f172.google.com with SMTP id d75a77b69052e-502a2370e4fso28629571cf.3 for ; Mon, 19 Jan 2026 12:40:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1768855221; x=1769460021; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=nfbwCU7FfjY92xWO5Wpj7s0BSBcchgYYh/RKQZOG064=; b=H3oj6SHGm6FceqcH+wCigcaZe+rfCY5gzE/PJy9f3BXo7XUFnkW6HVXgG/nJF2e0Sc Q+USdcioTzoaHBFYQ4CCkFpEc5xNRJ+6mM/JZ4tqYSm0xTe/tJ3IHVawVe10vteFDqNb Lj8+Z29hMaDZWAiC0uu3P/+8HQM3LXB1O/Nls= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
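Review bot: the trailing context of the lynis_3.1.5.bb hunk leaves #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis" commented out, and the name does not match the UPSTREAM_CHECK_URI variable that the sssd recipe in this series sets. As it stands the recipe has no working upstream version check, so new lynis releases have to be noticed by hand. Consider replacing the comment with a real UPSTREAM_CHECK_URI line, or removing it.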
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][scarthgap][PATCH 5/6] lynis: move to GitHub fetching Date: Mon, 19 Jan 2026 15:40:00 -0500 Message-ID: <6113f0e2f8521427374c8c47bf7ed883962651bd.1768854779.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Jan 2026 20:40:23 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3029 From: Marta Rybczynska Move to fetching from GitHub hashes to avoid issues at releases, when the last-recent release changes place. Signed-off-by: Marta Rybczynska (adapted for scarthgap) Signed-off-by: Scott Murray --- recipes-compliance/lynis/lynis_3.1.5.bb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/recipes-compliance/lynis/lynis_3.1.5.bb b/recipes-compliance/lynis/lynis_3.1.5.bb index 6264edc..9105bbc 100644 --- a/recipes-compliance/lynis/lynis_3.1.5.bb +++ b/recipes-compliance/lynis/lynis_3.1.5.bb 
@@ -6,13 +6,13 @@ HOMEDIR = "https://cisofy.com/" LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" -SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz" +SRC_URI = "git://github.com/CISOfy/lynis.git;branch=master;protocol=https" -SRC_URI[sha256sum] = "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4" +SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa" #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis" -S = "${WORKDIR}/${BPN}" +S = "${WORKDIR}/git" inherit autotools-brokensep From patchwork Mon Jan 19 20:40:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 79108 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 98613D2ECF0 for ; Mon, 19 Jan 2026 20:40:23 +0000 (UTC) Received: from mail-qk1-f177.google.com (mail-qk1-f177.google.com [209.85.222.177]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.44591.1768855222836175140 for ; Mon, 19 Jan 2026 12:40:22 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=Ttmb21IM; spf=pass (domain: konsulko.com, ip: 209.85.222.177, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f177.google.com with SMTP id af79cd13be357-8c6aaf3cd62so365161585a.3 for ; Mon, 19 Jan 2026 12:40:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1768855222; x=1769460022; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=A5oCyw6LHwxw9OGXp6TB0YVR9Us0fHgJvgE68DdcVec=; b=Ttmb21IMW27596TNxsjBiWp4kxVfSz6+pnSPkibJtr1boFUsDgZ75ivZjIBnf+KQ63 
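Review bot: the hunk header context shows HOMEDIR = "https://cisofy.com/" directly above the lines being rewritten; the recipe variable for the project URL is HOMEPAGE, so this value is not picked up as the homepage. It is worth correcting while this block is being touched. The commented #UPSTREAM_CHECK line kept at the end of the hunk also still names downloads.cisofy.com, a host the recipe no longer fetches from once SRC_URI points at the GitHub repository.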
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][scarthgap][PATCH 6/6] lynis: upgrade to 3.1.6 Date: Mon, 19 Jan 2026 15:40:01 -0500 Message-ID: <97e482b71688b62ac1109d16e89368122f039cbf.1768854779.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Jan 2026 20:40:23 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3030 Release notes: https://github.com/CISOfy/lynis/releases/tag/3.1.6 Signed-off-by: Scott Murray --- recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} (96%) diff --git a/recipes-compliance/lynis/lynis_3.1.5.bb b/recipes-compliance/lynis/lynis_3.1.6.bb similarity index 96% rename from recipes-compliance/lynis/lynis_3.1.5.bb rename to recipes-compliance/lynis/lynis_3.1.6.bb index 9105bbc..c3961b7 100644 --- a/recipes-compliance/lynis/lynis_3.1.5.bb +++ b/recipes-compliance/lynis/lynis_3.1.6.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "git://github.com/CISOfy/lynis.git;branch=master;protocol=https" -SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa" +SRCREV = "06153321ea50d53a27446084e646d9f43fe46e0e" #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
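Review bot: the SRCREV line is the only thing in this hunk that selects the source, and neither the old nor the new hash is tied to a tag, so a reader cannot confirm from the diff that 06153321ea50d53a27446084e646d9f43fe46e0e is the 3.1.6 release that the file name claims. Add a comment above SRCREV naming the tag, or state in the commit message that the hash is what the 3.1.6 tag points to, so the version in the recipe name is known to match the code that is built.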