* [hardknott 00/11] Patch review: Jan 15th
@ 2022-01-15 14:27 Armin Kuster
  2022-01-15 14:27 ` [hardknott 01/11] syslog-ng: adjust control socket location Armin Kuster
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

Please have comments back by Monday

The following changes since commit 4932616b69b957e3a876541a579b79cb3f83306f:

  sdbus-c++-libsystemd: Avoid hard dependency on rsync (2021-11-18 08:05:44 -0800)

are available in the Git repository at:

  git://git.openembedded.org/meta-openembedded-contrib stable/hardknott-nut
  http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/hardknott-nut

Armin Kuster (1):
  wireshark: update to latest stable 3.4.11

Changqing Li (2):
  syslog-ng: adjust control socket location
  redis: add back missing patch

Chen Qi (1):
  udisks2: upgrade from 2.9.2 to 2.9.4

Jeremy Puhlman (1):
  ifenslave: Add branch=main

Mingli Yu (1):
  libteam: switch to python3

Peter Kjellerstedt (1):
  googletest: Switch branch from master to main

Sakib Sajal (1):
  nss: fix CVE-2021-43527

Yi Zhao (2):
  postfix: fix build with glibc 2.34
  postfix: upgrade 3.4.12 -> 3.4.23

wangmy (1):
  apache2: upgrade 2.4.51 -> 2.4.52

 .../0001-fix-build-with-glibc-2.34.patch      |  46 +++
 .../{postfix_3.4.12.bb => postfix_3.4.23.bb}  |   5 +-
 .../ifenslave/ifenslave_2.11.bb               |   2 +-
 .../0004-lemon-Remove-line-directives.patch   |  15 +-
 ...wireshark_3.4.8.bb => wireshark_3.4.11.bb} |   2 +-
 meta-oe/recipes-extended/redis/redis_6.2.6.bb |   4 +
 ...team_basic_test.py-switch-to-python3.patch | 101 ++++++
 ...asic_test.py-use-python3-interpreter.patch |  28 --
 .../recipes-support/libteam/libteam_1.31.bb   |   2 +-
 ...re-DER-encoded-signatures-are-within.patch | 297 ++++++++++++++++++
 meta-oe/recipes-support/nss/nss_3.64.bb       |   1 +
 ...log-ng.service-the-syslog-ng-service.patch |   2 +-
 .../{udisks2_2.9.2.bb => udisks2_2.9.4.bb}    |   4 +-
 .../recipes-test/googletest/googletest_git.bb |   2 +-
 .../{apache2_2.4.51.bb => apache2_2.4.52.bb}  |   2 +-
 15 files changed, 466 insertions(+), 47 deletions(-)
 create mode 100644 meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch
 rename meta-networking/recipes-daemons/postfix/{postfix_3.4.12.bb => postfix_3.4.23.bb} (75%)
 rename meta-networking/recipes-support/wireshark/{wireshark_3.4.8.bb => wireshark_3.4.11.bb} (97%)
 create mode 100644 meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch
 delete mode 100644 meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch
 create mode 100644 meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch
 rename meta-oe/recipes-support/udisks/{udisks2_2.9.2.bb => udisks2_2.9.4.bb} (89%)
 rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.51.bb => apache2_2.4.52.bb} (99%)

-- 
2.25.1




* [hardknott 01/11] syslog-ng: adjust control socket location
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  2022-01-15 14:27 ` [hardknott 02/11] libteam: switch to python3 Armin Kuster
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

From: Changqing Li <changqing.li@windriver.com>

Commit [1] changed the pidfile dir to /var/run/syslog-ng. This also changed
the location where the control socket is searched for, causing the following
error with systemd:

root@qemux86-64:~# syslog-ng-ctl config
Error connecting control socket, socket='/var/run/syslog-ng/syslog-ng.ctl',
error='No such file or directory'

Update the systemd service file to point to the new location.

[1] 00d1d63e4f7f ("syslog-ng: provide correct PID directory location to
                   restart/stop syslog-ng daemon")

(master rev: b57d824fdf822a4c3fdb153b92063f88705e3a6b)

Signed-off-by: lmorales <luisalejandro.moralespena@windriver.com>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../files/syslog-ng.service-the-syslog-ng-service.patch         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
index 0e1d09492b..7334800304 100644
--- a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
+++ b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
@@ -38,7 +38,7 @@ index 0ccc2b9..7f08c0e 100644
 -CONTROL_FILE=/var/run/syslog-ng.ctl
 -PID_FILE=/var/run/syslog-ng.pid
 +PERSIST_FILE=@LOCALSTATEDIR@/lib/syslog-ng/syslog-ng.persist
-+CONTROL_FILE=@LOCALSTATEDIR@/lib/syslog-ng/syslog-ng.ctl
++CONTROL_FILE=@LOCALSTATEDIR@/run/syslog-ng/syslog-ng.ctl
 +PID_FILE=@LOCALSTATEDIR@/run/syslog-ng.pid
  OTHER_OPTIONS="--enable-core"
 -- 
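Review bot: PID_FILE, on the line right after the changed CONTROL_FILE, still points at @LOCALSTATEDIR@/run/syslog-ng.pid, while the commit message says commit [1] moved the pidfile directory to /var/run/syslog-ng. Please confirm which PID path the daemon actually uses and, if it is the new directory, update PID_FILE in this same change so the two settings agree. It would also help to state in the commit message what creates run/syslog-ng before the service starts, and with which owner and mode, because syslog-ng-ctl talks to the daemon through this socket and nothing in the hunk shows how the directory is provisioned.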
-- 
2.25.1




* [hardknott 02/11] libteam: switch to python3
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
  2022-01-15 14:27 ` [hardknott 01/11] syslog-ng: adjust control socket location Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  2022-01-15 14:27 ` [hardknott 03/11] redis: add back missing patch Armin Kuster
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

From: Mingli Yu <mingli.yu@windriver.com>

The original fix for team_basic_test.py only changed the interpreter
to python3, but there are still some errors as below:
 # ./run-ptest
 File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 35
 print "Usage: team_basic_test.py [OPTION...]"
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?

 # ./run-ptest
 RUN #1
 # "ip link add testteamx type team"
 # "teamnl testteamx getoption mode"
 # "ip link del testteamx"
 # "modprobe -r team_mode_loadbalance team_mode_roundrobin team_mode_activebackup team_mode_broadcast team"
 Traceback (most recent call last):
  File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 206, in <module>
    main()
  File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 203, in main
    btest.run()
  File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 180, in run
    self._run_one_loop(i + 1)
  File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 173, in _run_one_loop
    self._run_one_mode(mode_name)
  File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 101, in _run_one_mode
    cmd_exec("teamnl %s getoption mode" % team_name, "*NOMODE*")
  File "/usr/lib64/libteam/ptest/./team_basic_test.py", line 80, in cmd_exec
    raise CmdExecUnexpectedOutputException(output, expected_output)
 __main__.CmdExecUnexpectedOutputException: Command execution output unexpected: "b'*NOMODE*'" != "*NOMODE*"

 So rework team_basic_test.py to fix the above issue.

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...team_basic_test.py-switch-to-python3.patch | 101 ++++++++++++++++++
 ...asic_test.py-use-python3-interpreter.patch |  28 -----
 .../recipes-support/libteam/libteam_1.31.bb   |   2 +-
 3 files changed, 102 insertions(+), 29 deletions(-)
 create mode 100644 meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch
 delete mode 100644 meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch

diff --git a/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch b/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch
new file mode 100644
index 0000000000..69276aba91
--- /dev/null
+++ b/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-switch-to-python3.patch
@@ -0,0 +1,101 @@
+From 06050e79655f0fa7d9daeda1fbd3a9a2c7736841 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Thu, 2 Dec 2021 15:08:25 +0800
+Subject: [PATCH] team_basic_test.py: switch to python3
+
+Switch the script team_basic_test.py to python3
+
+Upstream-Status: Submitted [https://github.com/jpirko/libteam/pull/63]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ scripts/team_basic_test.py | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/scripts/team_basic_test.py b/scripts/team_basic_test.py
+index faabd18..0b64af2 100755
+--- a/scripts/team_basic_test.py
++++ b/scripts/team_basic_test.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python3
+ """
+ Basic test.
+ 
+@@ -32,11 +32,11 @@ def usage():
+     """
+     Print usage of this app
+     """
+-    print "Usage: team_basic_test.py [OPTION...]"
+-    print ""
+-    print "  -h, --help                         print this message"
+-    print "  -c, --loop-count=NUMBER            number of loops (default 1)"
+-    print "  -p, --port=NETDEV                  port device (can be defined multiple times)"
++    print("Usage: team_basic_test.py [OPTION...]")
++    print("")
++    print("  -h, --help                         print this message")
++    print("  -c, --loop-count=NUMBER            number of loops (default 1)")
++    print("  -p, --port=NETDEV                  port device (can be defined multiple times)")
+     sys.exit()
+ 
+ class CmdExecFailedException(Exception):
+@@ -55,15 +55,15 @@ class CmdExecUnexpectedOutputException(Exception):
+         return "Command execution output unexpected: \"%s\" != \"%s\"" % (self.__output, self.__expected_output)
+ 
+ def print_output(out_type, string):
+-    print("%s:\n"
++    print(("%s:\n"
+           "----------------------------\n"
+           "%s"
+-          "----------------------------" % (out_type, string))
++          "----------------------------" % (out_type, string)))
+ 
+ def cmd_exec(cmd, expected_output=None, cleaner=False):
+     cmd = cmd.rstrip(" ")
+     if not cleaner:
+-        print("# \"%s\"" % cmd)
++        print(("# \"%s\"" % cmd))
+     subp = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
+                             stderr=subprocess.PIPE)
+     (data_stdout, data_stderr) = subp.communicate()
+@@ -74,7 +74,7 @@ def cmd_exec(cmd, expected_output=None, cleaner=False):
+         if data_stderr:
+             print_output("Stderr", data_stderr)
+         raise CmdExecFailedException(subp.returncode)
+-    output = data_stdout.rstrip()
++    output = (data_stdout.rstrip()).decode()
+     if expected_output:
+         if output != expected_output:
+             raise CmdExecUnexpectedOutputException(output, expected_output)
+@@ -166,7 +166,7 @@ TEAM_PORT_CONFIG='{"prio": 10}'
+             os.removedirs("/tmp/team_test/")
+ 
+     def _run_one_loop(self, run_nr):
+-        print "RUN #%d" % (run_nr)
++        print("RUN #%d" % (run_nr))
+         self._created_teams = []
+         try:
+             for mode_name in self._team_modes:
+@@ -176,7 +176,7 @@ TEAM_PORT_CONFIG='{"prio": 10}'
+             cmd_exec("modprobe -r team_mode_loadbalance team_mode_roundrobin team_mode_activebackup team_mode_broadcast team");
+ 
+     def run(self):
+-        for i in xrange(self._loop_count):
++        for i in range(self._loop_count):
+             self._run_one_loop(i + 1)
+ 
+ def main():
+@@ -186,8 +186,8 @@ def main():
+             "hc:p:",
+             ["help", "loop-count=", "port="]
+         )
+-    except getopt.GetoptError, err:
+-        print str(err)
++    except getopt.GetoptError as err:
++        print(str(err))
+         usage()
+ 
+     btest = TeamBasicTest()
+-- 
+2.17.1
+
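Review bot: in cmd_exec only the success path is converted to text. The new line output = (data_stdout.rstrip()).decode() comes after the failure branch, so print_output("Stderr", data_stderr) still receives bytes and will print a b'...' repr under python3. Decoding both streams right after subp.communicate(), or passing universal_newlines=True to subprocess.Popen, would cover both paths and make the later .decode() unnecessary. As a style point, the doubled parentheses in print(("%s:\n" ...)) and print(("# \"%s\"" % cmd)) look like converter output and can be reduced to a single pair.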
diff --git a/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch b/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch
deleted file mode 100644
index e27e4f3291..0000000000
--- a/meta-oe/recipes-support/libteam/libteam/0001-team_basic_test.py-use-python3-interpreter.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 571c141b434dff13494c6a3afe621f63a8e610e9 Mon Sep 17 00:00:00 2001
-From: Andrey Zhizhikin <andrey.z@gmail.com>
-Date: Mon, 27 Jan 2020 14:29:34 +0000
-Subject: [PATCH] team_basic_test.py: use python3 interpreter
-
-Use python3 since python2 is EOL and has been removed from several
-distributions.
-
-Upstream-Status: Pending
-
-Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
----
- scripts/team_basic_test.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/scripts/team_basic_test.py b/scripts/team_basic_test.py
-index b05be9e..ad980e8 100755
---- a/scripts/team_basic_test.py
-+++ b/scripts/team_basic_test.py
-@@ -1,4 +1,4 @@
--#! /usr/bin/env python
-+#! /usr/bin/env python3
- """
- Basic test.
- 
--- 
-2.17.1
-
diff --git a/meta-oe/recipes-support/libteam/libteam_1.31.bb b/meta-oe/recipes-support/libteam/libteam_1.31.bb
index eb59c1e3e9..764eb6fb74 100644
--- a/meta-oe/recipes-support/libteam/libteam_1.31.bb
+++ b/meta-oe/recipes-support/libteam/libteam_1.31.bb
@@ -11,7 +11,7 @@ SRC_URI = "git://github.com/jpirko/libteam;branch=master;protocol=https \
            file://0001-include-sys-select.h-for-fd_set-definition.patch \
            file://0002-teamd-Re-adjust-include-header-order.patch \
            file://0001-team_basic_test.py-disable-RedHat-specific-test.patch \
-           file://0001-team_basic_test.py-use-python3-interpreter.patch \
+           file://0001-team_basic_test.py-switch-to-python3.patch \
            file://run-ptest \
            "
 SRCREV = "3ee12c6d569977cf1cd30d0da77807a07aa77158"
-- 
2.25.1




* [hardknott 03/11] redis: add back missing patch
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
  2022-01-15 14:27 ` [hardknott 01/11] syslog-ng: adjust control socket location Armin Kuster
  2022-01-15 14:27 ` [hardknott 02/11] libteam: switch to python3 Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  2022-01-15 14:27 ` [hardknott 04/11] googletest: Switch branch from master to main Armin Kuster
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-extended/redis/redis_6.2.6.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta-oe/recipes-extended/redis/redis_6.2.6.bb b/meta-oe/recipes-extended/redis/redis_6.2.6.bb
index c129e61988..202fce16bb 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.6.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.6.bb
@@ -13,7 +13,11 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://hiredis-use-default-CC-if-it-is-set.patch \
            file://lua-update-Makefile-to-use-environment-build-setting.patch \
            file://oe-use-libc-malloc.patch \
+           file://0001-src-Do-not-reset-FINAL_LIBS.patch \
+           file://GNU_SOURCE.patch \
+           file://0006-Define-correct-gregs-for-RISCV32.patch \
            "
+
 SRC_URI[sha256sum] = "5b2b8b7a50111ef395bf1c1d5be11e6e167ac018125055daa8b5c2317ae131ab"
 
 inherit autotools-brokensep update-rc.d systemd useradd
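Review bot: the three added file:// entries (0001-src-Do-not-reset-FINAL_LIBS.patch, GNU_SOURCE.patch, 0006-Define-correct-gregs-for-RISCV32.patch) arrive with an empty commit body and a diffstat that touches only redis_6.2.6.bb, so the patch files themselves are not part of this change. Please say in the commit message which earlier change dropped them from SRC_URI and confirm the files are already present on this branch, since a file:// entry with no file behind it fails the fetch. The blank line added after the closing quote of SRC_URI is unrelated and can be dropped.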
-- 
2.25.1




* [hardknott 04/11] googletest: Switch branch from master to main
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
                   ` (2 preceding siblings ...)
  2022-01-15 14:27 ` [hardknott 03/11] redis: add back missing patch Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  2022-01-15 14:27 ` [hardknott 05/11] nss: fix CVE-2021-43527 Armin Kuster
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>

The master branch has been renamed to main in the github repo.

Change-Id: I19e9ea3998cf22508425d87fceb64ae68fbff166
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-test/googletest/googletest_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-test/googletest/googletest_git.bb b/meta-oe/recipes-test/googletest/googletest_git.bb
index 898f23fafb..35fe1bed00 100644
--- a/meta-oe/recipes-test/googletest/googletest_git.bb
+++ b/meta-oe/recipes-test/googletest/googletest_git.bb
@@ -11,7 +11,7 @@ PROVIDES += "gmock gtest"
 
 S = "${WORKDIR}/git"
 SRCREV = "703bd9caab50b139428cea1aaff9974ebee5742e"
-SRC_URI = "git://github.com/google/googletest.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/google/googletest.git;branch=main;protocol=https"
 
 inherit cmake
 
-- 
2.25.1




* [hardknott 05/11] nss: fix CVE-2021-43527
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
                   ` (3 preceding siblings ...)
  2022-01-15 14:27 ` [hardknott 04/11] googletest: Switch branch from master to main Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  2022-01-15 14:27 ` [hardknott 06/11] ifenslave: Add branch=main Armin Kuster
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

From: Sakib Sajal <sakib.sajal@windriver.com>

Backport patch to fix CVE-2021-43527.

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...re-DER-encoded-signatures-are-within.patch | 297 ++++++++++++++++++
 meta-oe/recipes-support/nss/nss_3.64.bb       |   1 +
 2 files changed, 298 insertions(+)
 create mode 100644 meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch

diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch
new file mode 100644
index 0000000000..dff07de92f
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch
@@ -0,0 +1,297 @@
+From 7c6fb56c3bcafa96c0bc87350f0f9e85f002a254 Mon Sep 17 00:00:00 2001
+From: Dennis Jackson <djackson@mozilla.com>
+Date: Mon, 22 Nov 2021 10:40:42 +0000
+Subject: [PATCH] Bug 1737470 - Ensure DER encoded signatures are within size
+ limits. r=jschanck,mt,bbeurdouche,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D129514
+
+--HG--
+branch : NSS_3_68_1_BRANCH
+
+Upstream-Status: Backport [7c6fb56c3bcafa96c0bc87350f0f9e85f002a254]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ lib/cryptohi/secvfy.c | 192 ++++++++++++++++++++++++++----------------
+ 1 file changed, 121 insertions(+), 71 deletions(-)
+
+diff --git a/nss/lib/cryptohi/secvfy.c b/nss/lib/cryptohi/secvfy.c
+index 2540a544c..17545848c 100644
+--- a/nss/lib/cryptohi/secvfy.c
++++ b/nss/lib/cryptohi/secvfy.c
+@@ -164,6 +164,37 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
+         PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+ 
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++    unsigned int sigLen = SECKEY_SignatureLen(pubk);
++    if (sigLen == 0) {
++        /* Error set by SECKEY_SignatureLen */
++        return sigLen;
++    }
++    unsigned int maxSigLen;
++    switch (pubk->keyType) {
++        case rsaKey:
++        case rsaPssKey:
++            maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++            break;
++        case dsaKey:
++            maxSigLen = DSA_MAX_SIGNATURE_LEN;
++            break;
++        case ecKey:
++            maxSigLen = 2 * MAX_ECKEY_LEN;
++            break;
++        default:
++            PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++            return 0;
++    }
++    if (sigLen > maxSigLen) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return 0;
++    }
++    return sigLen;
++}
++
+ /*
+  * decode the ECDSA or DSA signature from it's DER wrapping.
+  * The unwrapped/raw signature is placed in the buffer pointed
+@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
+                        unsigned int len)
+ {
+     SECItem *dsasig = NULL; /* also used for ECDSA */
+-    SECStatus rv = SECSuccess;
+ 
+-    if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+-        (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+-        if (sig->len != len) {
+-            PORT_SetError(SEC_ERROR_BAD_DER);
+-            return SECFailure;
++    /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
++    if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++        if (len > DSA_MAX_SIGNATURE_LEN) {
++            goto loser;
+         }
+-
+-        PORT_Memcpy(dsig, sig->data, sig->len);
+-        return SECSuccess;
+-    }
+-
+-    if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++    } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+         if (len > MAX_ECKEY_LEN * 2) {
+-            PORT_SetError(SEC_ERROR_BAD_DER);
+-            return SECFailure;
++            goto loser;
+         }
+-    }
+-    dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+-    if ((dsasig == NULL) || (dsasig->len != len)) {
+-        rv = SECFailure;
+     } else {
+-        PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++        goto loser;
+     }
+ 
+-    if (dsasig != NULL)
++    /* Decode and pad to length */
++    dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++    if (dsasig == NULL) {
++        goto loser;
++    }
++    if (dsasig->len != len) {
+         SECITEM_FreeItem(dsasig, PR_TRUE);
+-    if (rv == SECFailure)
+-        PORT_SetError(SEC_ERROR_BAD_DER);
+-    return rv;
++        goto loser;
++    }
++
++    PORT_Memcpy(dsig, dsasig->data, len);
++    SECITEM_FreeItem(dsasig, PR_TRUE);
++
++    return SECSuccess;
++
++loser:
++    PORT_SetError(SEC_ERROR_BAD_DER);
++    return SECFailure;
+ }
+ 
+ const SEC_ASN1Template hashParameterTemplate[] =
+@@ -281,7 +312,7 @@ SECStatus
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+                  const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
+ {
+-    int len;
++    unsigned int len;
+     PLArenaPool *arena;
+     SECStatus rv;
+     SECItem oid;
+@@ -466,48 +497,52 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
+     cx->pkcs1RSADigestInfo = NULL;
+     rv = SECSuccess;
+     if (sig) {
+-        switch (type) {
+-            case rsaKey:
+-                rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+-                                            &cx->pkcs1RSADigestInfo,
+-                                            &cx->pkcs1RSADigestInfoLen,
+-                                            cx->key,
+-                                            sig, wincx);
+-                break;
+-            case rsaPssKey:
+-                sigLen = SECKEY_SignatureLen(key);
+-                if (sigLen == 0) {
+-                    /* error set by SECKEY_SignatureLen */
+-                    rv = SECFailure;
++        rv = SECFailure;
++        if (type == rsaKey) {
++            rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++                                        &cx->pkcs1RSADigestInfo,
++                                        &cx->pkcs1RSADigestInfoLen,
++                                        cx->key,
++                                        sig, wincx);
++        } else {
++            sigLen = checkedSignatureLen(key);
++            /* Check signature length is within limits */
++            if (sigLen == 0) {
++                /* error set by checkedSignatureLen */
++                rv = SECFailure;
++                goto loser;
++            }
++            if (sigLen > sizeof(cx->u)) {
++                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++                rv = SECFailure;
++                goto loser;
++            }
++            switch (type) {
++                case rsaPssKey:
++                    if (sig->len != sigLen) {
++                        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++                        rv = SECFailure;
++                        goto loser;
++                    }
++                    PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
++                    rv = SECSuccess;
+                     break;
+-                }
+-                if (sig->len != sigLen) {
+-                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-                    rv = SECFailure;
++                case ecKey:
++                case dsaKey:
++                    /* decodeECorDSASignature will check sigLen == sig->len after padding */
++                    rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+                     break;
+-                }
+-                PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+-                break;
+-            case dsaKey:
+-            case ecKey:
+-                sigLen = SECKEY_SignatureLen(key);
+-                if (sigLen == 0) {
+-                    /* error set by SECKEY_SignatureLen */
++                default:
++                    /* Unreachable */
+                     rv = SECFailure;
+-                    break;
+-                }
+-                rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+-                break;
+-            default:
+-                rv = SECFailure;
+-                PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+-                break;
++                    goto loser;
++            }
++        }
++        if (rv != SECSuccess) {
++            goto loser;
+         }
+     }
+ 
+-    if (rv)
+-        goto loser;
+-
+     /* check hash alg again, RSA may have changed it.*/
+     if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+         /* error set by HASH_GetHashTypeByOidTag */
+@@ -650,11 +685,16 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
+     switch (cx->key->keyType) {
+         case ecKey:
+         case dsaKey:
+-            dsasig.data = cx->u.buffer;
+-            dsasig.len = SECKEY_SignatureLen(cx->key);
++            dsasig.len = checkedSignatureLen(cx->key);
+             if (dsasig.len == 0) {
+                 return SECFailure;
+             }
++            if (dsasig.len > sizeof(cx->u)) {
++                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++                return SECFailure;
++            }
++            dsasig.data = cx->u.buffer;
++
+             if (sig) {
+                 rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+                                             dsasig.len);
+@@ -686,8 +726,13 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
+                 }
+ 
+                 rsasig.data = cx->u.buffer;
+-                rsasig.len = SECKEY_SignatureLen(cx->key);
++                rsasig.len = checkedSignatureLen(cx->key);
+                 if (rsasig.len == 0) {
++                    /* Error set by checkedSignatureLen */
++                    return SECFailure;
++                }
++                if (rsasig.len > sizeof(cx->u)) {
++                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+                     return SECFailure;
+                 }
+                 if (sig) {
+@@ -749,7 +794,6 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
+     SECStatus rv;
+     VFYContext *cx;
+     SECItem dsasig; /* also used for ECDSA */
+-
+     rv = SECFailure;
+ 
+     cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+@@ -757,19 +801,25 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
+         switch (key->keyType) {
+             case rsaKey:
+                 rv = verifyPKCS1DigestInfo(cx, digest);
++                /* Error (if any) set by verifyPKCS1DigestInfo */
+                 break;
+-            case dsaKey:
+             case ecKey:
++            case dsaKey:
+                 dsasig.data = cx->u.buffer;
+-                dsasig.len = SECKEY_SignatureLen(cx->key);
++                dsasig.len = checkedSignatureLen(cx->key);
+                 if (dsasig.len == 0) {
++                    /* Error set by checkedSignatureLen */
++                    rv = SECFailure;
+                     break;
+                 }
+-                if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
+-                    SECSuccess) {
++                if (dsasig.len > sizeof(cx->u)) {
++                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++                    rv = SECFailure;
++                    break;
++                }
++                rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
++                if (rv != SECSuccess) {
+                     PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-                } else {
+-                    rv = SECSuccess;
+                 }
+                 break;
+             default:
+-- 
+2.25.1
+
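Review bot: the header of the added patch carries Upstream-Status: Backport and a Signed-off-by but no CVE tag, and the file name (0001-Bug-1737470-...) does not contain the CVE id either, so nothing in the patch ties it to CVE-2021-43527. Please add a line "CVE: CVE-2021-43527" next to Upstream-Status so the cve-check class and later reviewers can see the issue is addressed. The backport is taken from NSS_3_68_1_BRANCH onto nss 3.64, so the commit message should also say whether it applied unmodified. In the code, every call to checkedSignatureLen() in this hunk is followed by a comparison against sizeof(cx->u) before cx->u.buffer is used; that pairing is the part to preserve if the patch is ever refreshed.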
diff --git a/meta-oe/recipes-support/nss/nss_3.64.bb b/meta-oe/recipes-support/nss/nss_3.64.bb
index 97193aff5c..ccb5201d49 100644
--- a/meta-oe/recipes-support/nss/nss_3.64.bb
+++ b/meta-oe/recipes-support/nss/nss_3.64.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
            file://system-pkcs11.txt \
            file://nss-fix-nsinstall-build.patch \
            file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
+           file://0001-Bug-1737470-Ensure-DER-encoded-signatures-are-within.patch \
            "
 SRC_URI[sha256sum] = "d3175427172e9c3a6f1ebc74452cb791590f28191c6a1a443dbc0d87c9df1126"
 
-- 
2.25.1




* [hardknott 06/11] ifenslave: Add branch=main
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
                   ` (4 preceding siblings ...)
  2022-01-15 14:27 ` [hardknott 05/11] nss: fix CVE-2021-43527 Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  2022-01-15 14:27 ` [hardknott 08/11] postfix: upgrade 3.4.12 -> 3.4.23 Armin Kuster
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

From: Jeremy Puhlman <jpuhlman@mvista.com>

master branch has been removed upstream

Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
[tweaked to apply to previous branch define]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb b/meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb
index d2a6d02d2f..5e547a4621 100644
--- a/meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb
+++ b/meta-networking/recipes-support/ifenslave/ifenslave_2.11.bb
@@ -9,7 +9,7 @@ inherit manpages
 MAN_PKG = "${PN}"
 
 SRCREV = "c26e9310f552e69d0d44eb48746e02c9ae4b4f6f"
-SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=master"
+SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=main"
 
 S = "${WORKDIR}/git"
 
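Review bot: Only `branch=` changes in SRC_URI while SRCREV stays at c26e9310f552e69d0d44eb48746e02c9ae4b4f6f, so the fetch still fails if that commit is not an ancestor of upstream's main. Please confirm the pinned revision is reachable from main (a clean do_fetch with an empty DL_DIR shows it), and consider saying so in the commit message next to "master branch has been removed upstream".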
-- 
2.25.1




* [hardknott 08/11] postfix: upgrade 3.4.12 -> 3.4.23
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
                   ` (5 preceding siblings ...)
  2022-01-15 14:27 ` [hardknott 06/11] ifenslave: Add branch=main Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  2022-01-15 14:27 ` [hardknott 09/11] apache2: upgrade 2.4.51 -> 2.4.52 Armin Kuster
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

From: Yi Zhao <yi.zhao@windriver.com>

Changelog:
http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.3.20.HISTORY

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../postfix/{postfix_3.4.12.bb => postfix_3.4.23.bb}          | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-networking/recipes-daemons/postfix/{postfix_3.4.12.bb => postfix_3.4.23.bb} (82%)

diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb b/meta-networking/recipes-daemons/postfix/postfix_3.4.23.bb
similarity index 82%
rename from meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb
rename to meta-networking/recipes-daemons/postfix/postfix_3.4.23.bb
index e7bb3e9d32..bb66345805 100644
--- a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb
+++ b/meta-networking/recipes-daemons/postfix/postfix_3.4.23.bb
@@ -15,5 +15,5 @@ SRC_URI += "ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P
            file://0001-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \
            file://0001-fix-build-with-glibc-2.34.patch \
            "
-SRC_URI[sha256sum] = "18555183ae8b52a9e76067799279c86f9f2770cdef3836deb8462ee0a0855dec"
-UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.3(\.\d+)+).tar.gz"
+SRC_URI[sha256sum] = "1759e953bf7baccb533899845c17753bf57a99ebac9c21717626262966a122f9"
+UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.4(\.\d+)+).tar.gz"
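Review bot: The UPSTREAM_CHECK_REGEX change from `3\.3` to `3\.4` on the last line is a separate fix from the version bump (the old pattern could never match a 3.4.x release) and is not mentioned in the commit message, whose changelog link also points at postfix-3.3.20.HISTORY instead of a 3.4.x history file. Please note the regex fix in the message and check the link. While the line is being touched, the dots in `.tar.gz` could be escaped so the pattern matches only the literal suffix.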
-- 
2.25.1




* [hardknott 09/11] apache2: upgrade 2.4.51 -> 2.4.52
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
                   ` (6 preceding siblings ...)
  2022-01-15 14:27 ` [hardknott 08/11] postfix: upgrade 3.4.12 -> 3.4.23 Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  2022-01-15 14:27 ` [hardknott 10/11] wireshark: update to latest stable 3.4.11 Armin Kuster
  2022-01-15 14:27 ` [hardknott 11/11] udisks2: upgrade from 2.9.2 to 2.9.4 Armin Kuster
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

From: wangmy <wangmy@fujitsu.com>

Changelog:
==========
  *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerability though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.

  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
     specified openssl path.

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client.

  *) mod_http: Correctly send a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element().

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See <https://github.com/icing/mod_h2/issues/212>.

  *) mod_ssl: Add build support for OpenSSL v3.

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.

  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
     a third-party module.  PR 65627.

  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620

  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a second account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing orders from other accounts.
    - When retrieving certificate chains, try to read the response even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <https://github.com/icing/mod_md/issues/268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.

  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
     PR 65616.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ea76fc643713915a1618597be8bdbe0e4a3d993e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../apache2/{apache2_2.4.51.bb => apache2_2.4.52.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.51.bb => apache2_2.4.52.bb} (99%)

diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.51.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.52.bb
similarity index 99%
rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.51.bb
rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.52.bb
index d6e736d31d..10123aa2bb 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.51.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.52.bb
@@ -26,7 +26,7 @@ SRC_URI_append_class-target = " \
            "
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"
-SRC_URI[sha256sum] = "20e01d81fecf077690a4439e3969a9b22a09a8d43c525356e863407741b838f4"
+SRC_URI[sha256sum] = "0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9"
 
 S = "${WORKDIR}/httpd-${PV}"
 
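Review bot: SRC_URI[sha256sum] is the only line that changes, so it is the sole integrity check on the httpd 2.4.52 tarball; please confirm the new value was compared against the checksum or signature upstream publishes and not just taken from a local fetch. LIC_FILES_CHKSUM is unchanged in the context, which fits a point release. Since the changelog lists CVE-2021-44790 and CVE-2021-44224, naming them in the commit summary would make the security content of this stable-branch backport easier to track.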
-- 
2.25.1




* [hardknott 10/11] wireshark: update to latest stable 3.4.11
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
                   ` (7 preceding siblings ...)
  2022-01-15 14:27 ` [hardknott 09/11] apache2: upgrade 2.4.51 -> 2.4.52 Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  2022-01-15 14:27 ` [hardknott 11/11] udisks2: upgrade from 2.9.2 to 2.9.4 Armin Kuster
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

For more information, see:
https://www.wireshark.org/docs/relnotes/wireshark-3.4.11.html

refresh 0004-lemon-Remove-line-directives.patch

Includes CVEs:

3.4.11:
wnpa-sec-2021-16 Gryphon dissector crash. Issue 17737. CVE-2021-4186.
wnpa-sec-2021-17 RTMPT dissector infinite loop. Issue 17745. CVE-2021-4185.
wnpa-sec-2021-18 BitTorrent DHT dissector infinite loop. Issue 17754. CVE-2021-4184.
wnpa-sec-2021-20 RFC 7468 file parser infinite loop. Issue 17801. CVE-2021-4182.
wnpa-sec-2021-21 Sysdig Event dissector crash. CVE-2021-4181.

3.4.10:
wnpa-sec-2021-07 Bluetooth DHT dissector crash. Issue 17651. CVE-2021-39929.
wnpa-sec-2021-08 Bluetooth HCI_ISO dissector crash. Issue 17649. CVE-2021-39926.
wnpa-sec-2021-09 Bluetooth SDP dissector crash. Issue 17635. CVE-2021-39925.
wnpa-sec-2021-10 Bluetooth DHT dissector large loop. Issue 17677. CVE-2021-39924.
wnpa-sec-2021-11 PNRP dissector large loop. Issue 17684.
wnpa-sec-2021-12 C12.22 dissector crash. Issue 17636. CVE-2021-39922.
wnpa-sec-2021-13 IEEE 802.11 dissector crash. Issue 17704. CVE-2021-39928.
wnpa-sec-2021-14 Modbus dissector crash. Issue 17703. CVE-2021-39921.
wnpa-sec-2021-15 IPPUSB dissector crash. Issue 17705. CVE-2021-39920.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 89bf10d0cb8af495de02ba7a02c487a8b5592cc6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../files/0004-lemon-Remove-line-directives.patch | 15 ++++++---------
 .../{wireshark_3.4.8.bb => wireshark_3.4.11.bb}   |  2 +-
 2 files changed, 7 insertions(+), 10 deletions(-)
 rename meta-networking/recipes-support/wireshark/{wireshark_3.4.8.bb => wireshark_3.4.11.bb} (97%)

diff --git a/meta-networking/recipes-support/wireshark/files/0004-lemon-Remove-line-directives.patch b/meta-networking/recipes-support/wireshark/files/0004-lemon-Remove-line-directives.patch
index c1a528f90d..134633f668 100644
--- a/meta-networking/recipes-support/wireshark/files/0004-lemon-Remove-line-directives.patch
+++ b/meta-networking/recipes-support/wireshark/files/0004-lemon-Remove-line-directives.patch
@@ -12,11 +12,11 @@ Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
  cmake/modules/UseLemon.cmake | 49 +++++++++++++++++++++++++-----------
  1 file changed, 34 insertions(+), 15 deletions(-)
 
-diff --git a/cmake/modules/UseLemon.cmake b/cmake/modules/UseLemon.cmake
-index 849ffc1..ca38ab7 100644
---- a/cmake/modules/UseLemon.cmake
-+++ b/cmake/modules/UseLemon.cmake
-@@ -7,21 +7,40 @@ MACRO(ADD_LEMON_FILES _source _generated)
+Index: wireshark-3.4.11/cmake/modules/UseLemon.cmake
+===================================================================
+--- wireshark-3.4.11.orig/cmake/modules/UseLemon.cmake
++++ wireshark-3.4.11/cmake/modules/UseLemon.cmake
+@@ -7,21 +7,40 @@ MACRO(ADD_LEMON_FILES _source _generated
  
        SET(_out ${CMAKE_CURRENT_BINARY_DIR}/${_basename})
  
@@ -26,7 +26,7 @@ index 849ffc1..ca38ab7 100644
 -          # These files are generated as side-effect
 -          ${_out}.h
 -          ${_out}.out
--         COMMAND lemon
+-         COMMAND $<TARGET_FILE:lemon>
 -           -T${_lemonpardir}/lempar.c
 -           -d.
 -           ${_in}
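Review bot: Check that the command this nested patch adds in place of the removed `COMMAND $<TARGET_FILE:lemon>` block still finds the intended lemon binary in a cross build. The refresh only updates the removed side to follow upstream, and the added side of the nested patch is not visible in these hunks, so it may still call lemon the old way while upstream now resolves the tool through the CMake target.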
@@ -72,6 +72,3 @@ index 849ffc1..ca38ab7 100644
  
        LIST(APPEND ${_source} ${_in})
        LIST(APPEND ${_generated} ${_out}.c)
--- 
-2.26.2.Cisco
-
diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.8.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb
similarity index 97%
rename from meta-networking/recipes-support/wireshark/wireshark_3.4.8.bb
rename to meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb
index 73ccfc5f30..df1fb89f0a 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_3.4.8.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.11.bb
@@ -19,7 +19,7 @@ SRC_URI += " \
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
 
-SRC_URI[sha256sum] = "58a7fa8dfe2010a8c8b7dcf66438c653e6493d47eb936ba48ef49d4aa4dbd725"
+SRC_URI[sha256sum] = "a0e227bce2cc3a51ef3301891a0243231990b52a39b68a84a6e32f69c4e75279"
 
 PE = "1"
 
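Review bot: The recipe moves from 3.4.8 to 3.4.11, but the commit message lists security fixes only for 3.4.10 and 3.4.11; please state whether 3.4.9 carried any wnpa-sec items so the CVE list for this stable backport is complete. Also confirm that the new SRC_URI[sha256sum] matches the hash upstream publishes for the 3.4.11 tarball.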
-- 
2.25.1




* [hardknott 11/11] udisks2: upgrade from 2.9.2 to 2.9.4
  2022-01-15 14:27 [hardknott 00/11] Patch review: Jan 15th Armin Kuster
                   ` (8 preceding siblings ...)
  2022-01-15 14:27 ` [hardknott 10/11] wireshark: update to latest stable 3.4.11 Armin Kuster
@ 2022-01-15 14:27 ` Armin Kuster
  9 siblings, 0 replies; 11+ messages in thread
From: Armin Kuster @ 2022-01-15 14:27 UTC (permalink / raw)
  To: openembedded-devel

From: Chen Qi <Qi.Chen@windriver.com>

Upgrade udisks2 from 2.9.2 to 2.9.4. This upgrade solves
CVE-2021-3802.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../udisks/{udisks2_2.9.2.bb => udisks2_2.9.4.bb}             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-oe/recipes-support/udisks/{udisks2_2.9.2.bb => udisks2_2.9.4.bb} (89%)

diff --git a/meta-oe/recipes-support/udisks/udisks2_2.9.2.bb b/meta-oe/recipes-support/udisks/udisks2_2.9.4.bb
similarity index 89%
rename from meta-oe/recipes-support/udisks/udisks2_2.9.2.bb
rename to meta-oe/recipes-support/udisks/udisks2_2.9.4.bb
index 4c64f91a9e..a25860fd92 100644
--- a/meta-oe/recipes-support/udisks/udisks2_2.9.2.bb
+++ b/meta-oe/recipes-support/udisks/udisks2_2.9.4.bb
@@ -17,8 +17,8 @@ DEPENDS += "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
 
 RDEPENDS_${PN} = "acl"
 
-SRC_URI = "git://github.com/storaged-project/udisks.git;branch=master;protocol=https"
-SRCREV = "da6d9480fefeb0ffdf8a84626b5096827d8d7030"
+SRC_URI = "git://github.com/storaged-project/udisks.git;branch=2.9.x-branch;protocol=https"
+SRCREV = "001c486e6d099ed33e2de4f5c73c03e3ee180f81"
 S = "${WORKDIR}/git"
 
 CVE_PRODUCT = "udisks"
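Review bot: The new SRCREV 001c486e6d099ed33e2de4f5c73c03e3ee180f81 on 2.9.x-branch is not tied to a release in the commit message, so a reader cannot tell whether it is the 2.9.4 tag or a later branch commit. Please state that it corresponds to the udisks 2.9.4 tag. The switch from branch=master to branch=2.9.x-branch also deserves a line in the message, since with CVE_PRODUCT = "udisks" cve-check decides on CVE-2021-3802 from the recipe version and the checkout has to match it.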
-- 
2.25.1



