Release notes for Yocto-4.0.22 (Kirkstone)

Security Fixes in Yocto-4.0.22

• cups: Fix CVE-2024-35235 and CVE-2024-47175

• curl: Fix CVE-2024-8096

• expat: Fix CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492

• gnupg: Ignore CVE-2022-3219

• libpcap: Fix CVE-2023-7256 and CVE-2024-8006

• linux-yocto/5.10: Fix CVE-2022-48772, CVE-2023-52434, CVE-2023-52447, CVE-2023-52458, CVE-2024-0841, CVE-2024-26601, CVE-2024-26882, CVE-2024-26883, CVE-2024-26884, CVE-2024-26885, CVE-2024-26898, CVE-2024-26901, CVE-2024-26903, CVE-2024-26907, CVE-2024-26934, CVE-2024-26978, CVE-2024-27013, CVE-2024-27020, CVE-2024-35972, CVE-2024-35978, CVE-2024-35982, CVE-2024-35984, CVE-2024-35990, CVE-2024-35997, CVE-2024-36008, CVE-2024-36270, CVE-2024-36489, CVE-2024-36902, CVE-2024-36971, CVE-2024-36978, CVE-2024-38546, CVE-2024-38547, CVE-2024-38549, CVE-2024-38552, CVE-2024-38555, CVE-2024-38583, CVE-2024-38590, CVE-2024-38597, CVE-2024-38598, CVE-2024-38627, CVE-2024-38633, CVE-2024-38661, CVE-2024-38662, CVE-2024-38780, CVE-2024-39292, CVE-2024-39301, CVE-2024-39468, CVE-2024-39471, CVE-2024-39475, CVE-2024-39476, CVE-2024-39480, CVE-2024-39482, CVE-2024-39484, CVE-2024-39487, CVE-2024-39489, CVE-2024-39495, CVE-2024-39506, CVE-2024-40902, CVE-2024-40904, CVE-2024-40905, CVE-2024-40912, CVE-2024-40932, CVE-2024-40934, CVE-2024-40958, CVE-2024-40959, CVE-2024-40960, CVE-2024-40961, CVE-2024-40980, CVE-2024-40981, CVE-2024-40995, CVE-2024-41000, CVE-2024-41006, CVE-2024-41007, CVE-2024-41012, CVE-2024-41040, CVE-2024-41046, CVE-2024-41049, CVE-2024-41059, CVE-2024-41063, CVE-2024-41064, CVE-2024-41070, CVE-2024-41087, CVE-2024-41089, CVE-2024-41092, CVE-2024-41095, CVE-2024-41097, CVE-2024-42070, CVE-2024-42076, CVE-2024-42077, CVE-2024-42082, CVE-2024-42090, CVE-2024-42093, CVE-2024-42094, CVE-2024-42101, CVE-2024-42102, CVE-2024-42104, CVE-2024-42131, CVE-2024-42137, CVE-2024-42148, CVE-2024-42152, CVE-2024-42153, CVE-2024-42154, CVE-2024-42157, CVE-2024-42161, CVE-2024-42223, CVE-2024-42224, CVE-2024-42229, CVE-2024-42232, CVE-2024-42236, CVE-2024-42244 and CVE-2024-42247

• linux-yocto/5.15: Fix CVE-2023-52889, CVE-2024-41011, CVE-2024-42114, CVE-2024-42259, CVE-2024-42271, CVE-2024-42272, CVE-2024-42277, CVE-2024-42280, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285, CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289, CVE-2024-42301, CVE-2024-42302, CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313, CVE-2024-43817, CVE-2024-43828, CVE-2024-43854, CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861, CVE-2024-43863, CVE-2024-43871, CVE-2024-43873, CVE-2024-43882, CVE-2024-43889, CVE-2024-43890, CVE-2024-43893, CVE-2024-43894, CVE-2024-43902, CVE-2024-43907, CVE-2024-43908, CVE-2024-43909, CVE-2024-43914, CVE-2024-44934, CVE-2024-44935, CVE-2024-44944, CVE-2024-44947, CVE-2024-44952, CVE-2024-44954, CVE-2024-44958, CVE-2024-44960, CVE-2024-44965, CVE-2024-44966, CVE-2024-44969, CVE-2024-44971, CVE-2024-44982, CVE-2024-44983, CVE-2024-44985, CVE-2024-44986, CVE-2024-44987, CVE-2024-44988, CVE-2024-44989, CVE-2024-44990, CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003, CVE-2024-45006, CVE-2024-45011, CVE-2024-45016, CVE-2024-45018, CVE-2024-45021, CVE-2024-45025, CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46674, CVE-2024-46675, CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685, CVE-2024-46689, CVE-2024-46702 and CVE-2024-46707

• openssl: Fix CVE-2024-6119

• procps: Fix CVE-2023-4016

• python3: Fix CVE-2023-27043, CVE-2024-4030, CVE-2024-4032, CVE-2024-6923, CVE-2024-6232, CVE-2024-7592 and CVE-2024-8088

• qemu: Fix CVE-2024-4467

• rust: Ignore CVE-2024-43402

• webkitgtk: Fix CVE-2024-40779

• wpa-supplicant: Ignore CVE-2024-5290

• wpa-supplicant: Fix CVE-2024-3596

Fixes in Yocto-4.0.22

• bintuils: stable 2.38 branch update

• bitbake: fetch2/wget: Canonicalize DL_DIR paths for wget2 compatibility

• bitbake: fetch/wget: Move files into place atomically

• bitbake: hashserv: tests: Omit client in slow server start test

• bitbake: tests/fetch: Tweak to work on Fedora40

• bitbake: wget: Make wget –passive-ftp option conditional on ftp/ftps

• build-appliance-image: Update to kirkstone head revision

• buildhistory: Fix intermittent package file list creation

• buildhistory: Restoring files from preserve list

• buildhistory: Simplify intercept call sites and drop SSTATEPOSTINSTFUNC usage

• busybox: Fix cut with “-s” flag

• cdrtools-native: fix build with gcc-14

• curl: free old conn better on reuse

• cve-exclusion: Drop the version comparision/warning

• dejagnu: Fix LICENSE (change to GPL-3.0-only)

• doc/features: remove duplicate word in distribution feature ext2

• gcc: upgrade to v11.5

• gcr: Fix LICENSE (change to LGPL-2.0-only)

• glibc: stable 2.35 branch updates

• install-buildtools: fix “test installation” step

• install-buildtools: remove md5 checksum validation

• install-buildtools: support buildtools-make-tarball and update to 4.1

• iw: Fix LICENSE (change to ISC)

• kmscube: Add patch to fix -int-conversion build error

• lib/oeqa: rename assertRaisesRegexp to assertRaisesRegex

• libedit: Make docs generation deterministic

• linux-yocto/5.10: fix NFSV3 config warning

• linux-yocto/5.10: remove obsolete options

• linux-yocto/5.10: update to v5.10.223

• linux-yocto/5.15: update to v5.15.166

• meta-world-pkgdata: Inherit nopackages

• migration-guide: add release notes for 4.0.21

• openssl: Upgrade to 3.0.15

• poky.conf: bump version for 4.0.22

• populate_sdk_base: inherit nopackages

• python3: Upgrade to 3.10.15

• ruby: Make docs generation deterministic

• runqemu: keep generating tap devices

• scripts/install-buildtools: Update to 4.0.21

• selftest/runtime_test/virgl: Disable for all fedora

• testexport: fallback for empty IMAGE_LINK_NAME

• testimage: fallback for empty IMAGE_LINK_NAME

• tiff: Fix LICENSE (change to libtiff)

• udev-extraconf: Add collect flag to mount

• unzip: Fix LICENSE (change to Info-ZIP)

• valgrind: disable avx_estimate_insn.vgtest

• wpa-supplicant: Patch security advisory 2024-2

• yocto-uninative: Update to 4.5 for gcc 14

• yocto-uninative: Update to 4.6 for glibc 2.40

• zip: Fix LICENSE (change to Info-ZIP)

• zstd: fix LICENSE statement (change to “BSD-3-Clause | GPL-2.0-only”)

Known Issues in Yocto-4.0.22

• oeqa/runtime: the beaglebone-yocto target fails the parselogs runtime test due to unexpected kernel error messages in the log (see bug 15624 on Bugzilla).

Contributors to Yocto-4.0.22

• Aleksandar Nikolic

• Alexandre Belloni

• Archana Polampalli

• Bruce Ashfield

• Colin McAllister

• Deepthi Hemraj

• Divya Chellam

• Hitendra Prajapati

• Hugo SIMELIERE

• Jinfeng Wang

• Joshua Watt

• Jörg Sommer

• Konrad Weihmann

• Lee Chee Yang

• Martin Jansa

• Massimiliano Minella

• Michael Halstead

• Mingli Yu

• Niko Mauno

• Paul Eggleton

• Pedro Ferreira

• Peter Marko

• Purushottam Choudhary

• Richard Purdie

• Rob Woolley

• Rohini Sangam

• Ross Burton

• Rudolf J Streif

• Siddharth Doshi

• Steve Sakoman

• Vijay Anusuri

• Vivek Kumbhar

Repositories / Downloads for Yocto-4.0.22

poky

• Repository Location: https://git.yoctoproject.org/poky

• Branch: kirkstone

• Tag: yocto-4.0.22

• Git Revision: 7e87dc422d972e0dc98372318fcdc63a76347d16

• Release Artefact: poky-7e87dc422d972e0dc98372318fcdc63a76347d16

• sha: 5058e7b2474f8cb73c19e776ef58d9784321ef42109d5982747c8c432531239f

• Download Locations: http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/poky-7e87dc422d972e0dc98372318fcdc63a76347d16.tar.bz2 http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/poky-7e87dc422d972e0dc98372318fcdc63a76347d16.tar.bz2

openembedded-core

• Repository Location: https://git.openembedded.org/openembedded-core

• Branch: kirkstone

• Tag: yocto-4.0.22

• Git Revision: f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf

• Release Artefact: oecore-f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf

• sha: 378bcc840ba9fbf06a15fea1b5dacdd446f3ad4d85115d708e7bbb20629cdeb4

• Download Locations: http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/oecore-f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf.tar.bz2 http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/oecore-f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf.tar.bz2

meta-mingw

• Repository Location: https://git.yoctoproject.org/meta-mingw

• Branch: kirkstone

• Tag: yocto-4.0.22

• Git Revision: f6b38ce3c90e1600d41c2ebb41e152936a0357d7

• Release Artefact: meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7

• sha: 7d57167c19077f4ab95623d55a24c2267a3a3fb5ed83688659b4c03586373b25

• Download Locations: http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2 http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2

meta-gplv2

• Repository Location: https://git.yoctoproject.org/meta-gplv2

• Branch: kirkstone

• Tag: yocto-4.0.22

• Git Revision: d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a

• Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a

• sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d

• Download Locations: http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2 http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2

bitbake

• Repository Location: https://git.openembedded.org/bitbake

• Branch: 2.0

• Tag: yocto-4.0.22

• Git Revision: eb5c1ce6b1b8f33535ff7b9263ec7648044163ea

• Release Artefact: bitbake-eb5c1ce6b1b8f33535ff7b9263ec7648044163ea

• sha: 473d3e9539160633f3de9d88cce69123f6c623e4c8ab35beb7875868564593cf

• Download Locations: http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/bitbake-eb5c1ce6b1b8f33535ff7b9263ec7648044163ea.tar.bz2 http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/bitbake-eb5c1ce6b1b8f33535ff7b9263ec7648044163ea.tar.bz2

yocto-docs

• Repository Location: https://git.yoctoproject.org/yocto-docs

• Branch: kirkstone

• Tag: yocto-4.0.22

• Git Revision: 2169a52a24ebd1906039c42632bae6c4285a3aca