85 files changed, 7574 insertions, 19 deletions

diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc
index 6acedb5412..e1dfc7a861 100644
--- a/meta/recipes-connectivity/avahi/avahi.inc
+++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -21,6 +21,16 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
 
 SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
            file://fix-CVE-2017-6519.patch \
+           file://CVE-2021-3468.patch \
+           file://CVE-2023-1981.patch \
+           file://CVE-2023-38469-1.patch \
+           file://CVE-2023-38469-2.patch \
+           file://CVE-2023-38470-1.patch \
+           file://CVE-2023-38470-2.patch \
+           file://CVE-2023-38471-1.patch \
+           file://CVE-2023-38471-2.patch \
+           file://CVE-2023-38472.patch \
+           file://CVE-2023-38473.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/avahi_0.7.bb b/meta/recipes-connectivity/avahi/avahi_0.7.bb
index f6e3afb24e..0df44bffbe 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.7.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.7.bb
@@ -8,6 +8,9 @@ SRC_URI += "file://00avahi-autoipd \
 
 inherit update-rc.d systemd useradd
 
+# Issue only affects Debian/SUSE, not us
+CVE_CHECK_WHITELIST += "CVE-2021-26720"
+
 PACKAGES =+ "libavahi-gobject avahi-daemon libavahi-common libavahi-core libavahi-client avahi-dnsconfd libavahi-glib avahi-autoipd avahi-utils"
 
 LICENSE_libavahi-gobject = "LGPLv2.1+"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
new file mode 100644
index 0000000000..638a1f6071
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
@@ -0,0 +1,42 @@
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+
+Upstream-Status: Backport
+CVE: CVE-2021-3468
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+         }
+     }
+ 
++    if (events & AVAHI_WATCH_HUP) {
++        client_free(c);
++        return;
++    }
++
+     c->server->poll_api->watch_update(
+         watch,
+         (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 0000000000..1209864402
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,60 @@
+Backport of:
+
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/avahi-daemon/dbus-protocol.c
++++ b/avahi-daemon/dbus-protocol.c
+@@ -391,10 +391,14 @@ static DBusHandlerResult msg_server_impl
+         }
+ 
+         t = avahi_alternative_host_name(n);
+-        avahi_dbus_respond_string(c, m, t);
+-        avahi_free(t);
+-
+-        return DBUS_HANDLER_RESULT_HANDLED;
++        if (t) {
++            avahi_dbus_respond_string(c, m, t);
++            avahi_free(t);
++
++            return DBUS_HANDLER_RESULT_HANDLED;
++        } else {
++            return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
++        }
+ 
+     } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "GetAlternativeServiceName")) {
+         char *n, *t;
+@@ -405,10 +409,14 @@ static DBusHandlerResult msg_server_impl
+         }
+ 
+         t = avahi_alternative_service_name(n);
+-        avahi_dbus_respond_string(c, m, t);
+-        avahi_free(t);
+-
+-        return DBUS_HANDLER_RESULT_HANDLED;
++        if (t) {
++            avahi_dbus_respond_string(c, m, t);
++            avahi_free(t);
++
++            return DBUS_HANDLER_RESULT_HANDLED;
++        } else {
++            return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
++        }
+ 
+     } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "EntryGroupNew")) {
+         Client *client;
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
new file mode 100644
index 0000000000..12dad9ef6f
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
@@ -0,0 +1,48 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-core/rr.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/rr.c
++++ avahi-0.7/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+ 
++#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r
+         case AVAHI_DNS_TYPE_TXT: {
+ 
+             AvahiStringList *strlst;
++            size_t used = 0;
+ 
+-            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
++            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+                 if (strlst->size > 255 || strlst->size <= 0)
+                     return 0;
+ 
++                used += 1+strlst->size;
++                if (used > AVAHI_DNS_RDATA_MAX)
++                    return 0;
++            }
++
+             return 1;
+         }
+     }
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
new file mode 100644
index 0000000000..a62c718ebe
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
@@ -0,0 +1,65 @@
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 25 Oct 2023 18:15:42 +0000
+Subject: [PATCH] tests: pass overly long TXT resource records
+
+to make sure they don't crash avahi any more.
+It reproduces https://github.com/lathiat/avahi/issues/455
+
+Canonical notes:
+nickgalanis> removed first hunk since there is no .github dir in this release
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c       | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+)
+
+Index: avahi-0.7/avahi-client/client-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-client/client-test.c
++++ avahi-0.7/avahi-client/client-test.c
+@@ -22,6 +22,7 @@
+ #endif
+ 
+ #include <stdio.h>
++#include <string.h>
+ #include <assert.h>
+ 
+ #include <avahi-client/client.h>
+@@ -33,6 +34,8 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/timeval.h>
+ 
++#include <avahi-core/dns.h>
++
+ static const AvahiPoll *poll_api = NULL;
+ static AvahiSimplePoll *simple_poll = NULL;
+ 
+@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     uint32_t cookie;
+     struct timeval tv;
+     AvahiAddress a;
++    uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
++    AvahiStringList *txt = NULL;
++    int r;
+ 
+     simple_poll = avahi_simple_poll_new();
+     poll_api = avahi_simple_poll_get(simple_poll);
+@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+     printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+ 
++    memset(rdata, 1, sizeof(rdata));
++    r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
++    assert(r >= 0);
++    assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
++    error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
++    assert(error == AVAHI_ERR_INVALID_RECORD);
++    avahi_string_list_free(txt);
++
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
new file mode 100644
index 0000000000..82fb1ab40b
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
@@ -0,0 +1,57 @@
+From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] Ensure each label is at least one byte long
+
+The only allowed exception is single dot, where it should return empty
+string.
+
+Fixes #454.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c]
+CVE: CVE-2023-38470
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/domain-test.c | 14 ++++++++++++++
+ avahi-common/domain.c      |  2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-common/domain-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain-test.c
++++ avahi-0.7/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
+     printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+     avahi_free(s);
+ 
++    printf("%s\n", s = avahi_normalize_name_strdup("."));
++    avahi_free(s);
++
++    s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++                   "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++                   ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++                   "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++                   "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++                   "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++                   "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++                   "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++                   "}.?.?.?.}.=.?.?.}");
++    assert(s == NULL);
++
+     printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+     printf("%i\n", avahi_domain_equal("A", "a"));
+ 
+Index: avahi-0.7/avahi-common/domain.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain.c
++++ avahi-0.7/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s
+         }
+ 
+         if (!empty) {
+-            if (size < 1)
++            if (size < 2)
+                 return NULL;
+ 
+             *(r++) = '.';
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
new file mode 100644
index 0000000000..403ed6fd6a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
@@ -0,0 +1,53 @@
+From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 19 Sep 2023 03:21:25 +0000
+Subject: [PATCH] [common] bail out when escaped labels can't fit into ret
+
+Fixes:
+```
+==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
+READ of size 1110 at 0x7f9e76f14c16 thread T0
+    #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
+    #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
+    #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
+```
+and
+```
+fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
+==101571== ERROR: libFuzzer: deadly signal
+    #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #3 0x7f1581d7ebaf  (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
+```
+
+It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24]
+CVE: CVE-2023-38470 #Follow-up patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/domain.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-common/domain.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain.c
++++ avahi-0.7/avahi-common/domain.c
+@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s
+         } else
+             empty = 0;
+ 
+-        avahi_escape_label(label, strlen(label), &r, &size);
++        if (!(avahi_escape_label(label, strlen(label), &r, &size)))
++            return NULL;
+     }
+ 
+     return ret_s;
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
new file mode 100644
index 0000000000..c8d6a66174
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
@@ -0,0 +1,73 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+CVE-2023-38471
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
+CVE: CVE-2023-38471
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+Index: avahi-0.7/avahi-core/server.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/server.c
++++ avahi-0.7/avahi-core/server.c
+@@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s)
+ }
+ 
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+-    char *hn = NULL;
++    char label_escaped[AVAHI_LABEL_MAX*4+1];
++    char label[AVAHI_LABEL_MAX];
++    char *hn = NULL, *h;
++    size_t len;
++
+     assert(s);
+ 
+     AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
+-    hn[strcspn(hn, ".")] = 0;
++    h = hn;
++    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++        avahi_free(h);
++        return AVAHI_ERR_INVALID_HOST_NAME;
++    }
++
++    avahi_free(h);
+ 
+-    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+-        avahi_free(hn);
++    h = label_escaped;
++    len = sizeof(label_escaped);
++    if (!avahi_escape_label(label, strlen(label), &h, &len))
++        return AVAHI_ERR_INVALID_HOST_NAME;
++
++    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+-    }
+ 
+     withdraw_host_rrs(s);
+ 
+     avahi_free(s->host_name);
+-    s->host_name = hn;
++    s->host_name = avahi_strdup(label_escaped);
++    if (!s->host_name)
++        return AVAHI_ERR_NO_MEMORY;
+ 
+     update_fqdn(s);
+ 
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
new file mode 100644
index 0000000000..a789b144ed
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
@@ -0,0 +1,52 @@
+From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 22:04:51 +0000
+Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
+
+It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]
+CVE: CVE-2023-38471 #Follow-up Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+Index: avahi-0.7/avahi-core/server.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/server.c
++++ avahi-0.7/avahi-core/server.c
+@@ -1267,10 +1267,13 @@ int avahi_server_set_host_name(AvahiServ
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
++    if (!hn)
++        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
++
+     h = hn;
+     if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+         avahi_free(h);
+-        return AVAHI_ERR_INVALID_HOST_NAME;
++        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+     }
+ 
+     avahi_free(h);
+@@ -1278,7 +1281,7 @@ int avahi_server_set_host_name(AvahiServ
+     h = label_escaped;
+     len = sizeof(label_escaped);
+     if (!avahi_escape_label(label, strlen(label), &h, &len))
+-        return AVAHI_ERR_INVALID_HOST_NAME;
++        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+ 
+     if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1288,7 +1291,7 @@ int avahi_server_set_host_name(AvahiServ
+     avahi_free(s->host_name);
+     s->host_name = avahi_strdup(label_escaped);
+     if (!s->host_name)
+-        return AVAHI_ERR_NO_MEMORY;
++        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+ 
+     update_fqdn(s);
+ 
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
new file mode 100644
index 0000000000..f49d990a42
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
@@ -0,0 +1,45 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+
+Fixes #452
+
+CVE-2023-38472
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
+CVE: CVE-2023-38472
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c      | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-client/client-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-client/client-test.c
++++ avahi-0.7/avahi-client/client-test.c
+@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     assert(error == AVAHI_ERR_INVALID_RECORD);
+     avahi_string_list_free(txt);
+ 
++    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++    assert(error != AVAHI_OK);
++
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+Index: avahi-0.7/avahi-daemon/dbus-entry-group.c
+===================================================================
+--- avahi-0.7.orig/avahi-daemon/dbus-entry-group.c
++++ avahi-0.7/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g
+         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+ 
+-        if (avahi_rdata_parse (r, rdata, size) < 0) {
++        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+             avahi_record_unref (r);
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+         }
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
new file mode 100644
index 0000000000..59f6806c85
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,109 @@
+From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] common: derive alternative host name from its unescaped
+ version
+
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+
+Fixes #451 #487
+CVE-2023-38473
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38473.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
+CVE: CVE-2023-38473
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/alternative-test.c |  3 +++
+ avahi-common/alternative.c      | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+Index: avahi-0.7/avahi-common/alternative-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative-test.c
++++ avahi-0.7/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
+     const char* const test_strings[] = {
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
++        ").",
++        "\\.",
++        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+         "gurke",
+         "-",
+         " #",
+Index: avahi-0.7/avahi-common/alternative.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative.c
++++ avahi-0.7/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c
+ }
+ 
+ char *avahi_alternative_host_name(const char *s) {
++    char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
++    char *alt, *r, *ret;
+     const char *e;
+-    char *r;
++    size_t len;
+ 
+     assert(s);
+ 
+     if (!avahi_is_valid_host_name(s))
+         return NULL;
+ 
+-    if ((e = strrchr(s, '-'))) {
++    if (!avahi_unescape_label(&s, label, sizeof(label)))
++        return NULL;
++
++    if ((e = strrchr(label, '-'))) {
+         const char *p;
+ 
+         e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const
+ 
+     if (e) {
+         char *c, *m;
+-        size_t l;
+         int n;
+ 
+         n = atoi(e)+1;
+         if (!(m = avahi_strdup_printf("%i", n)))
+             return NULL;
+ 
+-        l = e-s-1;
++        len = e-label-1;
+ 
+-        if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+-            l = AVAHI_LABEL_MAX-1-strlen(m)-1;
++        if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
++            len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+ 
+-        if (!(c = avahi_strndup(s, l))) {
++        if (!(c = avahi_strndup(label, len))) {
+             avahi_free(m);
+             return NULL;
+         }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const
+     } else {
+         char *c;
+ 
+-        if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
++        if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+             return NULL;
+ 
+         drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const
+         avahi_free(c);
+     }
+ 
++    alt = alternative;
++    len = sizeof(alternative);
++    ret = avahi_escape_label(r, strlen(r), &alt, &len);
++
++    avahi_free(r);
++    r = avahi_strdup(ret);
++
+     assert(avahi_is_valid_host_name(r));
+ 
+     return r;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
new file mode 100644
index 0000000000..940c6776d3
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
+From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH 1/3] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered.  Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+
+Upstream-Status: Backport
+CVE: CVE-2022-2795
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8ae9a993bbd7..ac9a9ef5d009 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+        bool need_alternate = false;
+        bool all_spilled = true;
+        unsigned int no_addresses = 0;
++       unsigned int ns_processed = 0;
+ 
+        FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+                dns_rdata_reset(&rdata);
+                dns_rdata_freestruct(&ns);
++
++               if (++ns_processed >= NS_PROCESSING_LIMIT) {
++                       result = ISC_R_NOMORE;
++                       break;
++               }
+        }
+        if (result != ISC_R_NOMORE) {
+                return (result);
+-- 
+2.34.1
+
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
new file mode 100644
index 0000000000..0ef87fd260
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
@@ -0,0 +1,31 @@
+From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH 2/3] Free eckey on siglen mismatch
+
+Upstream-Status: Backport
+CVE: CVE-2022-38177
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 83b5b51cd78c..7576e04ac635 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+                siglen = DNS_SIG_ECDSA384SIZE;
+ 
+        if (sig->length != siglen)
+-               return (DST_R_VERIFYFAILURE);
++               DST_RET(DST_R_VERIFYFAILURE);
+ 
+        if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+                DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.34.1
+
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
new file mode 100644
index 0000000000..e0b398e24a
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
@@ -0,0 +1,33 @@
+From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH 3/3] Free ctx on invalid siglen
+
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+
+Upstream-Status: Backport
+CVE: CVE-2022-38178
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 8b115ec283f0..b4fcd607c131 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+                siglen = DNS_SIG_ED448SIZE;
+ 
+        if (sig->length != siglen)
+-               return (DST_R_VERIFYFAILURE);
++               DST_RET(ISC_R_NOTIMPLEMENTED);
+ 
+        isc_buffer_usedregion(buf, &tbsreg);
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
new file mode 100644
index 0000000000..6f6c104530
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@
+
+Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz
+Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch]
+Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
+CVE: CVE-2023-2828
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+
+---
+ lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 63 insertions(+), 43 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index b1b928c..3165e26 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+                          bool tree_locked, expire_t reason);
+ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+-                         isc_stdtime_t now, bool tree_locked);
++                         size_t purgesize, bool tree_locked);
+ static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+                                  rdatasetheader_t *newheader);
+ static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+ 
+ static dns_dbmethods_t zone_methods;
+ 
++static size_t
++rdataset_size(rdatasetheader_t *header) {
++       if (!NONEXISTENT(header)) {
++               return (dns_rdataslab_size((unsigned char *)header,
++                                          sizeof(*header)));
++       }
++
++       return (sizeof(*header));
++}
++
+ static isc_result_t
+ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+            isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+        }
+ 
+        if (cache_is_overmem)
+-               overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
++               overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
++                             tree_locked);
+ 
+        NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+                  isc_rwlocktype_write);
+@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+                        cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+ 
+                header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+-               if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
+-                       expire_header(rbtdb, header, tree_locked,
+-                                     expire_ttl);
++               if (header != NULL) {
++                       dns_ttl_t rdh_ttl = header->rdh_ttl;
++
++                       if (rdh_ttl < now - RBTDB_VIRTUAL) {
++                               expire_header(rbtdb, header, tree_locked,
++                                             expire_ttl);
++                       }
++               }
+ 
+                /*
+                 * If we've been holding a write lock on the tree just for
+@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+        ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+ }
+ 
++static size_t
++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
++                  bool tree_locked) {
++       rdatasetheader_t *header, *header_prev;
++       size_t purged = 0;
++
++       for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
++            header != NULL && purged <= purgesize; header = header_prev)
++       {
++               header_prev = ISC_LIST_PREV(header, link);
++               /*
++                * Unlink the entry at this point to avoid checking it
++                * again even if it's currently used someone else and
++                * cannot be purged at this moment.  This entry won't be
++                * referenced any more (so unlinking is safe) since the
++                * TTL was reset to 0.
++                */
++               ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
++               size_t header_size = rdataset_size(header);
++               expire_header(rbtdb, header, tree_locked, expire_lru);
++               purged += header_size;
++       }
++
++       return (purged);
++}
++
+ /*%
+- * Purge some expired and/or stale (i.e. unused for some period) cache entries
+- * under an overmem condition.  To recover from this condition quickly, up to
+- * 2 entries will be purged.  This process is triggered while adding a new
+- * entry, and we specifically avoid purging entries in the same LRU bucket as
+- * the one to which the new entry will belong.  Otherwise, we might purge
+- * entries of the same name of different RR types while adding RRsets from a
+- * single response (consider the case where we're adding A and AAAA glue records
+- * of the same NS name).
+- */
++ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
++ * entries under the overmem condition.  To recover from this condition quickly,
++ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
++ *
++ * This process is triggered while adding a new entry, and we specifically avoid
++ * purging entries in the same LRU bucket as the one to which the new entry will
++ * belong.  Otherwise, we might purge entries of the same name of different RR
++ * types while adding RRsets from a single response (consider the case where
++ * we're adding A and AAAA glue records of the same NS name).
++*/
+ static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+-             isc_stdtime_t now, bool tree_locked)
++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
++             bool tree_locked)
+ {
+-       rdatasetheader_t *header, *header_prev;
+        unsigned int locknum;
+-       int purgecount = 2;
++       size_t purged = 0;
+ 
+        for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+-            locknum != locknum_start && purgecount > 0;
++            locknum != locknum_start && purged <= purgesize;
+             locknum = (locknum + 1) % rbtdb->node_lock_count) {
+                NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+                          isc_rwlocktype_write);
+ 
+-               header = isc_heap_element(rbtdb->heaps[locknum], 1);
+-               if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
+-                       expire_header(rbtdb, header, tree_locked,
+-                                     expire_ttl);
+-                       purgecount--;
+-               }
+-
+-               for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+-                    header != NULL && purgecount > 0;
+-                    header = header_prev) {
+-                       header_prev = ISC_LIST_PREV(header, link);
+-                       /*
+-                        * Unlink the entry at this point to avoid checking it
+-                        * again even if it's currently used someone else and
+-                        * cannot be purged at this moment.  This entry won't be
+-                        * referenced any more (so unlinking is safe) since the
+-                        * TTL was reset to 0.
+-                        */
+-                       ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+-                                       link);
+-                       expire_header(rbtdb, header, tree_locked,
+-                                     expire_lru);
+-                       purgecount--;
+-               }
++               purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
++                                            tree_locked);
+ 
+                NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+                                    isc_rwlocktype_write);
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
new file mode 100644
index 0000000000..be479cb00e
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
@@ -0,0 +1,175 @@
+From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 20 Jun 2023 15:21:36 +1000
+Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
+
+Named and rndc do not need a lot of recursion so the depth is
+set to 10.
+
+Taken from BIND 9.16.44 change.
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
+CVE: CVE-2023-3341
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/isccc/cc.c                   | 38 +++++++++++++++++++++++---------
+ lib/isccc/include/isccc/result.h |  4 +++-
+ lib/isccc/result.c               |  4 +++-
+ 3 files changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index e012685..8eac3d6 100644
+--- a/lib/isccc/cc.c
++++ b/lib/isccc/cc.c
+@@ -53,6 +53,10 @@
+ 
+ #define MAX_TAGS               256
+ #define DUP_LIFETIME           900
++#ifndef ISCCC_MAXDEPTH
++#define ISCCC_MAXDEPTH \
++       10 /* Big enough for rndc which just sends a string each way. */
++#endif
+ 
+ typedef isccc_sexpr_t *sexpr_ptr;
+ 
+@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+-              uint32_t algorithm, isccc_sexpr_t **alistp);
++              uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
++list_fromwire(isccc_region_t *source, unsigned int depth,
++             isccc_sexpr_t **listp);
+ 
+ static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
++value_fromwire(isccc_region_t *source, unsigned int depth,
++              isccc_sexpr_t **valuep) {
+        unsigned int msgtype;
+        uint32_t len;
+        isccc_sexpr_t *value;
+        isccc_region_t active;
+        isc_result_t result;
+ 
++       if (depth > ISCCC_MAXDEPTH) {
++               return (ISCCC_R_MAXDEPTH);
++       }
++
+        if (REGION_SIZE(*source) < 1 + 4)
+                return (ISC_R_UNEXPECTEDEND);
+        GET8(msgtype, source->rstart);
+@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+                } else
+                        result = ISC_R_NOMEMORY;
+        } else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+-               result = table_fromwire(&active, NULL, 0, valuep);
++               result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+        else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+-               result = list_fromwire(&active, valuep);
++               result = list_fromwire(&active, depth + 1, valuep);
+        else
+                result = ISCCC_R_SYNTAX;
+ 
+@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+-              uint32_t algorithm, isccc_sexpr_t **alistp)
++              uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+ {
+        char key[256];
+        uint32_t len;
+@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ 
+        REQUIRE(alistp != NULL && *alistp == NULL);
+ 
++       if (depth > ISCCC_MAXDEPTH) {
++               return (ISCCC_R_MAXDEPTH);
++       }
++
+        checksum_rstart = NULL;
+        first_tag = true;
+        alist = isccc_alist_create();
+@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+                GET_MEM(key, len, source->rstart);
+                key[len] = '\0';        /* Ensure NUL termination. */
+                value = NULL;
+-               result = value_fromwire(source, &value);
++               result = value_fromwire(source, depth + 1, &value);
+                if (result != ISC_R_SUCCESS)
+                        goto bad;
+                if (isccc_alist_define(alist, key, value) == NULL) {
+@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ }
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
++list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) {
+        isccc_sexpr_t *list, *value;
+        isc_result_t result;
+ 
++       if (depth > ISCCC_MAXDEPTH) {
++               return (ISCCC_R_MAXDEPTH);
++       }
++
+        list = NULL;
+        while (!REGION_EMPTY(*source)) {
+                value = NULL;
+-               result = value_fromwire(source, &value);
++               result = value_fromwire(source, depth + 1, &value);
+                if (result != ISC_R_SUCCESS) {
+                        isccc_sexpr_free(&list);
+                        return (result);
+@@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+        if (version != 1)
+                return (ISCCC_R_UNKNOWNVERSION);
+ 
+-       return (table_fromwire(source, secret, algorithm, alistp));
++       return (table_fromwire(source, secret, algorithm, 0, alistp));
+ }
+ 
+ static isc_result_t
+diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
+index 6c79dd7..a85861c 100644
+--- a/lib/isccc/include/isccc/result.h
++++ b/lib/isccc/include/isccc/result.h
+@@ -47,8 +47,10 @@
+ #define ISCCC_R_CLOCKSKEW              (ISC_RESULTCLASS_ISCCC + 4)
+ /*% Duplicate */
+ #define ISCCC_R_DUPLICATE              (ISC_RESULTCLASS_ISCCC + 5)
++/*% Maximum recursion depth */
++#define ISCCC_R_MAXDEPTH               (ISC_RESULTCLASS_ISCCC + 6)
+ 
+-#define ISCCC_R_NRESULTS               6       /*%< Number of results */
++#define ISCCC_R_NRESULTS               7       /*%< Number of results */
+ 
+ ISC_LANG_BEGINDECLS
+ 
+diff --git a/lib/isccc/result.c b/lib/isccc/result.c
+index 8419bbb..325200b 100644
+--- a/lib/isccc/result.c
++++ b/lib/isccc/result.c
+@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
+        "bad auth",                             /* 3 */
+        "expired",                              /* 4 */
+        "clock skew",                           /* 5 */
+-       "duplicate"                             /* 6 */
++       "duplicate",                            /* 6 */
++       "max depth",                            /* 7 */
+ };
+ 
+ static const char *ids[ISCCC_R_NRESULTS] = {
+@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
+        "ISCCC_R_EXPIRED",
+        "ISCCC_R_CLOCKSKEW",
+        "ISCCC_R_DUPLICATE",
++       "ISCCC_R_MAXDEPTH",
+ };
+ 
+ #define ISCCC_RESULT_RESULTSET                 2
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/bind/bind_9.11.22.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb
index 3b4a299b36..95bb5be005 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.22.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -1,9 +1,10 @@
 SUMMARY = "ISC Internet Domain Name Server"
 HOMEPAGE = "https://www.isc.org/bind/"
+DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
 SECTION = "console/network"
 
 LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89a97ebbf713f7125fe5c02223d3ae95"
 
 DEPENDS = "openssl libcap zlib"
 
@@ -18,9 +19,14 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
            file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
            file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2022-2795.patch \
+           file://CVE-2022-38177.patch \
+           file://CVE-2022-38178.patch \
+           file://CVE-2023-2828.patch \
+           file://CVE-2023-3341.patch \
            "
 
-SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9"
+SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index f34ba0dce5..74fd344170 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                     file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \
                     file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e"
 DEPENDS = "dbus glib-2.0"
+RDEPENDS:${PN} += "dbus"
 PROVIDES += "bluez-hcidump"
 RPROVIDES_${PN} += "bluez-hcidump"
 
@@ -52,6 +53,13 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
            ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
            file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
            file://0001-test-gatt-Fix-hung-issue.patch \
+           file://CVE-2021-0129.patch \
+           file://CVE-2021-3588.patch \
+          file://CVE-2021-3658.patch \
+           file://CVE-2022-0204.patch \
+           file://CVE-2022-39176.patch \
+           file://CVE-2022-3637.patch \
+           file://CVE-2023-45866.patch \
            "
 S = "${WORKDIR}/bluez-${PV}"
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
new file mode 100644
index 0000000000..b39730dc10
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
@@ -0,0 +1,109 @@
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: shared/gatt-server: Fix not properly checking for secure flags
+
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+CVE: CVE-2021-0129
+---
+ src/shared/att-types.h   |  8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
++++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE       0x0200
+ #define BT_ATT_PERM_SECURE             (BT_ATT_PERM_READ_SECURE | \
+                                        BT_ATT_PERM_WRITE_SECURE)
++#define BT_ATT_PERM_READ_MASK          (BT_ATT_PERM_READ | \
++                                       BT_ATT_PERM_READ_AUTHEN | \
++                                       BT_ATT_PERM_READ_ENCRYPT | \
++                                       BT_ATT_PERM_READ_SECURE)
++#define BT_ATT_PERM_WRITE_MASK         (BT_ATT_PERM_WRITE | \
++                                       BT_ATT_PERM_WRITE_AUTHEN | \
++                                       BT_ATT_PERM_WRITE_ENCRYPT | \
++                                       BT_ATT_PERM_WRITE_SECURE)
+ 
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST                    0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+                return;
+        }
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
++       ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+                                handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-                                               BT_ATT_PERM_WRITE_AUTHEN |
+-                                               BT_ATT_PERM_WRITE_ENCRYPT);
++       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+                        opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+                        handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
++       ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+                goto error;
+        }
+ 
+-       ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
++       ecode = check_permissions(data->server, next_attr,
++                                               BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+                goto error;
+        }
+ 
+-       ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+-                                               BT_ATT_PERM_READ_AUTHEN |
+-                                               BT_ATT_PERM_READ_ENCRYPT);
++       ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+        if (ecode)
+                goto error;
+ 
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+        util_debug(server->debug_callback, server->debug_data,
+                                "Prep Write Req - handle: 0x%04x", handle);
+ 
+-       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-                                               BT_ATT_PERM_WRITE_AUTHEN |
+-                                               BT_ATT_PERM_WRITE_ENCRYPT);
++       ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+ 
+-- 
+cgit 1.2.3-1.el7
+
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
new file mode 100644
index 0000000000..f52ff47a06
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
+From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 4 Jan 2021 10:38:31 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+
+When client features is read check if the offset is within the cli_feat
+bounds.
+
+Fixes: https://github.com/bluez/bluez/issues/70
+
++Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
++Signed-off-by: Steve Sakoman <steve@sakoman.com>
++CVE: CVE-2021-3588
+
+---
+ src/gatt-database.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index 90cc4bade..f2d7b5821 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+                goto done;
+        }
+ 
++       if (offset >= sizeof(state->cli_feat)) {
++               ecode = BT_ATT_ERROR_INVALID_OFFSET;
++               goto done;
++       }
++
+        len = sizeof(state->cli_feat) - offset;
+        value = len ? &state->cli_feat[offset] : NULL;
+ 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
new file mode 100644
index 0000000000..1738ca13da
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
@@ -0,0 +1,95 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: [PATCH] adapter: Fix storing discoverable setting
+
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ src/adapter.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+        if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+                g_dbus_emit_property_changed(dbus_conn, adapter->path,
+                                        ADAPTER_INTERFACE, "Discoverable");
+-               store_adapter_info(adapter);
++               /* Only persist discoverable setting if it was not set
++                * temporarily by discovery.
++                */
++               if (!adapter->discovery_discoverable)
++                       store_adapter_info(adapter);
+                btd_adv_manager_refresh(adapter->adv_manager);
+        }
+ 
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+ static int update_discovery_filter(struct btd_adapter *adapter)
+ {
+        struct mgmt_cp_start_service_discovery *sd_cp;
+-       GSList *l;
+-
+ 
+        DBG("");
+ 
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+                return -ENOMEM;
+        }
+ 
+-       for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+-               struct discovery_client *client = l->data;
++       /* Only attempt to overwrite current discoverable setting when not
++        * discoverable.
++        */
++       if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
++               GSList *l;
+ 
+-               if (!client->discovery_filter)
+-                       continue;
++               for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
++                       struct discovery_client *client = l->data;
+ 
+-               if (client->discovery_filter->discoverable)
+-                       break;
+-       }
++                       if (!client->discovery_filter)
++                               continue;
+ 
+-       set_discovery_discoverable(adapter, l ? true : false);
++                       if (client->discovery_filter->discoverable) {
++                               set_discovery_discoverable(adapter, true);
++                               break;
++                       }
++               }
++       }
+ 
+        /*
+         * If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
+                return 0;
+        }
+ 
+-       if (adapter->discovery_discoverable)
+-               set_discovery_discoverable(adapter, false);
++       set_discovery_discoverable(adapter, false);
+ 
+        /*
+         * In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+        g_free(adapter->current_discovery_filter);
+        adapter->current_discovery_filter = NULL;
+ 
++       set_discovery_discoverable(adapter, false);
+        adapter->discovering = false;
+ 
+        while (adapter->connections) {
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
new file mode 100644
index 0000000000..646b5ddfc8
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
@@ -0,0 +1,66 @@
+From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 8 Jun 2021 16:46:49 -0700
+Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
+ writes
+
+The code shall check if the prepare writes would append more the
+allowed maximum attribute length.
+
+Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+CVE: CVE-2022-0204
+
+---
+ src/shared/gatt-server.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 0c25a97..20e14bc 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
+                                                server->authorize_data);
+ }
+ 
++static uint8_t check_length(uint16_t length, uint16_t offset)
++{
++       if (length > BT_ATT_MAX_VALUE_LEN)
++               return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++       if (offset > BT_ATT_MAX_VALUE_LEN)
++               return BT_ATT_ERROR_INVALID_OFFSET;
++
++       if (length + offset > BT_ATT_MAX_VALUE_LEN)
++               return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++       return 0;
++}
++
+ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                        uint16_t length, void *user_data)
+ {
+@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+                                (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+                                handle);
+ 
++       ecode = check_length(length, 0);
++       if (ecode)
++               goto error;
++
+        ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
+@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+        util_debug(server->debug_callback, server->debug_data,
+                                "Prep Write Req - handle: 0x%04x", handle);
+ 
++       ecode = check_length(length, offset);
++       if (ecode)
++               goto error;
++
+        ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+        if (ecode)
+                goto error;
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
new file mode 100644
index 0000000000..4ca60f99d5
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
@@ -0,0 +1,39 @@
+From b808b2852a0b48c6f9dbb038f932613cea3126c2 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 27 Oct 2022 09:51:27 +0530
+Subject: [PATCH] CVE-2022-3637
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f]
+CVE: CVE-2022-3637
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+monitor: Fix crash when using RTT backend
+
+This fix regression introduced by "monitor: Fix memory leaks".
+J-Link shared library is in use if jlink_init() returns 0 and thus
+handle shall not be closed.
+---
+ monitor/jlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/monitor/jlink.c b/monitor/jlink.c
+index afa9d93..5bd4aed 100644
+--- a/monitor/jlink.c
++++ b/monitor/jlink.c
+@@ -120,9 +120,12 @@ int jlink_init(void)
+                        !jlink.tif_select || !jlink.setspeed ||
+                        !jlink.connect || !jlink.getsn ||
+                        !jlink.emu_getproductname ||
+-                       !jlink.rtterminal_control || !jlink.rtterminal_read)
++                       !jlink.rtterminal_control || !jlink.rtterminal_read) {
++               dlclose(so);
+                return -EIO;
++       }
+ 
++       /* don't dlclose(so) here cause symbols from it are in use now */
+        return 0;
+ }
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
new file mode 100644
index 0000000000..7bd1f5f80f
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
@@ -0,0 +1,126 @@
+From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 28 Sep 2022 10:45:53 +0530
+Subject: [PATCH] CVE-2022-39176
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6]
+CVE: CVE-2022-39176
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
+ profiles/audio/avrcp.c |  8 ++++++
+ 2 files changed, 44 insertions(+), 20 deletions(-)
+
+diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
+index 782268c..0adf413 100644
+--- a/profiles/audio/avdtp.c
++++ b/profiles/audio/avdtp.c
+@@ -1261,43 +1261,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
+        return NULL;
+ }
+ 
+-static GSList *caps_to_list(uint8_t *data, int size,
++static GSList *caps_to_list(uint8_t *data, size_t size,
+                                struct avdtp_service_capability **codec,
+                                gboolean *delay_reporting)
+ {
++       struct avdtp_service_capability *cap;
+        GSList *caps;
+-       int processed;
+ 
+        if (delay_reporting)
+                *delay_reporting = FALSE;
+ 
+-       for (processed = 0, caps = NULL; processed + 2 <= size;) {
+-               struct avdtp_service_capability *cap;
+-               uint8_t length, category;
++       if (size < sizeof(*cap))
++               return NULL;
++
++       for (caps = NULL; size >= sizeof(*cap);) {
++               struct avdtp_service_capability *cpy;
+ 
+-               category = data[0];
+-               length = data[1];
++               cap = (struct avdtp_service_capability *)data;
+ 
+-               if (processed + 2 + length > size) {
++               if (sizeof(*cap) + cap->length > size) {
+                        error("Invalid capability data in getcap resp");
+                        break;
+                }
+ 
+-               cap = g_malloc(sizeof(struct avdtp_service_capability) +
+-                                       length);
+-               memcpy(cap, data, 2 + length);
++               if (cap->category == AVDTP_MEDIA_CODEC &&
++                                       cap->length < sizeof(**codec)) {
++                       error("Invalid codec data in getcap resp");
++                       break;
++               }
++
++               cpy = btd_malloc(sizeof(*cpy) + cap->length);
++               memcpy(cpy, cap, sizeof(*cap) + cap->length);
+ 
+-               processed += 2 + length;
+-               data += 2 + length;
++               size -= sizeof(*cap) + cap->length;
++               data += sizeof(*cap) + cap->length;
+ 
+-               caps = g_slist_append(caps, cap);
++               caps = g_slist_append(caps, cpy);
+ 
+-               if (category == AVDTP_MEDIA_CODEC &&
+-                               length >=
+-                               sizeof(struct avdtp_media_codec_capability))
+-                       *codec = cap;
+-               else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
+-                       *delay_reporting = TRUE;
++               switch (cap->category) {
++               case AVDTP_MEDIA_CODEC:
++                       if (codec)
++                               *codec = cpy;
++                       break;
++               case AVDTP_DELAY_REPORTING:
++                       if (delay_reporting)
++                               *delay_reporting = TRUE;
++                       break;
++               }
+        }
+ 
+        return caps;
+@@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
+                                        &stream->codec,
+                                        &stream->delay_reporting);
+ 
++       if (!stream->caps || !stream->codec) {
++               err = AVDTP_UNSUPPORTED_CONFIGURATION;
++               category = 0x00;
++               goto failed_stream;
++       }
++
+        /* Verify that the Media Transport capability's length = 0. Reject otherwise */
+        for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
+                struct avdtp_service_capability *cap = l->data;
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index d9471c0..0233d53 100644
+--- a/profiles/audio/avrcp.c
++++ b/profiles/audio/avrcp.c
+@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
+                goto err_metadata;
+        }
+ 
++       operands += sizeof(*pdu);
++       operand_count -= sizeof(*pdu);
++
++       if (pdu->params_len != operand_count) {
++               DBG("AVRCP PDU parameters length don't match");
++               pdu->params_len = operand_count;
++       }
++
+        for (handler = session->control_handlers; handler->pdu_id; handler++) {
+                if (handler->pdu_id == pdu->pdu_id)
+                        break;
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
new file mode 100644
index 0000000000..43670ab2b3
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
@@ -0,0 +1,54 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+5.4.3.4.2 Security Modes
+Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+Bluetooth HID devices that are compliant to the Bluetooth Core
+Specification v2.1+EDR[6].
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675]
+CVE: CVE-2023-45866
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 375314e..0236488 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -93,7 +93,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc5..d8645f3 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+ #ClassicBondedOnly=true
+ 
+ # LE upgrade security
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
index 8190924562..be74a35e0a 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
@@ -3,6 +3,16 @@ require bluez5.inc
 SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
 SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
 
+# These issues have kernel fixes rather than bluez fixes so exclude here
+CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490"
+
+# Commit 7a80d2096f1b7125085e21448112aa02f49f5e9a, e2b0f0d8d63e1223bb714a9efb37e2257818268b 
+# and 0388794dc5fdb73a4ea88bcf148de0a12b4364d4 to fix CVE-2022-39177 
+# already backport in CVE-2022-39176.patch
+# https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968
+
+CVE_CHECK_WHITELIST += "CVE-2022-39177"
+
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
 NOINST_TOOLS_READLINE ?= " \
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index 778bf50191..24593d6258 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native"
 
 # 0.7 tag
 SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
-SRC_URI = "git://github.com/connectivity/connman-gnome.git \
+SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \
            file://0001-Removed-icon-from-connman-gnome-about-applet.patch \
            file://null_check_for_ipv4_config.patch \
            file://images/* \
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index 55e5bf97c7..c495ae29ad 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
 
 inherit autotools pkgconfig systemd update-rc.d update-alternatives
 
+CVE_PRODUCT = "connman connection_manager"
+
 DEPENDS  = "dbus glib-2.0 ppp"
 
 INC_PR = "r20"
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
new file mode 100644
index 0000000000..2648a832ca
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
@@ -0,0 +1,62 @@
+From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:41:53 +0100
+Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow
+
+Fixes: CVE-2021-26675
+
+Upstream-Status: Backport
+CVE: CVE-2021-26675
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/dnsproxy.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index a7bf87a1..4f5c897f 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1767,6 +1767,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                        char **uncompressed_ptr)
+ {
+        char *uptr = *uncompressed_ptr; /* position in result buffer */
++       char * const uncomp_end = uncompressed + uncomp_len - 1;
+
+        debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
+
+@@ -1787,12 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                 * tmp buffer.
+                 */
+
+-               ulen = strlen(name);
+-               strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+-
+                debug("pos %d ulen %d left %d name %s", pos, ulen,
+                        (int)(uncomp_len - (uptr - uncompressed)), uptr);
+
++               ulen = strlen(name);
++               if ((uptr + ulen + 1) > uncomp_end) {
++                       goto out;
++               }
++               strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++
+                uptr += ulen;
+                *uptr++ = '\0';
+
+@@ -1802,6 +1806,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                 * We copy also the fixed portion of the result (type, class,
+                 * ttl, address length and the address)
+                 */
++               if ((uptr + NS_RRFIXEDSZ) > uncomp_end) {
++                       debug("uncompressed data too large for buffer");
++                       goto out;
++               }
+                memcpy(uptr, ptr, NS_RRFIXEDSZ);
+
+                dns_type = uptr[0] << 8 | uptr[1];
+--
+2.17.1
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
new file mode 100644
index 0000000000..4104e4bfc6
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
@@ -0,0 +1,231 @@
+From 58d397ba74873384aee449690a9070bacd5676fa Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:39:14 +0100
+Subject: [PATCH] gdhcp: Avoid reading invalid data in dhcp_get_option
+
+Upstream-Status: Backport
+CVE: CVE-2021-26676
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ gdhcp/client.c | 20 +++++++++++---------
+ gdhcp/common.c | 24 +++++++++++++++++++-----
+ gdhcp/common.h |  2 +-
+ gdhcp/server.c | 12 +++++++-----
+ 4 files changed, 38 insertions(+), 20 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 09dfe5ec..6a5613e7 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1629,12 +1629,12 @@ static void start_request(GDHCPClient *dhcp_client)
+                                                        NULL);
+ }
+
+-static uint32_t get_lease(struct dhcp_packet *packet)
++static uint32_t get_lease(struct dhcp_packet *packet, uint16_t packet_len)
+ {
+        uint8_t *option;
+        uint32_t lease_seconds;
+
+-       option = dhcp_get_option(packet, DHCP_LEASE_TIME);
++       option = dhcp_get_option(packet, packet_len, DHCP_LEASE_TIME);
+        if (!option)
+                return 3600;
+
+@@ -2226,7 +2226,8 @@ static void get_dhcpv6_request(GDHCPClient *dhcp_client,
+        }
+ }
+
+-static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet)
++static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet,
++               uint16_t packet_len)
+ {
+        GDHCPOptionType type;
+        GList *list, *value_list;
+@@ -2237,7 +2238,7 @@ static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet)
+        for (list = dhcp_client->request_list; list; list = list->next) {
+                code = (uint8_t) GPOINTER_TO_INT(list->data);
+
+-               option = dhcp_get_option(packet, code);
++               option = dhcp_get_option(packet, packet_len, code);
+                if (!option) {
+                        g_hash_table_remove(dhcp_client->code_value_hash,
+                                                GINT_TO_POINTER((int) code));
+@@ -2297,6 +2298,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+                re = dhcp_recv_l2_packet(&packet,
+                                        dhcp_client->listener_sockfd,
+                                        &dst_addr);
++               pkt_len = (uint16_t)(unsigned int)re;
+                xid = packet.xid;
+        } else if (dhcp_client->listen_mode == L3) {
+                if (dhcp_client->type == G_DHCP_IPV6) {
+@@ -2361,7 +2363,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+                        dhcp_client->status_code = status;
+                }
+        } else {
+-               message_type = dhcp_get_option(&packet, DHCP_MESSAGE_TYPE);
++               message_type = dhcp_get_option(&packet, pkt_len, DHCP_MESSAGE_TYPE);
+                if (!message_type)
+                        return TRUE;
+        }
+@@ -2378,7 +2380,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+                dhcp_client->timeout = 0;
+                dhcp_client->retry_times = 0;
+
+-               option = dhcp_get_option(&packet, DHCP_SERVER_ID);
++               option = dhcp_get_option(&packet, pkt_len, DHCP_SERVER_ID);
+                dhcp_client->server_ip = get_be32(option);
+                dhcp_client->requested_ip = ntohl(packet.yiaddr);
+
+@@ -2428,9 +2430,9 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+
+                        remove_timeouts(dhcp_client);
+
+-                       dhcp_client->lease_seconds = get_lease(&packet);
++                       dhcp_client->lease_seconds = get_lease(&packet, pkt_len);
+
+-                       get_request(dhcp_client, &packet);
++                       get_request(dhcp_client, &packet, pkt_len);
+
+                        switch_listening_mode(dhcp_client, L_NONE);
+
+@@ -2438,7 +2440,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+                        dhcp_client->assigned_ip = get_ip(packet.yiaddr);
+
+                        if (dhcp_client->state == REBOOTING) {
+-                               option = dhcp_get_option(&packet,
++                               option = dhcp_get_option(&packet, pkt_len,
+                                                        DHCP_SERVER_ID);
+                                dhcp_client->server_ip = get_be32(option);
+                        }
+diff --git a/gdhcp/common.c b/gdhcp/common.c
+index 1d667d17..c8916aa8 100644
+--- a/gdhcp/common.c
++++ b/gdhcp/common.c
+@@ -73,18 +73,21 @@ GDHCPOptionType dhcp_get_code_type(uint8_t code)
+        return OPTION_UNKNOWN;
+ }
+
+-uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code)
++uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code)
+ {
+        int len, rem;
+-       uint8_t *optionptr;
++       uint8_t *optionptr, *options_end;
++       size_t options_len;
+        uint8_t overload = 0;
+
+        /* option bytes: [code][len][data1][data2]..[dataLEN] */
+        optionptr = packet->options;
+        rem = sizeof(packet->options);
++       options_len = packet_len - (sizeof(*packet) - sizeof(packet->options));
++       options_end = optionptr + options_len - 1;
+
+        while (1) {
+-               if (rem <= 0)
++               if ((rem <= 0) && (optionptr + OPT_CODE > options_end))
+                        /* Bad packet, malformed option field */
+                        return NULL;
+
+@@ -115,14 +118,25 @@ uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code)
+                        break;
+                }
+
++               if (optionptr + OPT_LEN > options_end) {
++                       /* bad packet, would read length field from OOB */
++                       return NULL;
++               }
++
+                len = 2 + optionptr[OPT_LEN];
+
+                rem -= len;
+                if (rem < 0)
+                        continue; /* complain and return NULL */
+
+-               if (optionptr[OPT_CODE] == code)
+-                       return optionptr + OPT_DATA;
++               if (optionptr[OPT_CODE] == code) {
++                       if (optionptr + len > options_end) {
++                               /* bad packet, option length points OOB */
++                               return NULL;
++                       } else {
++                               return optionptr + OPT_DATA;
++                       }
++               }
+
+                if (optionptr[OPT_CODE] == DHCP_OPTION_OVERLOAD)
+                        overload |= optionptr[OPT_DATA];
+diff --git a/gdhcp/common.h b/gdhcp/common.h
+index 9660231c..8f63fd75 100644
+--- a/gdhcp/common.h
++++ b/gdhcp/common.h
+@@ -179,7 +179,7 @@ struct in6_pktinfo {
+ };
+ #endif
+
+-uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code);
++uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code);
+ uint8_t *dhcpv6_get_option(struct dhcpv6_packet *packet, uint16_t pkt_len,
+                        int code, uint16_t *option_len, int *option_count);
+ uint8_t *dhcpv6_get_sub_option(unsigned char *option, uint16_t max_len,
+diff --git a/gdhcp/server.c b/gdhcp/server.c
+index 85405f19..52ea2a55 100644
+--- a/gdhcp/server.c
++++ b/gdhcp/server.c
+@@ -413,7 +413,7 @@ error:
+ }
+
+
+-static uint8_t check_packet_type(struct dhcp_packet *packet)
++static uint8_t check_packet_type(struct dhcp_packet *packet, uint16_t packet_len)
+ {
+        uint8_t *type;
+
+@@ -423,7 +423,7 @@ static uint8_t check_packet_type(struct dhcp_packet *packet)
+        if (packet->op != BOOTREQUEST)
+                return 0;
+
+-       type = dhcp_get_option(packet, DHCP_MESSAGE_TYPE);
++       type = dhcp_get_option(packet, packet_len, DHCP_MESSAGE_TYPE);
+
+        if (!type)
+                return 0;
+@@ -651,6 +651,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+        struct dhcp_lease *lease;
+        uint32_t requested_nip = 0;
+        uint8_t type, *server_id_option, *request_ip_option;
++       uint16_t packet_len;
+        int re;
+
+        if (condition & (G_IO_NVAL | G_IO_ERR | G_IO_HUP)) {
+@@ -661,12 +662,13 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+        re = dhcp_recv_l3_packet(&packet, dhcp_server->listener_sockfd);
+        if (re < 0)
+                return TRUE;
++       packet_len = (uint16_t)(unsigned int)re;
+
+-       type = check_packet_type(&packet);
++       type = check_packet_type(&packet, packet_len);
+        if (type == 0)
+                return TRUE;
+
+-       server_id_option = dhcp_get_option(&packet, DHCP_SERVER_ID);
++       server_id_option = dhcp_get_option(&packet, packet_len, DHCP_SERVER_ID);
+        if (server_id_option) {
+                uint32_t server_nid =
+                        get_unaligned((const uint32_t *) server_id_option);
+@@ -675,7 +677,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+                        return TRUE;
+        }
+
+-       request_ip_option = dhcp_get_option(&packet, DHCP_REQUESTED_IP);
++       request_ip_option = dhcp_get_option(&packet, packet_len, DHCP_REQUESTED_IP);
+        if (request_ip_option)
+                requested_nip = get_be32(request_ip_option);
+
+--
+2.17.1
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch
new file mode 100644
index 0000000000..ce909ec293
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch
@@ -0,0 +1,33 @@
+From a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1 Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:41:09 +0100
+Subject: [PATCH] gdhcp: Avoid leaking stack data via unitiialized variable
+
+Fixes: CVE-2021-26676
+
+Upstream-Status: Backport
+CVE: CVE-2021-26676
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ gdhcp/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 6a5613e7..c7b85e58 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -2270,7 +2270,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ {
+        GDHCPClient *dhcp_client = user_data;
+        struct sockaddr_in dst_addr = { 0 };
+-       struct dhcp_packet packet;
++       struct dhcp_packet packet = { 0 };
+        struct dhcpv6_packet *packet6 = NULL;
+        uint8_t *message_type = NULL, *client_id = NULL, *option,
+                *server_id = NULL;
+--
+2.17.1
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
new file mode 100644
index 0000000000..770948fb69
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
@@ -0,0 +1,72 @@
+From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
+From: Valery Kashcheev <v.kascheev@omp.ru>
+Date: Mon, 7 Jun 2021 18:58:24 +0200
+Subject: dnsproxy: Check the length of buffers before memcpy
+
+Fix using a stack-based buffer overflow attack by checking the length of
+the ptr and uptr buffers.
+
+Fix debug message output.
+
+Fixes: CVE-2021-33833
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
+CVE: CVE-2021-33833
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index de52df5a..38dbdd71 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                 * tmp buffer.
+                 */
+ 
+-               debug("pos %d ulen %d left %d name %s", pos, ulen,
+-                       (int)(uncomp_len - (uptr - uncompressed)), uptr);
+-
+-               ulen = strlen(name);
+-               if ((uptr + ulen + 1) > uncomp_end) {
++               ulen = strlen(name) + 1;
++               if ((uptr + ulen) > uncomp_end)
+                        goto out;
+-               }
+-               strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++               strncpy(uptr, name, ulen);
++
++               debug("pos %d ulen %d left %d name %s", pos, ulen,
++                       (int)(uncomp_end - (uptr + ulen)), uptr);
+ 
+                uptr += ulen;
+-               *uptr++ = '\0';
+ 
+                ptr += pos;
+ 
+@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
+                        dlen = uptr[-2] << 8 | uptr[-1];
+ 
+-                       if (ptr + dlen > end) {
++                       if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
+                                debug("data len %d too long", dlen);
+                                goto out;
+                        }
+@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                         * refresh interval, retry interval, expiration
+                         * limit and minimum ttl). They are 20 bytes long.
+                         */
++                       if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
++                               debug("soa record too long");
++                               goto out;
++                       }
+                        memcpy(uptr, ptr, 20);
+                        uptr += 20;
+                        ptr += 20;
+-- 
+cgit 1.2.3-1.el7
+
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
new file mode 100644
index 0000000000..7f27474830
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
@@ -0,0 +1,121 @@
+From e5a313736e13c90d19085e953a26256a198e4950 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 25 Jan 2022 10:00:24 +0100
+Subject: dnsproxy: Validate input data before using them
+
+dnsproxy is not validating various input data. Add a bunch of checks.
+
+Fixes: CVE-2022-23097
+Fixes: CVE-2022-23096
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950
+
+CVE: CVE-2022-23096 CVE-2022-23097
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index cdfafbc2..c027bcb9 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+ 
+        if (offset < 0)
+                return offset;
++       if (reply_len < 0)
++               return -EINVAL;
++       if (reply_len < offset + 1)
++               return -EINVAL;
++       if ((size_t)reply_len < sizeof(struct domain_hdr))
++               return -EINVAL;
+ 
+        hdr = (void *)(reply + offset);
+        dns_id = reply[offset] | reply[offset + 1] << 8;
+@@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                 */
+                if (req->append_domain && ntohs(hdr->qdcount) == 1) {
+                        uint16_t domain_len = 0;
+-                       uint16_t header_len;
++                       uint16_t header_len, payload_len;
+                        uint16_t dns_type, dns_class;
+                        uint8_t host_len, dns_type_pos;
+                        char uncompressed[NS_MAXDNAME], *uptr;
+                        char *ptr, *eom = (char *)reply + reply_len;
++                       char *domain;
+ 
+                        /*
+                         * ptr points to the first char of the hostname.
+                         * ->hostname.domain.net
+                         */
+                        header_len = offset + sizeof(struct domain_hdr);
++                       if (reply_len < header_len)
++                               return -EINVAL;
++                       payload_len = reply_len - header_len;
++
+                        ptr = (char *)reply + header_len;
+ 
+                        host_len = *ptr;
++                       domain = ptr + 1 + host_len;
++                       if (domain > eom)
++                               return -EINVAL;
++
+                        if (host_len > 0)
+-                               domain_len = strnlen(ptr + 1 + host_len,
+-                                               reply_len - header_len);
++                               domain_len = strnlen(domain, eom - domain);
+ 
+                        /*
+                         * If the query type is anything other than A or AAAA,
+@@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                         */
+                        dns_type_pos = host_len + 1 + domain_len + 1;
+ 
++                       if (ptr + (dns_type_pos + 3) > eom)
++                               return -EINVAL;
+                        dns_type = ptr[dns_type_pos] << 8 |
+                                                        ptr[dns_type_pos + 1];
+                        dns_class = ptr[dns_type_pos + 2] << 8 |
+@@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                                int new_len, fixed_len;
+                                char *answers;
+ 
++                               if (len > payload_len)
++                                       return -EINVAL;
+                                /*
+                                 * First copy host (without domain name) into
+                                 * tmp buffer.
+@@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                                 * Copy type and class fields of the question.
+                                 */
+                                ptr += len + domain_len + 1;
++                               if (ptr + NS_QFIXEDSZ > eom)
++                                       return -EINVAL;
+                                memcpy(uptr, ptr, NS_QFIXEDSZ);
+ 
+                                /*
+@@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                                uptr += NS_QFIXEDSZ;
+                                answers = uptr;
+                                fixed_len = answers - uncompressed;
++                               if (ptr + offset > eom)
++                                       return -EINVAL;
+ 
+                                /*
+                                 * We then uncompress the result to buffer
+@@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition,
+ 
+        len = recv(sk, buf, sizeof(buf), 0);
+ 
+-       if (len >= 12)
+-               forward_dns_reply(buf, len, IPPROTO_UDP, data);
++       forward_dns_reply(buf, len, IPPROTO_UDP, data);
+ 
+        return TRUE;
+ }
+-- 
+cgit 1.2.3-1.el7
+
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch
new file mode 100644
index 0000000000..a40c9f583f
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch
@@ -0,0 +1,50 @@
+From d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Tue, 25 Jan 2022 10:00:25 +0100
+Subject: dnsproxy: Avoid 100 % busy loop in TCP server case
+
+Once the TCP socket is connected and until the remote server is
+responding (if ever) ConnMan executes a 100 % CPU loop, since
+the connected socket will always be writable (G_IO_OUT).
+
+To fix this, modify the watch after the connection is established to
+remove the G_IO_OUT from the callback conditions.
+
+Fixes: CVE-2022-23098
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4
+
+CVE: CVE-2022-23098
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index c027bcb9..1ccf36a9 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -2360,6 +2360,18 @@ hangup:
+                        }
+                }
+ 
++               /*
++                * Remove the G_IO_OUT flag from the watch, otherwise we end
++                * up in a busy loop, because the socket is constantly writable.
++                *
++                * There seems to be no better way in g_io to do that than
++                * re-adding the watch.
++                */
++               g_source_remove(server->watch);
++               server->watch = g_io_add_watch(server->channel,
++                       G_IO_IN | G_IO_HUP | G_IO_NVAL | G_IO_ERR,
++                       tcp_server_event, server);
++
+                server->connected = true;
+                server_list = g_slist_append(server_list, server);
+ 
+-- 
+cgit 1.2.3-1.el7
+
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
new file mode 100644
index 0000000000..74a739d6a2
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
+From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
+From: Nathan Crandall <ncrandall@tesla.com>
+Date: Tue, 12 Jul 2022 08:56:34 +0200
+Subject: gweb: Fix OOB write in received_data()
+
+There is a mismatch of handling binary vs. C-string data with memchr
+and strlen, resulting in pos, count, and bytes_read to become out of
+sync and result in a heap overflow.  Instead, do not treat the buffer
+as an ASCII C-string. We calculate the count based on the return value
+of memchr, instead of strlen.
+
+Fixes: CVE-2022-32292
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b
+CVE: CVE-2022-32292
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ gweb/gweb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gweb/gweb.c b/gweb/gweb.c
+index 12fcb1d8..13c6c5f2 100644
+--- a/gweb/gweb.c
++++ b/gweb/gweb.c
+@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
+                }
+ 
+                *pos = '\0';
+-               count = strlen((char *) ptr);
++               count = pos - ptr;
+                if (count > 0 && ptr[count - 1] == '\r') {
+                        ptr[--count] = '\0';
+                        bytes_read--;
+-- 
+cgit 
+
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch
new file mode 100644
index 0000000000..83a013981c
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch
@@ -0,0 +1,266 @@
+From 358a44b1442fae0f82846e10da0708b5c4e1ce27 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 20 Sep 2022 17:58:19 +0530
+Subject: [PATCH] CVE-2022-32293
+
+CVE: CVE-2022-32293
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c && https://git.kernel.org/pub/scm/network/connman/connman.git/commit/src/wispr.c?id=416bfaff988882c553c672e5bfc2d4f648d29e8a]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/wispr.c | 83 ++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 63 insertions(+), 20 deletions(-)
+
+diff --git a/src/wispr.c b/src/wispr.c
+index 473c0e0..97e0242 100644
+--- a/src/wispr.c
++++ b/src/wispr.c
+@@ -59,6 +59,7 @@ struct wispr_route {
+ };
+ 
+ struct connman_wispr_portal_context {
++       int refcount;
+        struct connman_service *service;
+        enum connman_ipconfig_type type;
+        struct connman_wispr_portal *wispr_portal;
+@@ -96,10 +97,13 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data);
+ 
+ static GHashTable *wispr_portal_list = NULL;
+ 
++#define wispr_portal_context_ref(wp_context) \
++       wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__)
++#define wispr_portal_context_unref(wp_context) \
++       wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)
++
+ static void connman_wispr_message_init(struct connman_wispr_message *msg)
+ {
+-       DBG("");
+-
+        msg->has_error = false;
+        msg->current_element = NULL;
+ 
+@@ -159,11 +163,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
+ static void free_connman_wispr_portal_context(
+                struct connman_wispr_portal_context *wp_context)
+ {
+-       DBG("context %p", wp_context);
+-
+-       if (!wp_context)
+-               return;
+-
+        if (wp_context->wispr_portal) {
+                if (wp_context->wispr_portal->ipv4_context == wp_context)
+                        wp_context->wispr_portal->ipv4_context = NULL;
+@@ -200,9 +199,38 @@ static void free_connman_wispr_portal_context(
+        g_free(wp_context);
+ }
+ 
++static struct connman_wispr_portal_context *
++wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,
++                       const char *file, int line, const char *caller)
++{
++       DBG("%p ref %d by %s:%d:%s()", wp_context,
++               wp_context->refcount + 1, file, line, caller);
++
++       __sync_fetch_and_add(&wp_context->refcount, 1);
++
++       return wp_context;
++}
++
++static void wispr_portal_context_unref_debug(
++               struct connman_wispr_portal_context *wp_context,
++               const char *file, int line, const char *caller)
++{
++       if (!wp_context)
++               return;
++
++       DBG("%p ref %d by %s:%d:%s()", wp_context,
++               wp_context->refcount - 1, file, line, caller);
++
++       if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
++               return;
++
++       free_connman_wispr_portal_context(wp_context);
++}
++
+ static struct connman_wispr_portal_context *create_wispr_portal_context(void)
+ {
+-       return g_try_new0(struct connman_wispr_portal_context, 1);
++       return wispr_portal_context_ref(
++               g_new0(struct connman_wispr_portal_context, 1));
+ }
+ 
+ static void free_connman_wispr_portal(gpointer data)
+@@ -214,8 +242,8 @@ static void free_connman_wispr_portal(gpointer data)
+        if (!wispr_portal)
+                return;
+ 
+-       free_connman_wispr_portal_context(wispr_portal->ipv4_context);
+-       free_connman_wispr_portal_context(wispr_portal->ipv6_context);
++       wispr_portal_context_unref(wispr_portal->ipv4_context);
++       wispr_portal_context_unref(wispr_portal->ipv6_context);
+ 
+        g_free(wispr_portal);
+ }
+@@ -450,8 +478,6 @@ static void portal_manage_status(GWebResult *result,
+                                &str))
+                connman_info("Client-Timezone: %s", str);
+ 
+-       free_connman_wispr_portal_context(wp_context);
+-
+        __connman_service_ipconfig_indicate_state(service,
+                                        CONNMAN_SERVICE_STATE_ONLINE, type);
+ }
+@@ -509,14 +535,17 @@ static void wispr_portal_request_portal(
+ {
+        DBG("");
+ 
++       wispr_portal_context_ref(wp_context);
+        wp_context->request_id = g_web_request_get(wp_context->web,
+                                        wp_context->status_url,
+                                        wispr_portal_web_result,
+                                        wispr_route_request,
+                                        wp_context);
+ 
+-       if (wp_context->request_id == 0)
++       if (wp_context->request_id == 0) {
+                wispr_portal_error(wp_context);
++               wispr_portal_context_unref(wp_context);
++       }
+ }
+ 
+ static bool wispr_input(const guint8 **data, gsize *length,
+@@ -562,13 +591,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
+                return;
+ 
+        if (!authentication_done) {
+-               wispr_portal_error(wp_context);
+                free_wispr_routes(wp_context);
++               wispr_portal_error(wp_context);
++               wispr_portal_context_unref(wp_context);
+                return;
+        }
+ 
+        /* Restarting the test */
+        __connman_service_wispr_start(service, wp_context->type);
++       wispr_portal_context_unref(wp_context);
+ }
+ 
+ static void wispr_portal_request_wispr_login(struct connman_service *service,
+@@ -592,7 +623,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service,
+                                return;
+                }
+ 
+-               free_connman_wispr_portal_context(wp_context);
++               wispr_portal_context_unref(wp_context);
+                return;
+        }
+ 
+@@ -644,11 +675,13 @@ static bool wispr_manage_message(GWebResult *result,
+ 
+                wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;
+ 
++               wispr_portal_context_ref(wp_context);
+                if (__connman_agent_request_login_input(wp_context->service,
+                                        wispr_portal_request_wispr_login,
+-                                       wp_context) != -EINPROGRESS)
++                                       wp_context) != -EINPROGRESS) {
+                        wispr_portal_error(wp_context);
+-               else
++                       wispr_portal_context_unref(wp_context);
++               } else
+                        return true;
+ 
+                break;
+@@ -697,6 +730,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+                if (length > 0) {
+                        g_web_parser_feed_data(wp_context->wispr_parser,
+                                                                chunk, length);
++                       wispr_portal_context_unref(wp_context);
+                        return true;
+                }
+ 
+@@ -714,6 +748,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ 
+        switch (status) {
+        case 000:
++               wispr_portal_context_ref(wp_context);
+                __connman_agent_request_browser(wp_context->service,
+                                wispr_portal_browser_reply_cb,
+                                wp_context->status_url, wp_context);
+@@ -725,11 +760,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+                if (g_web_result_get_header(result, "X-ConnMan-Status",
+                                                &str)) {
+                        portal_manage_status(result, wp_context);
++                       wispr_portal_context_unref(wp_context);
+                        return false;
+-               } else
++               } else {
++                       wispr_portal_context_ref(wp_context);
+                        __connman_agent_request_browser(wp_context->service,
+                                        wispr_portal_browser_reply_cb,
+                                        wp_context->redirect_url, wp_context);
++               }
+ 
+                break;
+        case 302:
+@@ -737,6 +775,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+                        !g_web_result_get_header(result, "Location",
+                                                        &redirect)) {
+ 
++                       wispr_portal_context_ref(wp_context);
+                        __connman_agent_request_browser(wp_context->service,
+                                        wispr_portal_browser_reply_cb,
+                                        wp_context->status_url, wp_context);
+@@ -747,6 +786,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ 
+                wp_context->redirect_url = g_strdup(redirect);
+ 
++               wispr_portal_context_ref(wp_context);
+                wp_context->request_id = g_web_request_get(wp_context->web,
+                                redirect, wispr_portal_web_result,
+                                wispr_route_request, wp_context);
+@@ -763,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ 
+                break;
+        case 505:
++               wispr_portal_context_ref(wp_context);
+                __connman_agent_request_browser(wp_context->service,
+                                wispr_portal_browser_reply_cb,
+                                wp_context->status_url, wp_context);
+@@ -775,6 +816,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+        wp_context->request_id = 0;
+ done:
+        wp_context->wispr_msg.message_type = -1;
++       wispr_portal_context_unref(wp_context);
+        return false;
+ }
+ 
+@@ -809,6 +851,7 @@ static void proxy_callback(const char *proxy, void *user_data)
+                                        xml_wispr_parser_callback, wp_context);
+ 
+        wispr_portal_request_portal(wp_context);
++       wispr_portal_context_unref(wp_context);
+ }
+ 
+ static gboolean no_proxy_callback(gpointer user_data)
+@@ -903,7 +946,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)
+ 
+                if (wp_context->token == 0) {
+                        err = -EINVAL;
+-                       free_connman_wispr_portal_context(wp_context);
++                       wispr_portal_context_unref(wp_context);
+                }
+        } else if (wp_context->timeout == 0) {
+                wp_context->timeout = g_idle_add(no_proxy_callback, wp_context);
+@@ -952,7 +995,7 @@ int __connman_wispr_start(struct connman_service *service,
+ 
+        /* If there is already an existing context, we wipe it */
+        if (wp_context)
+-               free_connman_wispr_portal_context(wp_context);
++               wispr_portal_context_unref(wp_context);
+ 
+        wp_context = create_wispr_portal_context();
+        if (!wp_context)
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
new file mode 100644
index 0000000000..ea1601cc04
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,54 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+CVE: CVE-2023-28488
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 7efa7e45..82017692 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+                                struct sockaddr_in *dst_addr)
+ {
+-       int bytes;
+        struct ip_udp_dhcp_packet packet;
+        uint16_t check;
++       int bytes, tot_len;
+ 
+        memset(&packet, 0, sizeof(packet));
+ 
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+        if (bytes < 0)
+                return -1;
+ 
+-       if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+-               return -1;
+-
+-       if (bytes < ntohs(packet.ip.tot_len))
++       tot_len = ntohs(packet.ip.tot_len);
++       if (bytes > tot_len) {
++               /* ignore any extra garbage bytes */
++               bytes = tot_len;
++       } else if (bytes < tot_len) {
+                /* packet is bigger than sizeof(packet), we did partial read */
+                return -1;
++       }
+ 
+-       /* ignore any extra garbage bytes */
+-       bytes = ntohs(packet.ip.tot_len);
++       if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++               return -1;
+ 
+        if (!sanity_check(&packet, bytes))
+                return -1;
+-- 
+cgit 
+
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
index 00852bf0d6..8062a094d3 100644
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -6,6 +6,15 @@ SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
             file://0001-gweb-fix-segfault-with-musl-v1.1.21.patch \
             file://connman \
             file://no-version-scripts.patch \
+            file://CVE-2021-26675.patch \
+            file://CVE-2021-26676-0001.patch \
+            file://CVE-2021-26676-0002.patch \
+            file://CVE-2021-33833.patch \
+            file://CVE-2022-23096-7.patch \
+            file://CVE-2022-23098.patch \
+            file://CVE-2022-32292.patch \
+             file://CVE-2022-32293.patch \
+            file://CVE-2023-28488.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
new file mode 100644
index 0000000000..91aaf83a77
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
@@ -0,0 +1,66 @@
+From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 8 Jul 2021 00:08:25 +0000
+Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP
+ (CVE-2021-25217)
+
+On May 26, 2021, we (Internet Systems Consortium) disclosed a
+vulnerability affecting our ISC DHCP software:
+
+    CVE-2021-25217: A buffer overrun in lease file parsing code can be
+    used to exploit a common vulnerability shared by dhcpd and dhclient
+    https://kb.isc.org/docs/cve-2021-25217
+
+New versions of ISC DHCP are available from https://www.isc.org/downloads
+
+Operators and package maintainers who prefer to apply patches selectively can
+find individual vulnerability-specific patches in the "patches" subdirectory
+of the release directories for our two stable release branches (4.4 and 4.1-ESV)
+
+   https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches
+   https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches
+
+With the public announcement of this vulnerability, the embargo
+period is ended and any updated software packages that have been
+prepared may be released.
+
+Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6]
+CVE: CVE-2021-25217
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ common/parse.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/common/parse.c b/common/parse.c
+index 386a632..fc7b39c 100644
+--- a/common/parse.c
++++ b/common/parse.c
+@@ -3,7 +3,7 @@
+    Common parser code for dhcpd and dhclient. */
+ 
+ /*
+- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC")
+  * Copyright (c) 1995-2003 by Internet Software Consortium
+  *
+  * This Source Code Form is subject to the terms of the Mozilla Public
+@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
+                                skip_to_semi (cfile);
+                                return 0;
+                        }
+-                       convert_num (cfile, &buf [len], val, 16, 8);
+-                       if (len++ > max) {
++                       if (len >= max) {
+                                parse_warn (cfile,
+                                            "hexadecimal constant too long.");
+                                skip_to_semi (cfile);
+                                return 0;
+                        }
++                       convert_num (cfile, &buf [len], val, 16, 8);
++                       len++;
+                        token = peek_token (&val, (unsigned *)0, cfile);
+                        if (token == COLON)
+                                token = next_token (&val,
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch
new file mode 100644
index 0000000000..11f162cbda
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch
@@ -0,0 +1,120 @@
+From 8a5d739eea10ee6e193f053b1662142d5657cbc6 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 6 Oct 2022 09:39:18 +0530
+Subject: [PATCH] CVE-2022-2928
+
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2928
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c               |  7 +++++
+ common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+
+diff --git a/common/options.c b/common/options.c
+index a7ed84c..4e53bb4 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
+        if (!option_cache_allocate(&oc, MDL)) {
+                log_error("No memory for option cache adding %s (option %d).",
+                          option->name, option_num);
++               /* Get rid of reference created during hash lookup. */
++               option_dereference(&option, MDL);
+                return 0;
+        }
+ 
+@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
+                             MDL)) {
+                log_error("No memory for constant data adding %s (option %d).",
+                          option->name, option_num);
++               /* Get rid of reference created during hash lookup. */
++               option_dereference(&option, MDL);
+                option_cache_dereference(&oc, MDL);
+                return 0;
+        }
+@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
+        save_option(&dhcp_universe, options, oc);
+        option_cache_dereference(&oc, MDL);
+ 
++       /* Get rid of reference created during hash lookup. */
++       option_dereference(&option, MDL);
++
+        return 1;
+ }
+ 
+diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
+index cd52cfb..690704d 100644
+--- a/common/tests/option_unittest.c
++++ b/common/tests/option_unittest.c
+@@ -130,6 +130,59 @@ ATF_TC_BODY(pretty_print_option, tc)
+ }
+ 
+ 
++ATF_TC(add_option_ref_cnt);
++
++ATF_TC_HEAD(add_option_ref_cnt, tc)
++{
++    atf_tc_set_md_var(tc, "descr",
++        "Verify add_option() does not leak option ref counts.");
++}
++
++ATF_TC_BODY(add_option_ref_cnt, tc)
++{
++    struct option_state *options = NULL;
++    struct option *option = NULL;
++    unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
++    char *cid_str = "1234";
++    int refcnt_before = 0;
++
++    // Look up the option we're going to add.
++    initialize_common_option_spaces();
++    if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
++                                 &cid_code, 0, MDL)) {
++        atf_tc_fail("cannot find option definition?");
++    }
++
++    // Get the option's reference count before we call add_options.
++    refcnt_before = option->refcnt;
++
++    // Allocate a option_state to which to add an option.
++    if (!option_state_allocate(&options, MDL)) {
++           atf_tc_fail("cannot allocat options state");
++    }
++
++    // Call add_option() to add the option to the option state.
++    if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
++           atf_tc_fail("add_option returned 0");
++    }
++
++    // Verify that calling add_option() only adds 1 to the option ref count.
++    if (option->refcnt != (refcnt_before + 1)) {
++        atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
++                    refcnt_before, option->refcnt);
++    }
++
++    // Derefrence the option_state, this should reduce the ref count to
++    // it's starting value.
++    option_state_dereference(&options, MDL);
++
++    // Verify that dereferencing option_state restores option ref count.
++    if (option->refcnt != refcnt_before) {
++        atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
++                    refcnt_before, option->refcnt);
++    }
++}
++
+ /* This macro defines main() method that will call specified
+    test cases. tp and simple_test_case names can be whatever you want
+    as long as it is a valid variable identifier. */
+@@ -137,6 +190,7 @@ ATF_TP_ADD_TCS(tp)
+ {
+     ATF_TP_ADD_TC(tp, option_refcnt);
+     ATF_TP_ADD_TC(tp, pretty_print_option);
++    ATF_TP_ADD_TC(tp, add_option_ref_cnt);
+ 
+     return (atf_no_error());
+ }
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch
new file mode 100644
index 0000000000..d605204f89
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch
@@ -0,0 +1,40 @@
+From 5c959166ebee7605e2048de573f2475b4d731ff7 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 6 Oct 2022 09:42:59 +0530
+Subject: [PATCH] CVE-2022-2929
+
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2929
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/common/options.c b/common/options.c
+index 4e53bb4..28800fc 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
+                while (s < &bp -> data[0] + length + 2) {
+                        len = *s;
+                        if (len > 63) {
+-                               log_info ("fancy bits in fqdn option");
+-                               return 0;
++                               log_info ("label length exceeds 63 in fqdn option");
++                               goto bad;
+                        }
+                        if (len == 0) {
+                                terminated = 1;
+                                break;
+                        }
+                        if (s + len > &bp -> data [0] + length + 3) {
+-                               log_info ("fqdn tag longer than buffer");
+-                               return 0;
++                               log_info ("fqdn label longer than buffer");
++                               goto bad;
+                        }
+ 
+                        if (first_len == 0) {
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
index b56a204821..d3c87d0d07 100644
--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
@@ -10,6 +10,9 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
             file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
             file://0013-fixup_use_libbind.patch \
             file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
+            file://CVE-2021-25217.patch \
+            file://CVE-2022-2928.patch \
+            file://CVE-2022-2929.patch \
 "
 
 SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
new file mode 100644
index 0000000000..aea07bd803
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,283 @@
+From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Date: Fri, 30 Jun 2023 19:02:45 +0200
+Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
+ set*id() return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ftpd/ftpd.c  | 10 +++++++---
+ src/rcp.c    | 39 +++++++++++++++++++++++++++++++++------
+ src/rlogin.c | 11 +++++++++--
+ src/rsh.c    | 25 +++++++++++++++++++++----
+ src/rshd.c   | 20 +++++++++++++++++---
+ src/uucpd.c  | 15 +++++++++++++--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 5db88d0..b52b122 100644
+--- a/ftpd/ftpd.c
++++ b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+   char *remotehost = pcred->remotehost;
+   int atype = pcred->auth_type;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++    _exit (EXIT_FAILURE);
++
+   if (pcred->logged_in)
+     {
+       logwtmp_keep_open (ttyline, "", "");
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+ 
+   if (data >= 0)
+     return fdopen (data, mode);
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++    _exit (EXIT_FAILURE);
+   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+   if (s < 0)
+     goto bad;
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+   else /* !AF_INET6 */
+     ((struct sockaddr_in *) &pasv_addr)->sin_port = 0;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++    _exit (EXIT_FAILURE);
+   if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0)
+     {
+       if (seteuid ((uid_t) cred.uid))
+diff --git a/src/rcp.c b/src/rcp.c
+index bafa35f..366295c 100644
+--- a/src/rcp.c
++++ b/src/rcp.c
+@@ -347,14 +347,23 @@ main (int argc, char *argv[])
+   if (from_option)
+     {                          /* Follow "protocol", send data. */
+       response ();
+-      setuid (userid);
++
++      if (setuid (userid) == -1)
++      {
++        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++      }
++
+       source (argc, argv);
+       exit (errs);
+     }
+ 
+   if (to_option)
+     {                          /* Receive data. */
+-      setuid (userid);
++      if (setuid (userid) == -1)
++      {
++        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++      }
++
+       sink (argc, argv);
+       exit (errs);
+     }
+@@ -539,7 +548,11 @@ toremote (char *targ, int argc, char *argv[])
+              if (response () < 0)
+                exit (EXIT_FAILURE);
+              free (bp);
+-             setuid (userid);
++
++             if (setuid (userid) == -1)
++              {
++                error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++              }
+            }
+          source (1, argv + i);
+          close (rem);
+@@ -634,7 +647,12 @@ tolocal (int argc, char *argv[])
+          ++errs;
+          continue;
+        }
+-      seteuid (userid);
++
++      if (seteuid (userid) == -1)
++      {
++        error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++      }
++
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+       sslen = sizeof (ss);
+       (void) getpeername (rem, (struct sockaddr *) &ss, &sslen);
+@@ -647,7 +665,12 @@ tolocal (int argc, char *argv[])
+ #endif
+       vect[0] = target;
+       sink (1, vect);
+-      seteuid (effuid);
++
++      if (seteuid (effuid) == -1)
++      {
++        error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++      }
++
+       close (rem);
+       rem = -1;
+ #ifdef SHISHI
+@@ -1453,7 +1476,11 @@ susystem (char *s, int userid)
+       return (127);
+ 
+     case 0:
+-      setuid (userid);
++      if (setuid (userid) == -1)
++      {
++        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++      }
++
+       execl (PATH_BSHELL, "sh", "-c", s, NULL);
+       _exit (127);
+     }
+diff --git a/src/rlogin.c b/src/rlogin.c
+index e5e11a7..6b38901 100644
+--- a/src/rlogin.c
++++ b/src/rlogin.c
+@@ -649,8 +649,15 @@ try_connect:
+   /* Now change to the real user ID.  We have to be set-user-ID root
+      to get the privileged port that rcmd () uses.  We now want, however,
+      to run as the real user who invoked us.  */
+-  seteuid (uid);
+-  setuid (uid);
++  if (seteuid (uid) == -1)
++  {
++    error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++  }
++
++  if (setuid (uid) == -1)
++  {
++    error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++  }
+ 
+   doit (&osmask);      /* The old mask will activate SIGURG and SIGUSR1!  */
+ 
+diff --git a/src/rsh.c b/src/rsh.c
+index bd70372..b451a70 100644
+--- a/src/rsh.c
++++ b/src/rsh.c
+@@ -278,8 +278,17 @@ main (int argc, char **argv)
+     {
+       if (asrsh)
+        *argv = (char *) "rlogin";
+-      seteuid (getuid ());
+-      setuid (getuid ());
++
++      if (seteuid (getuid ()) == -1)
++      {
++        error (EXIT_FAILURE, errno, "seteuid() failed");
++      }
++
++      if (setuid (getuid ()) == -1)
++      {
++        error (EXIT_FAILURE, errno, "setuid() failed");
++      }
++
+       execv (PATH_RLOGIN, argv);
+       error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+     }
+@@ -543,8 +552,16 @@ try_connect:
+        error (0, errno, "setsockopt DEBUG (ignored)");
+     }
+ 
+-  seteuid (uid);
+-  setuid (uid);
++  if (seteuid (uid) == -1)
++  {
++    error (EXIT_FAILURE, errno, "seteuid() failed");
++  }
++
++  if (setuid (uid) == -1)
++  {
++    error (EXIT_FAILURE, errno, "setuid() failed");
++  }
++
+ #ifdef HAVE_SIGACTION
+   sigemptyset (&sigs);
+   sigaddset (&sigs, SIGINT);
+diff --git a/src/rshd.c b/src/rshd.c
+index b824a10..8cdcd06 100644
+--- a/src/rshd.c
++++ b/src/rshd.c
+@@ -1848,8 +1848,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+     pwd->pw_shell = PATH_BSHELL;
+ 
+   /* Set the gid, then uid to become the user specified by "locuser" */
+-  setegid ((gid_t) pwd->pw_gid);
+-  setgid ((gid_t) pwd->pw_gid);
++  if (setegid ((gid_t) pwd->pw_gid) == -1)
++  {
++    rshd_error ("Cannot drop privileges (setegid() failed)\n");
++    exit (EXIT_FAILURE);
++  }
++
++  if (setgid ((gid_t) pwd->pw_gid) == -1)
++  {
++    rshd_error ("Cannot drop privileges (setgid() failed)\n");
++    exit (EXIT_FAILURE);
++  }
++
+ #ifdef HAVE_INITGROUPS
+   initgroups (pwd->pw_name, pwd->pw_gid);      /* BSD groups */
+ #endif
+@@ -1871,7 +1881,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+     }
+ #endif /* WITH_PAM */
+ 
+-  setuid ((uid_t) pwd->pw_uid);
++  if (setuid ((uid_t) pwd->pw_uid) == -1)
++  {
++    rshd_error ("Cannot drop privileges (setuid() failed)\n");
++    exit (EXIT_FAILURE);
++  }
+ 
+   /* We'll execute the client's command in the home directory
+    * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 55c3d44..6aba294 100644
+--- a/src/uucpd.c
++++ b/src/uucpd.c
+@@ -254,7 +254,12 @@ doit (struct sockaddr *sap, socklen_t salen)
+   sprintf (Username, "USER=%s", user);
+   sprintf (Logname, "LOGNAME=%s", user);
+   dologin (pw, sap, salen);
+-  setgid (pw->pw_gid);
++
++  if (setgid (pw->pw_gid) == -1)
++  {
++    fprintf (stderr, "setgid() failed");
++    return;
++  }
+ #ifdef HAVE_INITGROUPS
+   initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -263,7 +268,13 @@ doit (struct sockaddr *sap, socklen_t salen)
+       fprintf (stderr, "Login incorrect.");
+       return;
+     }
+-  setuid (pw->pw_uid);
++
++  if (setuid (pw->pw_uid) == -1)
++  {
++    fprintf (stderr, "setuid() failed");
++    return;
++  }
++
+   execl (uucico_location, "uucico", NULL);
+   perror ("uucico server: execl");
+ }
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
new file mode 100644
index 0000000000..4bc354d256
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
@@ -0,0 +1,254 @@
+From 70fe022f9dac760eaece0228cad17e3d29a57fb8 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Mon, 31 Jul 2023 13:59:05 +0200
+Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/rcp.c    | 42 ++++++++++++++++++++++++------------------
+ src/rlogin.c | 12 ++++++------
+ src/rsh.c    | 24 ++++++++++++------------
+ src/rshd.c   | 24 ++++++++++++------------
+ src/uucpd.c  | 16 ++++++++--------
+ 5 files changed, 62 insertions(+), 56 deletions(-)
+
+diff --git a/src/rcp.c b/src/rcp.c
+index cdcf8500..652f22e6 100644
+--- a/src/rcp.c
++++ b/src/rcp.c
+@@ -347,9 +347,10 @@ main (int argc, char *argv[])
+       response ();
+ 
+       if (setuid (userid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-      }
++       {
++         error (EXIT_FAILURE, 0,
++                "Could not drop privileges (setuid() failed)");
++       }
+ 
+       source (argc, argv);
+       exit (errs);
+@@ -358,9 +359,10 @@ main (int argc, char *argv[])
+   if (to_option)
+     {                          /* Receive data. */
+       if (setuid (userid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-      }
++       {
++         error (EXIT_FAILURE, 0,
++                "Could not drop privileges (setuid() failed)");
++       }
+ 
+       sink (argc, argv);
+       exit (errs);
+@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[])
+              free (bp);
+ 
+              if (setuid (userid) == -1)
+-              {
+-                error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-              }
++               {
++                 error (EXIT_FAILURE, 0,
++                        "Could not drop privileges (setuid() failed)");
++               }
+            }
+          source (1, argv + i);
+          close (rem);
+@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[])
+        }
+ 
+       if (seteuid (userid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+-      }
++       {
++         error (EXIT_FAILURE, 0,
++                "Could not drop privileges (seteuid() failed)");
++       }
+ 
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+       sslen = sizeof (ss);
+@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[])
+       sink (1, vect);
+ 
+       if (seteuid (effuid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+-      }
++       {
++         error (EXIT_FAILURE, 0,
++                "Could not drop privileges (seteuid() failed)");
++       }
+ 
+       close (rem);
+       rem = -1;
+@@ -1465,9 +1470,10 @@ susystem (char *s, int userid)
+ 
+     case 0:
+       if (setuid (userid) == -1)
+-      {
+-        error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-      }
++       {
++         error (EXIT_FAILURE, 0,
++                "Could not drop privileges (setuid() failed)");
++       }
+ 
+       execl (PATH_BSHELL, "sh", "-c", s, NULL);
+       _exit (127);
+diff --git a/src/rlogin.c b/src/rlogin.c
+index c543de0c..4360202f 100644
+--- a/src/rlogin.c
++++ b/src/rlogin.c
+@@ -648,14 +648,14 @@ try_connect:
+      to get the privileged port that rcmd () uses.  We now want, however,
+      to run as the real user who invoked us.  */
+   if (seteuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+-  }
++    {
++      error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++    }
+ 
+   if (setuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-  }
++    {
++      error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++    }
+ 
+   doit (&osmask);      /* The old mask will activate SIGURG and SIGUSR1!  */
+ 
+diff --git a/src/rsh.c b/src/rsh.c
+index 6f60667d..179b47cd 100644
+--- a/src/rsh.c
++++ b/src/rsh.c
+@@ -278,14 +278,14 @@ main (int argc, char **argv)
+        *argv = (char *) "rlogin";
+ 
+       if (seteuid (getuid ()) == -1)
+-      {
+-        error (EXIT_FAILURE, errno, "seteuid() failed");
+-      }
++       {
++         error (EXIT_FAILURE, errno, "seteuid() failed");
++       }
+ 
+       if (setuid (getuid ()) == -1)
+-      {
+-        error (EXIT_FAILURE, errno, "setuid() failed");
+-      }
++       {
++         error (EXIT_FAILURE, errno, "setuid() failed");
++       }
+ 
+       execv (PATH_RLOGIN, argv);
+       error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+@@ -551,14 +551,14 @@ try_connect:
+     }
+ 
+   if (seteuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, errno, "seteuid() failed");
+-  }
++    {
++      error (EXIT_FAILURE, errno, "seteuid() failed");
++    }
+ 
+   if (setuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, errno, "setuid() failed");
+-  }
++    {
++      error (EXIT_FAILURE, errno, "setuid() failed");
++    }
+ 
+ #ifdef HAVE_SIGACTION
+   sigemptyset (&sigs);
+diff --git a/src/rshd.c b/src/rshd.c
+index 707790e7..3a153a18 100644
+--- a/src/rshd.c
++++ b/src/rshd.c
+@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ 
+   /* Set the gid, then uid to become the user specified by "locuser" */
+   if (setegid ((gid_t) pwd->pw_gid) == -1)
+-  {
+-    rshd_error ("Cannot drop privileges (setegid() failed)\n");
+-    exit (EXIT_FAILURE);
+-  }
++    {
++      rshd_error ("Cannot drop privileges (setegid() failed)\n");
++      exit (EXIT_FAILURE);
++    }
+ 
+   if (setgid ((gid_t) pwd->pw_gid) == -1)
+-  {
+-    rshd_error ("Cannot drop privileges (setgid() failed)\n");
+-    exit (EXIT_FAILURE);
+-  }
++    {
++      rshd_error ("Cannot drop privileges (setgid() failed)\n");
++      exit (EXIT_FAILURE);
++    }
+ 
+ #ifdef HAVE_INITGROUPS
+   initgroups (pwd->pw_name, pwd->pw_gid);      /* BSD groups */
+@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ #endif /* WITH_PAM */
+ 
+   if (setuid ((uid_t) pwd->pw_uid) == -1)
+-  {
+-    rshd_error ("Cannot drop privileges (setuid() failed)\n");
+-    exit (EXIT_FAILURE);
+-  }
++    {
++      rshd_error ("Cannot drop privileges (setuid() failed)\n");
++      exit (EXIT_FAILURE);
++    }
+ 
+   /* We'll execute the client's command in the home directory
+    * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 29cfce35..fde7b9c9 100644
+--- a/src/uucpd.c
++++ b/src/uucpd.c
+@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+   dologin (pw, sap, salen);
+ 
+   if (setgid (pw->pw_gid) == -1)
+-  {
+-    fprintf (stderr, "setgid() failed");
+-    return;
+-  }
++    {
++      fprintf (stderr, "setgid() failed");
++      return;
++    }
+ #ifdef HAVE_INITGROUPS
+   initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+     }
+ 
+   if (setuid (pw->pw_uid) == -1)
+-  {
+-    fprintf (stderr, "setuid() failed");
+-    return;
+-  }
++    {
++      fprintf (stderr, "setuid() failed");
++      return;
++    }
+ 
+   execl (uucico_location, "uucico", NULL);
+   perror ("uucico server: execl");
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
new file mode 100644
index 0000000000..54252d6bc7
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
@@ -0,0 +1,67 @@
+From 4e355804d57d5686defc363c70f81e6f58cd08f0 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Fri, 17 Dec 2021 21:52:18 -0800
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+
+* NEWS: Mention change.
+* ftp/ftp.c (initconn): Validate returned addresses.
+
+CVE: CVE-2021-40491
+
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd]
+
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ ftp/ftp.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/ftp/ftp.c b/ftp/ftp.c
+index 9813586..7c72cb2 100644
+--- a/ftp/ftp.c
++++ b/ftp/ftp.c
+@@ -1344,6 +1344,13 @@ initconn (void)
+                  uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+                  pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]);
+                }
++               if (data_addr_sa4->sin_addr.s_addr
++                   != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++                 {
++                   printf ("Passive mode address mismatch.\n");
++                   (void) command ("ABOR");    /* Cancel any open connection.  */
++                   goto bad;
++                 }
+            } /* LPSV IPv4 */
+          else /* IPv6 */
+            {
+@@ -1374,6 +1381,13 @@ initconn (void)
+                  pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]);
+                  pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]);
+                }
++               if (data_addr_sa6->sin6_addr.s6_addr
++                   != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
++                 {
++                   printf ("Passive mode address mismatch.\n");
++                   (void) command ("ABOR");    /* Cancel any open connection.  */
++                   goto bad;
++                 }
+            } /* LPSV IPv6 */
+        }
+       else /* !EPSV && !LPSV */
+@@ -1394,6 +1408,13 @@ initconn (void)
+                         | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+              data_addr_sa4->sin_port =
+                  htons (((p0 & 0xff) << 8) | (p1 & 0xff));
++             if (data_addr_sa4->sin_addr.s_addr
++                 != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++               {
++                 printf ("Passive mode address mismatch.\n");
++                 (void) command ("ABOR");      /* Cancel any open connection.  */
++                 goto bad;
++               }
+            } /* PASV */
+          else
+            {
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
new file mode 100644
index 0000000000..da2da8da8a
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
@@ -0,0 +1,54 @@
+From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Mon, 26 Sep 2022 22:05:07 +0200
+Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt
+
+Fix telnetd crash if the first two bytes of a new connection
+are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
+
+The problem was reported in:
+<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>.
+
+* NEWS: Mention fix.
+* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and
+zero slctab[SLC_EL].sptr.
+
+CVE: CVE-2022-39028
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f]
+Signed-off-by: Minjae Kim<flowergom@gmail.com>
+---
+ telnetd/state.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/telnetd/state.c b/telnetd/state.c
+index 2184bca..7948503 100644
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -314,15 +314,21 @@ telrcv (void)
+            case EC:
+            case EL:
+              {
+-               cc_t ch;
++               cc_t ch = (cc_t) (_POSIX_VDISABLE);
+ 
+                DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+                ptyflush ();    /* half-hearted */
+                init_termbuf ();
+                if (c == EC)
+-                 ch = *slctab[SLC_EC].sptr;
++               {
++                 if (slctab[SLC_EC].sptr)
++                   ch = *slctab[SLC_EC].sptr;
++               }
+                else
+-                 ch = *slctab[SLC_EL].sptr;
++               {
++                 if (slctab[SLC_EL].sptr)
++                   ch = *slctab[SLC_EL].sptr;
++               }
+                if (ch != (cc_t) (_POSIX_VDISABLE))
+                  pty_output_byte ((unsigned char) ch);
+                break;
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
index cc9410b94e..3a68b34825 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
@@ -23,6 +23,10 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
            file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
            file://0001-rcp-fix-to-work-with-large-files.patch \
            file://fix-buffer-fortify-tfpt.patch \
+           file://CVE-2021-40491.patch \
+           file://CVE-2022-39028.patch \
+           file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \
+           file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \
 "
 
 SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"
diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
index 5e4460045b..5213b28345 100644
--- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
+++ b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Name Service Switch module for Multicast DNS (zeroconf) name resolution"
 HOMEPAGE = "https://github.com/lathiat/nss-mdns"
+DESCRIPTION = "nss-mdns is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing host name resolution via Multicast DNS (aka Zeroconf, aka Apple Rendezvous, aka Apple Bonjour), effectively allowing name resolution by common Unix/Linux programs in the ad-hoc mDNS domain .local."
 SECTION = "libs"
 
 LICENSE = "LGPLv2.1+"
@@ -7,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
 
 DEPENDS = "avahi"
 
-SRC_URI = "git://github.com/lathiat/nss-mdns \
+SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \
            "
 
 SRCREV = "41c9c5e78f287ed4b41ac438c1873fa71bfa70ae"
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index 7dccc15e03..a4030b7b32 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -1,13 +1,15 @@
 SUMMARY = "Mobile Broadband Service Provider Database"
 HOMEPAGE = "http://live.gnome.org/NetworkManager/MobileBroadband/ServiceProviders"
+DESCRIPTION = "Mobile Broadband Service Provider Database stores service provider specific information. When this Database is available the information can be fetched there"
 SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "90f3fe28aa25135b7e4a54a7816388913bfd4a2a"
-PV = "20201225"
+
+SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe"
+PV = "20230416"
 PE = "1"
 
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
 S = "${WORKDIR}/git"
 
 inherit autotools
diff --git a/meta/recipes-connectivity/neard/neard_0.16.bb b/meta/recipes-connectivity/neard/neard_0.16.bb
index 7c124a3c0b..dd0742f792 100644
--- a/meta/recipes-connectivity/neard/neard_0.16.bb
+++ b/meta/recipes-connectivity/neard/neard_0.16.bb
@@ -2,21 +2,22 @@ SUMMARY = "Linux NFC daemon"
 DESCRIPTION = "A daemon for the Linux Near Field Communication stack"
 HOMEPAGE = "http://01.org/linux-nfc"
 LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+                    file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
+                   "
 
 DEPENDS = "dbus glib-2.0 libnl"
 
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \
+SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=git;branch=master \
            file://neard.in \
            file://Makefile.am-fix-parallel-issue.patch \
            file://Makefile.am-do-not-ship-version.h.patch \
            file://0001-Add-header-dependency-to-nciattach.o.patch \
           "
-SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
-SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
- file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
- "
+SRCREV = "949795024f7625420e93e288c56e194cb9a3e74a"
+
+S = "${WORKDIR}/git"
 
 inherit autotools pkgconfig systemd update-rc.d
 
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
new file mode 100644
index 0000000000..3adb981fb4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 05:23:03 +0000
+Subject: upstream: tweak the client hostkey preference ordering algorithm to
+
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+
+feedback and ok markus@
+
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+CVE: CVE-2020-14145
+Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+Comment: Refreshed first hunk
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c..f64aae66 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2008 Damien Miller.  All rights reserved.
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+        return 0;
+ }
+ 
++/* Returns the first item from a comma-separated algorithm list */
++static char *
++first_alg(const char *algs)
++{
++       char *ret, *cp;
++
++       ret = xstrdup(algs);
++       if ((cp = strchr(ret, ',')) != NULL)
++               *cp = '\0';
++       return ret;
++}
++
+ static char *
+ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+-       char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
++       char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
++       char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+        size_t maxlen;
+-       struct hostkeys *hostkeys;
++       struct hostkeys *hostkeys = NULL;
+        int ktype;
+        u_int i;
+ 
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+        for (i = 0; i < options.num_system_hostfiles; i++)
+                load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ 
++       /*
++        * If a plain public key exists that matches the type of the best
++        * preference HostkeyAlgorithms, then use the whole list as is.
++        * Note that we ignore whether the best preference algorithm is a
++        * certificate type, as sshconnect.c will downgrade certs to
++        * plain keys if necessary.
++        */
++       best = first_alg(options.hostkeyalgorithms);
++       if (lookup_key_in_hostkeys_by_type(hostkeys,
++           sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
++               debug3("%s: have matching best-preference key type %s, "
++                   "using HostkeyAlgorithms verbatim", __func__, best);
++               ret = xstrdup(options.hostkeyalgorithms);
++               goto out;
++       }
++
++       /*
++        * Otherwise, prefer the host key algorithms that match known keys
++        * while keeping the ordering of HostkeyAlgorithms as much as possible.
++        */
+        oavail = avail = xstrdup(options.hostkeyalgorithms);
+        maxlen = strlen(avail) + 1;
+        first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+        if (*first != '\0')
+                debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+ 
++ out:
++       free(best);
+        free(first);
+        free(last);
+        free(hostname);
+-- 
+cgit v1.2.3
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch
new file mode 100644
index 0000000000..9fd7e932d1
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch
@@ -0,0 +1,20 @@
+Description: fix double-free memory corruption in ssh-agent
+Author: Marc Deslauriers <marc.deslauriers@canonical.com>
+Origin: minimal fix for https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2021-28041
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.3.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -496,6 +496,7 @@ process_add_identity(SocketEntry *e)
+                                goto err;
+                        }
+                        free(ext_name);
++                       ext_name = NULL;
+                        break;
+                default:
+                        error("%s: Unknown constraint %d", __func__, ctype);
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..bda896f581
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,52 @@
+From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
+From: Ali Abdallah <aabdallah@suse.de>
+Date: Wed, 24 Nov 2021 13:33:39 +0100
+Subject: [PATCH] CVE-2021-41617 fix
+
+backport of the following two upstream commits
+
+f3cbe43e28fe71427d41cfe3a17125b972710455
+bf944e3794eff5413f2df1ef37cddf96918c6bde
+
+CVE-2021-41617 failed to correctly initialise supplemental groups
+when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
+where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
+directive has been set to run the command as a different user. Instead
+these commands would inherit the groups that sshd(8) was started with.
+---
+ auth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+CVE: CVE-2021-41617
+Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
+Comment: No change in any hunk
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/auth.c b/auth.c
+index 163038f..a47b267 100644
+--- a/auth.c
++++ b/auth.c
+@@ -52,6 +52,7 @@
+ #include <limits.h>
+ #include <netdb.h>
+ #include <time.h>
++#include <grp.h>
+ 
+ #include "xmalloc.h"
+ #include "match.h"
+@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
+                }
+                closefrom(STDERR_FILENO + 1);
+ 
++               if (geteuid() == 0 &&
++                   initgroups(pw->pw_name, pw->pw_gid) == -1) {
++                       error("%s: initgroups(%s, %u): %s", tag,
++                           pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++                       _exit(1);
++               }
++
+                /* Don't use permanently_set_uid() here to avoid fatal() */
+                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+                        error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+-- 
+2.26.2
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
new file mode 100644
index 0000000000..c899056337
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@
+From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 1 Oct 2021 16:35:49 +1000
+Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough
+
+ok dtucker
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 16 ++++++++--------
+ ssh-pkcs11.c        | 26 +++++++++++++-------------
+ 2 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 8a0ffef..41114c7 100644
+--- a/ssh-pkcs11-client.c
++++ b/ssh-pkcs11-client.c
+@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+        return (ret);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+     const BIGNUM *rp, EC_KEY *ec)
+@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+        sshbuf_free(msg);
+        return (ret);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ static RSA_METHOD      *helper_rsa;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD   *helper_ecdsa;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k)
+ {
+        if (k->type == KEY_RSA)
+                RSA_set_method(k->rsa, helper_rsa);
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+        else if (k->type == KEY_ECDSA)
+                EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+        else
+                fatal("%s: unknown key type", __func__);
+ }
+@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void)
+        if (helper_rsa != NULL)
+                return (0);
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+        int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
+            unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+        if (helper_ecdsa != NULL)
+@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void)
+                return (-1);
+        EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+        EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+        if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
+                fatal("%s: RSA_meth_dup failed", __func__);
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index a302c79..b56a41b 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -78,7 +78,7 @@ struct pkcs11_key {
+
+ int pkcs11_interactive = 0;
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static void
+ ossl_error(const char *msg)
+ {
+@@ -89,7 +89,7 @@ ossl_error(const char *msg)
+                error("%s: libcrypto error: %.100s", __func__,
+                    ERR_error_string(e, NULL));
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ int
+ pkcs11_init(int interactive)
+@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id)
+
+ static RSA_METHOD *rsa_method;
+ static int rsa_idx = 0;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD *ec_key_method;
+ static int ec_key_idx = 0;
+-#endif
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* release a wrapped object */
+ static void
+@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+        return (0);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ /* openssl callback doing the actual signing operation */
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+
+        return (0);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* remove trailing spaces */
+ static void
+@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
+        return (0);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static struct sshkey *
+ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+     CK_OBJECT_HANDLE *obj)
+@@ -802,7 +802,7 @@ fail:
+
+        return (key);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ static struct sshkey *
+ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ #endif
+        struct sshkey           *key = NULL;
+        int                      i;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+        int                      nid;
+ #endif
+        const u_char            *cp;
+@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+                key->type = KEY_RSA;
+                key->flags |= SSHKEY_FLAG_EXT;
+                rsa = NULL;     /* now owned by key */
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+        } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
+                if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
+                        error("invalid x509; no ec key");
+@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+                key->type = KEY_ECDSA;
+                key->flags |= SSHKEY_FLAG_EXT;
+                ec = NULL;      /* now owned by key */
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+        } else {
+                error("unknown certificate key type");
+                goto out;
+@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+                case CKK_RSA:
+                        key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
+                        break;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+                case CKK_ECDSA:
+                        key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
+                        break;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+                default:
+                        /* XXX print key type? */
+                        key = NULL;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
new file mode 100644
index 0000000000..25ba921869
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
@@ -0,0 +1,581 @@
+From 92cebfbcc221c9ef3f6bbb78da3d7699c0ae56be Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:03:45 +0000
+Subject: [PATCH 02/12] upstream: Separate ssh-pkcs11-helpers for each p11
+ module
+
+Make ssh-pkcs11-client start an independent helper for each provider,
+providing better isolation between modules and reliability if a single
+module misbehaves.
+
+This also implements reference counting of PKCS#11-hosted keys,
+allowing ssh-pkcs11-helper subprocesses to be automatically reaped
+when no remaining keys reference them. This fixes some bugs we have
+that make PKCS11 keys unusable after they have been deleted, e.g.
+https://bugzilla.mindrot.org/show_bug.cgi?id=3125
+
+ok markus@
+
+OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 372 +++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 282 insertions(+), 90 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 41114c7..4f3c6ed 100644
+--- a/ssh-pkcs11-client.c
++++ b/ssh-pkcs11-client.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-pkcs11-client.c,v 1.16 2020/01/25 00:03:36 djm Exp $ */
++/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */
+ /*
+  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
+@@ -30,12 +30,11 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
++#include <limits.h>
+
+ #include <openssl/ecdsa.h>
+ #include <openssl/rsa.h>
+
+-#include "openbsd-compat/openssl-compat.h"
+-
+ #include "pathnames.h"
+ #include "xmalloc.h"
+ #include "sshbuf.h"
+@@ -47,18 +46,140 @@
+ #include "ssh-pkcs11.h"
+ #include "ssherr.h"
+
++#include "openbsd-compat/openssl-compat.h"
++
+ /* borrows code from sftp-server and ssh-agent */
+
+-static int fd = -1;
+-static pid_t pid = -1;
++/*
++ * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up
++ * by provider path or their unique EC/RSA METHOD pointers.
++ */
++struct helper {
++       char *path;
++       pid_t pid;
++       int fd;
++       RSA_METHOD *rsa_meth;
++       EC_KEY_METHOD *ec_meth;
++       int (*rsa_finish)(RSA *rsa);
++       void (*ec_finish)(EC_KEY *key);
++       size_t nrsa, nec; /* number of active keys of each type */
++};
++static struct helper **helpers;
++static size_t nhelpers;
++
++static struct helper *
++helper_by_provider(const char *path)
++{
++       size_t i;
++
++       for (i = 0; i < nhelpers; i++) {
++               if (helpers[i] == NULL || helpers[i]->path == NULL ||
++                   helpers[i]->fd == -1)
++                       continue;
++               if (strcmp(helpers[i]->path, path) == 0)
++                       return helpers[i];
++       }
++       return NULL;
++}
++
++static struct helper *
++helper_by_rsa(const RSA *rsa)
++{
++       size_t i;
++       const RSA_METHOD *meth;
++
++       if ((meth = RSA_get_method(rsa)) == NULL)
++               return NULL;
++       for (i = 0; i < nhelpers; i++) {
++               if (helpers[i] != NULL && helpers[i]->rsa_meth == meth)
++                       return helpers[i];
++       }
++       return NULL;
++
++}
++
++static struct helper *
++helper_by_ec(const EC_KEY *ec)
++{
++       size_t i;
++       const EC_KEY_METHOD *meth;
++
++       if ((meth = EC_KEY_get_method(ec)) == NULL)
++               return NULL;
++       for (i = 0; i < nhelpers; i++) {
++               if (helpers[i] != NULL && helpers[i]->ec_meth == meth)
++                       return helpers[i];
++       }
++       return NULL;
++
++}
++
++static void
++helper_free(struct helper *helper)
++{
++       size_t i;
++       int found = 0;
++
++       if (helper == NULL)
++               return;
++       if (helper->path == NULL || helper->ec_meth == NULL ||
++           helper->rsa_meth == NULL)
++               fatal("%s: inconsistent helper", __func__);
++       debug3("%s: free helper for provider %s", __func__ , helper->path);
++       for (i = 0; i < nhelpers; i++) {
++               if (helpers[i] == helper) {
++                       if (found)
++                               fatal("%s: helper recorded more than once", __func__);
++                       found = 1;
++               }
++               else if (found)
++                       helpers[i - 1] = helpers[i];
++       }
++       if (found) {
++               helpers = xrecallocarray(helpers, nhelpers,
++                   nhelpers - 1, sizeof(*helpers));
++               nhelpers--;
++       }
++       free(helper->path);
++       EC_KEY_METHOD_free(helper->ec_meth);
++       RSA_meth_free(helper->rsa_meth);
++       free(helper);
++}
++
++static void
++helper_terminate(struct helper *helper)
++{
++       if (helper == NULL) {
++               return;
++       } else if (helper->fd == -1) {
++               debug3("%s: already terminated", __func__);
++       } else {
++               debug3("terminating helper for %s; "
++                   "remaining %zu RSA %zu ECDSA", __func__,
++                   helper->path, helper->nrsa, helper->nec);
++               close(helper->fd);
++               /* XXX waitpid() */
++               helper->fd = -1;
++               helper->pid = -1;
++       }
++       /*
++        * Don't delete the helper entry until there are no remaining keys
++        * that reference it. Otherwise, any signing operation would call
++        * a free'd METHOD pointer and that would be bad.
++        */
++       if (helper->nrsa == 0 && helper->nec == 0)
++               helper_free(helper);
++}
+
+ static void
+-send_msg(struct sshbuf *m)
++send_msg(int fd, struct sshbuf *m)
+ {
+        u_char buf[4];
+        size_t mlen = sshbuf_len(m);
+        int r;
+
++       if (fd == -1)
++               return;
+        POKE_U32(buf, mlen);
+        if (atomicio(vwrite, fd, buf, 4) != 4 ||
+            atomicio(vwrite, fd, sshbuf_mutable_ptr(m),
+@@ -69,12 +190,15 @@ send_msg(struct sshbuf *m)
+ }
+
+ static int
+-recv_msg(struct sshbuf *m)
++recv_msg(int fd, struct sshbuf *m)
+ {
+        u_int l, len;
+        u_char c, buf[1024];
+        int r;
+
++       sshbuf_reset(m);
++       if (fd == -1)
++               return 0; /* XXX */
+        if ((len = atomicio(read, fd, buf, 4)) != 4) {
+                error("read from helper failed: %u", len);
+                return (0); /* XXX */
+@@ -83,7 +207,6 @@ recv_msg(struct sshbuf *m)
+        if (len > 256 * 1024)
+                fatal("response too long: %u", len);
+        /* read len bytes into m */
+-       sshbuf_reset(m);
+        while (len > 0) {
+                l = len;
+                if (l > sizeof(buf))
+@@ -104,14 +227,17 @@ recv_msg(struct sshbuf *m)
+ int
+ pkcs11_init(int interactive)
+ {
+-       return (0);
++       return 0;
+ }
+
+ void
+ pkcs11_terminate(void)
+ {
+-       if (fd >= 0)
+-               close(fd);
++       size_t i;
++
++       debug3("%s: terminating %zu helpers", __func__, nhelpers);
++       for (i = 0; i < nhelpers; i++)
++               helper_terminate(helpers[i]);
+ }
+
+ static int
+@@ -122,7 +248,11 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+        u_char *blob = NULL, *signature = NULL;
+        size_t blen, slen = 0;
+        int r, ret = -1;
++       struct helper *helper;
+
++       if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1)
++               fatal("%s: no helper for PKCS11 key", __func__);
++       debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
+        if (padding != RSA_PKCS1_PADDING)
+                goto fail;
+        key = sshkey_new(KEY_UNSPEC);
+@@ -144,10 +274,10 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+            (r = sshbuf_put_string(msg, from, flen)) != 0 ||
+            (r = sshbuf_put_u32(msg, 0)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-       send_msg(msg);
++       send_msg(helper->fd, msg);
+        sshbuf_reset(msg);
+
+-       if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
++       if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
+                if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
+                if (slen <= (size_t)RSA_size(rsa)) {
+@@ -163,7 +293,26 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+        return (ret);
+ }
+
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
++static int
++rsa_finish(RSA *rsa)
++{
++       struct helper *helper;
++
++       if ((helper = helper_by_rsa(rsa)) == NULL)
++               fatal("%s: no helper for PKCS11 key", __func__);
++       debug3("%s: free PKCS11 RSA key for provider %s", __func__, helper->path);
++       if (helper->rsa_finish != NULL)
++               helper->rsa_finish(rsa);
++       if (helper->nrsa == 0)
++               fatal("%s: RSA refcount error", __func__);
++       helper->nrsa--;
++       debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
++           helper->path, helper->nrsa, helper->nec);
++       if (helper->nrsa == 0 && helper->nec == 0)
++               helper_terminate(helper);
++       return 1;
++}
++
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+     const BIGNUM *rp, EC_KEY *ec)
+@@ -175,7 +324,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+        u_char *blob = NULL, *signature = NULL;
+        size_t blen, slen = 0;
+        int r, nid;
++       struct helper *helper;
+
++       if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1)
++               fatal("%s: no helper for PKCS11 key", __func__);
++       debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
+        nid = sshkey_ecdsa_key_to_nid(ec);
+        if (nid < 0) {
+                error("%s: couldn't get curve nid", __func__);
+@@ -203,10 +356,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+            (r = sshbuf_put_string(msg, dgst, dgst_len)) != 0 ||
+            (r = sshbuf_put_u32(msg, 0)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-       send_msg(msg);
++       send_msg(helper->fd, msg);
+        sshbuf_reset(msg);
+
+-       if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
++       if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
+                if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
+                cp = signature;
+@@ -220,75 +373,110 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+        sshbuf_free(msg);
+        return (ret);
+ }
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+-static RSA_METHOD      *helper_rsa;
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+-static EC_KEY_METHOD   *helper_ecdsa;
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
++static void
++ecdsa_do_finish(EC_KEY *ec)
++{
++       struct helper *helper;
++
++       if ((helper = helper_by_ec(ec)) == NULL)
++               fatal("%s: no helper for PKCS11 key", __func__);
++       debug3("%s: free PKCS11 ECDSA key for provider %s", __func__, helper->path);
++       if (helper->ec_finish != NULL)
++               helper->ec_finish(ec);
++       if (helper->nec == 0)
++               fatal("%s: ECDSA refcount error", __func__);
++       helper->nec--;
++       debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
++           helper->path, helper->nrsa, helper->nec);
++       if (helper->nrsa == 0 && helper->nec == 0)
++               helper_terminate(helper);
++}
+
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+-wrap_key(struct sshkey *k)
++wrap_key(struct helper *helper, struct sshkey *k)
+ {
+-       if (k->type == KEY_RSA)
+-               RSA_set_method(k->rsa, helper_rsa);
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+-       else if (k->type == KEY_ECDSA)
+-               EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+-       else
++       debug3("%s: wrap %s for provider %s", __func__, sshkey_type(k), helper->path);
++       if (k->type == KEY_RSA) {
++               RSA_set_method(k->rsa, helper->rsa_meth);
++               if (helper->nrsa++ >= INT_MAX)
++                       fatal("%s: RSA refcount error", __func__);
++       } else if (k->type == KEY_ECDSA) {
++               EC_KEY_set_method(k->ecdsa, helper->ec_meth);
++               if (helper->nec++ >= INT_MAX)
++                       fatal("%s: EC refcount error", __func__);
++       } else
+                fatal("%s: unknown key type", __func__);
++       k->flags |= SSHKEY_FLAG_EXT;
++       debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
++           helper->path, helper->nrsa, helper->nec);
+ }
+
+ static int
+-pkcs11_start_helper_methods(void)
++pkcs11_start_helper_methods(struct helper *helper)
+ {
+-       if (helper_rsa != NULL)
+-               return (0);
+-
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+-       int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
++       int (*ec_init)(EC_KEY *key);
++       int (*ec_copy)(EC_KEY *dest, const EC_KEY *src);
++       int (*ec_set_group)(EC_KEY *key, const EC_GROUP *grp);
++       int (*ec_set_private)(EC_KEY *key, const BIGNUM *priv_key);
++       int (*ec_set_public)(EC_KEY *key, const EC_POINT *pub_key);
++       int (*ec_sign)(int, const unsigned char *, int, unsigned char *,
+            unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+-       if (helper_ecdsa != NULL)
+-               return (0);
+-       helper_ecdsa = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
+-       if (helper_ecdsa == NULL)
+-               return (-1);
+-       EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+-       EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+-
+-       if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
++       RSA_METHOD *rsa_meth;
++       EC_KEY_METHOD *ec_meth;
++
++       if ((ec_meth = EC_KEY_METHOD_new(EC_KEY_OpenSSL())) == NULL)
++               return -1;
++       EC_KEY_METHOD_get_sign(ec_meth, &ec_sign, NULL, NULL);
++       EC_KEY_METHOD_set_sign(ec_meth, ec_sign, NULL, ecdsa_do_sign);
++       EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish,
++           &ec_copy, &ec_set_group, &ec_set_private, &ec_set_public);
++       EC_KEY_METHOD_set_init(ec_meth, ec_init, ecdsa_do_finish,
++           ec_copy, ec_set_group, ec_set_private, ec_set_public);
++
++       if ((rsa_meth = RSA_meth_dup(RSA_get_default_method())) == NULL)
+                fatal("%s: RSA_meth_dup failed", __func__);
+-       if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") ||
+-           !RSA_meth_set_priv_enc(helper_rsa, rsa_encrypt))
++       helper->rsa_finish = RSA_meth_get_finish(rsa_meth);
++       if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") ||
++           !RSA_meth_set_priv_enc(rsa_meth, rsa_encrypt) ||
++           !RSA_meth_set_finish(rsa_meth, rsa_finish))
+                fatal("%s: failed to prepare method", __func__);
+
+-       return (0);
++       helper->ec_meth = ec_meth;
++       helper->rsa_meth = rsa_meth;
++       return 0;
+ }
+
+-static int
+-pkcs11_start_helper(void)
++static struct helper *
++pkcs11_start_helper(const char *path)
+ {
+        int pair[2];
+-       char *helper, *verbosity = NULL;
+-
+-       if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
+-               verbosity = "-vvv";
+-
+-       if (pkcs11_start_helper_methods() == -1) {
+-               error("pkcs11_start_helper_methods failed");
+-               return (-1);
+-       }
++       char *prog, *verbosity = NULL;
++       struct helper *helper;
++       pid_t pid;
+
++       if (nhelpers >= INT_MAX)
++               fatal("%s: too many helpers", __func__);
++       debug3("%s: start helper for %s", __func__, path);
+        if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
+                error("socketpair: %s", strerror(errno));
+-               return (-1);
++               return NULL;
++       }
++       helper = xcalloc(1, sizeof(*helper));
++       if (pkcs11_start_helper_methods(helper) == -1) {
++               error("pkcs11_start_helper_methods failed");
++               goto fail;
+        }
+        if ((pid = fork()) == -1) {
+                error("fork: %s", strerror(errno));
+-               return (-1);
++ fail:
++               close(pair[0]);
++               close(pair[1]);
++               RSA_meth_free(helper->rsa_meth);
++               EC_KEY_METHOD_free(helper->ec_meth);
++               free(helper);
++               return NULL;
+        } else if (pid == 0) {
+                if ((dup2(pair[1], STDIN_FILENO) == -1) ||
+                    (dup2(pair[1], STDOUT_FILENO) == -1)) {
+@@ -297,18 +485,27 @@ pkcs11_start_helper(void)
+                }
+                close(pair[0]);
+                close(pair[1]);
+-               helper = getenv("SSH_PKCS11_HELPER");
+-               if (helper == NULL || strlen(helper) == 0)
+-                       helper = _PATH_SSH_PKCS11_HELPER;
++               prog = getenv("SSH_PKCS11_HELPER");
++               if (prog == NULL || strlen(prog) == 0)
++                       prog = _PATH_SSH_PKCS11_HELPER;
++               if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
++                       verbosity = "-vvv";
+                debug("%s: starting %s %s", __func__, helper,
+                    verbosity == NULL ? "" : verbosity);
+-               execlp(helper, helper, verbosity, (char *)NULL);
+-               fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno));
++               execlp(prog, prog, verbosity, (char *)NULL);
++               fprintf(stderr, "exec: %s: %s\n", prog, strerror(errno));
+                _exit(1);
+        }
+        close(pair[1]);
+-       fd = pair[0];
+-       return (0);
++       helper->fd = pair[0];
++       helper->path = xstrdup(path);
++       helper->pid = pid;
++       debug3("%s: helper %zu for \"%s\" on fd %d pid %ld", __func__, nhelpers,
++           helper->path, helper->fd, (long)helper->pid);
++       helpers = xrecallocarray(helpers, nhelpers,
++           nhelpers + 1, sizeof(*helpers));
++       helpers[nhelpers++] = helper;
++       return helper;
+ }
+
+ int
+@@ -322,9 +519,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+        size_t blen;
+        u_int nkeys, i;
+        struct sshbuf *msg;
++       struct helper *helper;
+
+-       if (fd < 0 && pkcs11_start_helper() < 0)
+-               return (-1);
++       if ((helper = helper_by_provider(name)) == NULL &&
++           (helper = pkcs11_start_helper(name)) == NULL)
++               return -1;
+
+        if ((msg = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new failed", __func__);
+@@ -332,10 +531,10 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+            (r = sshbuf_put_cstring(msg, name)) != 0 ||
+            (r = sshbuf_put_cstring(msg, pin)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-       send_msg(msg);
++       send_msg(helper->fd, msg);
+        sshbuf_reset(msg);
+
+-       type = recv_msg(msg);
++       type = recv_msg(helper->fd, msg);
+        if (type == SSH2_AGENT_IDENTITIES_ANSWER) {
+                if ((r = sshbuf_get_u32(msg, &nkeys)) != 0)
+                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -350,7 +549,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+                                    __func__, ssh_err(r));
+                        if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
+                                fatal("%s: bad key: %s", __func__, ssh_err(r));
+-                       wrap_key(k);
++                       wrap_key(helper, k);
+                        (*keysp)[i] = k;
+                        if (labelsp)
+                                (*labelsp)[i] = label;
+@@ -371,22 +570,15 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ int
+ pkcs11_del_provider(char *name)
+ {
+-       int r, ret = -1;
+-       struct sshbuf *msg;
+-
+-       if ((msg = sshbuf_new()) == NULL)
+-               fatal("%s: sshbuf_new failed", __func__);
+-       if ((r = sshbuf_put_u8(msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY)) != 0 ||
+-           (r = sshbuf_put_cstring(msg, name)) != 0 ||
+-           (r = sshbuf_put_cstring(msg, "")) != 0)
+-               fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-       send_msg(msg);
+-       sshbuf_reset(msg);
+-
+-       if (recv_msg(msg) == SSH_AGENT_SUCCESS)
+-               ret = 0;
+-       sshbuf_free(msg);
+-       return (ret);
++       struct helper *helper;
++
++       /*
++        * ssh-agent deletes keys before calling this, so the helper entry
++        * should be gone before we get here.
++        */
++       debug3("%s: delete %s", __func__, name);
++       if ((helper = helper_by_provider(name)) != NULL)
++               helper_terminate(helper);
++       return 0;
+ }
+-
+ #endif /* ENABLE_PKCS11 */
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
new file mode 100644
index 0000000000..e16e5e245e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
@@ -0,0 +1,171 @@
+From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected
+ symbols
+
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+
+Feedback deraadt; ok markus
+
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ misc.c       | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ misc.h       |  1 +
+ ssh-pkcs11.c |  4 +++
+ ssh-sk.c     |  6 ++--
+ 4 files changed, 86 insertions(+), 2 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index 3a31d5c..8a107e4 100644
+--- a/misc.c
++++ b/misc.c
+@@ -28,6 +28,7 @@
+
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
++#include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -41,6 +42,9 @@
+ #ifdef HAVE_POLL_H
+ #include <poll.h>
+ #endif
++#ifdef HAVE_NLIST_H
++#include <nlist.h>
++#endif
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler)
+        }
+        return osa.sa_handler;
+ }
++
++
++/*
++ * Returns zero if the library at 'path' contains symbol 's', nonzero
++ * otherwise.
++ */
++int
++lib_contains_symbol(const char *path, const char *s)
++{
++#ifdef HAVE_NLIST_H
++       struct nlist nl[2];
++       int ret = -1, r;
++
++       memset(nl, 0, sizeof(nl));
++       nl[0].n_name = xstrdup(s);
++       nl[1].n_name = NULL;
++       if ((r = nlist(path, nl)) == -1) {
++               error("%s: nlist failed for %s", __func__, path);
++               goto out;
++       }
++       if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
++               error("%s: library %s does not contain symbol %s", __func__, path, s);
++               goto out;
++       }
++       /* success */
++       ret = 0;
++ out:
++       free(nl[0].n_name);
++       return ret;
++#else /* HAVE_NLIST_H */
++       int fd, ret = -1;
++       struct stat st;
++       void *m = NULL;
++       size_t sz = 0;
++
++       memset(&st, 0, sizeof(st));
++       if ((fd = open(path, O_RDONLY)) < 0) {
++               error("%s: open %s: %s", __func__, path, strerror(errno));
++               return -1;
++       }
++       if (fstat(fd, &st) != 0) {
++               error("%s: fstat %s: %s", __func__, path, strerror(errno));
++               goto out;
++       }
++       if (!S_ISREG(st.st_mode)) {
++               error("%s: %s is not a regular file", __func__, path);
++               goto out;
++       }
++       if (st.st_size < 0 ||
++           (size_t)st.st_size < strlen(s) ||
++           st.st_size >= INT_MAX/2) {
++               error("%s: %s bad size %lld", __func__, path, (long long)st.st_size);
++               goto out;
++       }
++       sz = (size_t)st.st_size;
++       if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
++           m == NULL) {
++               error("%s: mmap %s: %s", __func__, path, strerror(errno));
++               goto out;
++       }
++       if (memmem(m, sz, s, strlen(s)) == NULL) {
++               error("%s: %s does not contain expected string %s", __func__, path, s);
++               goto out;
++       }
++       /* success */
++       ret = 0;
++ out:
++       if (m != NULL && m != MAP_FAILED)
++               munmap(m, sz);
++       close(fd);
++       return ret;
++#endif /* HAVE_NLIST_H */
++}
+diff --git a/misc.h b/misc.h
+index 4a05db2..3f9f4db 100644
+--- a/misc.h
++++ b/misc.h
+@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *);
+ int     parse_absolute_time(const char *, uint64_t *);
+ void    format_absolute_time(uint64_t, char *, size_t);
+ int     path_absolute(const char *);
++int     lib_contains_symbol(const char *, const char *);
+
+ void    sock_set_v6only(int);
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index b56a41b..639a6f7 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin,
+                    __func__, provider_id);
+                goto fail;
+        }
++       if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
++               error("provider %s is not a PKCS11 library", provider_id);
++               goto fail;
++       }
+        /* open shared pkcs11-library */
+        if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+                error("dlopen %s failed: %s", provider_id, dlerror());
+diff --git a/ssh-sk.c b/ssh-sk.c
+index 5ff9381..9df12cc 100644
+--- a/ssh-sk.c
++++ b/ssh-sk.c
+@@ -119,10 +119,12 @@ sshsk_open(const char *path)
+ #endif
+                return ret;
+        }
+-       if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
+-               error("Provider \"%s\" dlopen failed: %s", path, dlerror());
++       if (lib_contains_symbol(path, "sk_api_version") != 0) {
++               error("provider %s is not an OpenSSH FIDO library", path);
+                goto fail;
+        }
++       if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
++               fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
+        if ((ret->sk_api_version = dlsym(ret->dlhandle,
+            "sk_api_version")) == NULL) {
+                error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
new file mode 100644
index 0000000000..5e8040c9bf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
@@ -0,0 +1,34 @@
+From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH 04/12] upstream: terminate process if requested to load a
+ PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 639a6f7..7530acc 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1508,10 +1508,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+                error("dlopen %s failed: %s", provider_id, dlerror());
+                goto fail;
+        }
+-       if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+-               error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+-               goto fail;
+-       }
++       if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++               fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+        p = xcalloc(1, sizeof(*p));
+        p->name = xstrdup(provider_id);
+        p->handle = handle;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
new file mode 100644
index 0000000000..0ddbdc68d4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
@@ -0,0 +1,194 @@
+From a6cee3905edf070c0de135d3f2ee5b74da1dbd28 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 May 2020 01:26:58 +0000
+Subject: [PATCH 05/12] upstream: Restrict ssh-agent from signing web
+ challenges for FIDO
+
+keys.
+
+When signing messages in ssh-agent using a FIDO key that has an
+application string that does not start with "ssh:", ensure that the
+message being signed is one of the forms expected for the SSH protocol
+(currently pubkey authentication and sshsig signatures).
+
+This prevents ssh-agent forwarding on a host that has FIDO keys
+attached granting the ability for the remote side to sign challenges
+for web authentication using those keys too.
+
+Note that the converse case of web browsers signing SSH challenges is
+already precluded because no web RP can have the "ssh:" prefix in the
+application string that we require.
+
+ok markus@
+
+OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0c111eb84efba7c2a38b2cc3278901a0123161b9]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 100 insertions(+), 10 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index ceb348c..1794f35 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -77,6 +77,7 @@
+
+ #include "xmalloc.h"
+ #include "ssh.h"
++#include "ssh2.h"
+ #include "sshbuf.h"
+ #include "sshkey.h"
+ #include "authfd.h"
+@@ -167,6 +168,9 @@ static long lifetime = 0;
+
+ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+
++/* Refuse signing of non-SSH messages for web-origin FIDO keys */
++static int restrict_websafe = 1;
++
+ static void
+ close_socket(SocketEntry *e)
+ {
+@@ -282,6 +286,80 @@ agent_decode_alg(struct sshkey *key, u_int flags)
+        return NULL;
+ }
+
++/*
++ * This function inspects a message to be signed by a FIDO key that has a
++ * web-like application string (i.e. one that does not begin with "ssh:".
++ * It checks that the message is one of those expected for SSH operations
++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
++ * for the web.
++ */
++static int
++check_websafe_message_contents(struct sshkey *key,
++    const u_char *msg, size_t len)
++{
++       int matched = 0;
++       struct sshbuf *b;
++       u_char m, n;
++       char *cp1 = NULL, *cp2 = NULL;
++       int r;
++       struct sshkey *mkey = NULL;
++
++       if ((b = sshbuf_from(msg, len)) == NULL)
++               fatal("%s: sshbuf_new", __func__);
++
++       /* SSH userauth request */
++       if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
++           (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
++           (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
++           (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
++           (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
++           (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
++           (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
++           (r = sshkey_froms(b, &mkey)) == 0 && /* key */
++           sshbuf_len(b) == 0) {
++               debug("%s: parsed userauth", __func__);
++               if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
++                   strcmp(cp1, "ssh-connection") == 0 &&
++                   strcmp(cp2, "publickey") == 0 &&
++                   sshkey_equal(key, mkey)) {
++                       debug("%s: well formed userauth", __func__);
++                       matched = 1;
++               }
++       }
++       free(cp1);
++       free(cp2);
++       sshkey_free(mkey);
++       sshbuf_free(b);
++       if (matched)
++               return 1;
++
++       if ((b = sshbuf_from(msg, len)) == NULL)
++               fatal("%s: sshbuf_new", __func__);
++       cp1 = cp2 = NULL;
++       mkey = NULL;
++
++       /* SSHSIG */
++       if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
++           (r = sshbuf_consume(b, 6)) == 0 &&
++           (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
++           (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
++           (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
++           (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
++           sshbuf_len(b) == 0) {
++               debug("%s: parsed sshsig", __func__);
++               matched = 1;
++       }
++
++       sshbuf_free(b);
++       if (matched)
++               return 1;
++
++       /* XXX CA signature operation */
++
++       error("web-origin key attempting to sign non-SSH message");
++       return 0;
++}
++
+ /* ssh2 only */
+ static void
+ process_sign_request2(SocketEntry *e)
+@@ -314,14 +392,20 @@ process_sign_request2(SocketEntry *e)
+                verbose("%s: user refused key", __func__);
+                goto send;
+        }
+-       if (sshkey_is_sk(id->key) &&
+-           (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+-               if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+-                   SSH_FP_DEFAULT)) == NULL)
+-                       fatal("%s: fingerprint failed", __func__);
+-               notifier = notify_start(0,
+-                   "Confirm user presence for key %s %s",
+-                   sshkey_type(id->key), fp);
++       if (sshkey_is_sk(id->key)) {
++               if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
++                   !check_websafe_message_contents(key, data, dlen)) {
++                       /* error already logged */
++                       goto send;
++               }
++               if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
++                       if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
++                           SSH_FP_DEFAULT)) == NULL)
++                               fatal("%s: fingerprint failed", __func__);
++                       notifier = notify_start(0,
++                           "Confirm user presence for key %s %s",
++                           sshkey_type(id->key), fp);
++               }
+        }
+        if ((r = sshkey_sign(id->key, &signature, &slen,
+            data, dlen, agent_decode_alg(key, flags),
+@@ -1214,7 +1298,7 @@ main(int ac, char **av)
+        __progname = ssh_get_progname(av[0]);
+        seed_rng();
+
+-       while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
++       while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
+                switch (ch) {
+                case 'E':
+                        fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -1229,6 +1313,12 @@ main(int ac, char **av)
+                case 'k':
+                        k_flag++;
+                        break;
++               case 'O':
++                       if (strcmp(optarg, "no-restrict-websafe") == 0)
++                               restrict_websafe  = 0;
++                       else
++                               fatal("Unknown -O option");
++                       break;
+                case 'P':
+                        if (provider_whitelist != NULL)
+                                fatal("-P option already specified");
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
new file mode 100644
index 0000000000..ac494aab0b
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
@@ -0,0 +1,73 @@
+From a5d845b7b42861d18f43e83de9f24c7374d1b458 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 08:16:38 +0000
+Subject: [PATCH 06/12] upstream: handle multiple messages in a single read()
+
+PR#183 by Dennis Kaarsemaker; feedback and ok markus@
+
+OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/52a03e9fca2d74eef953ddd4709250f365ca3975]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 1794f35..78f7268 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -853,8 +853,10 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
+-/* dispatch incoming messages */
+-
++/*
++ * dispatch incoming message.
++ * returns 1 on success, 0 for incomplete messages or -1 on error.
++ */
+ static int
+ process_message(u_int socknum)
+ {
+@@ -908,7 +910,7 @@ process_message(u_int socknum)
+                        /* send a fail message for all other request types */
+                        send_status(e, 0);
+                }
+-               return 0;
++               return 1;
+        }
+
+        switch (type) {
+@@ -952,7 +954,7 @@ process_message(u_int socknum)
+                send_status(e, 0);
+                break;
+        }
+-       return 0;
++       return 1;
+ }
+
+ static void
+@@ -1043,7 +1045,12 @@ handle_conn_read(u_int socknum)
+        if ((r = sshbuf_put(sockets[socknum].input, buf, len)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        explicit_bzero(buf, sizeof(buf));
+-       process_message(socknum);
++       for (;;) {
++               if ((r = process_message(socknum)) == -1)
++                       return -1;
++               else if (r == 0)
++                       break;
++       }
+        return 0;
+ }
+
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
new file mode 100644
index 0000000000..0dcf23ae17
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
@@ -0,0 +1,125 @@
+From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:47:47 +0000
+Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent
+ sockets table;
+
+also clear socket entries that are being marked as unused.
+
+spinkle in some debug2() spam to make it easier to watch an agent
+do its thing.
+
+ok markus
+
+OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 78f7268..2635bc5 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -175,11 +175,12 @@ static void
+ close_socket(SocketEntry *e)
+ {
+        close(e->fd);
+-       e->fd = -1;
+-       e->type = AUTH_UNUSED;
+        sshbuf_free(e->input);
+        sshbuf_free(e->output);
+        sshbuf_free(e->request);
++       memset(e, '\0', sizeof(*e));
++       e->fd = -1;
++       e->type = AUTH_UNUSED;
+ }
+
+ static void
+@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e)
+        struct sshbuf *msg;
+        int r;
+
++       debug2("%s: entering", __func__);
++
+        if ((msg = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new failed", __func__);
+        if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 ||
+@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e)
+        struct sshkey *key = NULL;
+        Identity *id;
+
++       debug2("%s: entering", __func__);
+        if ((r = sshkey_froms(e->request, &key)) != 0) {
+                error("%s: get key: %s", __func__, ssh_err(r));
+                goto done;
+@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e)
+ {
+        Identity *id;
+
++       debug2("%s: entering", __func__);
+        /* Loop over all identities and clear the keys. */
+        for (id = TAILQ_FIRST(&idtab->idlist); id;
+            id = TAILQ_FIRST(&idtab->idlist)) {
+@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e)
+        u_char ctype;
+        int r = SSH_ERR_INTERNAL_ERROR;
+
++       debug2("%s: entering", __func__);
+        if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
+            k == NULL ||
+            (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
+@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
+        static u_int fail_count = 0;
+        size_t pwlen;
+
++       debug2("%s: entering", __func__);
+        /*
+         * This is deliberately fatal: the user has requested that we lock,
+         * but we can't parse their request properly. The only safe thing to
+@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e)
+        struct sshkey **keys = NULL, *k;
+        Identity *id;
+
++       debug2("%s: entering", __func__);
+        if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+            (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+                error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e)
+        int r, success = 0;
+        Identity *id, *nxt;
+
++       debug2("%s: entering", __func__);
+        if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+            (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+                error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd)
+ {
+        u_int i, old_alloc, new_alloc;
+
++       debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" :
++           (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+        set_nonblock(fd);
+
+        if (fd > max_fd)
+@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd)
+                }
+        old_alloc = sockets_alloc;
+        new_alloc = sockets_alloc + 10;
+-       sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0]));
++       sockets = xrecallocarray(sockets, old_alloc, new_alloc,
++           sizeof(sockets[0]));
+        for (i = old_alloc; i < new_alloc; i++)
+                sockets[i].type = AUTH_UNUSED;
+        sockets_alloc = new_alloc;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
new file mode 100644
index 0000000000..141c8113bf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
@@ -0,0 +1,315 @@
+From c30158ea225cf8ad67c3dcc88fa9e4afbf8959a7 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:53:31 +0000
+Subject: [PATCH 08/12] upstream: more ssh-agent refactoring
+
+Allow confirm_key() to accept an additional reason suffix
+
+Factor publickey userauth parsing out into its own function and allow
+it to optionally return things it parsed out of the message to its
+caller.
+
+feedback/ok markus@
+
+OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/e0e8bee8024fa9e31974244d14f03d799e5c0775]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 197 ++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 130 insertions(+), 67 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 2635bc5..7ad323c 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -216,15 +216,16 @@ lookup_identity(struct sshkey *key)
+
+ /* Check confirmation of keysign request */
+ static int
+-confirm_key(Identity *id)
++confirm_key(Identity *id, const char *extra)
+ {
+        char *p;
+        int ret = -1;
+
+        p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
+        if (p != NULL &&
+-           ask_permission("Allow use of key %s?\nKey fingerprint %s.",
+-           id->comment, p))
++           ask_permission("Allow use of key %s?\nKey fingerprint %s.%s%s",
++           id->comment, p,
++           extra == NULL ? "" : "\n", extra == NULL ? "" : extra))
+                ret = 0;
+        free(p);
+
+@@ -290,74 +291,133 @@ agent_decode_alg(struct sshkey *key, u_int flags)
+ }
+
+ /*
+- * This function inspects a message to be signed by a FIDO key that has a
+- * web-like application string (i.e. one that does not begin with "ssh:".
+- * It checks that the message is one of those expected for SSH operations
+- * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
+- * for the web.
++ * Attempt to parse the contents of a buffer as a SSH publickey userauth
++ * request, checking its contents for consistency and matching the embedded
++ * key against the one that is being used for signing.
++ * Note: does not modify msg buffer.
++ * Optionally extract the username and session ID from the request.
+  */
+ static int
+-check_websafe_message_contents(struct sshkey *key,
+-    const u_char *msg, size_t len)
++parse_userauth_request(struct sshbuf *msg, const struct sshkey *expected_key,
++    char **userp, struct sshbuf **sess_idp)
+ {
+-       int matched = 0;
+-       struct sshbuf *b;
+-       u_char m, n;
+-       char *cp1 = NULL, *cp2 = NULL;
++       struct sshbuf *b = NULL, *sess_id = NULL;
++       char *user = NULL, *service = NULL, *method = NULL, *pkalg = NULL;
+        int r;
++       u_char t, sig_follows;
+        struct sshkey *mkey = NULL;
+
+-       if ((b = sshbuf_from(msg, len)) == NULL)
+-               fatal("%s: sshbuf_new", __func__);
++       if (userp != NULL)
++               *userp = NULL;
++       if (sess_idp != NULL)
++               *sess_idp = NULL;
++       if ((b = sshbuf_fromb(msg)) == NULL)
++               fatal("%s: sshbuf_fromb", __func__);
+
+        /* SSH userauth request */
+-       if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
+-           (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
+-           (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
+-           (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
+-           (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
+-           (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
+-           (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
+-           (r = sshkey_froms(b, &mkey)) == 0 && /* key */
+-           sshbuf_len(b) == 0) {
+-               debug("%s: parsed userauth", __func__);
+-               if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
+-                   strcmp(cp1, "ssh-connection") == 0 &&
+-                   strcmp(cp2, "publickey") == 0 &&
+-                   sshkey_equal(key, mkey)) {
+-                       debug("%s: well formed userauth", __func__);
+-                       matched = 1;
+-               }
++       if ((r = sshbuf_froms(b, &sess_id)) != 0)
++               goto out;
++       if (sshbuf_len(sess_id) == 0) {
++               r = SSH_ERR_INVALID_FORMAT;
++               goto out;
+        }
+-       free(cp1);
+-       free(cp2);
+-       sshkey_free(mkey);
++       if ((r = sshbuf_get_u8(b, &t)) != 0 || /* SSH2_MSG_USERAUTH_REQUEST */
++           (r = sshbuf_get_cstring(b, &user, NULL)) != 0 || /* server user */
++           (r = sshbuf_get_cstring(b, &service, NULL)) != 0 || /* service */
++           (r = sshbuf_get_cstring(b, &method, NULL)) != 0 || /* method */
++           (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */
++           (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 || /* alg */
++           (r = sshkey_froms(b, &mkey)) != 0) /* key */
++               goto out;
++       if (t != SSH2_MSG_USERAUTH_REQUEST ||
++           sig_follows != 1 ||
++           strcmp(service, "ssh-connection") != 0 ||
++           !sshkey_equal(expected_key, mkey) ||
++           sshkey_type_from_name(pkalg) != expected_key->type) {
++               r = SSH_ERR_INVALID_FORMAT;
++               goto out;
++       }
++       if (strcmp(method, "publickey") != 0) {
++               r = SSH_ERR_INVALID_FORMAT;
++               goto out;
++       }
++       if (sshbuf_len(b) != 0) {
++               r = SSH_ERR_INVALID_FORMAT;
++               goto out;
++       }
++       /* success */
++       r = 0;
++       debug("%s: well formed userauth", __func__);
++       if (userp != NULL) {
++               *userp = user;
++               user = NULL;
++       }
++       if (sess_idp != NULL) {
++               *sess_idp = sess_id;
++               sess_id = NULL;
++       }
++ out:
+        sshbuf_free(b);
+-       if (matched)
+-               return 1;
++       sshbuf_free(sess_id);
++       free(user);
++       free(service);
++       free(method);
++       free(pkalg);
++       sshkey_free(mkey);
++       return r;
++}
+
+-       if ((b = sshbuf_from(msg, len)) == NULL)
+-               fatal("%s: sshbuf_new", __func__);
+-       cp1 = cp2 = NULL;
+-       mkey = NULL;
+-
+-       /* SSHSIG */
+-       if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
+-           (r = sshbuf_consume(b, 6)) == 0 &&
+-           (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
+-           (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
+-           (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
+-           (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
+-           sshbuf_len(b) == 0) {
+-               debug("%s: parsed sshsig", __func__);
+-               matched = 1;
+-       }
++/*
++ * Attempt to parse the contents of a buffer as a SSHSIG signature request.
++ * Note: does not modify buffer.
++ */
++static int
++parse_sshsig_request(struct sshbuf *msg)
++{
++       int r;
++       struct sshbuf *b;
+
++       if ((b = sshbuf_fromb(msg)) == NULL)
++               fatal("%s: sshbuf_fromb", __func__);
++
++       if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) != 0 ||
++           (r = sshbuf_consume(b, 6)) != 0 ||
++           (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* namespace */
++           (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || /* reserved */
++           (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* hashalg */
++           (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0) /* H(msg) */
++               goto out;
++       if (sshbuf_len(b) != 0) {
++               r = SSH_ERR_INVALID_FORMAT;
++               goto out;
++       }
++       /* success */
++       r = 0;
++ out:
+        sshbuf_free(b);
+-       if (matched)
++       return r;
++}
++
++/*
++ * This function inspects a message to be signed by a FIDO key that has a
++ * web-like application string (i.e. one that does not begin with "ssh:".
++ * It checks that the message is one of those expected for SSH operations
++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
++ * for the web.
++ */
++static int
++check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
++{
++       if (parse_userauth_request(data, key, NULL, NULL) == 0) {
++               debug("%s: signed data matches public key userauth request", __func__);
+                return 1;
++       }
++       if (parse_sshsig_request(data) == 0) {
++               debug("%s: signed data matches SSHSIG signature request", __func__);
++               return 1;
++       }
+
+-       /* XXX CA signature operation */
++       /* XXX check CA signature operation */
+
+        error("web-origin key attempting to sign non-SSH message");
+        return 0;
+@@ -367,21 +427,22 @@ check_websafe_message_contents(struct sshkey *key,
+ static void
+ process_sign_request2(SocketEntry *e)
+ {
+-       const u_char *data;
+        u_char *signature = NULL;
+-       size_t dlen, slen = 0;
++       size_t i, slen = 0;
+        u_int compat = 0, flags;
+        int r, ok = -1;
+        char *fp = NULL;
+-       struct sshbuf *msg;
++       struct sshbuf *msg = NULL, *data = NULL;
+        struct sshkey *key = NULL;
+        struct identity *id;
+        struct notifier_ctx *notifier = NULL;
+
+-       if ((msg = sshbuf_new()) == NULL)
++       debug("%s: entering", __func__);
++
++       if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new failed", __func__);
+        if ((r = sshkey_froms(e->request, &key)) != 0 ||
+-           (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 ||
++           (r = sshbuf_get_stringb(e->request, data)) != 0 ||
+            (r = sshbuf_get_u32(e->request, &flags)) != 0) {
+                error("%s: couldn't parse request: %s", __func__, ssh_err(r));
+                goto send;
+@@ -391,13 +452,13 @@ process_sign_request2(SocketEntry *e)
+                verbose("%s: %s key not found", __func__, sshkey_type(key));
+                goto send;
+        }
+-       if (id->confirm && confirm_key(id) != 0) {
++       if (id->confirm && confirm_key(id, NULL) != 0) {
+                verbose("%s: user refused key", __func__);
+                goto send;
+        }
+        if (sshkey_is_sk(id->key)) {
+                if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
+-                   !check_websafe_message_contents(key, data, dlen)) {
++                   !check_websafe_message_contents(key, data)) {
+                        /* error already logged */
+                        goto send;
+                }
+@@ -411,7 +472,7 @@ process_sign_request2(SocketEntry *e)
+                }
+        }
+        if ((r = sshkey_sign(id->key, &signature, &slen,
+-           data, dlen, agent_decode_alg(key, flags),
++           sshbuf_ptr(data), sshbuf_len(data), agent_decode_alg(key, flags),
+            id->sk_provider, compat)) != 0) {
+                error("%s: sshkey_sign: %s", __func__, ssh_err(r));
+                goto send;
+@@ -420,8 +481,7 @@ process_sign_request2(SocketEntry *e)
+        ok = 0;
+  send:
+        notify_complete(notifier);
+-       sshkey_free(key);
+-       free(fp);
++
+        if (ok == 0) {
+                if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 ||
+                    (r = sshbuf_put_string(msg, signature, slen)) != 0)
+@@ -432,7 +492,10 @@ process_sign_request2(SocketEntry *e)
+        if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
++       sshbuf_free(data);
+        sshbuf_free(msg);
++       sshkey_free(key);
++       free(fp);
+        free(signature);
+ }
+
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
new file mode 100644
index 0000000000..b519ccce42
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
@@ -0,0 +1,38 @@
+From 7adba46611e5d076d7d12d9f4162dd4cabd5ff50 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:28:10 +0000
+Subject: [PATCH 09/12] upstream: give typedef'd struct a struct name; makes
+ the fuzzer I'm
+
+writing a bit easier
+
+OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8afaa7d7918419d3da6c0477b83db2159879cb33]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7ad323c..c99927c 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -108,7 +108,7 @@ typedef enum {
+        AUTH_CONNECTION
+ } sock_type;
+
+-typedef struct {
++typedef struct socket_entry {
+        int fd;
+        sock_type type;
+        struct sshbuf *input;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
new file mode 100644
index 0000000000..27b2eadfae
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
@@ -0,0 +1,39 @@
+From 343e2a2c0ef754a7a86118016b248f7a73f8d510 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:29:46 +0000
+Subject: [PATCH 10/12] upstream: fix the values of enum sock_type
+
+OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1a4b92758690faa12f49079dd3b72567f909466d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index c99927c..7f1e14b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -103,9 +103,9 @@
+ #define AGENT_RBUF_LEN (4096)
+
+ typedef enum {
+-       AUTH_UNUSED,
+-       AUTH_SOCKET,
+-       AUTH_CONNECTION
++       AUTH_UNUSED = 0,
++       AUTH_SOCKET = 1,
++       AUTH_CONNECTION = 2,
+ } sock_type;
+
+ typedef struct socket_entry {
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
new file mode 100644
index 0000000000..c300393ebf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
@@ -0,0 +1,307 @@
+From 2b3b369c8cf71f9ef5942a5e074e6f86e7ca1e0c Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 19 Dec 2021 22:09:23 +0000
+Subject: [PATCH 11/12] upstream: ssh-agent side of binding
+
+record session ID/hostkey/forwarding status for each active socket.
+
+Attempt to parse data-to-be-signed at signature request time and extract
+session ID from the blob if it is a pubkey userauth request.
+
+ok markus@
+
+OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/4c1e3ce85e183a9d0c955c88589fed18e4d6a058]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ authfd.h    |   3 +
+ ssh-agent.c | 175 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 170 insertions(+), 8 deletions(-)
+
+diff --git a/authfd.h b/authfd.h
+index c3bf625..9cc9807 100644
+--- a/authfd.h
++++ b/authfd.h
+@@ -76,6 +76,9 @@ int   ssh_agent_sign(int sock, const struct sshkey *key,
+ #define SSH2_AGENTC_ADD_ID_CONSTRAINED         25
+ #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
+
++/* generic extension mechanism */
++#define SSH_AGENTC_EXTENSION                   27
++
+ #define        SSH_AGENT_CONSTRAIN_LIFETIME            1
+ #define        SSH_AGENT_CONSTRAIN_CONFIRM             2
+ #define        SSH_AGENT_CONSTRAIN_MAXSIGN             3
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7f1e14b..01c7f2b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -98,9 +98,15 @@
+ #endif
+
+ /* Maximum accepted message length */
+-#define AGENT_MAX_LEN  (256*1024)
++#define AGENT_MAX_LEN          (256*1024)
+ /* Maximum bytes to read from client socket */
+-#define AGENT_RBUF_LEN (4096)
++#define AGENT_RBUF_LEN         (4096)
++/* Maximum number of recorded session IDs/hostkeys per connection */
++#define AGENT_MAX_SESSION_IDS          16
++/* Maximum size of session ID */
++#define AGENT_MAX_SID_LEN              128
++
++/* XXX store hostkey_sid in a refcounted tree */
+
+ typedef enum {
+        AUTH_UNUSED = 0,
+@@ -108,12 +114,20 @@ typedef enum {
+        AUTH_CONNECTION = 2,
+ } sock_type;
+
++struct hostkey_sid {
++       struct sshkey *key;
++       struct sshbuf *sid;
++       int forwarded;
++};
++
+ typedef struct socket_entry {
+        int fd;
+        sock_type type;
+        struct sshbuf *input;
+        struct sshbuf *output;
+        struct sshbuf *request;
++       size_t nsession_ids;
++       struct hostkey_sid *session_ids;
+ } SocketEntry;
+
+ u_int sockets_alloc = 0;
+@@ -174,10 +188,17 @@ static int restrict_websafe = 1;
+ static void
+ close_socket(SocketEntry *e)
+ {
++       size_t i;
++
+        close(e->fd);
+        sshbuf_free(e->input);
+        sshbuf_free(e->output);
+        sshbuf_free(e->request);
++       for (i = 0; i < e->nsession_ids; i++) {
++               sshkey_free(e->session_ids[i].key);
++               sshbuf_free(e->session_ids[i].sid);
++       }
++       free(e->session_ids);
+        memset(e, '\0', sizeof(*e));
+        e->fd = -1;
+        e->type = AUTH_UNUSED;
+@@ -423,6 +444,18 @@ check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
+        return 0;
+ }
+
++static int
++buf_equal(const struct sshbuf *a, const struct sshbuf *b)
++{
++       if (sshbuf_ptr(a) == NULL || sshbuf_ptr(b) == NULL)
++               return SSH_ERR_INVALID_ARGUMENT;
++       if (sshbuf_len(a) != sshbuf_len(b))
++               return SSH_ERR_INVALID_FORMAT;
++       if (timingsafe_bcmp(sshbuf_ptr(a), sshbuf_ptr(b), sshbuf_len(a)) != 0)
++               return SSH_ERR_INVALID_FORMAT;
++       return 0;
++}
++
+ /* ssh2 only */
+ static void
+ process_sign_request2(SocketEntry *e)
+@@ -431,8 +464,8 @@ process_sign_request2(SocketEntry *e)
+        size_t i, slen = 0;
+        u_int compat = 0, flags;
+        int r, ok = -1;
+-       char *fp = NULL;
+-       struct sshbuf *msg = NULL, *data = NULL;
++       char *fp = NULL, *user = NULL, *sig_dest = NULL;
++       struct sshbuf *msg = NULL, *data = NULL, *sid = NULL;
+        struct sshkey *key = NULL;
+        struct identity *id;
+        struct notifier_ctx *notifier = NULL;
+@@ -452,7 +485,33 @@ process_sign_request2(SocketEntry *e)
+                verbose("%s: %s key not found", __func__, sshkey_type(key));
+                goto send;
+        }
+-       if (id->confirm && confirm_key(id, NULL) != 0) {
++       /*
++        * If session IDs were recorded for this socket, then use them to
++        * annotate the confirmation messages with the host keys.
++        */
++       if (e->nsession_ids > 0 &&
++           parse_userauth_request(data, key, &user, &sid) == 0) {
++               /*
++                * session ID from userauth request should match the final
++                * ID in the list recorded in the socket, unless the ssh
++                * client at that point lacks the binding extension (or if
++                * an attacker is trying to steal use of the agent).
++                */
++               i = e->nsession_ids - 1;
++               if (buf_equal(sid, e->session_ids[i].sid) == 0) {
++                       if ((fp = sshkey_fingerprint(e->session_ids[i].key,
++                           SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
++                               fatal("%s: fingerprint failed", __func__);
++                       debug3("%s: destination %s %s (slot %zu)", __func__,
++                           sshkey_type(e->session_ids[i].key), fp, i);
++                       xasprintf(&sig_dest, "public key request for "
++                           "target user \"%s\" to %s %s", user,
++                           sshkey_type(e->session_ids[i].key), fp);
++                       free(fp);
++                       fp = NULL;
++               }
++       }//
++       if (id->confirm && confirm_key(id, sig_dest) != 0) {
+                verbose("%s: user refused key", __func__);
+                goto send;
+        }
+@@ -467,8 +526,10 @@ process_sign_request2(SocketEntry *e)
+                            SSH_FP_DEFAULT)) == NULL)
+                                fatal("%s: fingerprint failed", __func__);
+                        notifier = notify_start(0,
+-                           "Confirm user presence for key %s %s",
+-                           sshkey_type(id->key), fp);
++                           "Confirm user presence for key %s %s%s%s",
++                           sshkey_type(id->key), fp,
++                           sig_dest == NULL ? "" : "\n",
++                           sig_dest == NULL ? "" : sig_dest);
+                }
+        }
+        if ((r = sshkey_sign(id->key, &signature, &slen,
+@@ -492,11 +553,14 @@ process_sign_request2(SocketEntry *e)
+        if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
++       sshbuf_free(sid);
+        sshbuf_free(data);
+        sshbuf_free(msg);
+        sshkey_free(key);
+        free(fp);
+        free(signature);
++       free(sig_dest);
++       free(user);
+ }
+
+ /* shared */
+@@ -925,6 +989,98 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
++static int
++process_ext_session_bind(SocketEntry *e)
++{
++       int r, sid_match, key_match;
++       struct sshkey *key = NULL;
++       struct sshbuf *sid = NULL, *sig = NULL;
++       char *fp = NULL;
++       u_char fwd;
++       size_t i;
++
++       debug2("%s: entering", __func__);
++       if ((r = sshkey_froms(e->request, &key)) != 0 ||
++           (r = sshbuf_froms(e->request, &sid)) != 0 ||
++           (r = sshbuf_froms(e->request, &sig)) != 0 ||
++           (r = sshbuf_get_u8(e->request, &fwd)) != 0) {
++               error("%s: parse: %s", __func__, ssh_err(r));
++               goto out;
++       }
++       if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
++           SSH_FP_DEFAULT)) == NULL)
++               fatal("%s: fingerprint failed", __func__);
++       /* check signature with hostkey on session ID */
++       if ((r = sshkey_verify(key, sshbuf_ptr(sig), sshbuf_len(sig),
++           sshbuf_ptr(sid), sshbuf_len(sid), NULL, 0, NULL)) != 0) {
++               error("%s: sshkey_verify for %s %s: %s", __func__, sshkey_type(key), fp, ssh_err(r));
++               goto out;
++       }
++       /* check whether sid/key already recorded */
++       for (i = 0; i < e->nsession_ids; i++) {
++               sid_match = buf_equal(sid, e->session_ids[i].sid) == 0;
++               key_match = sshkey_equal(key, e->session_ids[i].key);
++               if (sid_match && key_match) {
++                       debug("%s: session ID already recorded for %s %s", __func__,
++                           sshkey_type(key), fp);
++                       r = 0;
++                       goto out;
++               } else if (sid_match) {
++                       error("%s: session ID recorded against different key "
++                           "for %s %s", __func__, sshkey_type(key), fp);
++                       r = -1;
++                       goto out;
++               }
++               /*
++                * new sid with previously-seen key can happen, e.g. multiple
++                * connections to the same host.
++                */
++       }
++       /* record new key/sid */
++       if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
++               error("%s: too many session IDs recorded", __func__);
++               goto out;
++       }
++       e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
++           e->nsession_ids + 1, sizeof(*e->session_ids));
++       i = e->nsession_ids++;
++       debug("%s: recorded %s %s (slot %zu of %d)", __func__, sshkey_type(key), fp, i,
++           AGENT_MAX_SESSION_IDS);
++       e->session_ids[i].key = key;
++       e->session_ids[i].forwarded = fwd != 0;
++       key = NULL; /* transferred */
++       /* can't transfer sid; it's refcounted and scoped to request's life */
++       if ((e->session_ids[i].sid = sshbuf_new()) == NULL)
++               fatal("%s: sshbuf_new", __func__);
++       if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0)
++               fatal("%s: sshbuf_putb session ID: %s", __func__, ssh_err(r));
++       /* success */
++       r = 0;
++ out:
++       sshkey_free(key);
++       sshbuf_free(sid);
++       sshbuf_free(sig);
++       return r == 0 ? 1 : 0;
++}
++
++static void
++process_extension(SocketEntry *e)
++{
++       int r, success = 0;
++       char *name;
++
++       debug2("%s: entering", __func__);
++       if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) {
++               error("%s: parse: %s", __func__, ssh_err(r));
++               goto send;
++       }
++       if (strcmp(name, "session-bind@openssh.com") == 0)
++               success = process_ext_session_bind(e);
++       else
++               debug("%s: unsupported extension \"%s\"", __func__, name);
++send:
++       send_status(e, success);
++}
+ /*
+  * dispatch incoming message.
+  * returns 1 on success, 0 for incomplete messages or -1 on error.
+@@ -1019,6 +1175,9 @@ process_message(u_int socknum)
+                process_remove_smartcard_key(e);
+                break;
+ #endif /* ENABLE_PKCS11 */
++       case SSH_AGENTC_EXTENSION:
++               process_extension(e);
++               break;
+        default:
+                /* Unknown message.  Respond with failure. */
+                error("Unknown message %d", type);
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
new file mode 100644
index 0000000000..934775bdec
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
@@ -0,0 +1,120 @@
+From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:56:33 +0000
+Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11
+ provider libraries to ssh-agent by default.
+
+The old behaviour of allowing remote clients from loading providers
+can be restored using `ssh-agent -O allow-remote-pkcs11`.
+
+Detection of local/remote clients requires a ssh(1) that supports
+the `session-bind@openssh.com` extension. Forwarding access to a
+ssh-agent socket using non-OpenSSH tools may circumvent this control.
+
+ok markus@
+
+OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.1 | 20 ++++++++++++++++++++
+ ssh-agent.c | 26 ++++++++++++++++++++++++--
+ 2 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index fff0db6..a0f1e21 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -97,6 +97,26 @@ The default is
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
++Currently two options are supported:
++.Cm allow-remote-pkcs11
++and
++.Pp
++The
++.Cm allow-remote-pkcs11
++option allows clients of a forwarded
++.Nm
++to load PKCS#11 or FIDO provider libraries.
++By default only local clients may perform this operation.
++Note that signalling that a
++.Nm
++client remote is performed by
++.Xr ssh 1 ,
++and use of other tools to forward access to the agent socket may circumvent
++this restriction.
++.Pp
++The
++.Cm no-restrict-websafe ,
++instructs
+ .It Fl P Ar provider_whitelist
+ Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
+ shared libraries that may be used with the
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 01c7f2b..40c1b6b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX];
+ /* PKCS#11/Security key path whitelist */
+ static char *provider_whitelist;
+
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+ /* locking */
+ #define LOCK_SIZE      32
+ #define LOCK_SALT_SIZE 16
+@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e)
+                if (strcasecmp(sk_provider, "internal") == 0) {
+                        debug("%s: internal provider", __func__);
+                } else {
++                       if (e->nsession_ids != 0 && !remote_add_provider) {
++                               verbose("failed add of SK provider \"%.100s\": "
++                                   "remote addition of providers is disabled",
++                                   sk_provider);
++                               free(sk_provider);
++                               free(comment);
++                               sshkey_free(k);
++                               goto send;
++                       }
+                        if (realpath(sk_provider, canonical_provider) == NULL) {
+                                verbose("failed provider \"%.100s\": "
+                                    "realpath: %s", sk_provider,
+@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e)
+                        goto send;
+                }
+        }
++       if (e->nsession_ids != 0 && !remote_add_provider) {
++               verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++                   "providers is disabled", provider);
++               goto send;
++       }
+        if (realpath(provider, canonical_provider) == NULL) {
+                verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+                    provider, strerror(errno));
+@@ -1556,7 +1576,9 @@ main(int ac, char **av)
+                        break;
+                case 'O':
+                        if (strcmp(optarg, "no-restrict-websafe") == 0)
+-                               restrict_websafe  = 0;
++                               restrict_websafe = 0;
++                       else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++                               remote_add_provider = 1;
+                        else
+                                fatal("Unknown -O option");
+                        break;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
new file mode 100644
index 0000000000..57c45e3d93
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
@@ -0,0 +1,468 @@
+(modified to not remove ssh_packet_read_expect(), to add to
+KexAlgorithms in sshd.c and sshconnect2.c as this version pre-dates
+kex_proposal_populate_entries(), replace debug*_f() with debug*(),
+error*_f() with error*(), and fatal_f() with fatal())
+
+Backport of:
+
+From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:45:17 +0000
+Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd
+
+This adds a protocol extension to improve the integrity of the SSH
+transport protocol, particular in and around the initial key exchange
+(KEX) phase.
+
+Full details of the extension are in the PROTOCOL file.
+
+with markus@
+
+OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/CVE-2023-48795.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5]
+CVE: CVE-2023-48795
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ PROTOCOL      | 26 +++++++++++++++++
+ kex.c         | 68 +++++++++++++++++++++++++++++++++-----------
+ kex.h         |  1 +
+ packet.c      | 78 ++++++++++++++++++++++++++++++++++++++-------------
+ sshconnect2.c | 14 +++------
+ sshd.c        |  7 +++--
+ 6 files changed, 146 insertions(+), 48 deletions(-)
+
+diff --git a/PROTOCOL b/PROTOCOL
+index f75c1c0..89bddfe 100644
+--- a/PROTOCOL
++++ b/PROTOCOL
+@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key exchange as
+ described at:
+ http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
+ 
++1.9 transport: strict key exchange extension
++
++OpenSSH supports a number of transport-layer hardening measures under
++a "strict KEX" feature. This feature is signalled similarly to the
++RFC8308 ext-info feature: by including a additional algorithm in the
++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
++"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
++may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
++if they are present in subsequent SSH2_MSG_KEXINIT packets.
++
++When an endpoint that supports this extension observes this algorithm
++name in a peer's KEXINIT packet, it MUST make the following changes to
++the the protocol:
++
++a) During initial KEX, terminate the connection if any unexpected or
++   out-of-sequence packet is received. This includes terminating the
++   connection if the first packet received is not SSH2_MSG_KEXINIT.
++   Unexpected packets for the purpose of strict KEX include messages
++   that are otherwise valid at any time during the connection such as
++   SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
++   packet sequence number to zero. This behaviour persists for the
++   duration of the connection (i.e. not just the first
++   SSH2_MSG_NEWKEYS).
++
+ 2. Connection protocol changes
+ 
+ 2.1. connection: Channel write close extension "eow@openssh.com"
+diff --git a/kex.c b/kex.c
+index ce85f04..3129a4e 100644
+--- a/kex.c
++++ b/kex.c
+@@ -63,7 +63,7 @@
+ #include "digest.h"
+ 
+ /* prototype */
+-static int kex_choose_conf(struct ssh *);
++static int kex_choose_conf(struct ssh *, uint32_t seq);
+ static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+ 
+ static const char *proposal_names[PROPOSAL_MAX] = {
+@@ -173,6 +173,18 @@ kex_names_valid(const char *names)
+        return 1;
+ }
+ 
++/* returns non-zero if proposal contains any algorithm from algs */
++static int
++has_any_alg(const char *proposal, const char *algs)
++{
++       char *cp;
++
++       if ((cp = match_list(proposal, algs, NULL)) == NULL)
++               return 0;
++       free(cp);
++       return 1;
++}
++
+ /*
+  * Concatenate algorithm names, avoiding duplicates in the process.
+  * Caller must free returned string.
+@@ -180,7 +192,7 @@ kex_names_valid(const char *names)
+ char *
+ kex_names_cat(const char *a, const char *b)
+ {
+-       char *ret = NULL, *tmp = NULL, *cp, *p, *m;
++       char *ret = NULL, *tmp = NULL, *cp, *p;
+        size_t len;
+ 
+        if (a == NULL || *a == '\0')
+@@ -197,10 +209,8 @@ kex_names_cat(const char *a, const char *b)
+        }
+        strlcpy(ret, a, len);
+        for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
+-               if ((m = match_list(ret, p, NULL)) != NULL) {
+-                       free(m);
++               if (has_any_alg(ret, p))
+                        continue; /* Algorithm already present */
+-               }
+                if (strlcat(ret, ",", len) >= len ||
+                    strlcat(ret, p, len) >= len) {
+                        free(tmp);
+@@ -409,7 +419,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
+ {
+        int r;
+ 
+-       error("kex protocol error: type %d seq %u", type, seq);
++       /* If in strict mode, any unexpected message is an error */
++       if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
++               ssh_packet_disconnect(ssh, "strict KEX violation: "
++                   "unexpected packet type %u (seqnr %u)", type, seq);
++       }
++       error("type %u seq %u", type, seq);
+        if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
+            (r = sshpkt_put_u32(ssh, seq)) != 0 ||
+            (r = sshpkt_send(ssh)) != 0)
+@@ -481,6 +496,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
+        ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
+        if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
+                return r;
++       if (ninfo >= 1024) {
++               error("SSH2_MSG_EXT_INFO with too many entries, expected "
++                   "<=1024, received %u", ninfo);
++               return dispatch_protocol_error(type, seq, ssh);
++       }
+        for (i = 0; i < ninfo; i++) {
+                if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
+                        return r;
+@@ -581,7 +601,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
+                error("%s: no hex", __func__);
+                return SSH_ERR_INTERNAL_ERROR;
+        }
+-       ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
++       ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
+        ptr = sshpkt_ptr(ssh, &dlen);
+        if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+                return r;
+@@ -617,7 +637,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
+        if (!(kex->flags & KEX_INIT_SENT))
+                if ((r = kex_send_kexinit(ssh)) != 0)
+                        return r;
+-       if ((r = kex_choose_conf(ssh)) != 0)
++       if ((r = kex_choose_conf(ssh, seq)) != 0)
+                return r;
+ 
+        if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
+@@ -880,7 +900,13 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
+ }
+ 
+ static int
+-kex_choose_conf(struct ssh *ssh)
++kexalgs_contains(char **peer, const char *ext)
++{
++       return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
++}
++
++static int
++kex_choose_conf(struct ssh *ssh, uint32_t seq)
+ {
+        struct kex *kex = ssh->kex;
+        struct newkeys *newkeys;
+@@ -905,13 +931,23 @@ kex_choose_conf(struct ssh *ssh)
+                sprop=peer;
+        }
+ 
+-       /* Check whether client supports ext_info_c */
+-       if (kex->server && (kex->flags & KEX_INITIAL)) {
+-               char *ext;
+-
+-               ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
+-               kex->ext_info_c = (ext != NULL);
+-               free(ext);
++       /* Check whether peer supports ext_info/kex_strict */
++       if ((kex->flags & KEX_INITIAL) != 0) {
++               if (kex->server) {
++                       kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
++                       kex->kex_strict = kexalgs_contains(peer,
++                           "kex-strict-c-v00@openssh.com");
++               } else {
++                       kex->kex_strict = kexalgs_contains(peer,
++                           "kex-strict-s-v00@openssh.com");
++               }
++               if (kex->kex_strict) {
++                       debug3("will use strict KEX ordering");
++                       if (seq != 0)
++                               ssh_packet_disconnect(ssh,
++                                   "strict KEX violation: "
++                                   "KEXINIT was not the first packet");
++               }
+        }
+ 
+        /* Algorithm Negotiation */
+diff --git a/kex.h b/kex.h
+index a5ae6ac..cae38f7 100644
+--- a/kex.h
++++ b/kex.h
+@@ -145,6 +145,7 @@ struct kex {
+        u_int   kex_type;
+        char    *server_sig_algs;
+        int     ext_info_c;
++       int     kex_strict;
+        struct sshbuf *my;
+        struct sshbuf *peer;
+        struct sshbuf *client_version;
+diff --git a/packet.c b/packet.c
+index 6d3e917..43139f9 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1203,8 +1203,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
+        sshbuf_dump(state->output, stderr);
+ #endif
+        /* increment sequence number for outgoing packets */
+-       if (++state->p_send.seqnr == 0)
++       if (++state->p_send.seqnr == 0) {
++               if ((ssh->kex->flags & KEX_INITIAL) != 0) {
++                       ssh_packet_disconnect(ssh, "outgoing sequence number "
++                           "wrapped during initial key exchange");
++               }
+                logit("outgoing seqnr wraps around");
++       }
+        if (++state->p_send.packets == 0)
+                if (!(ssh->compat & SSH_BUG_NOREKEY))
+                        return SSH_ERR_NEED_REKEY;
+@@ -1212,6 +1217,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
+        state->p_send.bytes += len;
+        sshbuf_reset(state->outgoing_packet);
+ 
++       if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
++               debug("resetting send seqnr %u", state->p_send.seqnr);
++               state->p_send.seqnr = 0;
++       }
++
+        if (type == SSH2_MSG_NEWKEYS)
+                r = ssh_set_newkeys(ssh, MODE_OUT);
+        else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
+@@ -1345,8 +1355,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+        /* Stay in the loop until we have received a complete packet. */
+        for (;;) {
+                /* Try to read a packet from the buffer. */
+-               r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
+-               if (r != 0)
++               if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
+                        break;
+                /* If we got a packet, return it. */
+                if (*typep != SSH_MSG_NONE)
+@@ -1633,10 +1642,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+                if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
+                        goto out;
+        }
++
+        if (seqnr_p != NULL)
+                *seqnr_p = state->p_read.seqnr;
+-       if (++state->p_read.seqnr == 0)
++       if (++state->p_read.seqnr == 0) {
++               if ((ssh->kex->flags & KEX_INITIAL) != 0) {
++                       ssh_packet_disconnect(ssh, "incoming sequence number "
++                           "wrapped during initial key exchange");
++               }
+                logit("incoming seqnr wraps around");
++       }
+        if (++state->p_read.packets == 0)
+                if (!(ssh->compat & SSH_BUG_NOREKEY))
+                        return SSH_ERR_NEED_REKEY;
+@@ -1702,6 +1717,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ #endif
+        /* reset for next packet */
+        state->packlen = 0;
++       if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
++               debug("resetting read seqnr %u", state->p_read.seqnr);
++               state->p_read.seqnr = 0;
++       }
+ 
+        /* do we need to rekey? */
+        if (ssh_packet_need_rekeying(ssh, 0)) {
+@@ -1726,10 +1745,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+                r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
+                if (r != 0)
+                        return r;
+-               if (*typep) {
+-                       state->keep_alive_timeouts = 0;
+-                       DBG(debug("received packet type %d", *typep));
++               if (*typep == 0) {
++                       /* no message ready */
++                       return 0;
++               }
++               state->keep_alive_timeouts = 0;
++               DBG(debug("received packet type %d", *typep));
++
++               /* Always process disconnect messages */
++               if (*typep == SSH2_MSG_DISCONNECT) {
++                       if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
++                           (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
++                               return r;
++                       /* Ignore normal client exit notifications */
++                       do_log2(ssh->state->server_side &&
++                           reason == SSH2_DISCONNECT_BY_APPLICATION ?
++                           SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
++                           "Received disconnect from %s port %d:"
++                           "%u: %.400s", ssh_remote_ipaddr(ssh),
++                           ssh_remote_port(ssh), reason, msg);
++                       free(msg);
++                       return SSH_ERR_DISCONNECTED;
+                }
++
++               /*
++                * Do not implicitly handle any messages here during initial
++                * KEX when in strict mode. They will be need to be allowed
++                * explicitly by the KEX dispatch table or they will generate
++                * protocol errors.
++                */
++               if (ssh->kex != NULL &&
++                   (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
++                       return 0;
++               /* Implicitly handle transport-level messages */
+                switch (*typep) {
+                case SSH2_MSG_IGNORE:
+                        debug3("Received SSH2_MSG_IGNORE");
+@@ -1744,19 +1792,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+                        debug("Remote: %.900s", msg);
+                        free(msg);
+                        break;
+-               case SSH2_MSG_DISCONNECT:
+-                       if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
+-                           (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
+-                               return r;
+-                       /* Ignore normal client exit notifications */
+-                       do_log2(ssh->state->server_side &&
+-                           reason == SSH2_DISCONNECT_BY_APPLICATION ?
+-                           SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
+-                           "Received disconnect from %s port %d:"
+-                           "%u: %.400s", ssh_remote_ipaddr(ssh),
+-                           ssh_remote_port(ssh), reason, msg);
+-                       free(msg);
+-                       return SSH_ERR_DISCONNECTED;
+                case SSH2_MSG_UNIMPLEMENTED:
+                        if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
+                                return r;
+@@ -2235,6 +2270,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex)
+            (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
+            (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
+            (r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
++           (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
+            (r = sshbuf_put_stringb(m, kex->my)) != 0 ||
+            (r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
+            (r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
+@@ -2397,6 +2433,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
+            (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
+            (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
+            (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
++           (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
+            (r = sshbuf_get_stringb(m, kex->my)) != 0 ||
+            (r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
+            (r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
+@@ -2724,6 +2761,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
+        vsnprintf(buf, sizeof(buf), fmt, args);
+        va_end(args);
+ 
++       debug2("sending SSH2_MSG_DISCONNECT: %s", buf);
+        if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
+            (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
+            (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 5df9477..617ed9f 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -218,7 +218,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+                fatal("%s: kex_assemble_namelist", __func__);
+        free(all_key);
+ 
+-       if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
++       if ((s = kex_names_cat(options.kex_algorithms,
++           "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
+                fatal("%s: kex_names_cat", __func__);
+        myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+        myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+@@ -343,7 +344,6 @@ struct cauthmethod {
+ };
+ 
+ static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
+-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
+ static int input_userauth_success(int, u_int32_t, struct ssh *);
+ static int input_userauth_failure(int, u_int32_t, struct ssh *);
+ static int input_userauth_banner(int, u_int32_t, struct ssh *);
+@@ -460,7 +460,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+ 
+        ssh->authctxt = &authctxt;
+        ssh_dispatch_init(ssh, &input_userauth_error);
+-       ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
++       ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
+        ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
+        ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
+        pubkey_cleanup(ssh);
+@@ -505,13 +505,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
+        return r;
+ }
+ 
+-/* ARGSUSED */
+-static int
+-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
+-{
+-       return kex_input_ext_info(type, seqnr, ssh);
+-}
+-
+ void
+ userauth(struct ssh *ssh, char *authlist)
+ {
+@@ -593,6 +586,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
+        free(authctxt->methoddata);
+        authctxt->methoddata = NULL;
+        authctxt->success = 1;                  /* break out */
++       ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
+        return 0;
+ }
+ 
+diff --git a/sshd.c b/sshd.c
+index 60b2aaf..ffea38c 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2323,11 +2323,13 @@ static void
+ do_ssh2_kex(struct ssh *ssh)
+ {
+        char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
++       char *s;
+        struct kex *kex;
+        int r;
+ 
+-       myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+-           options.kex_algorithms);
++       if ((s = kex_names_cat(options.kex_algorithms, "kex-strict-s-v00@openssh.com")) == NULL)
++               fatal("kex_names_cat");
++       myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+        myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
+            options.ciphers);
+        myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(
+@@ -2382,6 +2384,7 @@ do_ssh2_kex(struct ssh *ssh)
+        packet_send();
+        packet_write_wait();
+ #endif
++       free(s);
+        debug("KEX done");
+ }
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
new file mode 100644
index 0000000000..0ba8c312d0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
@@ -0,0 +1,95 @@
+From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:47:44 +0000
+Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
+
+This makes ssh(1) refuse user or host names provided on the
+commandline that contain most shell metacharacters.
+
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+
+feedback/ok millert@ markus@ dtucker@ deraadt@
+
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+
+CVE: CVE-2023-51385
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: Hunks refreshed to apply cleanly
+
+---
+ ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/ssh.c b/ssh.c
+index 35c48e62d18..48d93ddf2a9 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -583,6 +583,41 @@ set_addrinfo_port(struct addrinfo *addrs
+        }
+ }
+ 
++static int
++valid_hostname(const char *s)
++{
++       size_t i;
++
++       if (*s == '-')
++               return 0;
++       for (i = 0; s[i] != 0; i++) {
++               if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++                   isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++                       return 0;
++       }
++       return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++       size_t i;
++
++       if (*s == '-')
++               return 0;
++       for (i = 0; s[i] != 0; i++) {
++               if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++                       return 0;
++               /* Disallow '-' after whitespace */
++               if (isspace((u_char)s[i]) && s[i + 1] == '-')
++                       return 0;
++               /* Disallow \ in last position */
++               if (s[i] == '\\' && s[i + 1] == '\0')
++                       return 0;
++       }
++       return 1;
++}
++
+ /*
+  * Main program for the ssh client.
+  */
+@@ -1069,6 +1104,10 @@ main(int ac, char **av)
+        if (!host)
+                usage();
+ 
++       if (!valid_hostname(host))
++               fatal("hostname contains invalid characters");
++       if (options.user != NULL && !valid_ruser(options.user))
++               fatal("remote username contains invalid characters");
+        host_arg = xstrdup(host);
+ 
+        /* Initialize the command to execute on remote host. */
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 12c39b26b5..8d76d62309 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,5 +1,6 @@
 [Unit]
 Conflicts=sshd.service
+Wants=sshdgenkeys.service
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service
index 9d83dfb2bb..422450c7a1 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd@.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
@@ -1,13 +1,11 @@
 [Unit]
 Description=OpenSSH Per-Connection Daemon
-Wants=sshdgenkeys.service
 After=sshdgenkeys.service
 
 [Service]
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 StandardInput=socket
 StandardError=syslog
 KillMode=process
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index fe94f30503..9d6cf7da6c 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -5,7 +5,7 @@ Ssh (Secure Shell) is a program for logging into a remote machine \
 and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
-LICENSE = "BSD & ISC & MIT"
+LICENSE = "BSD-2-Clause & BSD-3-Clause & BSD-4-Clause & ISC & MIT"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3"
 
 DEPENDS = "zlib openssl virtual/crypt"
@@ -24,14 +24,63 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
            file://sshd_check_keys \
            file://add-test-support-for-busybox.patch \
+           file://CVE-2020-14145.patch \
+           file://CVE-2021-28041.patch \
+           file://CVE-2021-41617.patch \
+           file://CVE-2023-38408-01.patch \
+           file://CVE-2023-38408-02.patch \
+           file://CVE-2023-38408-03.patch \
+           file://CVE-2023-38408-04.patch \
+           file://CVE-2023-38408-05.patch \
+           file://CVE-2023-38408-06.patch \
+           file://CVE-2023-38408-07.patch \
+           file://CVE-2023-38408-08.patch \
+           file://CVE-2023-38408-09.patch \
+           file://CVE-2023-38408-10.patch \
+           file://CVE-2023-38408-11.patch \
+           file://CVE-2023-38408-12.patch \
+           file://CVE-2023-48795.patch \
+           file://CVE-2023-51385.patch \
            "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
 
+# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
+CVE_CHECK_WHITELIST += "CVE-2007-2768"
+
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
 CVE_CHECK_WHITELIST += "CVE-2014-9278"
 
+# As per upstream, because of the way scp is based on a historical protocol called rcp
+# which relies on that style of argument passing and therefore encounters expansion
+# problems. Making changes to how the scp command line works breaks the pattern used
+# by scp consumers. Upstream therefore recommends the use of rsync in the place of
+# scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487
+CVE_CHECK_WHITELIST += "CVE-2020-15778"
+
+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and
+# certain packages may have been compromised. This CVE is not applicable
+# as our source is OpenBSD. https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
+# openssh-ssh1 is provided for compatibility with old devices that
+# cannot be upgraded to modern protocols. Thus they may not provide security
+# support for this package because doing so would prevent access to equipment.
+# The upstream OpenSSH developers see this as an important
+# security feature and do not intend to 'fix' it.
+# https://security-tracker.debian.org/tracker/CVE-2016-20012
+# https://ubuntu.com/security/CVE-2016-20012
+CVE_CHECK_WHITELIST += "CVE-2016-20012"
+
+# As per debian, the issue is fixed by a feature called "agent restriction" in openssh 8.9
+# Urgency is unimportant as per debian, Hence this CVE is whitelisting.
+# https://security-tracker.debian.org/tracker/CVE-2021-36368
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2
+# https://docs.ssh-mitm.at/trivialauth.html
+CVE_CHECK_WHITELIST += "CVE-2021-36368"
+
 PAM_SRC_URI = "file://sshd"
 
 inherit manpages useradd update-rc.d update-alternatives systemd
@@ -155,12 +204,17 @@ FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
 FILES_${PN}-keygen = "${bindir}/ssh-keygen"
 
-RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
+RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
 RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
 RRECOMMENDS_${PN}-sshd_append_class-target = "\
     ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
 "
 
+# break dependency on base package for -dev package
+# otherwise SDK fails to build as the main openssh and dropbear packages
+# conflict with each other
+RDEPENDS:${PN}-dev = ""
+
 # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
 RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
 
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch
new file mode 100644
index 0000000000..e2a65d0998
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch
@@ -0,0 +1,38 @@
+From 679ae2f72ef8cf37609cb0eff5de3b98aa85e395 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Thu, 20 Jul 2023 04:14:42 -1000
+Subject: [PATCH] Configure: add 2 missing key sorts in generation of unified_info
+
+Otherwise generation of this section in configdata.pm is not reproducible
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Upstream-Status: Backport [adapted from 3.x commit https://github.com/openssl/openssl/commit/764cf5b26306a8712e8b3d41599c44dc5ed07a25]
+---
+ Configure | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Configure b/Configure
+index 2a01746..8fc5a2c 100755
+--- a/Configure
++++ b/Configure
+@@ -2326,7 +2326,7 @@ EOF
+                      "dso" => [ @{$unified_info{engines}} ],
+                      "bin" => [ @{$unified_info{programs}} ],
+                      "script" => [ @{$unified_info{scripts}} ] );
+-    foreach my $type (keys %loopinfo) {
++    foreach my $type (sort keys %loopinfo) {
+         foreach my $product (@{$loopinfo{$type}}) {
+             my %dirs = ();
+             my $pd = dirname($product);
+@@ -2347,7 +2347,7 @@ EOF
+                 push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
+                     if $d ne $pd;
+             }
+-            foreach (keys %dirs) {
++            foreach (sort keys %dirs) {
+                 push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
+                     $product;
+             }
+-- 
+2.34.1
+
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
new file mode 100644
index 0000000000..b3f6a942d5
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,37 @@
+From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 14 Sep 2021 12:18:25 +0200
+Subject: [PATCH] Configure: do not tweak mips cflags
+
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+Index: openssl-3.0.4/Configure
+===================================================================
+--- openssl-3.0.4.orig/Configure
++++ openssl-3.0.4/Configure
+@@ -1243,16 +1243,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+         push @{$config{shared_ldflag}}, "-mno-cygwin";
+         }
+ 
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+-        && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+-        # minimally required architecture flags for assembly modules
+-        my $value;
+-        $value = '-mips2' if ($target =~ /mips32/);
+-        $value = '-mips3' if ($target =~ /mips64/);
+-        unshift @{$config{cflags}}, $value;
+-        unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+     if ($auto_threads) {
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
new file mode 100644
index 0000000000..3da6879ccb
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 19 Jan 2024 11:28:58 +0000
+Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
+
+PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+optional and can be NULL even if the "type" is a valid value. OpenSSL
+was not properly accounting for this and a NULL dereference can occur
+causing a crash.
+
+CVE-2024-0727
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23362)
+
+(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
+
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c]
+
+CVE: CVE-2024-0727
+
+Signed-off-by: virendra thakur <virendrak@kpit.com>
+---
+ crypto/pkcs12/p12_add.c  | 18 ++++++++++++++++++
+ crypto/pkcs12/p12_mutl.c |  5 +++++
+ crypto/pkcs12/p12_npas.c |  5 +++--
+ crypto/pkcs7/pk7_mime.c  |  7 +++++--
+ 4 files changed, 31 insertions(+), 4 deletions(-)
+
+--- a/crypto/pkcs12/p12_add.c
++++ b/crypto/pkcs12/p12_add.c
+@@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
+                   PKCS12_R_CONTENT_TYPE_NOT_DATA);
+         return NULL;
+     }
++
++    if (p7->d.data == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,
++                  PKCS12_R_DECODE_ERROR);
++        return NULL;
++    }
++
+     return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
+ }
+ 
+@@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
+ {
+     if (!PKCS7_type_is_encrypted(p7))
+         return NULL;
++
++    if (p7->d.encrypted == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
++        return NULL;
++    }
++
+     return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
+                                    ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
+                                    pass, passlen,
+@@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes
+                   PKCS12_R_CONTENT_TYPE_NOT_DATA);
+         return NULL;
+     }
++
++    if (p12->authsafes->d.data == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
++                  PKCS12_R_DECODE_ERROR);
++        return NULL;
++    }
++
+     return ASN1_item_unpack(p12->authsafes->d.data,
+                             ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
+ }
+--- a/crypto/pkcs12/p12_mutl.c
++++ b/crypto/pkcs12/p12_mutl.c
+@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c
+         return 0;
+     }
+ 
++    if (p12->authsafes->d.data == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
++        return 0;
++    }
++
+     salt = p12->mac->salt->data;
+     saltlen = p12->mac->salt->length;
+     if (!p12->mac->iter)
+--- a/crypto/pkcs12/p12_npas.c
++++ b/crypto/pkcs12/p12_npas.c
+@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons
+             bags = PKCS12_unpack_p7data(p7);
+         } else if (bagnid == NID_pkcs7_encrypted) {
+             bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
+-            if (!alg_get(p7->d.encrypted->enc_data->algorithm,
+-                         &pbe_nid, &pbe_iter, &pbe_saltlen))
++            if (p7->d.encrypted == NULL
++                    || !alg_get(p7->d.encrypted->enc_data->algorithm,
++                                &pbe_nid, &pbe_iter, &pbe_saltlen))
+                 goto err;
+         } else {
+             continue;
+--- a/crypto/pkcs7/pk7_mime.c
++++ b/crypto/pkcs7/pk7_mime.c
+@@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p
+ {
+     STACK_OF(X509_ALGOR) *mdalgs;
+     int ctype_nid = OBJ_obj2nid(p7->type);
+-    if (ctype_nid == NID_pkcs7_signed)
++    if (ctype_nid == NID_pkcs7_signed) {
++        if (p7->d.sign == NULL)
++            return 0;
+         mdalgs = p7->d.sign->md_algs;
+-    else
++    } else {
+         mdalgs = NULL;
++    }
+ 
+     flags ^= SMIME_OLDMIME;
+ 
diff --git a/meta/recipes-connectivity/openssl/openssl/reproducibility.patch b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
new file mode 100644
index 0000000000..8accbc9df2
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
@@ -0,0 +1,22 @@
+Using localtime() means the output can depend on the timezone of the build machine.
+Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending [should be suitable]
+
+Index: openssl-3.0.1/apps/progs.pl
+===================================================================
+--- openssl-3.0.1.orig/apps/progs.pl
++++ openssl-3.0.1/apps/progs.pl
+@@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or
+ my %commands     = ();
+ my $cmdre        = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
+ my $apps_openssl = shift @ARGV;
+-my $YEAR         = [localtime()]->[5] + 1900;
++my $YEAR         = [gmtime()]->[5] + 1900;
++if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
++    $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900;
++}
+ 
+ # because the program apps/openssl has object files as sources, and
+ # they then have the corresponding C files as source, we need to chain
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb
index 5d22c511aa..0e490eabc3 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb
@@ -17,13 +17,17 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://reproducible.patch \
+           file://reproducibility.patch \
+           file://0001-Configure-add-2-missing-key-sorts.patch \
+           file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://CVE-2024-0727.patch \
            "
 
 SRC_URI_append_class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242"
+SRC_URI[sha256sum] = "cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -179,6 +183,7 @@ do_install_ptest () {
         install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
 
         install -d ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
         install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
 }
 
diff --git a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
index b5f68951d7..b0097aa480 100644
--- a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
+++ b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Enables PPP dial-in through a serial connection"
 SECTION = "console/network"
+DESCRIPTION = "PPP dail-in provides a point to point protocol (PPP), so that other computers can dial up to it and access connected networks."
 DEPENDS = "ppp"
 RDEPENDS_${PN} = "ppp"
 PR = "r8"
diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
new file mode 100644
index 0000000000..27b8863a4e
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
@@ -0,0 +1,50 @@
+From 2aeb41a9a3a43b11b1e46628d0bf98197ff9f141 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 29 Dec 2022 18:00:20 +0100
+Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer
+
+This fixes a potential vulnerability where data is written to spkt.buf
+and rpkt.buf without a check on the array index.  To fix this, we
+check the array index (pkt->cnt) before storing the byte or
+incrementing the count.  This also means we no longer have a potential
+signed integer overflow on the increment of pkt->cnt.
+
+Fortunately, pppdump is not used in the normal process of setting up a
+PPP connection, is not installed setuid-root, and is not invoked
+automatically in any scenario that I am aware of.
+
+Ustream-Status: Backport [https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf]
+CVE: CVE-2022-4603
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ pppdump/pppdump.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
+index 87c2e8f..dec4def 100644
+--- a/pppdump/pppdump.c
++++ b/pppdump/pppdump.c
+@@ -296,6 +296,10 @@ dumpppp(f)
+                            printf("%s aborted packet:\n     ", dir);
+                            q = "    ";
+                        }
++                       if (pkt->cnt >= sizeof(pkt->buf)) {
++                           printf("%s over-long packet truncated:\n     ", dir);
++                           q = "    ";
++                       }
+                        nb = pkt->cnt;
+                        p = pkt->buf;
+                        pkt->cnt = 0;
+@@ -399,7 +403,8 @@ dumpppp(f)
+                        c ^= 0x20;
+                        pkt->esc = 0;
+                    }
+-                   pkt->buf[pkt->cnt++] = c;
++                   if (pkt->cnt < sizeof(pkt->buf))
++                           pkt->buf[pkt->cnt++] = c;
+                    break;
+                }
+            }
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
index 76c1cc62a7..51ec25e660 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
@@ -34,6 +34,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
            file://0001-ppp-Remove-unneeded-include.patch \
            file://ppp-2.4.7-DES-openssl.patch \
            file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
+           file://CVE-2022-4603.patch \
 "
 
 SRC_URI_append_libc-musl = "\
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb
index 67959576e8..5f0a5eac70 100644
--- a/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb
+++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb
@@ -11,7 +11,7 @@ AUTHOR = "Thomas Hood"
 HOMEPAGE = "http://packages.debian.org/resolvconf"
 RDEPENDS_${PN} = "bash"
 
-SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https \
+SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \
            file://fix-path-for-busybox.patch \
            file://99_resolvconf \
           "
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
new file mode 100644
index 0000000000..8c90fa3421
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+        dev->info.config_methods = cli->config_methods;
+        os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+        dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++       if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++               dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+        os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+                  dev->info.wps_sec_dev_type_list_len);
+ }
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
new file mode 100644
index 0000000000..004b1dbd19
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-27803
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+                        goto out;
+                }
+ 
++               dev = p2p_get_device(p2p, sa);
+                if (!dev) {
+-                       dev = p2p_get_device(p2p, sa);
+-                       if (!dev) {
+-                               p2p_dbg(p2p,
+-                                       "Provision Discovery device not found "
+-                                       MACSTR, MAC2STR(sa));
+-                               goto out;
+-                       }
++                       p2p_dbg(p2p,
++                               "Provision Discovery device not found "
++                               MACSTR, MAC2STR(sa));
++                       goto out;
+                }
+        } else if (msg.wfd_subelems) {
+                wpabuf_free(dev->info.wfd_subelems);
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
new file mode 100644
index 0000000000..e2540fc26b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c  | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+                os_free(decrypted);
+                return -1;
+        }
++       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++                   hdr.payload, hdr.length);
+ 
+        pos = hdr.payload;
+        end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+                os_free(decrypted);
+                return -1;
+        }
++       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++                   hdr.payload, hdr.length);
+        da_end = hdr.payload + hdr.length;
+ 
+        if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+                os_free(decrypted);
+                return -1;
+        }
++       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++                   next, da_end - next);
++
++       /*
++        * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++        * omit the parameters, but there are implementation that encode these
++        * as a NULL element. Allow these two cases and reject anything else.
++        */
++       if (da_end > next &&
++           (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++            !asn1_is_null(&hdr) ||
++            hdr.payload + hdr.length != da_end)) {
++               wpa_printf(MSG_DEBUG,
++                          "PKCS #1: Unexpected digest algorithm parameters");
++               os_free(decrypted);
++               return -1;
++       }
+ 
+        if (!asn1_oid_equal(&oid, hash_alg)) {
+                char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+                os_free(data);
+                return -1;
+        }
++       wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+ 
+        pos = hdr.payload;
+        end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+                os_free(data);
+                return -1;
+        }
++       wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++                   hdr.payload, hdr.length);
+        da_end = hdr.payload + hdr.length;
+ 
+        if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+                os_free(data);
+                return -1;
+        }
++       wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++                   next, da_end - next);
++
++       /*
++        * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++        * omit the parameters, but there are implementation that encode these
++        * as a NULL element. Allow these two cases and reject anything else.
++        */
++       if (da_end > next &&
++           (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++            !asn1_is_null(&hdr) ||
++            hdr.payload + hdr.length != da_end)) {
++               wpa_printf(MSG_DEBUG,
++                          "X509: Unexpected digest algorithm parameters");
++               os_free(data);
++               return -1;
++       }
+ 
+        if (x509_sha1_oid(&oid)) {
+                if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch
new file mode 100644
index 0000000000..21e65ba961
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch
@@ -0,0 +1,609 @@
+From 208e5687ff2e48622e28d8888ce5444a54353bbd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 27 Aug 2019 16:33:15 +0300
+Subject: [PATCH 1/4] crypto: Add more bignum/EC helper functions
+
+These are needed for implementing SAE hash-to-element.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+
+Upstream-Status: Backport
+https://w1.fi/security/2022-1/
+
+CVE: CVE-2022-23303 CVE-2022-23304
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/crypto/crypto.h         | 45 ++++++++++++++++++
+ src/crypto/crypto_openssl.c | 94 +++++++++++++++++++++++++++++++++++++
+ src/crypto/crypto_wolfssl.c | 66 ++++++++++++++++++++++++++
+ 3 files changed, 205 insertions(+)
+
+diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
+index 15f8ad04cea4..68476dbce96c 100644
+--- a/src/crypto/crypto.h
++++ b/src/crypto/crypto.h
+@@ -518,6 +518,13 @@ struct crypto_bignum * crypto_bignum_init(void);
+  */
+ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len);
+ 
++/**
++ * crypto_bignum_init_set - Allocate memory for bignum and set the value (uint)
++ * @val: Value to set
++ * Returns: Pointer to allocated bignum or %NULL on failure
++ */
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val);
++
+ /**
+  * crypto_bignum_deinit - Free bignum
+  * @n: Bignum from crypto_bignum_init() or crypto_bignum_init_set()
+@@ -612,6 +619,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+                      const struct crypto_bignum *b,
+                      struct crypto_bignum *c);
+ 
++/**
++ * crypto_bignum_addmod - d = a + b (mod c)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum
++ * @d: Bignum; used to store the result of (a + b) % c
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++                        const struct crypto_bignum *b,
++                        const struct crypto_bignum *c,
++                        struct crypto_bignum *d);
++
+ /**
+  * crypto_bignum_mulmod - d = a * b (mod c)
+  * @a: Bignum
+@@ -625,6 +645,28 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+                         const struct crypto_bignum *c,
+                         struct crypto_bignum *d);
+ 
++/**
++ * crypto_bignum_sqrmod - c = a^2 (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result of a^2 % b
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++                        const struct crypto_bignum *b,
++                        struct crypto_bignum *c);
++
++/**
++ * crypto_bignum_sqrtmod - returns sqrt(a) (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++                         const struct crypto_bignum *b,
++                         struct crypto_bignum *c);
++
+ /**
+  * crypto_bignum_rshift - r = a >> n
+  * @a: Bignum
+@@ -731,6 +773,9 @@ const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e);
+  */
+ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
+ 
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e);
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e);
++
+ /**
+  * struct crypto_ec_point - Elliptic curve point
+  *
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index bab33a537293..ed463105e8f1 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -1283,6 +1283,24 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+ 
+ 
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++       BIGNUM *bn;
++
++       if (TEST_FAIL())
++               return NULL;
++
++       bn = BN_new();
++       if (!bn)
++               return NULL;
++       if (BN_set_word(bn, val) != 1) {
++               BN_free(bn);
++               return NULL;
++       }
++       return (struct crypto_bignum *) bn;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+        if (clear)
+@@ -1449,6 +1467,28 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+ 
+ 
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++                        const struct crypto_bignum *b,
++                        const struct crypto_bignum *c,
++                        struct crypto_bignum *d)
++{
++       int res;
++       BN_CTX *bnctx;
++
++       if (TEST_FAIL())
++               return -1;
++
++       bnctx = BN_CTX_new();
++       if (!bnctx)
++               return -1;
++       res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
++                        (const BIGNUM *) c, bnctx);
++       BN_CTX_free(bnctx);
++
++       return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+                         const struct crypto_bignum *b,
+                         const struct crypto_bignum *c,
+@@ -1472,6 +1512,48 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+ 
+ 
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++                        const struct crypto_bignum *b,
++                        struct crypto_bignum *c)
++{
++       int res;
++       BN_CTX *bnctx;
++
++       if (TEST_FAIL())
++               return -1;
++
++       bnctx = BN_CTX_new();
++       if (!bnctx)
++               return -1;
++       res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++                        bnctx);
++       BN_CTX_free(bnctx);
++
++       return res ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++                         const struct crypto_bignum *b,
++                         struct crypto_bignum *c)
++{
++       BN_CTX *bnctx;
++       BIGNUM *res;
++
++       if (TEST_FAIL())
++               return -1;
++
++       bnctx = BN_CTX_new();
++       if (!bnctx)
++               return -1;
++       res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++                         bnctx);
++       BN_CTX_free(bnctx);
++
++       return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+                         struct crypto_bignum *r)
+ {
+@@ -1682,6 +1764,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+ 
+ 
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++       return (const struct crypto_bignum *) e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++       return (const struct crypto_bignum *) e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+        if (clear)
+diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
+index 4cedab4367cd..e9894b335e53 100644
+--- a/src/crypto/crypto_wolfssl.c
++++ b/src/crypto/crypto_wolfssl.c
+@@ -1042,6 +1042,26 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+ 
+ 
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++       mp_int *a;
++
++       if (TEST_FAIL())
++               return NULL;
++
++       a = (mp_int *) crypto_bignum_init();
++       if (!a)
++               return NULL;
++
++       if (mp_set_int(a, val) != MP_OKAY) {
++               os_free(a);
++               a = NULL;
++       }
++
++       return (struct crypto_bignum *) a;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+        if (!n)
+@@ -1168,6 +1188,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+ 
+ 
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++                        const struct crypto_bignum *b,
++                        const struct crypto_bignum *c,
++                        struct crypto_bignum *d)
++{
++       if (TEST_FAIL())
++               return -1;
++
++       return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c,
++                        (mp_int *) d) == MP_OKAY ?  0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+                         const struct crypto_bignum *b,
+                         const struct crypto_bignum *m,
+@@ -1181,6 +1214,27 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+ 
+ 
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++                        const struct crypto_bignum *b,
++                        struct crypto_bignum *c)
++{
++       if (TEST_FAIL())
++               return -1;
++
++       return mp_sqrmod((mp_int *) a, (mp_int *) b,
++                        (mp_int *) c) == MP_OKAY ?  0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++                         const struct crypto_bignum *b,
++                         struct crypto_bignum *c)
++{
++       /* TODO */
++       return -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+                         struct crypto_bignum *r)
+ {
+@@ -1386,6 +1440,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+ 
+ 
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++       return (const struct crypto_bignum *) &e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++       return (const struct crypto_bignum *) &e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+        ecc_point *point = (ecc_point *) p;
+-- 
+2.25.1
+
+From 2232d3d5f188b65dbb6c823ac62175412739eb16 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 2/4] dragonfly: Add sqrt() helper function
+
+This is a backport of "SAE: Move sqrt() implementation into a helper
+function" to introduce the helper function needed for the following
+patches.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/dragonfly.c | 34 ++++++++++++++++++++++++++++++++++
+ src/common/dragonfly.h |  2 ++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
+index 547be66f1561..1e842716668e 100644
+--- a/src/common/dragonfly.c
++++ b/src/common/dragonfly.c
+@@ -213,3 +213,37 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+                   "dragonfly: Unable to get randomness for own scalar");
+        return -1;
+ }
++
++
++/* res = sqrt(val) */
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++                  struct crypto_bignum *res)
++{
++       const struct crypto_bignum *prime;
++       struct crypto_bignum *tmp, *one;
++       int ret = 0;
++       u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
++       size_t prime_len;
++
++       /* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */
++
++       prime = crypto_ec_get_prime(ec);
++       prime_len = crypto_ec_prime_len(ec);
++       tmp = crypto_bignum_init();
++       one = crypto_bignum_init_uint(1);
++
++       if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++                                prime_len) < 0 ||
++           (prime_bin[prime_len - 1] & 0x03) != 3 ||
++           !tmp || !one ||
++           /* tmp = (p+1)/4 */
++           crypto_bignum_add(prime, one, tmp) < 0 ||
++           crypto_bignum_rshift(tmp, 2, tmp) < 0 ||
++           /* res = sqrt(val) */
++           crypto_bignum_exptmod(val, tmp, prime, res) < 0)
++               ret = -1;
++
++       crypto_bignum_deinit(tmp, 0);
++       crypto_bignum_deinit(one, 0);
++       return ret;
++}
+diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h
+index ec3dd593eda4..84d67f575c54 100644
+--- a/src/common/dragonfly.h
++++ b/src/common/dragonfly.h
+@@ -27,5 +27,7 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+                              struct crypto_bignum *_rand,
+                              struct crypto_bignum *_mask,
+                              struct crypto_bignum *scalar);
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++                  struct crypto_bignum *res);
+ 
+ #endif /* DRAGONFLY_H */
+-- 
+2.25.1
+
+From fe534b0baaa8c0e6ddeb24cf529d6e50e33dc501 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 3/4] SAE: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/sae.c | 47 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 08fdbfd18173..8d79ed962768 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -286,14 +286,16 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+        int pwd_seed_odd = 0;
+        u8 prime[SAE_MAX_ECC_PRIME_LEN];
+        size_t prime_len;
+-       struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
++       struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL;
+        u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+        u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+        u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
+        u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
++       u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN];
+        int res = -1;
+        u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+                       * mask */
++       unsigned int is_eq;
+ 
+        os_memset(x_bin, 0, sizeof(x_bin));
+ 
+@@ -402,25 +404,42 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+                goto fail;
+        }
+ 
+-       if (!sae->tmp->pwe_ecc)
+-               sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
+-       if (!sae->tmp->pwe_ecc)
+-               res = -1;
+-       else
+-               res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
+-                                                   sae->tmp->pwe_ecc, x,
+-                                                   pwd_seed_odd);
+-       if (res < 0) {
+-               /*
+-                * This should not happen since we already checked that there
+-                * is a result.
+-                */
++       /* y = sqrt(x^3 + ax + b) mod p
++        * if LSB(save) == LSB(y): PWE = (x, y)
++        * else: PWE = (x, p - y)
++        *
++        * Calculate y and the two possible values for PWE and after that,
++        * use constant time selection to copy the correct alternative.
++        */
++       y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x);
++       if (!y ||
++           dragonfly_sqrt(sae->tmp->ec, y, y) < 0 ||
++           crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN,
++                                prime_len) < 0 ||
++           crypto_bignum_sub(sae->tmp->prime, y, y) < 0 ||
++           crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN,
++                                SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) {
+                wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++               goto fail;
++       }
++
++       is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01);
++       const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN,
++                             prime_len, x_y + prime_len);
++       os_memcpy(x_y, x_bin, prime_len);
++       wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len);
++       crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1);
++       sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y);
++       if (!sae->tmp->pwe_ecc) {
++               wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
++               res = -1;
+        }
+ 
+ fail:
++       forced_memzero(x_y, sizeof(x_y));
+        crypto_bignum_deinit(qr, 0);
+        crypto_bignum_deinit(qnr, 0);
++       crypto_bignum_deinit(y, 1);
+        os_free(dummy_password);
+        bin_clear_free(tmp_password, password_len);
+        crypto_bignum_deinit(x, 1);
+-- 
+2.25.1
+
+From 603cd880e7f90595482658a7136fa6a7be5cb485 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 18:52:27 +0200
+Subject: [PATCH 4/4] EAP-pwd: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 46 ++++++++++++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 2b2b8efdbd01..ff22b29b087a 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -127,7 +127,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+        u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+        u8 x_bin[MAX_ECC_PRIME_LEN];
+        u8 prime_bin[MAX_ECC_PRIME_LEN];
+-       struct crypto_bignum *tmp2 = NULL;
++       u8 x_y[2 * MAX_ECC_PRIME_LEN];
++       struct crypto_bignum *tmp2 = NULL, *y = NULL;
+        struct crypto_hash *hash;
+        unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+        int ret = 0, res;
+@@ -139,6 +140,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+        u8 found_ctr = 0, is_odd = 0;
+        int cmp_prime;
+        unsigned int in_range;
++       unsigned int is_eq;
+ 
+        if (grp->pwe)
+                return -1;
+@@ -151,11 +153,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+        if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
+                                 primebytelen) < 0)
+                return -1;
+-       grp->pwe = crypto_ec_point_init(grp->group);
+-       if (!grp->pwe) {
+-               wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+-               goto fail;
+-       }
+ 
+        if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+                wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
+@@ -261,10 +258,37 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+         */
+        crypto_bignum_deinit(x_candidate, 1);
+        x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
+-       if (!x_candidate ||
+-           crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
+-                                         is_odd) != 0) {
+-               wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++       if (!x_candidate)
++               goto fail;
++
++       /* y = sqrt(x^3 + ax + b) mod p
++        * if LSB(y) == LSB(pwd-seed): PWE = (x, y)
++        * else: PWE = (x, p - y)
++        *
++        * Calculate y and the two possible values for PWE and after that,
++        * use constant time selection to copy the correct alternative.
++        */
++       y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
++       if (!y ||
++           dragonfly_sqrt(grp->group, y, y) < 0 ||
++           crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 ||
++           crypto_bignum_sub(prime, y, y) < 0 ||
++           crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN,
++                                MAX_ECC_PRIME_LEN, primebytelen) < 0) {
++               wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++               goto fail;
++       }
++
++       /* Constant time selection of the y coordinate from the two
++        * options */
++       is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01);
++       const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN,
++                             primebytelen, x_y + primebytelen);
++       os_memcpy(x_y, x_bin, primebytelen);
++       wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen);
++       grp->pwe = crypto_ec_point_from_bin(grp->group, x_y);
++       if (!grp->pwe) {
++               wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE");
+                goto fail;
+        }
+ 
+@@ -289,6 +313,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+        /* cleanliness and order.... */
+        crypto_bignum_deinit(x_candidate, 1);
+        crypto_bignum_deinit(tmp2, 1);
++       crypto_bignum_deinit(y, 1);
+        crypto_bignum_deinit(qr, 1);
+        crypto_bignum_deinit(qnr, 1);
+        bin_clear_free(prfbuf, primebytelen);
+@@ -296,6 +321,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+        os_memset(qnr_bin, 0, sizeof(qnr_bin));
+        os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
+        os_memset(pwe_digest, 0, sizeof(pwe_digest));
++       forced_memzero(x_y, sizeof(x_y));
+ 
+        return ret;
+ }
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 7cc03fef7d..a8fb34b1a1 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
 HOMEPAGE = "http://w1.fi/wpa_supplicant/"
+DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver."
 BUGTRACKER = "http://w1.fi/security/"
 SECTION = "network"
 LICENSE = "BSD-3-Clause"
@@ -29,6 +30,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
            file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
            file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
            file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
+           file://CVE-2021-0326.patch \
+           file://CVE-2021-27803.patch \
+           file://CVE-2021-30004.patch \
+           file://CVE-2022-23303-4.patch \
           "
 SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
 SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"