flatcar · ader1990 · Jun 25, 2024 · Jun 25, 2024 · Jun 28, 2024 · Jun 28, 2024
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
@@ -439,6 +439,7 @@ net-misc/ethertypes
 net-misc/iperf
 net-misc/iputils
 net-misc/ntp
+net-misc/openssh
 net-misc/rsync
 net-misc/socat
 net-misc/wget

diff --git a/build_library/ebuild_aci_util.sh b/build_library/ebuild_aci_util.sh
@@ -42,6 +42,7 @@ ebuild_aci_write_manifest() {
     case "${BOARD}" in
         amd64-usr) appc_arch=amd64 ;;
         arm64-usr) appc_arch=aarch64 ;;
+        riscv-usr) appc_arch=riscv64 ;;
         *) die_notrace "Cannot map \"${BOARD}\" to an appc arch" ;;
     esac
 

diff --git a/build_library/prefix_util.sh b/build_library/prefix_util.sh
@@ -32,6 +32,10 @@ function set_prefix_vars() {
       PREFIX_CHOST="aarch64-cros-linux-gnu"
       PREFIX_KEYWORDS="arm64 -~arm64"
       ;;
+    riscv-usr)
+      PREFIX_CHOST="riscv64-cros-linux-gnu"
+      PREFIX_KEYWORDS="riscv -~riscv"
+      ;;
   esac
 
   export EPREFIX PREFIXNAME STAGINGDIR STAGINGROOT FINALDIR FINALROOT CB_ROOT \
@@ -71,6 +75,7 @@ function setup_prefix_dirs() {
   case "${PREFIX_BOARD}" in
     amd64-usr) profile="${profile}/amd64/17.1/no-multilib/prefix/kernel-3.2+";;
     arm64-usr) profile="${profile}/arm64/17.0/prefix/kernel-3.2+";;
+    riscv-usr) profile="${profile}/riscv/20.0/rv64gc/lp64d/prefix/kernel-3.2+";;
   esac
 
   sudo ln -s "${profile}" "${STAGINGROOT}${EPREFIX}/etc/portage/make.profile"

diff --git a/build_library/toolchain_util.sh b/build_library/toolchain_util.sh
@@ -16,6 +16,7 @@ TOOLCHAIN_PKGS=(
 declare -A CROSS_PROFILES
 CROSS_PROFILES["x86_64-cros-linux-gnu"]="coreos:coreos/amd64/generic"
 CROSS_PROFILES["aarch64-cros-linux-gnu"]="coreos:coreos/arm64/generic"
+CROSS_PROFILES["riscv64-cros-linux-gnu"]="coreos:coreos/riscv/generic"
 
 # Map board names to CHOSTs and portage profiles. This is the
 # definitive list, there is assorted code new and old that either
@@ -27,6 +28,9 @@ BOARD_PROFILES["amd64-usr"]="coreos:coreos/amd64/generic"
 BOARD_CHOSTS["arm64-usr"]="aarch64-cros-linux-gnu"
 BOARD_PROFILES["arm64-usr"]="coreos:coreos/arm64/generic"
 
+BOARD_CHOSTS["riscv-usr"]="riscv64-cros-linux-gnu"
+BOARD_PROFILES["riscv-usr"]="coreos:coreos/riscv/generic"
+
 BOARD_NAMES=( "${!BOARD_CHOSTS[@]}" )
 
 # Declare the above globals as read-only to avoid accidental conflicts.
@@ -57,6 +61,7 @@ get_portage_arch() {
         s390*)      echo s390;;
         sh*)        echo sh;;
         x86_64*)    echo amd64;;
+        riscv*)     echo riscv;;
         *)          die "Unknown CHOST '$1'";;
     esac
 }
@@ -79,6 +84,7 @@ get_kernel_arch() {
         s390*)      echo s390;;
         sh*)        echo sh;;
         x86_64*)    echo x86;;
+        riscv*)     echo riscv;;
         *)          die "Unknown CHOST '$1'";;
     esac
 }
@@ -488,6 +494,12 @@ install_cross_rust() {
         [ ! -d /usr/lib/rustlib/aarch64-unknown-linux-gnu ] && ("${sudo[@]}" emerge --unmerge dev-lang/rust || true)
         "${sudo[@]}" emerge "${emerge_flags[@]}" dev-lang/rust
     fi
+    if [ "${cbuild}" = "x86_64-pc-linux-gnu" ] && [ "${cross_chost}" = "riscv64-cros-linux-gnu" ]; then
+        echo "Building Rust for riscv64"
+        # If no aarch64 folder exists, try to remove any existing Rust packages.
+        [ ! -d /usr/lib/rustlib/riscv64-unknown-linux-gnu ] && ("${sudo[@]}" emerge --unmerge dev-lang/rust || true)
+        "${sudo[@]}" emerge "${emerge_flags[@]}" dev-lang/rust
+    fi
 }
 
 # Update to the latest binutils profile for a given CHOST if required

diff --git a/changelog/security/2024-07-01-openssh-9.7_p1-r6.md b/changelog/security/2024-07-01-openssh-9.7_p1-r6.md
@@ -0,0 +1 @@
+- openssh ([CVE-2024-6387](https://nvd.nist.gov/vuln/detail/CVE-2024-6387))
diff --git a/changelog/updates/2024-06-28-linux-6.6.36-update.md b/changelog/updates/2024-06-28-linux-6.6.36-update.md
@@ -0,0 +1 @@
+- Linux ([6.6.36](https://lwn.net/Articles/979850))
diff --git a/changelog/updates/2024-07-01-ca-certificates-3.101.1-update.md b/changelog/updates/2024-07-01-ca-certificates-3.101.1-update.md
@@ -0,0 +1 @@
+- ca-certificates ([3.101.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_101_1.html))
diff --git a/changelog/updates/2024-07-01-openssh-9.7_p1-r6.md b/changelog/updates/2024-07-01-openssh-9.7_p1-r6.md
@@ -0,0 +1 @@
+- openssh ([9.7_p1](https://www.openssh.com/txt/release-9.7))
diff --git a/changelog/updates/2024-07-06-linux-6.6.37-update.md b/changelog/updates/2024-07-06-linux-6.6.37-update.md
@@ -0,0 +1 @@
+- Linux ([6.6.37](https://lwn.net/Articles/980860))
diff --git a/changelog/updates/2024-07-08-ca-certificates-3.102-update.md b/changelog/updates/2024-07-08-ca-certificates-3.102-update.md
@@ -0,0 +1 @@
+- ca-certificates ([3.102](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_102.html))
diff --git a/changelog/updates/2024-07-10-linux-6.6.38-update.md b/changelog/updates/2024-07-10-linux-6.6.38-update.md
@@ -0,0 +1 @@
+- Linux ([6.6.38](https://lwn.net/Articles/981255))
diff --git a/changelog/updates/2024-07-12-linux-6.6.39-update.md b/changelog/updates/2024-07-12-linux-6.6.39-update.md
@@ -0,0 +1 @@
+- Linux ([6.6.39](https://lwn.net/Articles/981719))
diff --git a/changelog/updates/2024-07-16-linux-6.6.40-update.md b/changelog/updates/2024-07-16-linux-6.6.40-update.md
@@ -0,0 +1 @@
+- Linux ([6.6.40](https://lwn.net/Articles/982050))
diff --git a/ci-automation/garbage_collect_cloud.sh b/ci-automation/garbage_collect_cloud.sh
@@ -4,7 +4,7 @@ source ci-automation/ci_automation_common.sh
 timeout --signal=SIGQUIT 60m ore aws gc --access-id "${AWS_ACCESS_KEY_ID}" --secret-key "${AWS_SECRET_ACCESS_KEY}"
 timeout --signal=SIGQUIT 60m ore do gc --config-file=<(echo "${DIGITALOCEAN_TOKEN_JSON}" | base64 --decode)
 timeout --signal=SIGQUIT 60m ore gcloud gc --json-key <(echo "${GCP_JSON_KEY}" | base64 --decode)
-timeout --signal=SIGQUIT 60m ore azure gc --duration 6h --azure-identity
+timeout --signal=SIGQUIT 60m ore azure gc --duration 6h
 timeout --signal=SIGQUIT 60m ore equinixmetal gc --duration 6h \
   --project="${EQUINIXMETAL_PROJECT}" --gs-json-key=<(echo "${GCP_JSON_KEY}" | base64 --decode) --api-key="${EQUINIXMETAL_KEY}"
 timeout --signal=SIGQUIT 60m ore openstack gc --duration 6h \

diff --git a/ci-automation/release.sh b/ci-automation/release.sh
@@ -108,7 +108,6 @@ function _inside_mantle() {
           --debug \
           --platform="${platform}" \
           --aws-credentials="${aws_credentials_config_file}" \
-          --azure-identity \
           --gce-json-key=none \
           --board="${arch}-usr" \
           --channel="${CHANNEL}" \
@@ -137,7 +136,6 @@ function _inside_mantle() {
         --publish-marketplace \
         --access-role-arn="${AWS_MARKETPLACE_ARN}" \
         --product-ids="${pid}" \
-        --azure-identity \
         --gce-json-key="${gcp_json_key_path}" \
         --gce-release-key="${google_release_credentials_file}" \
         --board="${arch}-usr" \

diff --git a/ci-automation/vendor-testing/azure.sh b/ci-automation/vendor-testing/azure.sh
@@ -52,7 +52,6 @@ run_kola_tests() {
       --platform=azure \
       --azure-image-file="${AZURE_IMAGE_NAME}" \
       --azure-location="${AZURE_LOCATION}" \
-      --azure-identity \
       --tapfile="${instance_tapfile}" \
       --azure-size="${instance_type}" \
       --azure-hyper-v-generation="${hyperv_gen}" \

diff --git a/common.sh b/common.sh
@@ -1009,6 +1009,15 @@ setup_qemu_static() {
         die "Missing basic layout in target rootfs"
       fi
     ;;
+    riscv-usr)
+      if [[ -f "${root_fs_dir}/sbin/ldconfig" ]]; then
+        sudo cp /usr/bin/qemu-riscv64 "${root_fs_dir}"/usr/bin/qemu-riscv64-static
+        echo export QEMU_LD_PREFIX=\"/build/risc-usr/\" | sudo tee /etc/profile.d/qemu-riscv64.sh
+        . /etc/profile.d/qemu-riscv64.sh
+      else
+        die "Missing basic layout in target rootfs"
+      fi
+    ;;
     *) die "Unsupported arch" ;;
   esac
 }
@@ -1024,6 +1033,13 @@ clean_qemu_static() {
         die "File not found"
       fi
     ;;
+    arm64-usr)
+      if [[ -f "${root_fs_dir}/usr/bin/qemu-riscv64-static" ]]; then
+        sudo rm "${root_fs_dir}"/usr/bin/qemu-riscv64-static
+      else
+        die "File not found"
+      fi
+    ;;
     *) die "Unsupported arch" ;;
   esac
 }
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-60de9ff9f3d070f73c2cd69bdfdc088ea0d9f0f9
+ghcr.io/flatcar/mantle:git-1adf266089c795c4021addaa9d595627662d9e0d
diff --git a/sdk_container/.repo/manifests/version.txt b/sdk_container/.repo/manifests/version.txt
@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4011.0.0+nightly-20240624-2100
-FLATCAR_VERSION_ID=4011.0.0
-FLATCAR_BUILD_ID="nightly-20240624-2100"
-FLATCAR_SDK_VERSION=4011.0.0+nightly-20240624-2100
+FLATCAR_VERSION=4012.0.1+nightly-20240716-2100
+FLATCAR_VERSION_ID=4012.0.1
+FLATCAR_BUILD_ID="nightly-20240716-2100"
+FLATCAR_SDK_VERSION=4012.0.0
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
@@ -1 +1 @@
-DIST nss-3.101.tar.gz 76317799 BLAKE2B 0401ed203b9be9bc9c32cbbf9763cc22ecda15f81100080c3419b55f327350e10c4a1316670515d78b42b00a5f93749825d40645520fef27dd060617556ece81 SHA512 b1596e7d74c654825eabbcc1f71b1410cf44d816c3044429576782bc800186073d43da9ad76de2fbd7de73c4460ebeb91aa244457da9d0d0cdc08a50a11a165f
+DIST nss-3.102.tar.gz 76455599 BLAKE2B 78eb95279640dcc46c29decd35fc4c2a2a591c5a39b8dbfcb232d72a08d1ee44d836ce8ee06fff2fe677d3ea19a8b6219a1fe9296f9b56ebfbab7295583e71fe SHA512 2706f15447afd6c26f6784e56c01e8328456523b464a2df2b054f230b6e6b5db2fdeccac74f4f4f0d683d7d4471a8ec1321102082d8a22d91887153a60ffac5b
diff --git a/...certificates/ca-certificates-3.101.ebuild → ...certificates/ca-certificates-3.102.ebuild b/...certificates/ca-certificates-3.101.ebuild → ...certificates/ca-certificates-3.102.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
diff --git a/...-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/...-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/README b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/README
@@ -0,0 +1,4 @@
+This profile (and its sub-profiles) should *only* contain
+architecture specific settings. Architecture independent settings should
+go under coreos/base (applies to everything) or coreos/targets/*
+(applies to the sdk, amd64-usr, etc.).
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/dev/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/dev/parent
@@ -0,0 +1,2 @@
+..
+:coreos/targets/generic/dev
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/make.defaults
@@ -0,0 +1,2 @@
+CFLAGS="-O2 -pipe -mtune=generic -g"
+CXXFLAGS="${CFLAGS}"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/oem-aci/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/oem-aci/parent
@@ -0,0 +1,2 @@
+..
+:coreos/targets/generic/oem-aci
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/parent
@@ -0,0 +1,2 @@
+..
+:coreos/targets/generic
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/prod/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/generic/prod/parent
@@ -0,0 +1,2 @@
+..
+:coreos/targets/generic/prod
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/make.defaults
@@ -0,0 +1,2 @@
+# platform "pc" is not supported for target CPU "arm64"
+GRUB_PLATFORMS="efi-64"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/package.provided b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/package.provided
@@ -0,0 +1 @@
+# arm64 provided
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/package.use
@@ -0,0 +1,4 @@
+# arm64 use
+
+# Disable gssapi for arm64 to avoid build errors
+net-dns/bind-tools -gssapi
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/packages b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/packages
@@ -0,0 +1,3 @@
+# Disable PAX utilities, we don't use grsec kernels
+-*sys-apps/paxctl
+-*sys-apps/elfix
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/parent
@@ -0,0 +1,2 @@
+portage-stable:default/linux/riscv/20.0/rv64gc/lp64d/systemd
+:coreos/base
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/sdk/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/sdk/make.defaults
@@ -0,0 +1,2 @@
+CFLAGS="-O2 -pipe -mtune=generic"
+CXXFLAGS="${CFLAGS}"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/sdk/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/sdk/package.use
@@ -0,0 +1,3 @@
+# Don't build the user space emulator for this arch. It's not needed and gets in
+# the way when using Catalyst with QEMU.
+app-emulation/qemu -qemu_user_targets_aarch64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/sdk/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/sdk/parent
@@ -0,0 +1,2 @@
+..
+:coreos/targets/sdk
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/riscv/use.mask
@@ -0,0 +1 @@
+-ldap
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults
@@ -5,13 +5,13 @@ USE="man -pam"
 CROS_SDK_HOST="cros-sdk-host"
 
 # Enable CPU architectures needed by Rust builds
-LLVM_TARGETS="X86 AArch64"
+LLVM_TARGETS="X86 AArch64 RISCV"
 
 # Both x86_64 and i386 targets are required for grub testing
-QEMU_SOFTMMU_TARGETS="x86_64 i386 aarch64"
+QEMU_SOFTMMU_TARGETS="x86_64 i386 aarch64 riscv64"
 
 # For cross build support.
-QEMU_USER_TARGETS="aarch64"
+QEMU_USER_TARGETS="aarch64 riscv64"
 
 # add cros_host to bootstrapping USE flags so SDK / toolchains bootstrapping
 # will use vim's vimrc instead of baselayouts',

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use
@@ -9,7 +9,7 @@ app-crypt/gnupg smartcard usb
 
 # for qemu
 app-arch/bzip2 static-libs
-app-emulation/qemu -doc -jpeg ncurses python static-user virtfs qemu_softmmu_targets_x86_64 qemu_softmmu_targets_aarch64
+app-emulation/qemu -doc -jpeg ncurses python static-user virtfs qemu_softmmu_targets_x86_64 qemu_softmmu_targets_aarch64 qemu_softmmu_targets_riscv64 +riscv64
 dev-libs/glib static-libs
 dev-libs/libaio static-libs
 dev-libs/libpcre2 static-libs

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/profiles.desc b/sdk_container/src/third_party/coreos-overlay/profiles/profiles.desc
@@ -7,3 +7,8 @@ arm64   coreos/arm64/generic                dev
 arm64   coreos/arm64/generic/dev            dev
 arm64   coreos/arm64/generic/prod           dev
 arm64   coreos/arm64/sdk                    dev
+
+riscv   coreos/riscv/generic                dev
+riscv   coreos/riscv/generic/dev            dev
+riscv   coreos/riscv/generic/prod           dev
+riscv   coreos/riscv/sdk                    dev
diff --git a/...coreos-kernel/coreos-kernel-6.6.35.ebuild → ...coreos-kernel/coreos-kernel-6.6.40.ebuild b/...coreos-kernel/coreos-kernel-6.6.35.ebuild → ...coreos-kernel/coreos-kernel-6.6.40.ebuild
diff --git a/...reos-modules/coreos-modules-6.6.35.ebuild → ...reos-modules/coreos-modules-6.6.40.ebuild b/...reos-modules/coreos-modules-6.6.35.ebuild → ...reos-modules/coreos-modules-6.6.40.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1,2 @@
 DIST linux-6.6.tar.xz 140064536 BLAKE2B 5f02fd8696d42f7ec8c5fbadec8e7270bdcfcb1f9844a6c4db3e1fd461c93ce1ccda650ca72dceb4890ebcbbf768ba8fba0bce91efc49fbd2c307b04e95665f2 SHA512 458b2c34d46206f9b4ccbac54cc57aeca1eaecaf831bc441e59701bac6eadffc17f6ce24af6eadd0454964e843186539ac0d63295ad2cc32d112b60360c39a35
-DIST patch-6.6.35.xz 2307260 BLAKE2B 79fdb1c3567356938cbd72bd0198cf07508e6ce790a7f46e72a04c692a39470b052631114b7d0ec9d7b70c0873b71fde776088fb04b273fea7f11dddf4ab2ea4 SHA512 e5f794ec8fcb5b3149ff10692274eea6367d59f7b4b42845040c31d28d1fcbcd2aa6fdfd24f69f250e89eddac88f7034f1dba3a3fc789f0648a1f7a3d8a01baa
+DIST patch-6.6.40.xz 2417316 BLAKE2B 1e0fe072ac47b28a6807a33ca026d0472934465c38040e8190777fa99182106b69ab11cf68838d91e61905688bf5c440bd76357610c02fbc0845255442c547a3 SHA512 3c53fc7179a684a0bd7ae21a0ace2d0779f01b32b497d01496f2b4f0e7852ad5a8a840fffe8731d218373b6e42d62fc3fcba1f5a3ebf6bf4734571381b411e12
diff --git a/...reos-sources/coreos-sources-6.6.35.ebuild → ...reos-sources/coreos-sources-6.6.40.ebuild b/...reos-sources/coreos-sources-6.6.35.ebuild → ...reos-sources/coreos-sources-6.6.40.ebuild
diff --git a/sdk_container/src/third_party/portage-stable/app-emulation/qemu/qemu-8.1.5.ebuild b/sdk_container/src/third_party/portage-stable/app-emulation/qemu/qemu-8.1.5.ebuild
@@ -60,7 +60,7 @@ IUSE="accessibility +aio alsa bpf bzip2 capstone +curl debug ${QEMU_DOC_USEFLAG}
 	ncurses nfs nls numa opengl +oss pam +pin-upstream-blobs pipewire
 	plugins +png pulseaudio python rbd sasl +seccomp sdl sdl-image selinux
 	+slirp
-	smartcard snappy spice ssh static-user systemtap test udev usb
+	smartcard snappy spice ssh +static-user systemtap test udev usb
 	usbredir vde +vhost-net virgl virtfs +vnc vte xattr xen
 	zstd"
 

diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest b/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest
@@ -0,0 +1,6 @@
+DIST openssh-9.6p1.tar.gz 1857862 BLAKE2B dd7f6747fe89f7b386be4faaf7fc43398a9bf439e45608ae61c2126cf8743c64ef7b5af45c75e9007b0bda525f8809261ca0f2fc47ce60177ba769a5324719dd SHA512 0ebf81e39914c3a90d7777a001ec7376a94b37e6024baf3e972c58f0982b7ddef942315f5e01d56c00ff95603b4a20ee561ab918ecc55511df007ac138160509
+DIST openssh-9.6p1.tar.gz.asc 833 BLAKE2B 9363d02f85457aa90069020827306a2f49d8406e32f5ee1d231844648dd2ffa02fa9b7325b8677a11e46a0ba0d9ffc86d9c989435d691a02f5354a956c49f9f9 SHA512 aec5a5bd6ce480a8e5b5879dc55f8186aec90fe61f085aa92ad7d07f324574aa781be09c83b7443a32848d091fd44fb12c1842d49cee77afc351e550ffcc096d
+DIST openssh-9.7p1.tar.gz 1848766 BLAKE2B 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b SHA512 0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55
+DIST openssh-9.7p1.tar.gz.asc 833 BLAKE2B a95e952be48bd55a07d0a95a49dc06c326816c67b8b5d40bd3f64c28aa43122253817b8a088e7a3b8a190375ea39f9fc3400b22d035561f9643c1d32b5caef27 SHA512 e028978e4266de9ad513626b13d70249e4166923fc15f38751178e2b3522ff6ebb9a7ca7dc32d1bb42d42fb92adf9903dba1b734bec083010ed7323aadad8baf
+DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
+DIST openssh-9.8p1.tar.gz.asc 833 BLAKE2B 5291e8c03ab9a75acb44285cd7fc010f4a33551f142499624165dac708fc05a6d077df81555aa41037b45f6301e4e5db3161a7a23404473f8a233a877fc55cc3 SHA512 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7
diff --git a/...-9.3_p1-disable-conch-interop-tests.patch → ...-9.3_p1-disable-conch-interop-tests.patch b/...-9.3_p1-disable-conch-interop-tests.patch → ...-9.3_p1-disable-conch-interop-tests.patch
diff --git a/...iles/openssh-9.3_p1-fix-putty-tests.patch → ...iles/openssh-9.3_p1-fix-putty-tests.patch b/...iles/openssh-9.3_p1-fix-putty-tests.patch → ...iles/openssh-9.3_p1-fix-putty-tests.patch
diff --git a/...isc/openssh/files/openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch b/...isc/openssh/files/openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch
@@ -0,0 +1,44 @@
+From 45b491ce13fcf7dbc0b3bd6df986c9cf59190721 Mon Sep 17 00:00:00 2001
+From: Jordan R Abrahams-Whitehead <[email protected]>
+Date: Tue, 12 Dec 2023 22:54:02 +0000
+Subject: [PATCH] Allow MAP_NORESERVE in sandbox seccomp filter maps
+
+While debugging Scudo on ChromeOS, we found that the no reserve mode
+immediately crashed `sshd`. We tracked it down to the
+sandbox-seccomp-filter.
+
+Being able to mmap with MAP_NORESERVE is useful (if not necessary) for
+some overcommitting allocators.
+
+During mmap calls, the flag MAP_NORESERVE is used by some allocators
+such as LLVM's Scudo for layout optimisation. This causes the sandbox
+seccomp filter for the client subprocess to die with some Scudo
+configurations.
+
+Upstream patch submission:
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2023-December/041095.html
+---
+ sandbox-seccomp-filter.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 23b40b643..a49c5ca99 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -190,9 +190,11 @@
+
+ #if defined(__NR_mmap) || defined(__NR_mmap2)
+ # ifdef MAP_FIXED_NOREPLACE
+-#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED|MAP_FIXED_NOREPLACE
++#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED \
++		|MAP_NORESERVE|MAP_FIXED_NOREPLACE
+ # else
+-#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED
++#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED \
++		|MAP_NORESERVE
+ # endif /* MAP_FIXED_NOREPLACE */
+ /* Use this for both __NR_mmap and __NR_mmap2 variants */
+ # define SC_MMAP(_nr) \
+-- 
+2.43.0.472.g3155946c3a-goog
+
diff --git a/.../src/third_party/portage-stable/net-misc/openssh/files/openssh-9.6_p1-CVE-2024-6387.patch b/.../src/third_party/portage-stable/net-misc/openssh/files/openssh-9.6_p1-CVE-2024-6387.patch
@@ -0,0 +1,19 @@
+https://bugs.gentoo.org/935271
+Backport proposed by upstream at https://marc.info/?l=oss-security&m=171982317624594&w=2.
+--- a/log.c
++++ b/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ 	va_list args;
+
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+
diff --git a/...er/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.6_p1-chaff-logic.patch b/...er/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.6_p1-chaff-logic.patch
@@ -0,0 +1,16 @@
+"Minor logic error in ObscureKeystrokeTiming"
+https://marc.info/?l=oss-security&m=171982317624594&w=2
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ 		if (timespeccmp(&now, &chaff_until, >=)) {
+ 			/* Stop if there have been no keystrokes for a while */
+ 			stop_reason = "chaff time expired";
+-		} else if (timespeccmp(&now, &next_interval, >=)) {
+-			/* Otherwise if we were due to send, then send chaff */
++		} else if (timespeccmp(&now, &next_interval, >=) &&
++		    !ssh_packet_have_data_to_write(ssh)) {
++			/* If due to send but have no data, then send chaff */
+ 			if (send_chaff(ssh))
+ 				nchaff++;
+ 		}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- openssh ([CVE-2024-6387](https://nvd.nist.gov/vuln/detail/CVE-2024-6387))
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Linux ([6.6.36](https://lwn.net/Articles/979850))
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- ca-certificates ([3.101.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_101_1.html))
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- openssh ([9.7_p1](https://www.openssh.com/txt/release-9.7))
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Linux ([6.6.37](https://lwn.net/Articles/980860))
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- ca-certificates ([3.102](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_102.html))
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Linux ([6.6.38](https://lwn.net/Articles/981255))
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Linux ([6.6.39](https://lwn.net/Articles/981719))
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Linux ([6.6.40](https://lwn.net/Articles/982050))
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		ghcr.io/flatcar/mantle:git-60de9ff9f3d070f73c2cd69bdfdc088ea0d9f0f9
		ghcr.io/flatcar/mantle:git-1adf266089c795c4021addaa9d595627662d9e0d