To: ['Yi Zhao '] To: openembedded-core@lists.openembedded.org Subject: [AUH] wget: upgrading to 1.25.0 SUCCEEDED Attachments: /srv/pokybuild/yocto-worker/auh/build/build/upgrade-helper/20241115050525/all/wget/0001-wget-upgrade-1.24.5-1.25.0.patch /srv/pokybuild/yocto-worker/auh/build/build/upgrade-helper/20241115050525/all/wget/buildhistory-diff.txt /srv/pokybuild/yocto-worker/auh/build/build/upgrade-helper/20241115050525/all/wget/buildhistory-diff-full.txt Hello, this email is a notification from the Auto Upgrade Helper that the automatic attempt to upgrade the recipe(s) *wget* to *1.25.0* has Succeeded. Next steps: - apply the patch: git am 0001-wget-upgrade-1.24.5-1.25.0.patch - check the changes to upstream patches and summarize them in the commit message, - compile an image that contains the package - perform some basic sanity tests - amend the patch and sign it off: git commit -s --reset-author --amend - send it to the appropriate mailing list Alternatively, if you believe the recipe should not be upgraded at this time, you can fill RECIPE_NO_UPDATE_REASON in respective recipe file so that automatic upgrades would no longer be attempted. Please review the attached files for further information and build/update failures. Any problem please file a bug at https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Automated%20Update%20Handler Regards, The Upgrade Helper -- >8 -- From cd12402da929b4bf6f34d7bc903f7283d98dc0a0 Mon Sep 17 00:00:00 2001 From: Upgrade Helper Date: Sun, 17 Nov 2024 13:54:00 +0000 Subject: [PATCH] wget: upgrade 1.24.5 -> 1.25.0 --- .../wget/0002-improve-reproducibility.patch | 6 +- .../wget/wget/CVE-2024-38428.patch | 79 ------------------- .../wget/{wget_1.24.5.bb => wget_1.25.0.bb} | 5 +- 3 files changed, 5 insertions(+), 85 deletions(-) delete mode 100644 meta/recipes-extended/wget/wget/CVE-2024-38428.patch rename meta/recipes-extended/wget/{wget_1.24.5.bb => wget_1.25.0.bb} (46%) 
diff --git a/meta/recipes-extended/wget/wget/0002-improve-reproducibility.patch b/meta/recipes-extended/wget/wget/0002-improve-reproducibility.patch
index 5438bafdcb..6ecb9ef289 100644
--- a/meta/recipes-extended/wget/wget/0002-improve-reproducibility.patch
+++ b/meta/recipes-extended/wget/wget/0002-improve-reproducibility.patch
@@ -1,4 +1,4 @@
-From b86e57b68363d108fe77c6fd588a275d2696cabe Mon Sep 17 00:00:00 2001
+From 304f55a3e2689154d829938d29e43d808ca6298a Mon Sep 17 00:00:00 2001
 From: Hongxu Jia
 Date: Wed, 10 Jan 2018 14:43:20 +0800
 Subject: [PATCH] src/Makefile.am: improve reproducibility
@@ -44,10 +44,10 @@ Signed-off-by: Joe Slater
 1 file changed, 4 insertions(+)
 diff --git a/src/Makefile.am b/src/Makefile.am
-index 18ec622..38d252d 100644
+index 86be533..721a401 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
-@@ -108,9 +108,13 @@ version.c: $(wget_SOURCES) ../lib/libgnu.a
+@@ -126,9 +126,13 @@ version.c: $(wget_SOURCES) ../lib/libgnu.a
 echo '#include "version.h"' >> $@
 echo 'const char *version_string = "@VERSION@";' >> $@
 echo 'const char *compilation_string = "'$(COMPILE)'";' \
diff --git a/meta/recipes-extended/wget/wget/CVE-2024-38428.patch b/meta/recipes-extended/wget/wget/CVE-2024-38428.patch
deleted file mode 100644
index ed99a05464..0000000000
--- a/meta/recipes-extended/wget/wget/CVE-2024-38428.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?=
-Date: Sun, 2 Jun 2024 12:40:16 +0200
-Subject: Properly re-implement userinfo parsing (rfc2396)
-
-* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
-
-The reason why the implementation is based on RFC 2396, an outdated standard,
-is that the whole file is based on that RFC, and mixing standard here might be
-dangerous.
-
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace]
-CVE: CVE-2024-38428
-Signed-off-by: Vijay Anusuri
----
- src/url.c | 40 ++++++++++++++++++++++++++++++++++------
- 1 file changed, 34 insertions(+), 6 deletions(-)
-
-diff --git a/src/url.c b/src/url.c
-index 69e948b..07c3bc8 100644
---- a/src/url.c
-+++ b/src/url.c
-@@ -41,6 +41,7 @@ as that of the covered work. */
- #include "url.h"
- #include "host.h" /* for is_valid_ipv6_address */
- #include "c-strcase.h"
-+#include "c-ctype.h"
-
- #ifdef HAVE_ICONV
- # include
-@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
- static const char *
- url_skip_credentials (const char *url)
- {
-- /* Look for '@' that comes before terminators, such as '/', '?',
-- '#', or ';'. */
-- const char *p = (const char *)strpbrk (url, "@/?#;");
-- if (!p || *p != '@')
-- return url;
-- return p + 1;
-+ /*
-+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
-+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
-+ *
-+ * The RFC says
-+ * server = [ [ userinfo "@" ] hostport ]
-+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
-+ * unreserved = alphanum | mark
-+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
-+ */
-+ static const char *allowed = "-_.!~*'();:&=+$,";
-+
-+ for (const char *p = url; *p; p++)
-+ {
-+ if (c_isalnum(*p))
-+ continue;
-+
-+ if (strchr(allowed, *p))
-+ continue;
-+
-+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
-+ {
-+ p += 2;
-+ continue;
-+ }
-+
-+ if (*p == '@')
-+ return p + 1;
-+
-+ break;
-+ }
-+
-+ return url;
- }
-
- /* Parse credentials contained in [BEG, END). The region is expected
---
-cgit v1.1
-
diff --git a/meta/recipes-extended/wget/wget_1.24.5.bb b/meta/recipes-extended/wget/wget_1.25.0.bb
similarity index 46%
rename from meta/recipes-extended/wget/wget_1.24.5.bb
rename to meta/recipes-extended/wget/wget_1.25.0.bb
index 602fc9e627..93fefc9092 100644
--- a/meta/recipes-extended/wget/wget_1.24.5.bb
+++ b/meta/recipes-extended/wget/wget_1.25.0.bb
@@ -1,8 +1,7 @@
 SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
 file://0002-improve-reproducibility.patch \
- file://CVE-2024-38428.patch \
- "
+ "
-SRC_URI[sha256sum] = "fa2dc35bab5184ecbc46a9ef83def2aaaa3f4c9f3c97d4bd19dcb07d4da637de"
+SRC_URI[sha256sum] = "766e48423e79359ea31e41db9e5c289675947a7fcf2efdcedb726ac9d0da3784"
 require wget.inc
--
2.44.1
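Review bot: The recipe hunk removes `file://CVE-2024-38428.patch` from `SRC_URI` and the commit message does not say why, although the helper's own checklist asks for patch changes to be summarized. Before sign-off, confirm that the 1.25.0 sources contain the `url_skip_credentials` rewrite in `src/url.c` (upstream commit ed0c7c7e0e8f7298352646b2fd6e06a11e242ace, per the deleted patch's Upstream-Status line), then record it in the message, e.g. `Drop CVE-2024-38428.patch: fix is included in 1.25.0`. The new `SRC_URI[sha256sum]` was presumably computed by the helper from the tarball it fetched, so it is worth checking that tarball against the upstream release signature as well.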