11 files changed, 696 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-55553.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-55553.patch
new file mode 100644
index 0000000000..1183b1e58b
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-55553.patch
@@ -0,0 +1,304 @@
+From fc6837ad68e9724d7c15db6cb01bf9bb5beea8e5 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Tue, 21 Jan 2025 16:07:10 +0200
+Subject: [PATCH] bgpd: Validate only affected RPKI prefixes instead of a full
+ RIB
+This is backport of https://github.com/FRRouting/frr/commit/b0800bfdf04b4fcf48504737ebfe4ba7f05268d3 for 8.4.
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2024-55553
+Upstream-Status: Backport [https://github.com/opensourcerouting/frr/commit/cc1c66a7e8dd31c681f396f6635192c0d60a543c]
+The original patch is adjusted to fit for the current version.(8.2.2)
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ bgpd/bgp_rpki.c | 184 +++++++++++++++++++++---------------------------
+ bgpd/bgpd.c     |   4 ++
+ bgpd/bgpd.h     |   1 +
+ 3 files changed, 87 insertions(+), 102 deletions(-)
+diff --git a/bgpd/bgp_rpki.c b/bgpd/bgp_rpki.c
+index 0a51269d9b..69c5f44fac 100644
+--- a/bgpd/bgp_rpki.c
+++ b/bgpd/bgp_rpki.c
+@@ -67,6 +67,12 @@ static struct thread *t_rpki;
+ 
+ DEFINE_MTYPE_STATIC(BGPD, BGP_RPKI_CACHE, "BGP RPKI Cache server");
+ DEFINE_MTYPE_STATIC(BGPD, BGP_RPKI_CACHE_GROUP, "BGP RPKI Cache server group");
+
+DEFINE_MTYPE_STATIC(BGPD, BGP_RPKI_REVALIDATE, "BGP RPKI Revalidation");
+
+#define RPKI_VALID 1
+#define RPKI_NOTFOUND 2
+#define RPKI_INVALID 3
+ 
+ #define POLLING_PERIOD_DEFAULT 3600
+ #define EXPIRE_INTERVAL_DEFAULT 7200
+@@ -129,7 +135,6 @@ static enum route_map_cmd_result_t route_match(void *rule,
+                                               void *object);
+ static void *route_match_compile(const char *arg);
+ static void revalidate_bgp_node(struct bgp_dest *dest, afi_t afi, safi_t safi);
+-static void revalidate_all_routes(void);
+ 
+ static struct rtr_mgr_config *rtr_config;
+ static struct list *cache_list;
+@@ -339,10 +344,9 @@ inline int is_running(void)
+        return rtr_is_running;
+ }
+ 
+-static struct prefix *pfx_record_to_prefix(struct pfx_record *record)
+static void pfx_record_to_prefix(struct pfx_record *record,
+                                struct prefix *prefix)
+ {
+-       struct prefix *prefix = prefix_new();
+-
+        prefix->prefixlen = record->min_len;
+ 
+        if (record->prefix.ver == LRTR_IPV4) {
+@@ -353,75 +357,102 @@ static struct prefix *pfx_record_to_prefix(struct pfx_record *record)
+                ipv6_addr_to_network_byte_order(record->prefix.u.addr6.addr,
+                                                prefix->u.prefix6.s6_addr32);
+        }
+-
+-       return prefix;
+ }
+ 
+-static int bgpd_sync_callback(struct thread *thread)
+-{
+struct rpki_revalidate_prefix {
+        struct bgp *bgp;
+-       struct listnode *node;
+-       struct prefix *prefix;
+-       struct pfx_record rec;
+-       int retval;
+-       int socket = THREAD_FD(thread);
+       struct prefix prefix;
+       afi_t afi;
+       safi_t safi;
+};
+ 
+-       thread_add_read(bm->master, bgpd_sync_callback, NULL, socket, &t_rpki);
+static void rpki_revalidate_prefix(struct thread *thread)
+{
+       struct rpki_revalidate_prefix *rrp = THREAD_ARG(thread);
+       struct bgp_dest *match, *node;
+ 
+-       if (atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst)) {
+-               while (read(socket, &rec, sizeof(struct pfx_record)) != -1)
+-                       ;
+       match = bgp_table_subtree_lookup(rrp->bgp->rib[rrp->afi][rrp->safi],
+                                        &rrp->prefix);
+ 
+-               atomic_store_explicit(&rtr_update_overflow, 0,
+-                                     memory_order_seq_cst);
+-               revalidate_all_routes();
+-               return 0;
+-       }
+       node = match;
+ 
+-       retval = read(socket, &rec, sizeof(struct pfx_record));
+-       if (retval != sizeof(struct pfx_record)) {
+-               RPKI_DEBUG("Could not read from socket");
+-               return retval;
+-       }
+       while (node) {
+               if (bgp_dest_has_bgp_path_info_data(node)) {
+                       revalidate_bgp_node(node, rrp->afi, rrp->safi);
+               }
+ 
+-       /* RTR-Server crashed/terminated, let's handle and switch
+-        * to the second available RTR-Server according to preference.
+-        */
+-       if (rec.socket && rec.socket->state == RTR_ERROR_FATAL) {
+-               reset(true);
+-               return 0;
+               node = bgp_route_next_until(node, match);
+        }
+ 
+-       prefix = pfx_record_to_prefix(&rec);
+       XFREE(MTYPE_BGP_RPKI_REVALIDATE, rrp);
+}
+ 
+-       afi_t afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6;
+static void revalidate_single_prefix(struct prefix prefix, afi_t afi)
+{
+       struct bgp *bgp;
+       struct listnode *node;
+ 
+        for (ALL_LIST_ELEMENTS_RO(bm->bgp, node, bgp)) {
+                safi_t safi;
+ 
+                for (safi = SAFI_UNICAST; safi < SAFI_MAX; safi++) {
+-                       if (!bgp->rib[afi][safi])
+                       struct bgp_table *table = bgp->rib[afi][safi];
+                       struct rpki_revalidate_prefix *rrp;
+
+                       if (!table)
+                                continue;
+ 
+-                       struct bgp_dest *match;
+-                       struct bgp_dest *node;
+                       rrp = XCALLOC(MTYPE_BGP_RPKI_REVALIDATE, sizeof(*rrp));
+                       rrp->bgp = bgp;
+                       rrp->prefix = prefix;
+                       rrp->afi = afi;
+                       rrp->safi = safi;
+                       thread_add_event(bm->master, rpki_revalidate_prefix,
+                                        rrp, 0, &bgp->t_revalidate[afi][safi]);
+               }
+       }
+}
+
+static void bgpd_sync_callback(struct thread *thread)
+{
+       struct prefix prefix;
+       struct pfx_record rec;
+       afi_t afi;
+       int retval;
+
+       if (atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst)) {
+               ssize_t size = 0;
+ 
+-                       match = bgp_table_subtree_lookup(bgp->rib[afi][safi],
+-                                                        prefix);
+-                       node = match;
+               retval = read(rpki_sync_socket_bgpd, &rec,
+                             sizeof(struct pfx_record));
+               while (retval != -1) {
+                       if (retval != sizeof(struct pfx_record))
+                               break;
+ 
+-                       while (node) {
+-                               if (bgp_dest_has_bgp_path_info_data(node)) {
+-                                       revalidate_bgp_node(node, afi, safi);
+-                               }
+                       size += retval;
+                       pfx_record_to_prefix(&rec, &prefix);
+                       afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6;
+                       revalidate_single_prefix(prefix, afi);
+ 
+-                               node = bgp_route_next_until(node, match);
+-                       }
+                       retval = read(rpki_sync_socket_bgpd, &rec,
+                                     sizeof(struct pfx_record));
+                }
+
+               atomic_store_explicit(&rtr_update_overflow, 0,
+                                     memory_order_seq_cst);
+               return;
+        }
+ 
+-       prefix_free(&prefix);
+-       return 0;
+       retval = read(rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record));
+       if (retval != sizeof(struct pfx_record)) {
+               RPKI_DEBUG("Could not read from rpki_sync_socket_bgpd");
+               return;
+       }
+       pfx_record_to_prefix(&rec, &prefix);
+
+       afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6;
+
+       revalidate_single_prefix(prefix, afi);
+ }
+ 
+ static void revalidate_bgp_node(struct bgp_dest *bgp_dest, afi_t afi,
+@@ -446,63 +477,12 @@ static void revalidate_bgp_node(struct bgp_dest *bgp_dest, afi_t afi,
+        }
+ }
+ 
+-static void revalidate_all_routes(void)
+-{
+-       struct bgp *bgp;
+-       struct listnode *node;
+-       afi_t afi;
+-       safi_t safi;
+-
+-       for (ALL_LIST_ELEMENTS_RO(bm->bgp, node, bgp)) {
+-               struct peer *peer;
+-               struct listnode *peer_listnode;
+-
+-               for (ALL_LIST_ELEMENTS_RO(bgp->peer, peer_listnode, peer)) {
+-                       FOREACH_AFI_SAFI (afi, safi) {
+-                               if (!peer->afc_nego[afi][safi])
+-                                       continue;
+-
+-                               if (!peer->bgp->rib[afi][safi])
+-                                       continue;
+-
+-                               bgp_soft_reconfig_in(peer, afi, safi);
+-                       }
+-               }
+-       }
+-}
+-
+-static void rpki_connection_status_cb(const struct rtr_mgr_group *group
+-                                     __attribute__((unused)),
+-                                     enum rtr_mgr_status status,
+-                                     const struct rtr_socket *socket
+-                                     __attribute__((unused)),
+-                                     void *data __attribute__((unused)))
+-{
+-       struct pfx_record rec = {0};
+-       int retval;
+-
+-       if (rtr_is_stopping ||
+-           atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst))
+-               return;
+-
+-       if (status == RTR_MGR_ERROR)
+-               rec.socket = socket;
+-
+-       retval = write(rpki_sync_socket_rtr, &rec, sizeof(rec));
+-       if (retval == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))
+-               atomic_store_explicit(&rtr_update_overflow, 1,
+-                                     memory_order_seq_cst);
+-
+-       else if (retval != sizeof(rec))
+-               RPKI_DEBUG("Could not write to rpki_sync_socket_rtr");
+-}
+-
+ static void rpki_update_cb_sync_rtr(struct pfx_table *p __attribute__((unused)),
+                                    const struct pfx_record rec,
+                                    const bool added __attribute__((unused)))
+ {
+-       if (rtr_is_stopping
+-           || atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst))
+       if (rtr_is_stopping ||
+           atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst))
+                return;
+ 
+        int retval =
+diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
+index 7e528b2191..bfe96f0f01 100644
+--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
+@@ -3579,6 +3579,10 @@ int bgp_delete(struct bgp *bgp)
+ 
+        hook_call(bgp_inst_delete, bgp);
+ 
+       THREAD_OFF(bgp->t_condition_check);
+       FOREACH_AFI_SAFI (afi, safi)
+               THREAD_OFF(bgp->t_revalidate[afi][safi]);
+
+        THREAD_OFF(bgp->t_startup);
+        THREAD_OFF(bgp->t_maxmed_onstartup);
+        THREAD_OFF(bgp->t_update_delay);
+diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h
+index 8b93c450e8..45db4752f4 100644
+--- a/bgpd/bgpd.h
+++ b/bgpd/bgpd.h
+@@ -426,6 +426,7 @@ struct bgp {
+        /* BGP update delay on startup */
+        struct thread *t_update_delay;
+        struct thread *t_establish_wait;
+       struct thread *t_revalidate[AFI_MAX][SAFI_MAX];
+        uint8_t update_delay_over;
+        uint8_t main_zebra_update_hold;
+        uint8_t main_peers_update_hold;
+-- 
+2.35.5
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
index facc655e29..975607f5af 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -34,6 +34,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
           file://CVE-2024-31950.patch \
           file://CVE-2024-31951.patch \
           file://CVE-2024-31948.patch \
+           file://CVE-2024-55553.patch \
              "
 SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-unload_all_mibs-fix-memory-leak-by-freeing-tclist.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-unload_all_mibs-fix-memory-leak-by-freeing-tclist.patch
new file mode 100644
index 0000000000..4e1d09e15a
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-unload_all_mibs-fix-memory-leak-by-freeing-tclist.patch
@@ -0,0 +1,32 @@
+From 606e2cbb2d607820345aa20d4095613b1f563a08 Mon Sep 17 00:00:00 2001
+From: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+Date: Wed, 9 Apr 2025 09:24:45 +0800
+Subject: [PATCH] unload_all_mibs: fix memory leak by freeing tclist
+tclist is always allocated in netsnmp_init_mib_internals, when doing multiple init_snmp("")/snmp_shutdown("") this memory is never free'd.
+Remove the special character in the origin commit.
+Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/4bd0d9a8a2860c2c46307aef5ee1ccc69f7e3b62]
+Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+---
+ snmplib/parse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/snmplib/parse.c b/snmplib/parse.c
+index 9406f4f88..2f9a20175 100644
+--- a/snmplib/parse.c
+++ b/snmplib/parse.c
+@@ -4225,7 +4225,8 @@ unload_all_mibs(void)
+         if (ptc->description)
+             free(ptc->description);
+     }
+-    memset(tclist, 0, tc_alloc * sizeof(struct tc));
+    SNMP_FREE(tclist);
+    tc_alloc = 0;
+ 
+     memset(buckets, 0, sizeof(buckets));
+     memset(nbuckets, 0, sizeof(nbuckets));
+-- 
+2.34.1
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.3.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.3.bb
index eb8e1599fb..88466c94b4 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.3.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.9.3.bb
@@ -27,6 +27,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
           file://reproducibility-have-printcap.patch \
           file://0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch \
           file://CVE-2022-44792-CVE-2022-44793.patch \
+           file://0001-unload_all_mibs-fix-memory-leak-by-freeing-tclist.patch \
           "
 SRC_URI[sha256sum] = "2097f29b7e1bf3f1300b4bae52fa2308d0bb8d5d3998dbe02f9462a413a2ef0a"
diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2025-32364.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32364.patch
new file mode 100644
index 0000000000..fa4310e6af
--- /dev/null
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32364.patch
@@ -0,0 +1,28 @@
+From d87bc726c7cc98f8c26b60ece5f20236e9de1bc3 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 24 Mar 2025 00:44:54 +0100
+Subject: [PATCH] PSStack::roll: Protect against doing int = -INT_MIN
+CVE: CVE-2025-32364
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/d87bc726c7cc98f8c26b60ece5f20236e9de1bc3]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/Function.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/poppler/Function.cc b/poppler/Function.cc
+index b97ad71..3ee99d6 100644
+--- a/poppler/Function.cc
+++ b/poppler/Function.cc
+@@ -1066,7 +1066,7 @@ void PSStack::roll(int n, int j)
+     PSObject obj;
+     int i, k;
+-    if (unlikely(n == 0)) {
+    if (unlikely(n == 0 || j == INT_MIN)) {
+         return;
+     }
+     if (j >= 0) {
+--
+2.40.0
diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch
new file mode 100644
index 0000000000..d8cda9c1c3
--- /dev/null
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch
@@ -0,0 +1,41 @@
+From 1f151565bbca5be7449ba8eea6833051cc1baa41 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 31 Mar 2025 14:35:49 +0200
+Subject: [PATCH] Move isOk check to inside JBIG2Bitmap::combine
+CVE: CVE-2025-32365
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/JBIG2Stream.cc | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index b9a62e1..9cc3b82 100644
+--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
+@@ -767,6 +767,10 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+     unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
+     bool oneByte;
+    if (unlikely(!isOk())) {
+        return;
+    }
+
+     // check for the pathological case where y = -2^31
+     if (y < -0x7fffffff) {
+         return;
+@@ -2198,9 +2202,7 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
+             if (pageH == 0xffffffff && y + h > curPageH) {
+                 pageBitmap->expand(y + h, pageDefPixel);
+             }
+-            if (pageBitmap->isOk()) {
+-                pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+-            }
+            pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+             // store the region bitmap
+         } else {
+--
+2.40.0
diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2025-43903.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2025-43903.patch
new file mode 100644
index 0000000000..e5acf7492b
--- /dev/null
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2025-43903.patch
@@ -0,0 +1,54 @@
+From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001
+From: Juraj sarinay <juraj@sarinay.com>
+Date: Thu, 6 Mar 2025 02:02:56 +0100
+Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.
+For signatures with non-empty encapsulated content
+(typically adbe.pkcs7.sha1), we only compared hash values and
+never actually checked SignatureValue within SignerInfo.
+The bug introduced by c7c0207b
+made trivial signature forgeries possible. Fix this by calling
+NSS_CMSSignerInfo_Verify() after the hash values compare equal.
+CVE: CVE-2025-43903
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669]
+Changes:
+- Refresh patch context as per the source code.
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/SignatureHandler.cc | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
+index 6538239..4008b2c 100644
+--- a/poppler/SignatureHandler.cc
+++ b/poppler/SignatureHandler.cc
+@@ -969,16 +969,19 @@ SignatureValidationStatus SignatureHandler::validateSignature()
+           This means it's not a detached type signature
+           so the digest is contained in SignedData->contentInfo
+         */
+-        if (memcmp(digest.data, content_info_data->data, hash_length) == 0 && digest.len == content_info_data->len) {
+-            PORT_Free(digest_buffer);
+-            return SIGNATURE_VALID;
+-        } else {
+        if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
+             PORT_Free(digest_buffer);
+             return SIGNATURE_DIGEST_MISMATCH;
+         }
+-    } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+        auto innerHashContext = HASH_Create(getHashAlgorithm());
+        HASH_Update(innerHashContext, content_info_data->data, content_info_data->len);
+        HASH_End(innerHashContext, digest_buffer, &result_len, hash_length);
+        digest.data = digest_buffer;
+        digest.len = hash_length;
+    }
+    if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+         PORT_Free(digest_buffer);
+         return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
+     } else {
+--
+2.40.0
diff --git a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
index af6ee67496..bb6e64d657 100644
--- a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
+++ b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
@@ -11,6 +11,9 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
           file://CVE-2024-6239-0001.patch \
           file://CVE-2024-6239-0002.patch \
           file://CVE-2024-56378.patch \
+           file://CVE-2025-32364.patch \
+           file://CVE-2025-32365.patch \
+           file://CVE-2025-43903.patch \
           "
 SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"
diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch
new file mode 100644
index 0000000000..a5bffbd5a5
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch
@@ -0,0 +1,33 @@
+From f1cb4e616e9f23b4dd044a6db44365060950c64f Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Mon, 22 Jul 2024 22:21:10 -0700
+Subject: [PATCH] Use chunking in the pipelining tests
+CVE: CVE-2024-41671
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/f1cb4e616e9f23b4dd044a6db44365060950c64f]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/twisted/web/test/test_http.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index 7ffea4e..5d88ff1 100644
+--- a/src/twisted/web/test/test_http.py
+++ b/src/twisted/web/test/test_http.py
+@@ -575,9 +575,11 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+         b"Content-Length: 10\r\n"
+         b"\r\n"
+         b"0123456789POST / HTTP/1.1\r\n"
+-        b"Content-Length: 10\r\n"
+        b"Transfer-Encoding: chunked\r\n"
+         b"\r\n"
+        b"a\r\n"
+         b"0123456789"
+        b"0\r\n"
+     )
+     expectedResponses = [
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch
new file mode 100644
index 0000000000..4775f1c55c
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch
@@ -0,0 +1,196 @@
+From ef2c755e9e9d57d58132af790bd2fd2b957b3fb1 Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Mon, 22 Jul 2024 23:21:49 -0700
+Subject: [PATCH] Tests and partial fix
+CVE: CVE-2024-41671
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/ef2c755e9e9d57d58132af790bd2fd2b957b3fb1]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/twisted/web/http.py           |   2 +-
+ src/twisted/web/test/test_http.py | 112 +++++++++++++++++++++++++++---
+ 2 files changed, 102 insertions(+), 12 deletions(-)
+diff --git a/src/twisted/web/http.py b/src/twisted/web/http.py
+index a53ebc2..96a1335 100644
+--- a/src/twisted/web/http.py
+++ b/src/twisted/web/http.py
+@@ -2256,8 +2256,8 @@ class HTTPChannel(basic.LineReceiver, policies.TimeoutMixin):
+             self.__header = line
+     def _finishRequestBody(self, data):
+-        self.allContentReceived()
+         self._dataBuffer.append(data)
+        self.allContentReceived()
+     def _maybeChooseTransferDecoder(self, header, data):
+         """
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index 5d88ff1..86c85d2 100644
+--- a/src/twisted/web/test/test_http.py
+++ b/src/twisted/web/test/test_http.py
+@@ -136,7 +136,7 @@ class DummyHTTPHandler(http.Request):
+         data = self.content.read()
+         length = self.getHeader(b"content-length")
+         if length is None:
+-            length = networkString(str(length))
+            length = str(length).encode()
+         request = b"'''\n" + length + b"\n" + data + b"'''\n"
+         self.setResponseCode(200)
+         self.setHeader(b"Request", self.uri)
+@@ -567,7 +567,8 @@ class HTTP0_9Tests(HTTP1_0Tests):
+ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+     """
+-    Tests that multiple pipelined requests with bodies are correctly buffered.
+    Pipelined requests get buffered and executed in the order received,
+    not processed in parallel.
+     """
+     requests = (
+@@ -578,8 +579,9 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+         b"Transfer-Encoding: chunked\r\n"
+         b"\r\n"
+         b"a\r\n"
+-        b"0123456789"
+        b"0123456789\r\n"
+         b"0\r\n"
+        b"\r\n"
+     )
+     expectedResponses = [
+@@ -596,14 +598,16 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+             b"Request: /",
+             b"Command: POST",
+             b"Version: HTTP/1.1",
+-            b"Content-Length: 21",
+-            b"'''\n10\n0123456789'''\n",
+            b"Content-Length: 23",
+            b"'''\nNone\n0123456789'''\n",
+         ),
+     ]
+-    def test_noPipelining(self):
+    def test_stepwiseTinyTube(self):
+         """
+-        Test that pipelined requests get buffered, not processed in parallel.
+        Imitate a slow connection that delivers one byte at a time.
+        The request handler (L{DelayedHTTPHandler}) is puppeted to
+        step through the handling of each request.
+         """
+         b = StringTransport()
+         a = http.HTTPChannel()
+@@ -612,10 +616,9 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+         # one byte at a time, to stress it.
+         for byte in iterbytes(self.requests):
+             a.dataReceived(byte)
+-        value = b.value()
+         # So far only one request should have been dispatched.
+-        self.assertEqual(value, b"")
+        self.assertEqual(b.value(), b"")
+         self.assertEqual(1, len(a.requests))
+         # Now, process each request one at a time.
+@@ -624,8 +627,95 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+             request = a.requests[0].original
+             request.delayedProcess()
+-        value = b.value()
+-        self.assertResponseEquals(value, self.expectedResponses)
+        self.assertResponseEquals(b.value(), self.expectedResponses)
+
+    def test_stepwiseDumpTruck(self):
+        """
+        Imitate a fast connection where several pipelined
+        requests arrive in a single read. The request handler
+        (L{DelayedHTTPHandler}) is puppeted to step through the
+        handling of each request.
+        """
+        b = StringTransport()
+        a = http.HTTPChannel()
+        a.requestFactory = DelayedHTTPHandlerProxy
+        a.makeConnection(b)
+
+        a.dataReceived(self.requests)
+
+        # So far only one request should have been dispatched.
+        self.assertEqual(b.value(), b"")
+        self.assertEqual(1, len(a.requests))
+
+        # Now, process each request one at a time.
+        while a.requests:
+            self.assertEqual(1, len(a.requests))
+            request = a.requests[0].original
+            request.delayedProcess()
+
+        self.assertResponseEquals(b.value(), self.expectedResponses)
+
+    def test_immediateTinyTube(self):
+        """
+        Imitate a slow connection that delivers one byte at a time.
+
+        (L{DummyHTTPHandler}) immediately responds, but no more
+        than one
+        """
+        b = StringTransport()
+        a = http.HTTPChannel()
+        a.requestFactory = DummyHTTPHandlerProxy  # "sync"
+        a.makeConnection(b)
+
+        # one byte at a time, to stress it.
+        for byte in iterbytes(self.requests):
+            a.dataReceived(byte)
+            # There is never more than one request dispatched at a time:
+            self.assertLessEqual(len(a.requests), 1)
+
+        self.assertResponseEquals(b.value(), self.expectedResponses)
+
+    def test_immediateDumpTruck(self):
+        """
+        Imitate a fast connection where several pipelined
+        requests arrive in a single read. The request handler
+        (L{DummyHTTPHandler}) immediately responds.
+
+        This doesn't check the at-most-one pending request
+        invariant but exercises otherwise uncovered code paths.
+        See GHSA-c8m8-j448-xjx7.
+        """
+        b = StringTransport()
+        a = http.HTTPChannel()
+        a.requestFactory = DummyHTTPHandlerProxy
+        a.makeConnection(b)
+
+        # All bytes at once to ensure there's stuff to buffer.
+        a.dataReceived(self.requests)
+
+        self.assertResponseEquals(b.value(), self.expectedResponses)
+
+    def test_immediateABiggerTruck(self):
+        """
+        Imitate a fast connection where a so many pipelined
+        requests arrive in a single read that backpressure is indicated.
+        The request handler (L{DummyHTTPHandler}) immediately responds.
+
+        This doesn't check the at-most-one pending request
+        invariant but exercises otherwise uncovered code paths.
+        See GHSA-c8m8-j448-xjx7.
+
+        @see: L{http.HTTPChannel._optimisticEagerReadSize}
+        """
+        b = StringTransport()
+        a = http.HTTPChannel()
+        a.requestFactory = DummyHTTPHandlerProxy
+        a.makeConnection(b)
+
+        overLimitCount = a._optimisticEagerReadSize // len(self.requests) * 10
+        a.dataReceived(self.requests * overLimitCount)
+
+        self.assertResponseEquals(b.value(), self.expectedResponses * overLimitCount)
+     def test_pipeliningReadLimit(self):
+         """
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
index c55c86ea50..da83f0123a 100644
--- a/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
+++ b/meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
@@ -11,6 +11,9 @@ SRC_URI[sha256sum] = "57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba5
 PYPI_PACKAGE = "Twisted"
+SRC_URI += "file://CVE-2024-41671-0001.patch \
+            file://CVE-2024-41671-0002.patch"
 inherit pypi python_setuptools_build_meta
 do_install:append() {