Merge pull request #2655 from flatcar/buildbot/weekly-portage-stable-…

…package-updates-2025-02-10

Weekly portage-stable package updates 2025-02-10

changelog/security/2025-02-10-weekly-updates.md

@@ -0,0 +1,2 @@
+- socat ([CVE-2024-54661](https://nvd.nist.gov/vuln/detail/CVE-2024-54661))
+- vim ([CVE-2024-41957](https://nvd.nist.gov/vuln/detail/CVE-2024-41957), [CVE-2024-41965](https://nvd.nist.gov/vuln/detail/CVE-2024-41965), [CVE-2024-43374](https://nvd.nist.gov/vuln/detail/CVE-2024-43374), [CVE-2024-43790](https://nvd.nist.gov/vuln/detail/CVE-2024-43790), [CVE-2024-43802](https://nvd.nist.gov/vuln/detail/CVE-2024-43802), [CVE-2024-45306](https://nvd.nist.gov/vuln/detail/CVE-2024-45306), [CVE-2024-47814](https://nvd.nist.gov/vuln/detail/CVE-2024-47814))

changelog/updates/2025-02-10-weekly-updates.md

@@ -0,0 +1,9 @@
+- SDK: qemu ([9.1.2](https://wiki.qemu.org/ChangeLog/9.1) (includes [9.0](https://wiki.qemu.org/ChangeLog/9.0)))
+- base, dev: c-ares ([1.34.4](https://github.com/c-ares/c-ares/releases/tag/v1.34.4))
+- base, dev: libsemanage ([3.7](https://github.com/SELinuxProject/selinux/releases/tag/3.7))
+- base, dev: openssh ([9.9_p1](https://www.openssh.com/txt/release-9.9))
+- base, dev: policycoreutils ([3.7](https://github.com/SELinuxProject/selinux/releases/tag/3.7))
+- base, dev: semodule-utils ([3.7](https://github.com/SELinuxProject/selinux/releases/tag/3.7))
+- base, dev: socat ([1.8.0.2](https://repo.or.cz/socat.git/blob/refs/tags/tag-1.8.0.2:/CHANGES))
+- base, dev: vim ([9.1.0794](https://github.com/vim/vim/commits/v9.1.0794/))
+- sysext-python: more-itertools ([10.6.0](https://github.com/more-itertools/more-itertools/releases/tag/v10.6.0))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -22,9 +22,6 @@
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =app-crypt/clevis-19-r1 **
 
-# We need the new --provider option.
-=app-crypt/p11-kit-0.25.5 ~amd64 ~arm64
-
 # Needed by arm64-native SDK.
 =app-emulation/open-vmdk-1.0 *
 
@@ -60,8 +57,8 @@
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
 
-# Needed to address CVE-2024-11053 and CVE-2024-9681
-=net-misc/curl-8.11.1-r2 ~amd64 ~arm64
+# Needed to address CVE-2024-54661
+=net-misc/socat-1.8.0.2 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
 =net-nds/openldap-2.6.8 ~amd64
@@ -70,6 +67,8 @@
 =sys-apps/azure-vm-utils-0.4.0 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
+=sys-apps/policycoreutils-3.7 ~arm64
+=sys-apps/semodule-utils-3.7 ~arm64
 =sys-apps/zram-generator-1.2.1 ~arm64
 
 # Needed to avoid pulling python into production images.
@@ -81,8 +80,6 @@
 # Enable ipvsadm for arm64.
 =sys-cluster/ipvsadm-1.31-r1 ~arm64
 
-# Needed in SDK for Secure Boot on arm64. Also addresses CVE-2024-1298.
-=sys-firmware/edk2-bin-202408 ~amd64
-
 # Keep versions on both arches in sync.
+=sys-libs/libsemanage-3.7 ~arm64
 =sys-process/audit-4.0.2-r1 ~arm64

sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest

@@ -1,2 +1,2 @@
-DIST policycoreutils-3.6.tar.gz 755682 BLAKE2B a8b180c8006989192d152651dcfa51856956780bfe1139cc1dc0162eb66ba1eef4f7d64f68a48479572b02e2e97a68c7082722a745d22a9453e8378373319e3c SHA512 e1f32e6e0310b879a5aadab157b103314a61bf3b8fd59c1212d701fbf39900e3b9a0b727338988103d784a7e505355a871ba519dd91520b135a3b9dae40bf1b0
+DIST policycoreutils-3.7.tar.gz 757142 BLAKE2B 95794d48ef80882803199af5330f0ac4f1cee6710562a559e3d8fd94475d117286f8b612ffc5dc9027f4f8f4cd55e82ddb4d328e91d6c9846b18460c9bee159b SHA512 30e3413b15df0bf1a994d2b3a03a719f89b3ee521a708b92fcc684822152145722cb3ef28fd5b7c42b779281b0bd4d69d65c0bc2605eec1af3f388609d985500
 DIST policycoreutils-extra-1.37.tar.bz2 8809 BLAKE2B a7f6122c2e27f54b018174e962bd7f4c14af04e09bbb5300bde6967ea7f2dc5cd03b5787919a4e7f5288bcbc6747922962b5bd3b588ab1e3a035fbff4910d8f5 SHA512 0a85cd7cf279256b5e1927f9dfdd89626a1c8b77b0aeb62b496e7e8d1dccbaa315e39f9308fb2df7270f0bc1c10787b19990e7365cad74b47b61e30394c8b23f

sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild → sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.7.ebuild

@@ -1,8 +1,8 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI="7"
-PYTHON_COMPAT=( python3_{10..11} )
+EAPI="8"
+PYTHON_COMPAT=( python3_{10..12} )
 PYTHON_REQ_USE="xml(+)"
 
 inherit python-r1 toolchain-funcs bash-completion-r1
@@ -24,7 +24,7 @@ if [[ ${PV} == 9999 ]]; then
 else
 	SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
 		!vanilla? ( https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2 )"
-	KEYWORDS="amd64 arm arm64 ~mips x86"
+	KEYWORDS="amd64 ~arm ~arm64 ~riscv x86"
 	S1="${WORKDIR}/${MY_P}"
 	S2="${WORKDIR}/policycoreutils-extra"
 	S="${S1}"

sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest

@@ -1 +1 @@
-DIST libsemanage-3.6.tar.gz 182583 BLAKE2B 3ed9ef06601093983fa41ad6ab9f7eeae241dce98937db04efca6f421afcfd3f59cf5e51d24c596ae03997a398949ed84fbdf629518e3c382a5453129b0a87ab SHA512 8998b6a1b254a9673b99ae4d70a1edc769bb728a44f573cdf62e0a9c9392b77644ee2d70e1936a2f8a9a7f8b063ce98a981f4b8b7060f5b82791889330d69364
+DIST libsemanage-3.7.tar.gz 182896 BLAKE2B e8a4a9a57f1862efac7e46b33f34f2fdcd116a14487ca07f65aebed62b3914bb1892606a76ed8addcbdb111f361507294ae3c75975a10b90f5d554ba59d2562d SHA512 4b6370b02116364964ff24b93fb6629c885611de78419f649a027db38b4f1c3b3adf3b438efb34a92b49407ab8f9446ed4091fe4c99fa4752f0f5e3e31589415

sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild → sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.7.ebuild

@@ -1,8 +1,8 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
-PYTHON_COMPAT=( python3_{10..11} )
+EAPI="8"
+PYTHON_COMPAT=( python3_{10..12} )
 
 inherit python-r1 toolchain-funcs multilib-minimal
 
@@ -18,7 +18,7 @@ if [[ ${PV} == 9999 ]]; then
 	S="${WORKDIR}/${P}/${PN}"
 else
 	SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
-	KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
+	KEYWORDS="amd64 ~arm ~arm64 ~mips ~riscv x86"
 	S="${WORKDIR}/${MY_P}"
 fi
 
@@ -103,16 +103,3 @@ multiib_src_install_all() {
 		python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store
 	fi
 }
-
-pkg_postinst() {
-	# Migrate the SELinux semanage configuration store if not done already
-	local selinuxtype=$(awk -F'=' '/SELINUXTYPE=/ {print $2}' "${EROOT}"/etc/selinux/config 2>/dev/null)
-	if [ -n "${selinuxtype}" ] && [ ! -d "${EROOT}"/var/lib/selinux/${selinuxtype}/active ] ; then
-		ewarn "Since the 2.4 SELinux userspace, the policy module store is moved"
-		ewarn "from /etc/selinux to /var/lib/selinux. The migration will be run now."
-		ewarn "If there are any issues, it can be done manually by running:"
-		ewarn "/usr/libexec/selinux/semanage_migrate_store"
-		ewarn "For more information, please see"
-		ewarn "- https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration"
-	fi
-}

sdk_container/src/third_party/portage-stable/app-admin/eselect/Manifest

@@ -1,2 +1,3 @@
 DIST eselect-1.4.27.tar.xz 184464 BLAKE2B 718874f4d0651194f361ca3202e5140982812bf486c8efe82354944d55206b0113fa135992203e8baa00019c3fd773a90ddaf67157c16f4ac2d69965d9822fbd SHA512 f534785fc1f79869840f420b4ab2b2bf35593c504cce878a6d3d07f75012cf32288009ea9ac2a5607dba216a794110a64c5f2c54d5d8a3c641328489cecc024b
 DIST eselect-1.4.28.tar.xz 184692 BLAKE2B 86d1bbc0cb618f6edf49753c9f2be0f67670590ae55b8d2a8824940a5efa8462e395e1ee7f42379bd4ea64ea74f775a78e0a3a23ed565c67c3485f7e4e2d7a83 SHA512 26ac77465e2d6ab5193083c350cfd027d73ecd6d2702fc5f3db90373e92bf3722aead99c9b00b540c7972761620a485941c897854fe110454a4c6897f3f92868
+DIST eselect-1.4.29.tar.xz 185948 BLAKE2B bb387a14c81d5ff5bf2e6e703465b24140b047f1464dee3c7fc0a125c9d94544a9afd801b42d2902dd6dee1af705f7dcfad854286d7e243a0f654cec35ab8eea SHA512 0466be2634f9d632d628cb11793d604002d989c222758ed33259c6b1dede80765d80f782242b22704e890bde84b2e1e3b3fb3d31574812cc803aad64ba8e7cf6

sdk_container/src/third_party/portage-stable/app-admin/eselect/eselect-1.4.29.ebuild

@@ -0,0 +1,61 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# Packages sharing a common release tarball:
+# app-admin/eselect
+# app-emacs/eselect-mode
+# Please bump and mark them stable together!
+
+inherit bash-completion-r1
+
+DESCRIPTION="Gentoo's multi-purpose configuration and management tool"
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Eselect"
+SRC_URI="https://dev.gentoo.org/~ulm/eselect/${P}.tar.xz"
+
+LICENSE="GPL-2+ || ( GPL-2+ CC-BY-SA-4.0 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="doc emacs vim-syntax"
+
+# coreutils for realpath
+DEPEND="sys-apps/coreutils
+	sys-apps/sed"
+RDEPEND="${DEPEND}
+	sys-apps/file
+	sys-libs/ncurses:0"
+BDEPEND="doc? ( dev-python/docutils )"
+PDEPEND="emacs? ( app-emacs/eselect-mode )
+	vim-syntax? ( app-vim/eselect-syntax )"
+
+src_compile() {
+	emake
+	use doc && emake html
+}
+
+src_install() {
+	emake DESTDIR="${D}" install
+	newbashcomp misc/${PN}.bashcomp ${PN}
+	dodoc AUTHORS ChangeLog NEWS README TODO doc/*.txt
+	if use doc; then
+		docinto html
+		dodoc *.html doc/*.html doc/*.css
+	fi
+
+	# needed by news module
+	keepdir /var/lib/gentoo/news
+	if ! use prefix; then
+		fowners root:portage /var/lib/gentoo/news
+		fperms g+w /var/lib/gentoo/news
+	fi
+}
+
+pkg_postinst() {
+	# fowners in src_install doesn't work for the portage group:
+	# merging changes the group back to root
+	if ! use prefix; then
+		chgrp portage "${EROOT}/var/lib/gentoo/news" \
+			&& chmod g+w "${EROOT}/var/lib/gentoo/news"
+	fi
+}

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.6.4.ebuild

@@ -66,10 +66,6 @@ src_prepare() {
 }
 
 multilib_src_configure() {
-	# Workaround for bug #934370 (libtool-2.5.0), drop when dist tarball
-	# uses newer libtool with the fix.
-	export ac_cv_prog_ac_ct_FILECMD='file' FILECMD='file'
-
 	local myconf=(
 		--enable-threads
 		$(multilib_native_use_enable doc)

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.7.1_alpha.ebuild

@@ -66,10 +66,6 @@ src_prepare() {
 }
 
 multilib_src_configure() {
-	# Workaround for bug #934370 (libtool-2.5.0), drop when dist tarball
-	# uses newer libtool with the fix.
-	export ac_cv_prog_ac_ct_FILECMD='file' FILECMD='file'
-
 	local myconf=(
 		--enable-threads
 		$(multilib_native_use_enable doc)

sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild

@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # Remember: we cannot leverage autotools in this ebuild in order
@@ -66,10 +66,6 @@ src_prepare() {
 }
 
 multilib_src_configure() {
-	# Workaround for bug #934370 (libtool-2.5.0), drop when dist tarball
-	# uses newer libtool with the fix.
-	export ac_cv_prog_ac_ct_FILECMD='file' FILECMD='file'
-
 	local myconf=(
 		--enable-threads
 		$(multilib_native_use_enable doc)

sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest

@@ -2,3 +2,5 @@ DIST docker-cli-27.4.1-man.tar.xz 70252 BLAKE2B 3fbefe359b39cfb7eda125830dc6c8e9
 DIST docker-cli-27.4.1.tar.gz 7273057 BLAKE2B 3ebebe0e0918dd54d45c058c2922107fc2e82170c6e00540fde2c884c8f88945ceb5428fd5917014af5d35a554a0d9e83306d173ceea9c7461508b902f0023f8 SHA512 5880053d44e169b93fe50f3d4b13fa2f8f60de32a96f8ee2923a3291385532c1903027f0654a65a8eab51f29caf7b805857b491c0bfeee2e1983f822e579851e
 DIST docker-cli-27.5.0-man.tar.xz 70224 BLAKE2B 4c2a4025721fbfbb63c24e20bdbc68f3a8b2d355d57060a86190ea30ec4dc1e01eae1265a3de6077c3952e1c9d859c1c28c707caccf07260f6dabe8bf3ef5439 SHA512 4450669971503665ca644899a657c587e86edaf4462ef47bd49b09da961111e8bc27a61caf8a8dbf9a617427bb2ebf92ab8d7adb6c4f33001383e590b59cfff3
 DIST docker-cli-27.5.0.tar.gz 7462649 BLAKE2B 89ae65834c606d9ef4f8ebc9fee5052d3e12b8aa6d9f4df7c0415157b24a55e89d0758b4f5cf0e4f3f5b6ea2f9c46bfc010c604995cb5cf1d162c068ba679787 SHA512 3c7c709f38fffd4d4e134d2abd7e6dc606e1cba765d36924a53f9470d6077be2282983eb23995bd56d772da253a69a854fe3112fea1a7ed2c9a1b70d2cc45b57
+DIST docker-cli-27.5.1-man.tar.xz 70236 BLAKE2B 82bf35e1b2ec149aa64ee5c72691a1af790e02e85c02c7078f6d2cff0c52143f64270467b00cf6410b6b80cf5088b15dc0bf87b98df0091bc61fa000b4dcec29 SHA512 6cec8418851dd4226e38319038b621e4697458b18496a0a4bacf1473007d5242a56af66d2a0d90f64bd5a9ccce1777c6c0788bc649c0e6cc38be1ecf63bd64da
+DIST docker-cli-27.5.1.tar.gz 7462515 BLAKE2B cd2970ac46092bc040ebb663d1dc3bcd488f1c2e8dfc81b36f937c22cb4becbf79f8d4f537cf482d59fa032e86a183b3c4c781ccda09de68be217347320ad9d6 SHA512 165bd5984786fe6fa6398d6e2b1757ce013a91434317339b360721327d4f74bd52fe0ec3936ae3a0665f0fbbf2cd2c49bd2c503783c25651f8d91a172e1c2d3e

sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-27.5.1.ebuild

@@ -0,0 +1,68 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 go-module
+MY_PV=${PV/_/-}
+
+# update this on every bump
+GIT_COMMIT=9f9e4058019a37304dc6572ffcbb409d529b59d8
+
+DESCRIPTION="the command line binary for docker"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/docker/cli/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-man.tar.xz"
+S="${WORKDIR}/cli-${PV}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
+IUSE="hardened selinux"
+
+RDEPEND="selinux? ( sec-policy/selinux-docker )"
+
+RESTRICT="installsources strip test"
+
+src_unpack() {
+	default
+	cd "${S}"
+	ln -s vendor.mod go.mod
+	ln -s vendor.sum go.sum
+}
+
+src_prepare() {
+	default
+	sed -i 's@dockerd\?\.exe@@g' contrib/completion/bash/docker || die
+}
+
+src_compile() {
+	export DISABLE_WARN_OUTSIDE_CONTAINER=1
+	# setup CFLAGS and LDFLAGS for separate build target
+	# see https://github.com/tianon/docker-overlay/pull/10
+	CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
+	CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
+		emake \
+		LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
+		VERSION="${PV}" \
+		GITCOMMIT="${GIT_COMMIT}" \
+		dynbinary
+}
+
+src_install() {
+	dobin build/docker
+	doman "${WORKDIR}"/man/man?/*
+	dobashcomp contrib/completion/bash/docker
+	bashcomp_alias docker dockerd
+	insinto /usr/share/fish/vendor_completions.d/
+	doins contrib/completion/fish/docker.fish
+	insinto /usr/share/zsh/site-functions
+	doins contrib/completion/zsh/_*
+}
+
+pkg_postinst() {
+	has_version "app-containers/docker-buildx" && return
+	ewarn "the 'docker build' command is deprecated and will be removed in a"
+	ewarn "future release. If you need this functionality, install"
+	ewarn "app-containers/docker-buildx."
+}

sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest

@@ -1,2 +1,3 @@
 DIST docker-27.4.1.tar.gz 16837429 BLAKE2B da2e915944a0260619b1e036b43d40f5cbff66f07182153c0ae238ecbcecdfe2066473887882fdaaffa5ef29e2328211f1d07ba3a5239381f9e82d34d9da43fe SHA512 3d77708f7373c1b58b1c46428c2cfc9e8985076e494e40ab86709f37a686cf92b9e2c9db5aa34293f728bb7ccd6a7e08e0cbb1c6d20acfd025c4c787d5908dc0
 DIST docker-27.5.0.tar.gz 17076981 BLAKE2B 20dfdb9fb3d594520f063352c28ccc7a936ec2dc0cd6d04737c2d8c78c54db024ac33fc986ddf06cbe4f496b27bd6e63cc3a2532f3c36b83cf8f9eca0dbae3a2 SHA512 89245805edebd7d43d5b47a38aba115239c20448fc10bce5a1605f99951a303ba360456a54815ffc5346cdd97ddd08657df1881c97f79066e9e2bd075af542da
+DIST docker-27.5.1.tar.gz 17077765 BLAKE2B dc6bfa960fc5c8c45629284dcdaddd6df3295dea2259ebf003900efbb24a4f4719030b5e12baaa87e4c1e3ecf27e1c4ef9e3f9b2fccef1541908fbee4ebecbc8 SHA512 6080fa59efa5b35b23bbd363569df7261783ab2527cda9c391f0853b58b55e34824b4a6019e0366aaed5cfaba5ff70b253dcc90b1b77149a85eea0c282d05bdf