!55 [sync] PR-53: Fix CVE-2022-47184 and CVE-2023-33933

From: @openeuler-sync-bot 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia

CVE-2022-47184.patch

@@ -0,0 +1,105 @@
+From c371b7b21a7e774f852af86b85c87d5d877a14bd Mon Sep 17 00:00:00 2001
+From: Bryan Call <bcall@apache.org>
+Date: Tue, 6 Jun 2023 15:23:04 -0700
+Subject: [PATCH] Deny the TRACE method by default (#9788)
+
+(cherry picked from commit 105af3ca30e59fbb89013e83a484a04559b4cf25)
+---
+ configs/ip_allow.yaml.default                      | 4 +++-
+ doc/admin-guide/files/ip_allow.yaml.en.rst         | 9 ++++++---
+ tests/gold_tests/autest-site/min_cfg/ip_allow.yaml | 4 +++-
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/configs/ip_allow.yaml.default b/configs/ip_allow.yaml.default
+index ff3627d23e8..16db1d2845a 100644
+--- a/configs/ip_allow.yaml.default
++++ b/configs/ip_allow.yaml.default
+@@ -24,7 +24,7 @@
+ # Rules are applied in the order listed starting from the top.
+ # That means you generally want to append your rules after the ones listed here.
+ #
+-# Allow anything on localhost, limit destructive methods elsewhere.
++# Allow anything on localhost, limit destructive and debug methods elsewhere.
+ ip_allow:
+   - apply: in
+     ip_addrs: 127.0.0.1
+@@ -41,6 +41,7 @@ ip_allow:
+       - PURGE
+       - PUSH
+       - DELETE
++      - TRACE
+   - apply: in
+     ip_addrs: ::/0
+     action: deny
+@@ -48,3 +49,4 @@ ip_allow:
+       - PURGE
+       - PUSH
+       - DELETE
++      - TRACE
+diff --git a/doc/admin-guide/files/ip_allow.yaml.en.rst b/doc/admin-guide/files/ip_allow.yaml.en.rst
+index 1f1843e21ac..db2e58dfa46 100644
+--- a/doc/admin-guide/files/ip_allow.yaml.en.rst
++++ b/doc/admin-guide/files/ip_allow.yaml.en.rst
+@@ -60,6 +60,7 @@ Format
+          - PURGE
+          - PUSH
+          - DELETE
++         - TRACE
+      - apply: in
+        ip_addrs: ::/0
+        action: deny
+@@ -67,6 +68,7 @@ Format
+          - PURGE
+          - PUSH
+          - DELETE
++         - TRACE
+ 
+ Each rule is a mapping. The YAML data must have a top level key of "ip_allow" and its value must
+ be a mapping or a sequence of mappings, each of those being one rule.
+@@ -106,7 +108,8 @@ the specified methods are denied and all other methods are allowed.
+ For example, from the default configuration, the rule for ``127.0.0.1`` is ``allow`` with all
+ methods. Therefore an inbound connection from the loopback address (127.0.0.1) is allowed to use any
+ method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule and therefore when it
+-matches the methods "PURGE", "PUSH", and "DELETE", these methods are denied and any other method is allowed.
++matches the methods "PURGE", "PUSH", "DELETE", and "TRACE", these methods are denied and any other method
++is allowed.
+ 
+ The rules are matched in order, by IP address, therefore the general IPv4 rule does not apply to the
+ loopback address because the latter is matched first.
+@@ -224,8 +227,8 @@ As a final example, here is the default configuration in compact form::
+    ip_allow: [
+      { apply: in, ip_addrs: 127.0.0.1, action: allow },
+      { apply: in, ip_addrs: "::1", action: allow },
+-     { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE ] },
+-     { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE ] }
++     { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] },
++     { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] }
+      ]
+ 
+ .. note::
+diff --git a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
+index d13c27516ac..841286477cb 100644
+--- a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
++++ b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
+@@ -13,7 +13,7 @@
+ #  or implied. See the License for the specific language governing permissions and limitations under
+ #  the License.
+ 
+-# Allow anything on localhost, limit destructive methods elsewhere.
++# Allow anything on localhost, limit destructive and debug methods elsewhere.
+ ip_allow:
+   - apply: in
+     ip_addrs: 127.0.0.1
+@@ -34,6 +34,7 @@ ip_allow:
+       - PURGE
+       - PUSH
+       - DELETE
++      - TRACE
+   - apply: in
+     ip_addrs: ::/0
+     action: deny
+@@ -41,3 +42,4 @@ ip_allow:
+       - PURGE
+       - PUSH
+       - DELETE
++      - TRACE

CVE-2023-33933.patch

@@ -0,0 +1,202 @@
+From 726a79cb2f70fcbe0e2139aab3fe56930d3d8c27 Mon Sep 17 00:00:00 2001
+From: Masakazu Kitajo <maskit@apache.org>
+Date: Thu, 8 Jun 2023 02:27:52 +0900
+Subject: [PATCH] s3_auth: Fix hash calculation (#9779)
+
+(cherry picked from commit 867c48c1adf9e795c8d85c48d2d0f07f08aa87ec)
+---
+ plugins/s3_auth/aws_auth_v4.cc                 |  5 +++++
+ plugins/s3_auth/aws_auth_v4.h                  |  1 +
+ plugins/s3_auth/aws_auth_v4_wrap.h             |  5 +++++
+ plugins/s3_auth/unit_tests/test_aws_auth_v4.cc | 14 ++++++++++++++
+ plugins/s3_auth/unit_tests/test_aws_auth_v4.h  |  7 +++++++
+ 5 files changed, 32 insertions(+)
+
+diff --git a/plugins/s3_auth/aws_auth_v4.cc b/plugins/s3_auth/aws_auth_v4.cc
+index 3f9aea0..6ba76d8 100644
+--- a/plugins/s3_auth/aws_auth_v4.cc
++++ b/plugins/s3_auth/aws_auth_v4.cc
+@@ -303,6 +303,11 @@ getCanonicalRequestSha256Hash(TsInterface &api, bool signPayload, const StringSe
+   str = api.getPath(&length);
+   String path("/");
+   path.append(str, length);
++  str = api.getParams(&length);
++  if (length > 0) {
++    path.append(";", 1);
++    path.append(str, length);
++  }
+   String canonicalUri = canonicalEncode(path, /* isObjectName */ true);
+   sha256Update(&canonicalRequestSha256Ctx, canonicalUri);
+   sha256Update(&canonicalRequestSha256Ctx, "\n");
+diff --git a/plugins/s3_auth/aws_auth_v4.h b/plugins/s3_auth/aws_auth_v4.h
+index 865a199..984bc62 100644
+--- a/plugins/s3_auth/aws_auth_v4.h
++++ b/plugins/s3_auth/aws_auth_v4.h
+@@ -47,6 +47,7 @@ public:
+   virtual const char *getMethod(int *length) = 0;
+   virtual const char *getHost(int *length)   = 0;
+   virtual const char *getPath(int *length)   = 0;
++  virtual const char *getParams(int *length) = 0;
+   virtual const char *getQuery(int *length)  = 0;
+   virtual HeaderIterator headerBegin()       = 0;
+   virtual HeaderIterator headerEnd()         = 0;
+diff --git a/plugins/s3_auth/aws_auth_v4_wrap.h b/plugins/s3_auth/aws_auth_v4_wrap.h
+index 72221c3..3ed858a 100644
+--- a/plugins/s3_auth/aws_auth_v4_wrap.h
++++ b/plugins/s3_auth/aws_auth_v4_wrap.h
+@@ -108,6 +108,11 @@ public:
+     return TSUrlPathGet(_bufp, _url, len);
+   }
+   const char *
++  getParams(int *len) override
++  {
++    return TSUrlHttpParamsGet(_bufp, _url, len);
++  }
++  const char *
+   getQuery(int *len) override
+   {
+     return TSUrlHttpQueryGet(_bufp, _url, len);
+diff --git a/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc b/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc
+index 595fe00..a11213c 100644
+--- a/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc
++++ b/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc
+@@ -404,6 +404,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Object", "[AWS][auth][SpecByExample]")
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("test.txt");
++  api._params.assign("");
+   api._query.assign("");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Range", "bytes=0-9"));
+@@ -449,6 +450,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket Lifecycle", "[AWS][auth][SpecByExamp
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("lifecycle");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
+@@ -493,6 +495,7 @@ TEST_CASE("AWSAuthSpecByExample: Get Bucket List Objects", "[AWS][auth][SpecByEx
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
+@@ -584,6 +587,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket List Objects, unsigned pay-load, exc
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD"));
+@@ -633,6 +637,7 @@ TEST_CASE("AWSAuthSpecByExample: GET Bucket List Objects, query param value alre
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("PATH==");
++  api._params.assign("");
+   api._query.assign("key=TEST==");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD"));
+@@ -679,6 +684,7 @@ TEST_CASE("S3AuthV4UtilParams: signing multiple same name fields", "[AWS][auth][
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -777,6 +783,7 @@ TEST_CASE("S3AuthV4UtilParams: include all headers explicit", "[AWS][auth][SpecB
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -812,6 +819,7 @@ TEST_CASE("S3AuthV4UtilParams: exclude all headers explicit", "[AWS][auth][utili
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -847,6 +855,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude non overlapping headers", "[AWS][
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -881,6 +890,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers", "[AWS][auth
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -916,6 +926,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers missing inclu
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -951,6 +962,7 @@ TEST_CASE("S3AuthV4UtilParams: include/exclude overlapping headers missing exclu
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -989,6 +1001,7 @@ TEST_CASE("S3AuthV4UtilParams: include content type", "[AWS][auth][utility]")
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("Content-Type", "gzip"));
+@@ -1022,6 +1035,7 @@ TEST_CASE("S3AuthV4UtilParams: include missing content type", "[AWS][auth][utili
+   api._method.assign("GET");
+   api._host.assign("examplebucket.s3.amazonaws.com");
+   api._path.assign("");
++  api._params.assign("");
+   api._query.assign("max-keys=2&prefix=J");
+   api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
+   api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD"));
+diff --git a/plugins/s3_auth/unit_tests/test_aws_auth_v4.h b/plugins/s3_auth/unit_tests/test_aws_auth_v4.h
+index e295d75..e4eb454 100644
+--- a/plugins/s3_auth/unit_tests/test_aws_auth_v4.h
++++ b/plugins/s3_auth/unit_tests/test_aws_auth_v4.h
+@@ -95,6 +95,12 @@ public:
+     return _path.c_str();
+   }
+   const char *
++  getParams(int *length)
++  {
++    *length = _params.length();
++    return _params.c_str();
++  }
++  const char *
+   getQuery(int *length)
+   {
+     *length = _query.length();
+@@ -114,6 +120,7 @@ public:
+   String _method;
+   String _host;
+   String _path;
++  String _params;
+   String _query;
+   HeaderMultiMap _headers;
+ };
+-- 
+2.30.0
+

Modify-storage.config-for-traffic_cache_tool.patch

@@ -0,0 +1,26 @@
+From c12d4f5a9d9e3858d4b668ffc37240b160260d5f Mon Sep 17 00:00:00 2001
+From: wk333 <13474090681@163.com>
+Date: Mon, 26 Sep 2022 09:33:45 +0800
+Subject: [PATCH 1/1] Modify storage.config for traffic_cache_tool
+
+---
+ configs/storage.config.default.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/configs/storage.config.default.in b/configs/storage.config.default.in
+index 0bd9384..0c56d83 100644
+--- a/configs/storage.config.default.in
++++ b/configs/storage.config.default.in
+@@ -27,7 +27,8 @@
+ #          assuming prefix of '@prefix@'
+ #      @rel_cachedir@ 512M
+ #
+-#
++# Note: The traffic_cache_tool command does not support directories
++# Refer: https://github.com/apache/trafficserver/issue/5168
+ #############################################################
+ ##              O_DIRECT Specific Configuration            ##
+ #############################################################
+-- 
+2.27.0
+

config-layout-openEuler.patch

@@ -0,0 +1,35 @@
+diff --git a/config.layout b/config.layout
+index da63e89..d46bfaf 100644
+--- a/config.layout
++++ b/config.layout
+@@ -219,6 +219,27 @@
+     cachedir:      /var/cache+
+ </Layout>
+ 
++#   openEuler Linux TrafficServer path layout.
++<Layout openEuler>
++    prefix:        /usr
++    exec_prefix:   ${prefix}
++    bindir:        ${exec_prefix}/bin
++    sbindir:       ${exec_prefix}/sbin
++    libdir:        ${exec_prefix}/lib64+
++    libexecdir:    ${libdir}/plugins
++    infodir:       ${prefix}/share/info
++    mandir:        ${prefix}/share/man
++    sysconfdir:    ${prefix}/etc+
++    datadir:       ${prefix}/share+
++    docdir:        ${prefix}/share/doc+
++    installbuilddir: ${datadir}/build
++    includedir:    ${prefix}/include
++    localstatedir: ${prefix}/var+
++    runtimedir:    ${localstatedir}/run
++    logdir:        ${localstatedir}/log
++    cachedir:      ${localstatedir}/cache
++</Layout>
++
+ #   OpenBSD path layout.
+ <Layout OpenBSD>
+     prefix:        /usr/local
+-- 
+2.27.0
+

trafficserver.spec

@@ -1,14 +1,20 @@
 %define _hardened_build 1
 Name:                trafficserver
-Version:             9.1.3
-Release:             1
+Version:             9.1.4
+Release:             2
 Summary:             Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 License:             Apache-2.0
 URL:                 https://trafficserver.apache.org/
 Source0:             http://www.apache.org/dist/%{name}/%{name}-%{version}.tar.bz2
 Patch0000:           Add-openeuler-support.patch
 Patch0001:           Fix-status-failure-after-stopping-service.patch
-Patch0002:           Fix-log-in-debug-mode.patch    
+Patch0002:           Fix-log-in-debug-mode.patch
+Patch0003:           config-layout-openEuler.patch
+Patch0004:           Modify-storage.config-for-traffic_cache_tool.patch
+# https://github.com/apache/trafficserver/commit/c371b7b21a7e774f852af86b85c87d5d877a14bd
+Patch0005:           CVE-2022-47184.patch
+# https://github.com/apache/trafficserver/commit/726a79cb2f70fcbe0e2139aab3fe56930d3d8c27
+Patch0006:           CVE-2023-33933.patch
 BuildRequires:       expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel
 BuildRequires:       libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker
 BuildRequires:       libcap-devel cmake libunwind-devel automake
@@ -35,14 +41,13 @@ This package contains some Perl APIs for talking to the ATS management port.
 %autosetup -n %{name}-%{version} -p1
 
 %build
-%configure \
-  --enable-layout=Gentoo \
+autoreconf
+./configure \
+  --enable-layout=openEuler \
   --libdir=%{_libdir}/trafficserver \
   --libexecdir=%{_libdir}/trafficserver/plugins \
-  --sysconfdir=%{_sysconfdir}/trafficserver \
   --enable-experimental-plugins \
   --with-user=ats --with-group=ats \
-  %{DISABLE_UNWIND} \
   --disable-silent-rules
 make %{?_smp_mflags} V=1
 
@@ -84,7 +89,7 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{!?_licensedir:%global license %%doc}
 %license LICENSE
 %doc README CHANGELOG* NOTICE STATUS
-%config(noreplace) /etc/trafficserver/*
+%config(noreplace) /usr/etc/trafficserver/*
 %{_bindir}/traffic_*
 %{_bindir}/tspush
 %dir %{_libdir}/trafficserver
@@ -92,12 +97,12 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{_libdir}/trafficserver/libts*.so*
 %{_libdir}/trafficserver/plugins/*.so
 /lib/systemd/system/trafficserver.service
-%attr(0755, ats, ats) %dir /etc/trafficserver
-%attr(0755, ats, ats) %dir /var/log/trafficserver
-%attr(0755, ats, ats) %dir /run/trafficserver
-%attr(0755, ats, ats) %dir /var/cache/trafficserver
-%attr(0644, ats, ats) /etc/trafficserver/*.config
-%attr(0644, ats, ats) /etc/trafficserver/*.yaml
+%attr(0755, ats, ats) %dir /usr/etc/trafficserver
+%attr(0755, ats, ats) %dir /usr/var/trafficserver/log
+%attr(0755, ats, ats) %dir /usr/var/trafficserver/run
+%attr(0755, ats, ats) %dir /usr/var/trafficserver/cache
+%attr(0644, ats, ats) /usr/etc/trafficserver/*.config
+%attr(0644, ats, ats) /usr/etc/trafficserver/*.yaml
 
 %files perl
 %defattr(-,root,root,-)
@@ -112,6 +117,21 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{_datadir}/pkgconfig/trafficserver.pc
 
 %changelog
+* Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 9.1.4-2
+- Fix CVE-2022-47184 and CVE-2023-33933
+
+* Tue Dec 27 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 9.1.4-1
+- Update to 9.1.4 to fix CVE-2022-37392 and CVE-2022-32749 and CVE-2022-40743
+
+* Mon Sep 26 2022 wangkai <wangkai385@h-partners.com> - 9.1.3-4
+- Modify storage.config for traffic_cache_tool
+
+* Wed Sep 07 2022 wangkai <wangkai385@h-partners.com> - 9.1.3-3
+- Add log,run,cache dir
+
+* Tue Aug 30 2022 wangkai <wangkai385@h-partners.com> - 9.1.3-2
+- Fix traffic_layout remove core dumped
+
 * Mon Aug 22 2022 panyanshuang <panyanshuang@ncti-gba.cn> - 9.1.3-1
 - Update to 9.1.3 to  fix CVE-2022-31779