1 files changed, 40 insertions, 12 deletions

diff --git a/PKGBUILD b/PKGBUILD
index fd52073ff04..2483ec55798 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,7 +7,7 @@
 #pkgbase=linux               # Build stock -ARCH kernel
 pkgbase=linux-macbook       # Build kernel with a different name
 _srcname=linux-4.14
-pkgver=4.14.4
+pkgver=4.14.9
 pkgrel=1
 arch=('x86_64')
 url="https://www.kernel.org/"
@@ -23,13 +23,19 @@ source=(
   '60-linux.hook'  # pacman hook for depmod
   '90-linux.hook'  # pacman hook for initramfs regeneration
   'linux.preset'   # standard config files for mkinitcpio ramdisk
-  'macbook-wakeup.service' # service file for suspend/resume events
-  'apple-gmux.patch' # linux-macbook specific patches
-  'PCI-Work-around-poweroff-suspend-to-RAM-issue-on-Mac.patch'
-  'RFC-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch'
-  'RFC-v2-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch'
-  'intel-pstate-backport.patch'
-  '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch'
+  macbook-wakeup.service # service file for suspend/resume events
+  apple-gmux.patch # linux-macbook specific patches
+  PCI-Work-around-poweroff-suspend-to-RAM-issue-on-Mac.patch
+  RFC-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch
+  RFC-v2-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch
+  intel-pstate-backport.patch
+  0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+  0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+  0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+  0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+  0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+  0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+  0001-ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
 )
 validpgpkeys=(
   'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
@@ -37,9 +43,9 @@ validpgpkeys=(
 )
 sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
             'SKIP'
-            'e9dcf9aad5977289940cd6e3762af02b87a725ba6c1a9f4af86958dc621e3a84'
+            '5edc955bb67b04c7ed426b1df17a3e322e32ad9fdda9c6abb53ab6eca7faf704'
             'SKIP'
-            '12a7bd958a820315d8d8be7544976e8a8aa1fb7aa27fcf8377ca68317e3e70a9'
+            '4d12ed868b05720c3d263c8454622c67bdee6969400049d7adac7b00907ad195'
             'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
             '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
             'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
@@ -49,7 +55,13 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
             '7c99aaeaea7837f83a3ad215cf07277934ccf39720acee7f1c371dc86bdf89fc'
             '09189eb269a9fd16898cf90a477df23306236fb897791e8d04e5a75d5007bbff'
             '3d9fdbb4bee270efa6eef1d8e40a5ae562a87d5a2edae629e0829cc51714de13'
-            '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85')
+            '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85'
+            'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3'
+            '1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2'
+            'ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32'
+            '64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00'
+            '3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb'
+            '95f0d0a94983b0dafd295f660a663f9be5ef2fcb9646098426a5d12b59f50638')
 
 _kernelname=${pkgbase#linux}
 
@@ -83,9 +95,25 @@ prepare() {
   patch -p1 -F1 -i \
     "${srcdir}/RFC-v2-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch"
 
-  # https://bugs.archlinux.org/task/56207
+  # disable USER_NS for non-root users by default
   patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
 
+  # https://bugs.archlinux.org/task/56575
+  patch -Np1 -i ../0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+
+  # https://nvd.nist.gov/vuln/detail/CVE-2017-8824
+  patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+
+  # https://bugs.archlinux.org/task/56605
+  patch -Np1 -i ../0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+  patch -Np1 -i ../0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+
+  # https://bugs.archlinux.org/task/56846
+  patch -Np1 -i ../0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+
+  # https://bugs.archlinux.org/task/56830
+  patch -Np1 -i ../0001-ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
+
   cp -Tf ../config .config
 
   if [ "${_kernelname}" != "" ]; then