31053 Commits

Author SHA1 Message Date
Ankur Tyagi
d8cc4e4400 postgresql: upgrade 16.12 -> 16.14
Also refreshed patches to resolve patch fuzz QA issue.

Bug fix releases
https://www.postgresql.org/docs/release/16.13/
https://www.postgresql.org/docs/release/16.14/

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-25 08:05:43 +05:30
Jérémie Dautheribes (Schneider Electric )
91c3393ce0 python3-backports-zstd: add recipe
This recipe was previously part of the master branch but was removed
because the zstd module was integrated into the Python standard library
starting from Python 3.14.

Since Scarthgap uses Python 3.12, restore and update this recipe for users
on this branch.

Signed-off-by: Jérémie Dautheribes (Schneider Electric) <jeremie.dautheribes@bootlin.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-25 08:05:43 +05:30
Theo Gaige (Schneider Electric)
29653f38cd
nginx: patch CVE-2026-42946
Backport patches [1] and [2] mentioned in [3].

[1] baef7fdac2

[2] 39d7d0ba07

[3] https://security-tracker.debian.org/tracker/CVE-2026-42946

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:23 +05:30
Theo Gaige (Schneider Electric)
96870679e8
nginx: patch CVE-2026-42945
Backport patch [1] mentioned in [2].

[1] 524977e7c5

[2] https://security-tracker.debian.org/tracker/CVE-2026-42945

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:22 +05:30
Theo Gaige (Schneider Electric)
b7758e9380
nginx: patch CVE-2026-42934
Backport patch [1] mentioned in [2].

[1] 54b7945961

[2] https://security-tracker.debian.org/tracker/CVE-2026-42934

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:22 +05:30
Theo Gaige (Schneider Electric)
167e8b64dd
nginx: patch CVE-2026-40701
Backport patch [1] mentioned in [2].

[1] d2b8d47741

[2] https://security-tracker.debian.org/tracker/CVE-2026-40701

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:21 +05:30
Hugo SIMELIERE (Schneider Electric)
f1d78e9527
dnsmasq: Fix CVE-2026-5172
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.

[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-5172.patch

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:21 +05:30
Hugo SIMELIERE (Schneider Electric)
7dda8e9bd7
dnsmasq: Fix CVE-2026-4893
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.

[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4893.patch

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:20 +05:30
Hugo SIMELIERE (Schneider Electric)
e614003e0a
dnsmasq: Fix CVE-2026-4892
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.

[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4892.patch

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:20 +05:30
Hugo SIMELIERE (Schneider Electric)
cab6f6c603
dnsmasq: Fix CVE-2026-4891
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.

[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4891.patch

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:19 +05:30
Hugo SIMELIERE (Schneider Electric)
59f8c396f9
nss: Fix CVE-2026-2781
Pick patch from [1] as 3.9X upstream mirror backport of [2] mentioned in Debian report in [3].

[1] 870d3b013e
[2] https://hg-edge.mozilla.org/projects/nss/rev/245385e16fa6
[3] https://security-tracker.debian.org/tracker/CVE-2026-2781

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:15 +05:30
Theo Gaige
7acc744194
dash: fix CVE-2026-31323
Backport upstream fix for CVE-2026-31323 [1].

[1] https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3

Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:48 +05:30
Hitendra Prajapati
a587f53a0e
strongswan: fix for CVE-2026-35334
Pick patch according to [1]

[1] https://download.strongswan.org/security/CVE-2026-35334
[2] https://www.strongswan.org/blog/2026/04/22/strongswan-vulnerability-(cve-2026-35334).html
[3] https://security-tracker.debian.org/tracker/CVE-2026-35334

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:48 +05:30
Sudhir Dumbhare
9f70f8d461
libssh: set status for CVE-2025-14821
The vulnerability is Windows-specific and depends on loading
configuration from C:\etc, which does not apply to Linux/Yocto builds

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-14821
https://github.com/advisories/GHSA-5jf9-8f86-jhvw
https://www.libssh.org/security/advisories/CVE-2025-14821.txt

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:48 +05:30
Ankur Tyagi
797f2baebe
nanomsg: upgrade 1.2.1 -> 1.2.2
Changelog:
https://github.com/nanomsg/nanomsg/releases/tag/1.2.2

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:47 +05:30
Ankur Tyagi
c756576c1c
postfix: upgrade 3.8.12 -> 3.8.16
3.8.13
http://www.postfix.org/announcements/postfix-3.10.6.html

3.8.14
http://www.postfix.org/announcements/postfix-3.10.7.html

3.8.15
http://www.postfix.org/announcements/postfix-3.10.8.html

3.8.16
http://www.postfix.org/announcements/postfix-3.11.2.html

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:47 +05:30
Ankur Tyagi
100da99a04
lcms: patch CVE-2026-42798
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-42798

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:46 +05:30
Ankur Tyagi
49a682f2ed
lcms: patch CVE-2026-41254
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254

Backport the patches referenced by the NVD advisory.

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:46 +05:30
Ankur Tyagi
fdd887bc29
frr: patch CVE-2026-28532
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-28532

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:45 +05:30
Ankur Tyagi
764a8f2154
firewalld: upgrade 1.3.2 -> 1.3.4
https://github.com/firewalld/firewalld/releases/tag/v1.3.3
https://github.com/firewalld/firewalld/releases/tag/v1.3.4

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:45 +05:30
Liyin Zhang
9f64ff03f5
apache2: upgrade 2.4.66 -> 2.4.67
Security fixes:
- CVE-2026-34059
- CVE-2026-34032
- CVE-2026-33857
- CVE-2026-33523
- CVE-2026-33007
- CVE-2026-33006
- CVE-2026-29169
- CVE-2026-29168
- CVE-2026-28780
- CVE-2026-24072
- CVE-2026-23918

See: https://archive.apache.org/dist/httpd/CHANGES_2.4.67

Signed-off-by: Liyin Zhang <liyin.zhang.cn@windriver.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:44 +05:30
Ankur Tyagi
92b5798115
exiftool: ignore CVE-2026-7580
The impacted function mentioned in the nvd[1] was introduced in v12.82[2],
hence we can ignore this CVE.

[1]https://nvd.nist.gov/vuln/detail/CVE-2026-7580
[2]280a7f0db7

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:44 +05:30
Jason Schonberg
5fe0fb19e7
php: upgrade 8.2.30 -> 8.2.31
This is a security release.

Changelog: https://www.php.net/ChangeLog-8.php#8.2.31

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:43 +05:30
Het Patel
90a0e3bf89
open-vm-tools: Add entry to CVE_PRODUCT to support the product name
- Added 'vmware:open_vm_tools' to CVE_PRODUCT to align with the NVD
CPE and ensure accurate CVE reporting.

Signed-off-by: Het Patel <hetpat@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9b69587ecb92b3acb7b3092217357de9c1be14e6)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:43 +05:30
Het Patel
aaa594e19e
onig: Add CVE_PRODUCT to support product name
- Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE
reporting.

Signed-off-by: Het Patel <hetpat@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7bc5268662f1428bdbca08e14d223aa6b62e87f3)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:43 +05:30
Het Patel
9500d05195
abseil-cpp: Add CVE_PRODUCT to support product name
- Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE
reporting.

Signed-off-by: Het Patel <hetpat@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a428ea90c08fc93ce5e39612974323aad26d1ef3)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:42 +05:30
Gyorgy Sarvari
3fd10def49
python3-ecdsa: set CVE_PRODUCT
Set the correct CVE_PRODUCT value, the default python: ecdsa doesn't
match relevant entries.

The correct values were taken from the CVE db, by checking which CVEs
are relevant.

See CVE db query:
sqlite> select * from products where product like '%ecdsa%';
CVE-2019-14853|python-ecdsa_project|python-ecdsa|||0.13.3|<
CVE-2019-14859|python-ecdsa_project|python-ecdsa|||0.13.3|<
CVE-2020-12607|antonkueltz|fastecdsa|||2.1.2|<
CVE-2021-43568|starkbank|elixir_ecdsa|1.0.0|=||
CVE-2021-43569|starkbank|ecdsa-dotnet|1.3.2|=||
CVE-2021-43570|starkbank|ecdsa-java|1.0.0|=||
CVE-2021-43571|starkbank|ecdsa-node|1.1.2|=||
CVE-2021-43572|starkbank|ecdsa-python|||2.0.1|<
CVE-2022-24884|ecdsautils_project|ecdsautils|||0.4.1|<
CVE-2024-21502|antonkueltz|fastecdsa|||2.3.2|<
CVE-2024-23342|tlsfuzzer|ecdsa|||0.18.0|<=

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7f962ef1557a291545646470c03fd9c4a23eb7d9)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:42 +05:30
Peter Marko
6b76759967
python-grpcio(-tools): add grpc:grpc to cve product
These grpc python modules contain parts of grpc core.
Each CVE needs to be assessed if the patch applies also to core parts
included in each module.

Note that so far there was never a CVE specific for python module, only
for grpc:grpc and many of those needed to be fixed at leasts in grpcio:

sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product;
grpc|grpc|21
grpck|grpck|1
linuxfoundation|grpc_swift|9
microsoft|grpconv|1
opentelemetry|configgrpc|1

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f993cb2ecb62193bcce8d3d0e06e180a7fef44b8)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:41 +05:30
Hitendra Prajapati
fb4ebd1200
wireshark: fix for CVE-2025-13946
Pick patch from [1] also mentioned at NVD report in [2]

[1] https://gitlab.com/wireshark/wireshark/-/issues/20884
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13946
[3] https://security-tracker.debian.org/tracker/CVE-2025-13946

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:37 +05:30
Khem Raj
ae7dfb1224
jq: Stick to C17 until next release
Patches are sprinkled in master branch of jq but the backports
regresses tests, so its better to keep it at C17 for now.

Backport: changed from += to :append to apply to all target, native
and nativesdk builds.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-05 06:57:17 +05:30
Mikko Rapeli
a9b7af632e onig: fix gcc 15 build
With backport from upstream 6.9.10.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 12:56:07 +05:30
Ankur Tyagi
964065663c jq: patch CVE-2026-39979
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979

Ptests passed:
root@qemux86:~# ptest-runner jq
START: ptest-runner
2026-04-26T11:09
BEGIN: /usr/lib/jq/ptest
PASS: optionaltest
PASS: mantest
PASS: jqtest
PASS: onigtest
PASS: shtest
PASS: utf8test
PASS: base64test
=== Test Summary ===
TOTAL: 7
PASSED: 7
FAILED: 0
SKIPPED: 0
DURATION: 44
END: /usr/lib/jq/ptest
2026-04-26T11:10
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
6cbaf81a01 jq: patch CVE-2026-33948
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
18de8de0ef jq: patch CVE-2026-33947
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
9bdfbd20b2 jq: patch CVE-2026-32316
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Hitendra Prajapati
fdf83ebd28 python3-pillow: fix CVE-2026-40192
Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2].

[1] 3cb854e8b2
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-40192
[3] https://security-tracker.debian.org/tracker/CVE-2026-40192

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
955189fbcb libssh: Fix CVE-2026-0965
Backport the patch [1] as mentioned in [2]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=bf390a042623e02abc8f421c4c5fadc0429a8a76
[2] https://security-tracker.debian.org/tracker/CVE-2026-0965

Ptests passed:
root@qemux86:~# ptest-runner libssh
START: ptest-runner
2026-04-28T04:44
BEGIN: /usr/lib/libssh/ptest
...
...
DURATION: 269
END: /usr/lib/libssh/ptest
2026-04-28T04:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
0f64da2ab9 libssh: patch CVE-2026-0967
Backport patch [1] as mentioned in [2]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=6d74aa6138895b3662bade9bd578338b0c4f8a15
[2] https://security-tracker.debian.org/tracker/CVE-2026-0967

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
015b974b6b libssh: patch CVE-2026-0968
Backport patches [1] and [2] as mentioned in [3]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9
[2] https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03
[3] https://security-tracker.debian.org/tracker/CVE-2026-0968

Certain functions from sftp.c were moved to a new file sftp_common.c
in version 0.11.0 by following commit:
https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a

This is the backport of the changes using the original file sftp.c

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Gyorgy Sarvari
5ce7602ce1 corosync: patch CVE-2026-35092
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092

Pick the patch that mentions the CVE ID explicitly (the same commit
was identified by Debian also[1])

[1]: https://security-tracker.debian.org/tracker/CVE-2026-35092

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit af73e716bc7150ae8d912d8af00f6995e25f2031)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Gyorgy Sarvari
985cc4d384 corosync: patch CVE-2026-35091
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091

Pick the patch that mentions the CVE ID explicitly (it was identified
by Debian also as the fix[1])

[1]: https://security-tracker.debian.org/tracker/CVE-2026-35091

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 701b22fda35648efc333d6e6e7abd8e70aa49870)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
9a19b0f3cb opensc: patch CVE-2025-66215
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66215

Backport the patches referenced by the PR[1] mentioned in the nvd.
Dropped the formatting commit from the backport.

[1] https://github.com/OpenSC/OpenSC/pull/3436

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
91858e7ff9 opensc: patch CVE-2025-66038
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66038

Backport the patch referenced by the wiki[1] mentioned in the nvd.

[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
a02592adda opensc: patch CVE-2025-66037
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66037

Backport the patch referenced by the wiki[1] mentioned in the nvd.

[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
886f7d221a opensc: patch CVE-2025-49010
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49010

Backport the patch referenced by the wiki[1] mentioned in the nvd.

[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Gyorgy Sarvari
22a2ae9646 openjpeg: patch CVE-2026-6192
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192

Backport the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 09050325e6e0736beccc40d125e56430054b7cb8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Daniel Turull
383ff86953 jq: fix CVE-2026-40164
Backport patch to fix CVE-2026-40164.

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Hitendra Prajapati
7ba6689d13 nginx: fix CVE-2026-32647
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160366
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647
[3] a172c880cb

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Khem Raj
bed3ecfe03 krb5: Backport additional fixes to build on clang
Enabling additional warning tightens the function prototype checks
and clang goes a step ahead to flag void foo() as well it should be
void foo(void)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Martin Jansa <martin.jansa@gmail.com>
(cherry picked from commit 37cc472e44ef5b2b8c0ae8b5bcebf875fa9dd5be)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Michael Opdenacker
32081787dc kernel-hardening-checker: update 0.6.10.2 -> 0.6.17.1
Following the update on master.

This version reports more hardening issues:
128 "failures" instead of 113 on the same kernel.

Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30