helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-06-09 23:19:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
36,288 Commits 64 Branches 0 Tags
Commit Graph

36288 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Gyorgy Sarvari
15f2f350cc
fontforge: patch CVE-2025-15270 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15270

Pick the patch that mentions this vulnerbaility explicitly
in its description.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-03 08:07:23 +05:30
Gyorgy Sarvari
449999f676
fontforge: patch CVE-2025-15269 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15269

Pick the patch that refers to this vulnerability ID explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-03 08:07:23 +05:30
Gyorgy Sarvari
edc3b69cef
fontforge: patch CVE-2025-15275 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15275

Pick the patch that mentions this vulnerability ID explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-03 08:07:22 +05:30
Gyorgy Sarvari
21418bce90
fontforge: patch CVE-2025-15279 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15279

Pick the patch that mentions this vulnerability ID explicitly.
Also, this patch has caused some regression - pick the patch also
that fixed that regression.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-03 08:07:22 +05:30
Tom Geelen
7283cf8b9b
unicode-ucd: adjust to correct checksum values. 
The checksums are wrong and thus this fails to build.

Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit dc5132edf7c7464371122ea9af871406fa66635a)

Also rename the license file to avoid clashing with the previous
version in DL_DIR.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-03 08:07:18 +05:30
Trevor Gamblin
3bb2dd3414
hdf5: fix shasum, downloadfilename 
Fixes: #1023

Upstream seems to have regenerated the archive, as the checksum no
longer matches the one specified in the recipe:

|WARNING: hdf5-2.0.0-r0 do_fetch: Checksum failure encountered with download of https://support.hdfgroup.org/releases/hdf5/v2_0/v2_0_0/downloads/hdf5-2.0.0.tar.gz - will attempt other sources if available
|WARNING: hdf5-2.0.0-r0 do_fetch: Checksum mismatch for local file /buildcache/downloads/hdf5-2.0.0.tar.gz
|Cleaning and trying again.
|WARNING: hdf5-2.0.0-r0 do_fetch: Renaming /buildcache/downloads/hdf5-2.0.0.tar.gz to /buildcache/downloads/hdf5-2.0.0.tar.gz_bad-checksum_a7a8f43e76e825ea22234bc735d5b184e880d305e33e4c9bb93a3912421c9973
|ERROR: hdf5-2.0.0-r0 do_fetch: Checksum failure fetching https://support.hdfgroup.org/releases/hdf5/v2_0/v2_0_0/downloads/hdf5-2.0.0.tar.gz
|ERROR: hdf5-2.0.0-r0 do_fetch: Bitbake Fetcher Error: ChecksumError('Checksum mismatch!\nFile: \'/buildcache/downloads/hdf5-2.0.0.tar.gz\' has sha256 checksum \'a7a8f43e76e825ea22234bc735d5b184e880d305e33e4c9bb93a3912421c9973\' when \'6e45a4213cb11bb5860)
|ERROR: Logfile of failure stored in: /home/tgamblin/workspace/yocto/openembedded-core/build/tmp/work/x86-64-v3-poky-linux/hdf5/2.0.0/temp/log.do_fetch.2054297

However, the tarballs look identical. Update the hash and be explicit
about downloadfilename to avoid any mirroring issues. A note has been
left that this measure can be removed with a future upgrade.

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f0f02434c892769a307edc6728dd667f9c31a1d1)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:13:02 +05:30
Peter Marko
060d098b4f
python3-protobuf: upgrade 6.33.2 -> 6.33.5 
Solves CVE-2026-0994.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:13:01 +05:30
Liu Yiding
7529c8a3bd
python3-protobuf: upgrade 6.33.1 -> 6.33.2 
Change log:
https://github.com/protocolbuffers/protobuf/releases/tag/v33.2

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:13:01 +05:30
Gyorgy Sarvari
9e35ca9108
xrdp: patch CVE-2023-42822 
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822

Pick the patch the references the github advisory[1] and the cve ID also from
the nvd report. The patch is a backported version of the patch referenced by
the nvd report.

[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit a9fa1c5c2a83d301aa004cd16d18a516ae383042)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:13:00 +05:30
Gyorgy Sarvari
c3964035a8
xrdp: patch CVE-2023-40184 
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40184

Pick the patch that is associated with the github advisory[1], which is
a backported version of the patch that is referenced by the nvd report.

[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 259e4f9266680f4afd2c54a3a4a6358151edf41b)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:13:00 +05:30
Gyorgy Sarvari
56c1ffb74f
xrdp: patch CVE-2022-23493 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit f81041bb39d0fb10bbf3c0edcae47a65c573088c)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:59 +05:30
Gyorgy Sarvari
57d69cc4d4
xrdp: patch CVE-2022-23484 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 2578e5c17d95cdb56e3d85cecaf541d7473122f9)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:59 +05:30
Gyorgy Sarvari
d999dd3cc4
xrdp: patch CVE-2022-23483 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 8ffd8f29d5f055e390d4475c99f2d2c22f9797d9)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:59 +05:30
Gyorgy Sarvari
2f2e3c16c0
xrdp: patch CVE-2022-23482 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 31694c82e3269855fe6a9cc3614f66c4e1067589)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:58 +05:30
Gyorgy Sarvari
5655e97093
xrdp: patch CVE-2022-23481 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 64ee8f84c4edfb4d0b9b2e299e1a1afe6a6168e0)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:58 +05:30
Gyorgy Sarvari
563d8052cf
xrdp: patch CVE-2022-23480 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 71e9d02b125578593eebde2422223a9ede7265f6)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:57 +05:30
Gyorgy Sarvari
40fd2c8704
xrdp: patch CVE-2022-23479 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 19e076e66b3e3230b1fa05580e64de45a832ab13)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:57 +05:30
Gyorgy Sarvari
c1f03cbf71
xrdp: patch CVE-2022-23478 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 63b5fff9755a5849a0bbfba5447e117130efcf54)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:56 +05:30
Gyorgy Sarvari
72c3d49f78
xrdp: patch CVE-2022-23477 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit a6efc5b2850036cadb044eb8de8bde2e54c97c28)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:56 +05:30
Gyorgy Sarvari
c7570405e8
xrdp: patch CVE-2022-23468 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 1cb08277fe367850eb130c0995d85dca8e609787)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:55 +05:30
Gyorgy Sarvari
508aa14cd8
frr: patch CVE-2025-61099..61107 
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-61099
https://nvd.nist.gov/vuln/detail/CVE-2025-61100
https://nvd.nist.gov/vuln/detail/CVE-2025-61101
https://nvd.nist.gov/vuln/detail/CVE-2025-61102
https://nvd.nist.gov/vuln/detail/CVE-2025-61103
https://nvd.nist.gov/vuln/detail/CVE-2025-61104
https://nvd.nist.gov/vuln/detail/CVE-2025-61105
https://nvd.nist.gov/vuln/detail/CVE-2025-61106
https://nvd.nist.gov/vuln/detail/CVE-2025-61107

The NVD advisory refernces a PR[1] that contains only an unfinished, and
ultimately unmerged attempt at the fixes. The actual solution comes from
a different PR[2]. These patches are 3 commits from that PR. The last
commit wasn't backported, because it is just code formatting.

[1]: https://github.com/FRRouting/frr/pull/19480
[2]: https://github.com/FRRouting/frr/pull/19983

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3cd47f72ad8d3889e2ef44c63ce6414cb1a9964d)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-02-02 08:12:52 +05:30
Gyorgy Sarvari
16cd5b1b8d
libowfat: update SRC_URI 
The https link does not work anymore, it just refuses the connection.
http still works though.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8cab2b2977f7cfbbf7bf1aa617070163e2eaf002)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-21 10:28:20 +05:30
Gyorgy Sarvari
0f00860e5f
ncp: update SRC_URI 
The https link does not work anymore, it just refuses the connection.
http still works though.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8da9f2fea2e4c2f525e9357814f21b70669b8d8b)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-21 10:28:09 +05:30
Gyorgy Sarvari
7856298b5f
softhsm: fix SRC_URI branch 
The "develop" branch doesn't exist anymore, the used revision can be
found on the "main" branch.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 21df5861c7e03af154b18573939649ae65dcaa92)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-21 10:27:40 +05:30
Sanjay Chitroda
8fdc4a1e4b
recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetch 
The upstream site (landley.net) serves inconsistent content when using HTTP,
causing checksum mismatches during do_fetch. Using HTTPS ensures stable
downloads and resolves checksum failures.

Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 050ffcdea2b2ac3fcfb5bc5f39d64b60b2dd1dca)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-21 10:22:57 +05:30
Peter Marko
8462fe14b8
nginx: ignore CVE-2025-53859 for 1.28.1 
Fix is included via commit [1].

[1] fbbbf189da

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5d3936d5dd0489a984e37cc00b59e6a05d9541ac)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:24 +05:30
Gyorgy Sarvari
23efe27897
nginx: set CVE_PRODUCT 
nginx has a long history, and has used multiple CPEs
over time. Set CVE_PRODUCT to reflect current and historic
vendor:product pairs.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d25aadbbb53d54382b4b82b1f78a69d4d117fd28)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:24 +05:30
Jason Schonberg
5acd5f7386
nginx: upgrade 1.28.0 -> 1.28.1 
Drop CVE patch which has been integrated into this new version.

Solves:
* CVE-2025-53859

CHANGES:
https://nginx.org/en/CHANGES-1.28

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 222c6425644a39c9b7757792b47e500ca55f85b0)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:24 +05:30
Gyorgy Sarvari
a7e34f3531
python3-scapy: set CVE_PRODUCT 
The default ${PN} (python3-scapy) CVE fails to match relevant CVEs,
because they are tracked under the scapy:scapy CPE.

Set CVE_PRODUCT to the correct value.

See CVE db query:
sqlite> select * from products where product like '%scapy%';
CVE-2019-1010142|scapy|scapy|2.4.0|=||

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6f68f5fce766096b9d086093ca0435bc5904b8e7)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:23 +05:30
Gyorgy Sarvari
8c482ca886
tinyproxy: patch CVE-2025-63938 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938

Pick the patch referenced by the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7981f52062d444aed1759c674bd3ec024a4f232c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:23 +05:30
Khem Raj
3c515557c4
dante: Add _GNU_SOURCE for musl builds 
This helps build fixes e.g. cpuset_t definitions etc.
glibc builds have _GNU_SOURCE defined inherently.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 848bac20ea27afddc3843c41ad105843ad167177)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:22 +05:30
Gyorgy Sarvari
b42c7fbb73
dante: upgrade 1.4.3 -> 1.4.4 
License-Update: copyright year bump

Changelog:
- Fix potential security issue CVE-2024-54662, related to "socksmethod"
  use in client/hostid-rules.
- Add a missing call to setgroups(2).
- Patch to fix compilation with libminiupnp 2.2.8.
- Client connectchild optimizations.
- Client SIGIO handling improvements.
- Various configure/build fixes.
- Updated to support TCP_EXP1 version of TCP hostid format.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9f12c5fbc63143c33d6c68139cccac770817b4eb)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:22 +05:30
Ankur Tyagi
d11b64e25e
frr: upgrade 10.4.1 -> 10.4.2 
Release Notes:
https://github.com/FRRouting/frr/releases/tag/frr-10.4.2

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:21 +05:30
Gyorgy Sarvari
8d54f36c15
xerces-c: set CVE_PRODUCT 
The related CVEs are tracked with "xerces-c\+\+" (sic).

See CVE db query:
sqlite> select vendor, product, count(*) from PRODUCTs where product like '%xerces%' group by 1, 2;
apache|xerces-c\+\+|29
apache|xerces-j|2
apache|xerces2_java|3
redhat|xerces|3

Set CVE_PRODUCT accordingly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 29a272744a314564035ec4a337704eb6d31e879e)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:21 +05:30
Gyorgy Sarvari
6df897e314
lmdb: patch CVE-2026-22185 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22185

Pick the patch that is mentioned as a solution in the related upstream bug[1].

[1]: https://bugs.openldap.org/show_bug.cgi?id=10421

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e0f86a4a7f8e413c682fbd4a9c01b12b0234cd71)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:20 +05:30
Gyorgy Sarvari
d30b9a5419
boinc-client: mark CVE-2013-2018 patched 
Details: https://nvd.nist.gov/vuln/detail/CVE-2013-2018

According to oss-security email[1], version 7.0.45 included
the fixes[2][3][4]

[1]: https://www.openwall.com/lists/oss-security/2013/04/29/11
[2]: 6e205de096
[3]: e8d6c33fe1
[4]: ce3110489b

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2a78ad8813845677132ad0f1552fcaa4961c3e15)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:20 +05:30
Ankur Tyagi
b6a71017ab
influxdb: ignore CVE-2024-30896 
As mentioned in the comment[1], vulnerability is in
/api/v2/authorizations API which only exists in 2.x, 1.x is not affected.

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30896

[1] https://github.com/influxdata/influxdb/issues/24797#issuecomment-2514690740

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2f1d7a8597596d8e51a6f6f3b62e7e5f153f6e73)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:20 +05:30
Gyorgy Sarvari
6d6dbabb28
boinc-client: set CVE_PRODUCT 
The relevant CVEs are tracked with underscore in their name.

See CVE db query:
sqlite> select vendor, product, count(*) from PRODUCTs where product like '%boinc%' group by 1, 2;
berkeley|boinc_client|2
berkeley|boinc_forum|1
universityofcalifornia|boinc_client|165
universityofcalifornia|boinc_server|5

Set the CVE_PRODUCT accordingly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 31de060b48c57194ea2e6c6844d746eb59a0d056)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:19 +05:30
Gyorgy Sarvari
9cb5abd34b
asyncmqtt: set CVE_PRODUCT 
The CVEs are tracked with an underscore in the product name:

sqlite> select * from PRODUCTs where product like '%async%mq%';
CVE-2025-65503|redboltz|async_mqtt|10.2.5|=||

This patch sets the correct CVE_PRODUCT.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4da079d7f572efed610bdf1291e838d0a5fc45cc)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:19 +05:30
Gyorgy Sarvari
835f1ef688
libcereal: set CVE_PRODUCT 
The relevant CVEs are associated with usc:cereal CPE.

See CVE db query:

sqlite> select * from PRODUCTS  where PRODUCT like '%cereal%';
CVE-2020-11104|usc|cereal|||1.3.0|<=
CVE-2020-11105|usc|cereal|||1.3.0|<=

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6e936626cbccf6c17fc8b2d61fd2c7d4bcb022b5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:20 +05:30
Gyorgy Sarvari
57b188f8bc
raptor2: set CVE_PRODUCT 
All relevant CVEs are files against these CPEs.

See CVE db query (zediious vendor is not relevant):

sqlite> select * from PRODUCTs where PRODUCT like '%raptor%' and vendor <> 'symantec' and product <> 'velociraptor';
CVE-2012-0037|librdf|raptor|||2.0.7|<
CVE-2017-18926|librdf|raptor_rdf_syntax_library|2.0.15|=||
CVE-2020-25713|librdf|raptor_rdf_syntax_library|2.0.15|=||
CVE-2023-49078|zediious|raptor-web|0.4.4|=||
CVE-2024-57822|librdf|raptor_rdf_syntax_library|||2.0.16|<=
CVE-2024-57823|librdf|raptor_rdf_syntax_library|||2.0.16|<=

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 15aca0b2fa03dc25f551e84d381295c89dae8253)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:20 +05:30
Liu Yiding
5c64a792b6
libsdl3: upgrade 3.2.28 -> 3.2.30 
Changelog:
  https://github.com/libsdl-org/SDL/releases/tag/release-3.2.30

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a524aaddaceabedcfba002550eaef0b5aa10e0eb)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:19 +05:30
Ankur Tyagi
351df9d54e
libjxl: Fix build error with arm and musl 
Build fails for qemuarm with musl with following error:
/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1/lib/jxl/convolve_separable5.cc
| error: out of range pc-relative fixup value

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 63ae47a70d6d81937f5122c535d890678ed3c13e)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:19 +05:30
Ankur Tyagi
6cb598129d
mozjs-128: Fix build error with arm and musl 
Build fails for qemuarm with musl with following error:
mozglue/misc/StackWalk.o: in function `unwind_callback(_Unwind_Context*, void*)':
| /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4): undefined reference to `_Unwind_GetIP'

Referenced commit[1] for the fix, also refreshed patches.

[1] bb86629123

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 30942cebe8997dbadcd8bcd81ed0e55d42b48677)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:18 +05:30
Wang Mingyu
91193c97a3
libsdl3-image: upgrade 3.2.4 -> 3.2.6 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Release Notes:
https://github.com/libsdl-org/SDL_image/releases/tag/release-3.2.6

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:18 +05:30
Gyorgy Sarvari
6d1c5be67b
smarty: extend CVE_PRODUCT 
Some CVEs assign smarty-php as the vendor to the corresponding CPE.
E.g CVE-2024-35226[1] is tracked with smarty-php:smarty by mitre
(NVD tracks it without CPE).

[1]: https://cveawg.mitre.org/api/cve/CVE-2024-35226

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1aee6a403c1901bc7ae793a2f4581b3cdbd95c1d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:18 +05:30
Khem Raj
f3407694b8
vboxguestdrivers: Upgrade to 7.2.4 
This is a maintenance release. The following items were fixed or added:

GUI: Fixed VirtualBox VM Manager crash when host was resuming from sleep (​github:gh-121, ​github:gh-170)
GUI: Updated native language support for Traditional Chinese, Greek, Swedish, Hungarian and Indonesian translations
NAT: Fixed issue when multiple port forwarding rules affected NAT functionality (​github:gh-232)
Linux host and guest: Introduced initial support for kernel 6.18
Linux Guest Additions: Introduced additional fixes for RHEL 9.6 and 9.7 kernels (​github:GH-12)
Windows Guest Additions: Introduced additional fixes for issue when installation was failing in Windows XP SP2 guest (​github:GH-142)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
(cherry picked from commit 0ecf2814b207cc25962a3949c8265d856a355ea0)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:17 +05:30
Wang Mingyu
1b5228dcce
libdecor: upgrade 0.2.4 -> 0.2.5 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Changelog:
https://gitlab.freedesktop.org/libdecor/libdecor/-/compare/0.2.4...0.2.5?from_project_id=18349
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:17 +05:30
Wang Mingyu
d879c37905
cryptsetup: upgrade 2.8.1 -> 2.8.3 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6f41c5872d9166aa1197ce1b51f8670561548353)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:16 +05:30
Gyorgy Sarvari
5508b827fb
nodejs: remove extra CVE_PRODUCT 
CVE_PRODUCT is specified twice - the second instance only duplicates one
value from the first instance.

Remove this extra CVE_PRODUCT.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6ff92524842233efb68eb92d4bf7637ef378900d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:16 +05:30