Fixes several security vulnerabilities:
CVE-2025-49601, CVE-2025-49600, CVE-2025-52496,
CVE-2025-47917, CVE-2025-48965, CVE-2025-52497,
and CVE-2025-49087
The framework directory has been changed into a git submodule.[1][2]
The recipe now uses Git Submodule Fetcher (gitsm)
Changelog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4
[1] 8cf5666a17
[2] c90c6d8ff7
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Rootfs file differs with the same project configure, add preliminary
setting to avoid this.
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The tarball of version 0.20.0 can not be found on old SRC_URI.
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
https://goodies.xfce.org/ states "Starting this month (November 2019), a project is starting
to migrate the goodies.xfce.org documentation to https://docs.xfce.org/start. The goal is to
remove deprecated projects and, eventually, de-commission the goodies.xfce.org URLs. Additional
information will be posted on https://wiki.xfce.org/projects/goodies-decomm/start as the project
proceeds."
This patch updates the URLs being used in the HOMEPAGEs to reflect where the address is actually
resolving.
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In http://ftp.debian.org/debian/pool/main/l/logcheck/, the
tarball of version 1.4.3 is not available.
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE: CVE-2024-23337
CVE: CVE-2024-53427
CVE: CVE-2025-48060
Patches CVE-2024-23337.patch and CVE-2024-53427.patch are backported from
jq-1.8.0, and CVE-2025-48060.patch is backported from jq-1.8.1.
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function at get.c.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2025-6019:
A Local Privilege Escalation (LPE) vulnerability was found in
libblockdev. Generally, the "allow_active" setting in Polkit permits a
physically present user to take certain actions based on the session
type. Due to the way libblockdev interacts with the udisks daemon, an
"allow_active" user on a system may be able escalate to full root
privileges on the target host. Normally, udisks mounts user-provided
filesystem images with security flags like nosuid and nodev to prevent
privilege escalation. However, a local attacker can create a specially
crafted XFS image containing a SUID-root shell, then trick udisks into
resizing it. This mounts their malicious filesystem with root
privileges, allowing them to execute their SUID-root shell and gain
complete control of the system.
Refer:
https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In the SRC_URI, the branch of maintenance/3.1.x has been reomved,
which will cause do fetch error. So update as "branch=main"
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
0001-Add-recursion-check-when-parsing-unknown-fields-in-J.patch is
dropped because it has been in new version.
This upgrade also fixes CVE-2025-4565. The fix commit is as below:
d31100c91 Manually backport recursion limit enforcement to 25.x
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
When PACKAGECONFIG options like 'cxx' 'webp' and 'xml' are disabled,
certain files such as Magick++-config.im7, configure.xml, or
delegates.xml are not installed. Unconditionally running sed
on these files results in errors during do_install
Error:
sed: can't read .../image/usr/bin/Magick++-config.im7: No such file or directory
Signed-off-by: Nikhil R <nikhilr5@kpit.com>
Signed-off-by: Sana Kazi <sanakazi720@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The git server at git.pengutronix.de no longer supports the git
protocol, so switch to https.
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The git server at git.pengutronix.de no longer supports the git
protocol, so switch to https.
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
ChangeLog:
https://github.com/redis/redis/releases/tag/7.2.8
Update urgency: SECURITY: There are security fixes in the release.
Security fixes
==================
* (CVE-2025-21605) An unauthenticated client can cause an unlimited growth of output buffers
Bug fixes
=================
* #12817, #12905 Fix race condition issues between the main thread and module threads
* #13863 RANDOMKEY - infinite loop during client pause
* #13877 ShardID inconsistency when both primary and replica support it
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
When building with sensord disabled (PACKAGECONFIG = ""), do_install
would fail because it tried to build sensord which was skiped in
do_compile.
Error log:
make: *** No rule to make target 'rrd.h', needed by 'prog/sensord/rrd.rd'. Stop.
Avoid building sensord in do_install by explicitly setting PROG_EXTRA.
(master rev: fc88c96c4e40d9dbc6097c4679ac79ed55356730)
Fixes: 86b20b84ec27 (lmsensors: Clean stale files for sensord to avoid
incorrect GCC header dependencies)
Signed-off-by: Leonard Anderweit <l.anderweit@phytec.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* fixes:
https://lists.openembedded.org/g/openembedded-devel/message/117255
DEBUG: Executing shell function do_compile
* Getting build dependencies for wheel...
/usr/lib/ld-linux-aarch64.so.1: No such file or directory
Traceback (most recent call last):
File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py",
line 389, in <module>
main()
~~~~^^
File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py",
line 373, in main
json_out["return_val"] = hook(**hook_input["kwargs"])
~~~~^^^^^^^^^^^^^^^^^^^^^^^^
File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py",
line 143, in get_requires_for_build_wheel
return hook(config_settings)
File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/setuptools/build_meta.py",
line 334, in get_requires_for_build_wheel
return self._get_build_requires(config_settings, requirements=[])
~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/setuptools/build_meta.py",
line 304, in _get_build_requires
self.run_setup()
~~~~~~~~~~~~~~^^
File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/setuptools/build_meta.py",
line 320, in run_setup
exec(code, locals())
~~~~^^^^^^^^^^^^^^^^
File "<string>", line 23, in <module>
File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/posix_ipc-1.2.0/build_support/discover_system_info.py",
line 409, in discover
d["QUEUE_PRIORITY_MAX"] = sniff_mq_prio_max()
~~~~~~~~~~~~~~~~~^^
File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/posix_ipc-1.2.0/build_support/discover_system_info.py",
line 238, in sniff_mq_prio_max
if max_priority < 0:
^^^^^^^^^^^^^^^^
TypeError: '<' not supported between instances of 'str' and 'int'
ERROR Backend subprocess exited when trying to invoke
get_requires_for_build_wheel
WARNING: TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/temp/run.do_compile.2736023:168
exit 1 from 'nativepython3 -m build --no-isolation --wheel --outdir
TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/dist
TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/posix_ipc-1.2.0'
WARNING: Backtrace (BB generated script):
On some hosts.
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
If CAN_ERR_CNT is set, the snprintf_can_error_frame() bails out, as it
cannot decode CAN_ERR_CNT.
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
syslog-ng is an enhanced log daemo. Prior to version 4.8.2,
`tls_wildcard_match()` matches on certificates such as `foo.*.bar`
although that is not allowed. It is also possible to pass partial
wildcards such as `foo.a*c.bar` which glib matches but should be
avoided / invalidated. This issue could have an impact on TLS
connections, such as in man-in-the-middle situations. Version
4.8.2 contains a fix for the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-47619
Upstream patch:
12a0624e4c
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify
the adbe.pkcs7.sha1 signatures on documents, resulting in potential
signature forgeries.
CVE-2025-43903-0001 is the dependent commit and
CVE-2025-43903-0002 is the actual CVE fix.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-43903
Upstream patches:
33672ca1b6f1b9c830f1
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Poppler before 25.04.0 allows crafted input files to trigger
out-of-bounds reads in the JBIG2Bitmap::combine function in
JBIG2Stream.cc because of a misplaced isOk check.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32365
Upstream patch:
1f151565bb
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A floating-point exception in the PSStack::roll function of
Poppler before 25.04.0 can cause an application to crash when
handling malformed inputs associated with INT_MIN.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32364
Upstream patch:
d87bc726c7
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Brotli can crash nodejs (on ARM), because the memory allocated for
brotli wasn't properly aligned.
https://github.com/google/brotli/issues/1159dc035bbc9b
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
0001-Use-default-cc-from-environment-variable.patch
removed since it's not available in 1.2.0
License-Update: Reorg and rename files; add pyproject.toml
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Buffer Overflow vulnerability in msoulier tftpy commit 467017b844bf6e31745138a30e2509145b0c529c
allows a remote attacker to cause a denial of service via the parse function in the TftpPacketFactory class.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
As detailed in Pipewire documentation [0], the ALSA plugin requires
config files to be symlinked as follow:
```
The plugin will be picked up by alsa when the following files are in /etc/alsa/conf.d/:
/etc/alsa/conf.d/50-pipewire.conf -> /usr/share/alsa/alsa.conf.d/50-pipewire.conf
/etc/alsa/conf.d/99-pipewire-default.conf
```
The above symlinks are missing, thus the pipewire device is not properly
detected.
Fix this by creating the required symlinks and installing them in the
pipewire-alsa package.
[0] https://github.com/PipeWire/pipewire/blob/master/INSTALL.md#alsa-plugin
Link: https://github.com/openembedded/meta-openembedded/issues/704
Signed-off-by: Ariel D'Alessandro <ariel.dalessandro@collabora.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
After upgrading GCC—for example, from 14.1.0 to 14.2.0—building lmsensors that
was previously compiled with GCC 14.1.0 may fail with an error like:
lmsensors/3.6.0/recipe-sysroot-native/usr/lib/x86_64-wrs-linux/gcc/x86_64-wrs-linux/
14.1.0/include/stddef.h can't find, which is needed by 'prog/sensord/args.rd'.
This occurs because prog/sensord/args.rd still references stale headers from the
older GCC version.
The root cause is that stale *.rd and *.ro files under prog/sensord are not
properly cleaned during do_configure. This patch ensures those files are removed
to prevent broken dependencies when GCC is upgraded.
Also remove the same statement in do_compile.
(master rev: 86b20b84ec278cacf4975b7933d46b894d74796e)
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
ChangeLog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.3
Remove mbedtls-framework repository, as the framework is now added
as a flat directory rather than a submodule[1][2].
[1] b41194ce7f
[2] 2c824b4fe5
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
