13647 Commits

Author SHA1 Message Date
Gyorgy Sarvari
626bcb7f86
imagemagick: patch CVE-2025-65955
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-65955

Pick the patch that is mentioned by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:56 +05:30
Gyorgy Sarvari
24e4caa837
imagemagick: patch CVE-2025-62171
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62171

Pick the patch that's mentioned by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:56 +05:30
Gyorgy Sarvari
aeb80bb058
imagemagick: patch CVE-2025-57807
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57807

Backport the patch that's mentioned in the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:55 +05:30
Gyorgy Sarvari
9d92eeacdf
imagemagick: patch CVE-2025-57803
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57803

Backport the patch that is mentioned in the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:55 +05:30
Gyorgy Sarvari
29fa171a9d
imagemagick: patch CVE-2025-55212
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55212

Backport the patch that is mentioned in the NVD advisory.

Notes about the backport:
The original patch deletes two extra lines compared to the backport:
those lines were a previous attempt[1] to solve the same vulnerability,
and the final patch reverted them. Since that patch wasn't part of the
recipe, those deletions were dropped from the backported patch.

The PerceptibleReciprocal function was renamed[2] to MagickSafeReciprocal
after the recipe's revision, but there were no functional changes
in the function's behavior.

[1]: 43d92bf855
[2]: https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e9

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:54 +05:30
Gyorgy Sarvari
118df68d25
imagemagick: patch CVE-2025-55160
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55160

Pick the patch that mentions the related github advisory[1]
in its commit message.

[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:54 +05:30
Gyorgy Sarvari
dd13a60248
imagemagick: patch CVE-2025-55154
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55154

Pick the patch that mentions the related github advisory[1]
in its commit message.

[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:53 +05:30
Gyorgy Sarvari
df19121bc6
imagemagick: patch CVE-2025-55005
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55005

Pick the patch that mentions the related github advisory[1] in its
commit message.

[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v393-38qx-v8fp

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:53 +05:30
Gyorgy Sarvari
b32dcf53ce
imagemagick: patch CVE-2025-55004
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55004

Pick the patch that mentions the related github advisory[1] explicitly in
its commit message.

[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:52 +05:30
Gyorgy Sarvari
2d4ca24273
imagemagick: patch CVE-2025-53101
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53101

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:52 +05:30
Gyorgy Sarvari
482f541705
imagemagick: patch CVE-2025-53019
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53019

Pick the commit that is marked as a fix at the bottom of the relevant
github advisory[1].

[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:51 +05:30
Gyorgy Sarvari
7c479d21cd
imagemagick: patch CVE-2025-53015
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53015

Backport the patches marked as a solution at the bottom of the relevant
github advisory[1].

[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:51 +05:30
Gyorgy Sarvari
e9916715c9
imagemagick: patch CVE-2025-53014
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53014

Pick the commit that is mentioned as a solution at the bottom of
the relevant Github advisory[1].

[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:50 +05:30
Gyorgy Sarvari
80175b4a47
imagemagick: mark CVE-2023-5341 as patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-5341

The fix[1] mentioned in the NVD report has been part of the recipe since
7.1.1-19.

[1]: aa673b2e4d

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:50 +05:30
Gyorgy Sarvari
90fdbcf82b
imagemagick: upgrade 7.1.1-26 -> 7.1.1-47
Contains fixes for CVE-2024-41817, CVE-2025-43965 and CVE-2025-46393

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:50 +05:30
Sanjay Chitroda
3835a88f94
recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetch
The upstream site (landley.net) serves inconsistent content when using HTTP,
causing checksum mismatches during do_fetch. Using HTTPS ensures stable
downloads and resolves checksum failures.

Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:50:49 +05:30
Gyorgy Sarvari
2b26d30fc7
atop: patch CVE-2025-31160
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31160

Backport the patch that's subject references the CVE id explicitly.

I was able to verify the patch with a reproducer[1] (which is mentioned
in a reference[2] in the nvd report). Without the patch atop crashed,
with the patch it worked fine (both with and without -k/-K flags).

[1]: https://blog.bismuth.sh/blog/bismuth-found-the-atop-bug
[2]: https://gist.github.com/kallsyms/3acdf857ccc5c9fbaae7ed823be0365e

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:16 +05:30
Gyorgy Sarvari
cf81094887
zabbix: patch CVE-2025-49643
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49643

The actual patch was identified by checking the file that was modified
in the tag 6.0.42, and also by looking at the Jira item referenced by it:
the patch references DEV-4466, the same ID that is referenced in the
Jira ticket[1] referenced by the NVD report (look in the "All Activity" tab).

[1]: https://support.zabbix.com/browse/ZBX-27284

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:15 +05:30
Ankur Tyagi
19d7eedf67
freerdp3: patch CVE-2025-68118
Details https://nvd.nist.gov/vuln/detail/CVE-2025-68118

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:12 +05:30
Ankur Tyagi
c8f7748616
cups-filters: patch CVE-2025-64524
Details https://nvd.nist.gov/vuln/detail/CVE-2025-64524

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:11 +05:30
Hitendra Prajapati
44bdb70034
krb5: fix for CVE-2024-3596
Upstream-Status: Backport from 871125fea8

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:11 +05:30
Gyorgy Sarvari
3e322cb550
postgresql: upgrade 16.10 -> 16.11
This is a bugfix release.
Contains fixes for CVE-2025-12817 and CVE-2025-12818.

Changelog: https://www.postgresql.org/docs/16/release-16-11.html

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:04 +05:30
Gyorgy Sarvari
9dea9286a0
fio: ignore CVE-2025-10824
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824

The upstream maintainer wasn't able to reproduce the issue[1],
and the related bug is closed without further action.

[1]: https://github.com/axboe/fio/issues/1981

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a275078cbeaa0fafcfa4eb60ca69f05a8fe3df99)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:04 +05:30
Gyorgy Sarvari
fe9360051e
minio: ignore irrelevant CVEs
The minio umbrella covers multiple projects. The recipe itself builds
"minio client", which is a set of basic tools to query data from
"minio server" - like ls, mv, find...

The CVEs were files against minio server. Looking at the go mod list,
this recipe doesn't use minio server even as a build dependency - so ignore
the CVEs.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit df462075be855c60117af661dbce1836c652fc16)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:03 +05:30
Vrushti Dabhi
6553182380
p7zip 16.02: Fix CVE-2022-47069
Upstream Repository: https://sourceforge.net/projects/p7zip/

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
Type: Security Fix
CVE: CVE-2022-47069
Score: 7.8

Note:
- Commit [1] updates complete p7zip archive source for v17 and includes changes
that fixes CVE-2022-47609, adapted fix related changes in current p7zip v16.02.
- Similar changes via [2] have been integrated into the upstream 7zip package,
which replaced p7zip 16.02 in OE-Core master.
For the testing:
- Verified fix using steps mentioned at [3], trace not observed.
- Validated against known malicious ZIP samples [3]

References:
[1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
[2] https://github.com/ip7z/7zip/commit/f19f813537c7
[3] https://sourceforge.net/p/p7zip/bugs/241/
[4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069

Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:07:59 +05:30
Deepak Rathore
e76bf51a92
redis: Refine CVE-2022-0543 status description
Refine the CVE_STATUS description for CVE-2022-0543 to provide
a more precise explanation of this Debian-specific vulnerability.

The vulnerability originates from Debian's packaging methodology,
which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack),
enabling Lua sandbox escape. Upstream Redis builds, including
those built by Yocto/OpenEmbedded, utilize embedded Lua from the
deps/ directory and are therefore not affected by this issue.

It is also fixed in Debian with this commit:
c7fd665150

References:
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
- https://nvd.nist.gov/vuln/detail/CVE-2022-0543

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7675392aa7c1bf27b8993d08936bc4bc84d1508d)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-22 07:49:04 +05:30
Ankur Tyagi
1c7b69ee0b
editorconfig-core-c: patch CVE-2024-53849
Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-17 11:45:21 +05:30
Ankur Tyagi
d9148434ad
flatpak: patch CVE-2024-42472
Details https://nvd.nist.gov/vuln/detail/CVE-2024-42472

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-17 11:45:21 +05:30
Ankur Tyagi
af50080591
libcupsfilters: patch CVE-2025-57812
Details https://nvd.nist.gov/vuln/detail/CVE-2025-57812

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-17 11:45:20 +05:30
Ankur Tyagi
a0292cd209
jasper: patch CVE-2024-31744
Details https://nvd.nist.gov/vuln/detail/CVE-2024-31744

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-17 11:45:20 +05:30
Viswanath Kraleti
d9e1f6f274
gflags: switch Git branch from master to main
Update SRC_URI to use the 'main' branch instead of 'master' since
the upstream GitHub repository has renamed its default branch.

Signed-off-by: Viswanath Kraleti <viswanath.kraleti@oss.qualcomm.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-11 08:00:54 +05:30
Sudhir Dumbhare
e0dbf0bcd3
hdf5 1.14.4-3: fix CVE-2025-2912
Upstream Repository: https://github.com/HDFGroup/hdf5.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2912
Type: Security Fix
CVE: CVE-2025-2912
Score: 4.8
Patch: https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a

Analysis:
- CVE-2025-2913 was previously fixed by [1], which is also addresses CVE-2025-2912
  as noted in [4].
- NVD [2] references the GitHub discussion [3] for CVE-2025-2912, and we successfully
  reproduced the issue following the steps outlined there.
- Applied the fix from [4] and verified resolution using the reproduction steps.
- The same patch [4] is already included in OE-scarthgap [5] for CVE-2025-2913.
- Therefore, reused the patch from [5] to resolve CVE-2025-2912.

References:
[1] https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-2912
[3] https://github.com/HDFGroup/hdf5/issues/5370#issue-2917388806
[4] https://github.com/HDFGroup/hdf5/issues/5370#issuecomment-3542881855
[5] https://git.openembedded.org/meta-openembedded/commit/meta-oe/recipes-support/hdf5?h=scarthgap&id=b42e6eb3e51a

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-11 08:00:53 +05:30
Ankur Tyagi
b7fd86557f
smarty: update CVE_PRODUCT
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-11 08:00:23 +05:30
Deepak Rathore
b09a12e166
hdf5 1.14.4-3: Fix CVE tag format in patches
- The CVE tags in multiple hdf5 patches were using comma-separated
format which caused false positives in CVE reports.
- Multiple CVEs should be separated by space in CVE-ID.patch file as
per recipe style guide in Yocto documentation so CVE report tool can
scan those CVEs and mark it as patched.

Fixed the following patches:
- CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch
- CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch
- CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch

Reference:
- https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#cve-patches

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-05 17:46:25 +05:30
Gyorgy Sarvari
a9fa1c5c2a
xrdp: patch CVE-2023-42822
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822

Pick the patch the references the github advisory[1] and the cve ID also from
the nvd report. The patch is a backported version of the patch referenced by
the nvd report.

[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:11 +05:30
Gyorgy Sarvari
259e4f9266
xrdp: patch CVE-2023-40184
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40184

Pick the patch that is associated with the github advisory[1], which is
a backported version of the patch that is referenced by the nvd report.

[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:11 +05:30
Gyorgy Sarvari
f81041bb39
xrdp: patch CVE-2022-23493
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:10 +05:30
Gyorgy Sarvari
2578e5c17d
xrdp: patch CVE-2022-23484
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:10 +05:30
Gyorgy Sarvari
8ffd8f29d5
xrdp: patch CVE-2022-23483
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:09 +05:30
Gyorgy Sarvari
31694c82e3
xrdp: patch CVE-2022-23482
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:09 +05:30
Gyorgy Sarvari
64ee8f84c4
xrdp: patch CVE-2022-23481
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:08 +05:30
Gyorgy Sarvari
71e9d02b12
xrdp: patch CVE-2022-23480
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:08 +05:30
Gyorgy Sarvari
19e076e66b
xrdp: patch CVE-2022-23479
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:07 +05:30
Gyorgy Sarvari
63b5fff975
xrdp: patch CVE-2022-23478
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:07 +05:30
Gyorgy Sarvari
a6efc5b285
xrdp: patch CVE-2022-23477
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:06 +05:30
Gyorgy Sarvari
1cb08277fe
xrdp: patch CVE-2022-23468
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:02 +05:30
Anuj Mittal
5a52615450
pidgin: fix reproducibility issues
Backport changes fixing reproducibility issues from master:

    9697fd958e      Yoann Congal    pidgin: Upgrade to 2.14.13

Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 11:23:31 +05:30
yuyu
9e4f627941
trace-cmd: Update SRC_URI to use HTTPS protocol
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f00b6ad12f2fead06487711c48544b3dd62bb987)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:37:26 +05:30
Yi Zhao
7e74032909
crash: add zlib-native to depends for crash-cross
Fix the following error when using buildtools-extended:

va_server.c:20:10: fatal error: zlib.h: No such file or directory
   20 | #include <zlib.h>
      |          ^~~~~~~~

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bd745115de76de7242e3e7e69b29f1ae507fea13)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:34:21 +05:30
Gyorgy Sarvari
8f602e1cfa
redis: handle CVE-2025-27151
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27151

In redis 7 this is already patched[1], and the recipe contains the
fix.
For redis 6 backport the relevant patch (which is referenced in the
nvd report)

[1]: d0eeee6e31

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:31:33 +05:30