meta-openembedded

mirror of git://git.openembedded.org/meta-openembedded synced 2026-06-09 22:31:05 +00:00

Author	SHA1	Message	Date
Gyorgy Sarvari	449999f676	fontforge: patch CVE-2025-15269 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15269 Pick the patch that refers to this vulnerability ID explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-03 08:07:23 +05:30
Gyorgy Sarvari	edc3b69cef	fontforge: patch CVE-2025-15275 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15275 Pick the patch that mentions this vulnerability ID explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-03 08:07:22 +05:30
Gyorgy Sarvari	21418bce90	fontforge: patch CVE-2025-15279 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15279 Pick the patch that mentions this vulnerability ID explicitly. Also, this patch has caused some regression - pick the patch also that fixed that regression. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-03 08:07:22 +05:30
Tom Geelen	7283cf8b9b	unicode-ucd: adjust to correct checksum values. The checksums are wrong and thus this fails to build. Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit dc5132edf7c7464371122ea9af871406fa66635a) Also rename the license file to avoid clashing with the previous version in DL_DIR. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-03 08:07:18 +05:30
Trevor Gamblin	3bb2dd3414	hdf5: fix shasum, downloadfilename Fixes: #1023 Upstream seems to have regenerated the archive, as the checksum no longer matches the one specified in the recipe: \|WARNING: hdf5-2.0.0-r0 do_fetch: Checksum failure encountered with download of https://support.hdfgroup.org/releases/hdf5/v2_0/v2_0_0/downloads/hdf5-2.0.0.tar.gz - will attempt other sources if available \|WARNING: hdf5-2.0.0-r0 do_fetch: Checksum mismatch for local file /buildcache/downloads/hdf5-2.0.0.tar.gz \|Cleaning and trying again. \|WARNING: hdf5-2.0.0-r0 do_fetch: Renaming /buildcache/downloads/hdf5-2.0.0.tar.gz to /buildcache/downloads/hdf5-2.0.0.tar.gz_bad-checksum_a7a8f43e76e825ea22234bc735d5b184e880d305e33e4c9bb93a3912421c9973 \|ERROR: hdf5-2.0.0-r0 do_fetch: Checksum failure fetching https://support.hdfgroup.org/releases/hdf5/v2_0/v2_0_0/downloads/hdf5-2.0.0.tar.gz \|ERROR: hdf5-2.0.0-r0 do_fetch: Bitbake Fetcher Error: ChecksumError('Checksum mismatch!\nFile: \'/buildcache/downloads/hdf5-2.0.0.tar.gz\' has sha256 checksum \'a7a8f43e76e825ea22234bc735d5b184e880d305e33e4c9bb93a3912421c9973\' when \'6e45a4213cb11bb5860) \|ERROR: Logfile of failure stored in: /home/tgamblin/workspace/yocto/openembedded-core/build/tmp/work/x86-64-v3-poky-linux/hdf5/2.0.0/temp/log.do_fetch.2054297 However, the tarballs look identical. Update the hash and be explicit about downloadfilename to avoid any mirroring issues. A note has been left that this measure can be removed with a future upgrade. Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Reviewed-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f0f02434c892769a307edc6728dd667f9c31a1d1) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:13:02 +05:30
Peter Marko	060d098b4f	python3-protobuf: upgrade 6.33.2 -> 6.33.5 Solves CVE-2026-0994. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:13:01 +05:30
Liu Yiding	7529c8a3bd	python3-protobuf: upgrade 6.33.1 -> 6.33.2 Change log: https://github.com/protocolbuffers/protobuf/releases/tag/v33.2 Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:13:01 +05:30
Gyorgy Sarvari	9e35ca9108	xrdp: patch CVE-2023-42822 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822 Pick the patch the references the github advisory[1] and the cve ID also from the nvd report. The patch is a backported version of the patch referenced by the nvd report. [1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit a9fa1c5c2a83d301aa004cd16d18a516ae383042) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:13:00 +05:30
Gyorgy Sarvari	c3964035a8	xrdp: patch CVE-2023-40184 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40184 Pick the patch that is associated with the github advisory[1], which is a backported version of the patch that is referenced by the nvd report. [1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 259e4f9266680f4afd2c54a3a4a6358151edf41b) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:13:00 +05:30
Gyorgy Sarvari	56c1ffb74f	xrdp: patch CVE-2022-23493 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit f81041bb39d0fb10bbf3c0edcae47a65c573088c) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:59 +05:30
Gyorgy Sarvari	57d69cc4d4	xrdp: patch CVE-2022-23484 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 2578e5c17d95cdb56e3d85cecaf541d7473122f9) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:59 +05:30
Gyorgy Sarvari	d999dd3cc4	xrdp: patch CVE-2022-23483 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 8ffd8f29d5f055e390d4475c99f2d2c22f9797d9) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:59 +05:30
Gyorgy Sarvari	2f2e3c16c0	xrdp: patch CVE-2022-23482 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 31694c82e3269855fe6a9cc3614f66c4e1067589) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:58 +05:30
Gyorgy Sarvari	5655e97093	xrdp: patch CVE-2022-23481 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 64ee8f84c4edfb4d0b9b2e299e1a1afe6a6168e0) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:58 +05:30
Gyorgy Sarvari	563d8052cf	xrdp: patch CVE-2022-23480 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 71e9d02b125578593eebde2422223a9ede7265f6) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:57 +05:30
Gyorgy Sarvari	40fd2c8704	xrdp: patch CVE-2022-23479 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 19e076e66b3e3230b1fa05580e64de45a832ab13) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:57 +05:30
Gyorgy Sarvari	c1f03cbf71	xrdp: patch CVE-2022-23478 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 63b5fff9755a5849a0bbfba5447e117130efcf54) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:56 +05:30
Gyorgy Sarvari	72c3d49f78	xrdp: patch CVE-2022-23477 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit a6efc5b2850036cadb044eb8de8bde2e54c97c28) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:56 +05:30
Gyorgy Sarvari	c7570405e8	xrdp: patch CVE-2022-23468 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 1cb08277fe367850eb130c0995d85dca8e609787) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:55 +05:30
Gyorgy Sarvari	508aa14cd8	frr: patch CVE-2025-61099..61107 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61099 https://nvd.nist.gov/vuln/detail/CVE-2025-61100 https://nvd.nist.gov/vuln/detail/CVE-2025-61101 https://nvd.nist.gov/vuln/detail/CVE-2025-61102 https://nvd.nist.gov/vuln/detail/CVE-2025-61103 https://nvd.nist.gov/vuln/detail/CVE-2025-61104 https://nvd.nist.gov/vuln/detail/CVE-2025-61105 https://nvd.nist.gov/vuln/detail/CVE-2025-61106 https://nvd.nist.gov/vuln/detail/CVE-2025-61107 The NVD advisory refernces a PR[1] that contains only an unfinished, and ultimately unmerged attempt at the fixes. The actual solution comes from a different PR[2]. These patches are 3 commits from that PR. The last commit wasn't backported, because it is just code formatting. [1]: https://github.com/FRRouting/frr/pull/19480 [2]: https://github.com/FRRouting/frr/pull/19983 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 3cd47f72ad8d3889e2ef44c63ce6414cb1a9964d) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:12:52 +05:30
Gyorgy Sarvari	16cd5b1b8d	libowfat: update SRC_URI The https link does not work anymore, it just refuses the connection. http still works though. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8cab2b2977f7cfbbf7bf1aa617070163e2eaf002) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-21 10:28:20 +05:30
Gyorgy Sarvari	0f00860e5f	ncp: update SRC_URI The https link does not work anymore, it just refuses the connection. http still works though. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8da9f2fea2e4c2f525e9357814f21b70669b8d8b) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-21 10:28:09 +05:30
Gyorgy Sarvari	7856298b5f	softhsm: fix SRC_URI branch The "develop" branch doesn't exist anymore, the used revision can be found on the "main" branch. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 21df5861c7e03af154b18573939649ae65dcaa92) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-21 10:27:40 +05:30
Sanjay Chitroda	8fdc4a1e4b	recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetch The upstream site (landley.net) serves inconsistent content when using HTTP, causing checksum mismatches during do_fetch. Using HTTPS ensures stable downloads and resolves checksum failures. Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 050ffcdea2b2ac3fcfb5bc5f39d64b60b2dd1dca) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-21 10:22:57 +05:30
Peter Marko	8462fe14b8	nginx: ignore CVE-2025-53859 for 1.28.1 Fix is included via commit [1]. [1] `fbbbf189da` Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 5d3936d5dd0489a984e37cc00b59e6a05d9541ac) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:24 +05:30
Gyorgy Sarvari	23efe27897	nginx: set CVE_PRODUCT nginx has a long history, and has used multiple CPEs over time. Set CVE_PRODUCT to reflect current and historic vendor:product pairs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d25aadbbb53d54382b4b82b1f78a69d4d117fd28) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:24 +05:30
Jason Schonberg	5acd5f7386	nginx: upgrade 1.28.0 -> 1.28.1 Drop CVE patch which has been integrated into this new version. Solves: * CVE-2025-53859 CHANGES: https://nginx.org/en/CHANGES-1.28 Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 222c6425644a39c9b7757792b47e500ca55f85b0) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:24 +05:30
Gyorgy Sarvari	a7e34f3531	python3-scapy: set CVE_PRODUCT The default ${PN} (python3-scapy) CVE fails to match relevant CVEs, because they are tracked under the scapy:scapy CPE. Set CVE_PRODUCT to the correct value. See CVE db query: sqlite> select * from products where product like '%scapy%'; CVE-2019-1010142\|scapy\|scapy\|2.4.0\|=\|\| Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6f68f5fce766096b9d086093ca0435bc5904b8e7) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:23 +05:30
Gyorgy Sarvari	8c482ca886	tinyproxy: patch CVE-2025-63938 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938 Pick the patch referenced by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 7981f52062d444aed1759c674bd3ec024a4f232c) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:23 +05:30
Khem Raj	3c515557c4	dante: Add _GNU_SOURCE for musl builds This helps build fixes e.g. cpuset_t definitions etc. glibc builds have _GNU_SOURCE defined inherently. Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 848bac20ea27afddc3843c41ad105843ad167177) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:22 +05:30
Gyorgy Sarvari	b42c7fbb73	dante: upgrade 1.4.3 -> 1.4.4 License-Update: copyright year bump Changelog: - Fix potential security issue CVE-2024-54662, related to "socksmethod" use in client/hostid-rules. - Add a missing call to setgroups(2). - Patch to fix compilation with libminiupnp 2.2.8. - Client connectchild optimizations. - Client SIGIO handling improvements. - Various configure/build fixes. - Updated to support TCP_EXP1 version of TCP hostid format. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9f12c5fbc63143c33d6c68139cccac770817b4eb) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:22 +05:30
Ankur Tyagi	d11b64e25e	frr: upgrade 10.4.1 -> 10.4.2 Release Notes: https://github.com/FRRouting/frr/releases/tag/frr-10.4.2 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:21 +05:30
Gyorgy Sarvari	8d54f36c15	xerces-c: set CVE_PRODUCT The related CVEs are tracked with "xerces-c\+\+" (sic). See CVE db query: sqlite> select vendor, product, count(*) from PRODUCTs where product like '%xerces%' group by 1, 2; apache\|xerces-c\+\+\|29 apache\|xerces-j\|2 apache\|xerces2_java\|3 redhat\|xerces\|3 Set CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 29a272744a314564035ec4a337704eb6d31e879e) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:21 +05:30
Gyorgy Sarvari	6df897e314	lmdb: patch CVE-2026-22185 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22185 Pick the patch that is mentioned as a solution in the related upstream bug[1]. [1]: https://bugs.openldap.org/show_bug.cgi?id=10421 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e0f86a4a7f8e413c682fbd4a9c01b12b0234cd71) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:20 +05:30
Gyorgy Sarvari	d30b9a5419	boinc-client: mark CVE-2013-2018 patched Details: https://nvd.nist.gov/vuln/detail/CVE-2013-2018 According to oss-security email[1], version 7.0.45 included the fixes[2][3][4] [1]: https://www.openwall.com/lists/oss-security/2013/04/29/11 [2]: `6e205de096` [3]: `e8d6c33fe1` [4]: `ce3110489b` Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 2a78ad8813845677132ad0f1552fcaa4961c3e15) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:20 +05:30
Ankur Tyagi	b6a71017ab	influxdb: ignore CVE-2024-30896 As mentioned in the comment[1], vulnerability is in /api/v2/authorizations API which only exists in 2.x, 1.x is not affected. Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30896 [1] https://github.com/influxdata/influxdb/issues/24797#issuecomment-2514690740 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 2f1d7a8597596d8e51a6f6f3b62e7e5f153f6e73) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:20 +05:30
Gyorgy Sarvari	6d6dbabb28	boinc-client: set CVE_PRODUCT The relevant CVEs are tracked with underscore in their name. See CVE db query: sqlite> select vendor, product, count(*) from PRODUCTs where product like '%boinc%' group by 1, 2; berkeley\|boinc_client\|2 berkeley\|boinc_forum\|1 universityofcalifornia\|boinc_client\|165 universityofcalifornia\|boinc_server\|5 Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 31de060b48c57194ea2e6c6844d746eb59a0d056) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:19 +05:30
Gyorgy Sarvari	9cb5abd34b	asyncmqtt: set CVE_PRODUCT The CVEs are tracked with an underscore in the product name: sqlite> select * from PRODUCTs where product like '%async%mq%'; CVE-2025-65503\|redboltz\|async_mqtt\|10.2.5\|=\|\| This patch sets the correct CVE_PRODUCT. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 4da079d7f572efed610bdf1291e838d0a5fc45cc) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:17:19 +05:30
Gyorgy Sarvari	835f1ef688	libcereal: set CVE_PRODUCT The relevant CVEs are associated with usc:cereal CPE. See CVE db query: sqlite> select * from PRODUCTS where PRODUCT like '%cereal%'; CVE-2020-11104\|usc\|cereal\|\|\|1.3.0\|<= CVE-2020-11105\|usc\|cereal\|\|\|1.3.0\|<= Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6e936626cbccf6c17fc8b2d61fd2c7d4bcb022b5) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:20 +05:30
Gyorgy Sarvari	57b188f8bc	raptor2: set CVE_PRODUCT All relevant CVEs are files against these CPEs. See CVE db query (zediious vendor is not relevant): sqlite> select * from PRODUCTs where PRODUCT like '%raptor%' and vendor <> 'symantec' and product <> 'velociraptor'; CVE-2012-0037\|librdf\|raptor\|\|\|2.0.7\|< CVE-2017-18926\|librdf\|raptor_rdf_syntax_library\|2.0.15\|=\|\| CVE-2020-25713\|librdf\|raptor_rdf_syntax_library\|2.0.15\|=\|\| CVE-2023-49078\|zediious\|raptor-web\|0.4.4\|=\|\| CVE-2024-57822\|librdf\|raptor_rdf_syntax_library\|\|\|2.0.16\|<= CVE-2024-57823\|librdf\|raptor_rdf_syntax_library\|\|\|2.0.16\|<= Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 15aca0b2fa03dc25f551e84d381295c89dae8253) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:20 +05:30
Liu Yiding	5c64a792b6	libsdl3: upgrade 3.2.28 -> 3.2.30 Changelog: https://github.com/libsdl-org/SDL/releases/tag/release-3.2.30 Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a524aaddaceabedcfba002550eaef0b5aa10e0eb) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:19 +05:30
Ankur Tyagi	351df9d54e	libjxl: Fix build error with arm and musl Build fails for qemuarm with musl with following error: /build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1/lib/jxl/convolve_separable5.cc \| error: out of range pc-relative fixup value Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 63ae47a70d6d81937f5122c535d890678ed3c13e) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:19 +05:30
Ankur Tyagi	6cb598129d	mozjs-128: Fix build error with arm and musl Build fails for qemuarm with musl with following error: mozglue/misc/StackWalk.o: in function `unwind_callback(_Unwind_Context, void)': \| /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4): undefined reference to `_Unwind_GetIP' Referenced commit[1] for the fix, also refreshed patches. [1] `bb86629123` Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 30942cebe8997dbadcd8bcd81ed0e55d42b48677) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:18 +05:30
Wang Mingyu	91193c97a3	libsdl3-image: upgrade 3.2.4 -> 3.2.6 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Release Notes: https://github.com/libsdl-org/SDL_image/releases/tag/release-3.2.6 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:18 +05:30
Gyorgy Sarvari	6d1c5be67b	smarty: extend CVE_PRODUCT Some CVEs assign smarty-php as the vendor to the corresponding CPE. E.g CVE-2024-35226[1] is tracked with smarty-php:smarty by mitre (NVD tracks it without CPE). [1]: https://cveawg.mitre.org/api/cve/CVE-2024-35226 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 1aee6a403c1901bc7ae793a2f4581b3cdbd95c1d) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:18 +05:30
Khem Raj	f3407694b8	vboxguestdrivers: Upgrade to 7.2.4 This is a maintenance release. The following items were fixed or added: GUI: Fixed VirtualBox VM Manager crash when host was resuming from sleep (github:gh-121, github:gh-170) GUI: Updated native language support for Traditional Chinese, Greek, Swedish, Hungarian and Indonesian translations NAT: Fixed issue when multiple port forwarding rules affected NAT functionality (github:gh-232) Linux host and guest: Introduced initial support for kernel 6.18 Linux Guest Additions: Introduced additional fixes for RHEL 9.6 and 9.7 kernels (github:GH-12) Windows Guest Additions: Introduced additional fixes for issue when installation was failing in Windows XP SP2 guest (github:GH-142) Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Bruce Ashfield <bruce.ashfield@gmail.com> (cherry picked from commit 0ecf2814b207cc25962a3949c8265d856a355ea0) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:17 +05:30
Wang Mingyu	1b5228dcce	libdecor: upgrade 0.2.4 -> 0.2.5 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Changelog: https://gitlab.freedesktop.org/libdecor/libdecor/-/compare/0.2.4...0.2.5?from_project_id=18349 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:17 +05:30
Wang Mingyu	d879c37905	cryptsetup: upgrade 2.8.1 -> 2.8.3 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6f41c5872d9166aa1197ce1b51f8670561548353) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:16 +05:30
Gyorgy Sarvari	5508b827fb	nodejs: remove extra CVE_PRODUCT CVE_PRODUCT is specified twice - the second instance only duplicates one value from the first instance. Remove this extra CVE_PRODUCT. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6ff92524842233efb68eb92d4bf7637ef378900d) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:16 +05:30
Ankur Tyagi	441cf7db11	php: upgrade 8.4.16 -> 8.4.17 Changelog: https://www.php.net/ChangeLog-8.php#8.4.17 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-20 10:15:15 +05:30

1 2 3 4 5 ...

36337 Commits