Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3949
Backport the patch that is referenced by the NVD report (in the description)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-1013
The vulnerability has been patched since 2.3.13[1], however
NVD tracks it without version info.
Due to this, mark it patched explicitly.
[1]: 249bfcc511
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Contains fix for CVE-2026-32597. Since NVD tracks this CVE
without version info, mark the CVE explicitly patched.
Changes:
2.12.1:
Add typing_extensions dependency for Python < 3.11
2.12.0:
chore(docs): fix docs build
Annotate PyJWKSet.keys for pyright
fix: close HTTPError to prevent ResourceWarning on Python 3.14
chore: remove superfluous constants
chore(tests): enable mypy
Bump actions/download-artifact from 7 to 8
fix: do not store reference to algorithms dict on PyJWK
Use PyJWK algorithm when encoding without explicit algorithm
Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. (CVE-2026-32597)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The CVE fix is correct, but the CVE ID contains a typo. The correct
ID is CVE-2026-3606.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27631
Though NVD indicates that 0.28.8 is still vulnerable, that does
not seem to be the case: the fix that is referenced by the advisory
has been backported[1] to this version. Due to this, mark this
CVE as patched.
[1]: 21d129c842
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69277
The vulnerability has been fixed[1] since version 1.0.20, but NVD
tracks it without version info. Mark it patched explicitly.
[1]: f2da4cd8cb
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- remove a backport patch
- rework the fix for host systems that don't provide iso-codes
- update mypaint-brushes dependency to 2.x
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Contains many bugfixes and CVE fixes:
https://github.com/FreeRDP/FreeRDP/releases/tag/3.24.0
Added build option to use internal rc4 and md4 ciphers: this is due
to a recent change in oe-core. OpenSSL's legacy ciphers (like RC4 and MD4)
are now disabled by default (with 'legacy' PACKAGECONFIG), however
FreeRDP3 relies on them.
To ensure that the required ciphers are available, build the
recipe with these ciphers' internal implementations instead of
expecting OpenSSL to support them.
Ptests passed successfully.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: updated to latest GPLv2 text version [1]
Changelog [2]
- Bug 5501: Squid may exit when ACLs decode an invalid URI
- ICP: Fix HttpRequest lifetime for ICP v3 queries
- ICP: Fix validation of packet sizes and URLs
- Do not escape malformed URI twice when sending ICP errors
- ... and some code, CI, and documentation cleanups
[1] 765c7f4e7f
[2] https://github.com/squid-cache/squid/releases/tag/SQUID_7_5
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Squid tags are in form SQUID_<MAJ>_<MIN>.
This can also be seen in SRC_URI download link.
This change will make "devtool latest-version squid" correctly show 7.5
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade OpenGL ES CTS to the last release, mostly bringing up fixes for
the existing tests.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade Vulkan CTS, fixing several small issues in the tests.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
OE-Core has dropped gstreamer1.0-vaaapi, breaking spice-gtk. Drop the
dependency and, while we are at it, enable libva as a dependency, making
sure VA-API is enabled.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Redis 8.0 and later are tri-licensed, the licence options are:
* Redis Source Available License v2
* Server Side Public License v1.0
* GNU Affero GPL v3.0
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Use this recipe to break a circular dependency between libfido2 and
systemd when systemd's fido PACKAGECONFIG is enabled. systemd depends
on libfido2, and libfido2 depends on udev provided by systemd. However,
systemd only depends on the headers provided by libfido2 and its pkgconf
data. systemd uses only the datatypes provided, and opportunistically
enables fido support if libfido2 is found.
This recipe provides only the headers and pkgconf data. This is
sufficient to allow systemd to build support for libfido2.
It only works with a related change I've submitted to openembedded core.
Signed-off-by: Dan McGregor <danmcgr@protonmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* bash and python3 are only needed by the ptest package.
* xz appears to not be needed at all.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
With the current recipe I am getting
```
gn: error while loading shared libraries: libc++abi.so.1: cannot open shared object file: No such file or directory
```
on my aarch64 machine.
This is due to gn having a relative library runpath, which causes the interpreter to not find the shared libraries.
Instead of copying the binary, just execute it directly.
Additionally, remove the unnecessary download of the prebuilt gn binary.
Signed-off-by: Willi Ye <zye2@snap.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Labeled adb binary
- Moved adb shell from initrc_t to unconfined_t
- meta-selinux does not provide an adb domain; added policy in meta-oe
instead of refpolicy: SELinuxProject/refpolicy#1085
Signed-off-by: Gargi Misra <gmisra@qti.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Enable aptX/aptX-HD codec support in PipeWire's Bluetooth A2DP codec.
This allows A2DP streaming with aptX-capable headsets when libfreeaptx
is available.
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a libfreeaptx recipe (LGPL-2.1+) to provide aptX/aptX-HD codec
support for Bluetooth A2DP audio codec.
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0846
It has been fixed in version 3.9.3, however NVD tracks it
without CPE/version info.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Change build tools from setuptools3 to python_setuptools_build_meta
Add cython depends and change cython requirement from cython==3.1.1 to
cython>=3.1.1. Currently we use cython version 3.2.4
Changelog:
https://github.com/grpc/grpc/releases/tag/v1.78.0
Changes for python:
- aio: fix race condition causing asyncio.run() to hang forever during the shutdown process.
- Migrate to pyproject.toml build system from setup.py builds.
- Log error details when ExecuteBatchError occurs (at DEBUG level).
- Update setuptools min version to 77.0.1.
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: copyright years refreshed
Removed patch included in this release
Add patch to fix compilation with gcc on aarch64
Changelog:
https://github.com/jedisct1/libsodium/releases/tag/1.0.21-RELEASE
Changes:
Version 1.0.21
- security fix for the crypto_core_ed25519_is_valid_point() function
- new crypto_ipcrypt_* functions
- sodium_bin2ip and sodium_ip2bin helper functions
- XOF: the crypto_xof_shake* and crypto_xof_turboshake* functions
Version 1.0.20-stable
- XCFramework: cross-compilation is now forced on Apple Silicon to avoid Rosetta-related build issues
- The Fil-C compiler is supported out of the box
- The CompCert compiler is supported out of the box
- MSVC 2026 (Visual Studio 2026) is now supported
- Zig builds now support FreeBSD targets
- Performance of AES256-GCM and AEGIS on ARM has been improved with some compilers
- Android binaries have been added to the NuGet package
- Windows ARM binaries have been added to the NuGet package
- The Android build script has been improved. The base SDK is now 27c, and the default platform is 21, supporting 16 KB page sizes.
- The library can now be compiled with Zig 0.15 and Zig 0.16
- Zig builds now generate position-independent static libraries by default on targets that support PIC
- arm64e builds have been added to the XCFramework packages
- XCFramework packages are now full builds instead of minimal builds
- MSVC builds have been enabled for ARM64
- iOS 32-bit (armv7/armv7s) support has been removed from the XCFramework build script
- Security: optblockers have been introduced in critical code paths to prevent compilers from introducing unwanted side channels via conditional jumps. This was observed on RISC-V targets with specific compilers and options.
- Security: crypto_core_ed25519_is_valid_point() now properly rejects small-order points that are not in the main subgroup
- ((nonnull)) attributes have been relaxed on some crypto_stream* functions to allow NULL output buffers when the output length is zero
- A cross-compilation issue with old clang versions has been fixed
- JavaScript: support for Cloudflare Workers has been added
- JavaScript: WASM_BIGINT is forcibly disabled to retain compatibility with older runtimes
- A compilation issue with old toolchains on Solaris has been fixed
- crypto_aead_aes256gcm_is_available is exported to JavaScript
- libsodium is now compatible with Emscripten 4.x
- Security: memory fences have been added after MAC verification in AEAD to prevent speculative access to plaintext before authentication is complete
- Assembly files now include .gnu.property notes for proper IBT and Shadow Stack support when building with CET instrumentation.
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Contains fix for CVE-2026-32239 and CVE-2026-32240
Also, mark these CVEs explicitly patched, because NVD tracks them
without version info at this time.
Shortlog:
https://github.com/capnproto/capnproto/compare/v1.0.2...v1.4.0
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
https://github.com/scikit-build/ninja-python-distributions/releases
Upstream commit [1] switched build system from scikit-build to
scikit-build-core, which changed pyproject.toml structure and rewrote
__init__.py. Update patches accordingly:
- no-scikit-build.patch: rewrite for new pyproject.toml structure,
replace scikit-build-core with setuptools, and remove 'readme'
from dynamic fields as setuptools cannot handle the fancy-pypi-readme
plugin.
- run-ninja-from-path.patch: drop. Old version imported skbuild
modules in __init__.py which caused ImportError in OE since
scikit-build is not installed. New version replaced these imports
with stdlib sysconfig, so the patch is no longer needed.
- CMakeLists.txt: drop. This was a stub file added to prevent
scikit-build from failing when it could not find CMakeLists.txt.
Since we now use setuptools which does not require it, the file
can be removed.
[1] https://github.com/scikit-build/ninja-python-distributions/commit/f3b4a786be
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Bug-fix release addressing a memory leak and a couple minor issues.
We now ship the license file with the dist tarball so update the recipe
to take this into account. While at it: trim the LICENSE value to only
include LGPL-v2.1-or-later as the other two licenses cover tests and
text files.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a recipe for the cxx crate, which provides a safe and efficient
bridge for interoperability between Rust and C++ code. It allows
defining the FFI boundary in a shared Rust module and generates
compatible bindings for both languages during the build process.
The crate is implemented in Rust and supports zero-overhead FFI with
common Rust and C++ standard library types.
More information: https://crates.io/crates/cxx
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Move gnutls from a hard dependency to a PACKAGECONFIG option defaulting
to gnutls. This allows users to select openssl as an alternative crypto
library by setting PACKAGECONFIG.
Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
Signed-off-by: Sujeet Nayak <sujeetnayak1976@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
* Feature: session affinity support; the "sticky" directive in the
"upstream" block of the "http" module; the "server" directive supports
the "route" and "drain" parameters.
* Change: now nginx limits the size and rate of QUIC stateless reset
packets.
* Bugfix: receiving a QUIC packet by a wrong worker process could cause the
connection to terminate.
* Bugfix: "[crit] cache file ... contains invalid header" messages might
appear in logs when sending a cached HTTP/2 response.
* Bugfix: proxying to scgi backends might not work when using chunked
transfer encoding and the "scgi_request_buffering" directive.
* Bugfix: in the ngx_http_mp4_module.
* Bugfix: nginx treated a comma as separator in the "Cookie" request header
line when evaluating "$cookie_..." variables.
* Bugfix: in IMAP command literal argument parsing.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Also, add a patch to be able to build with Setuptools 82.
This patch is oe-specific, but upstream has already merged[1] a
patch that should make it compatible with the latest Setuptools.
It however seems to require multiple patches to apply cleanly. The
patch in this change is expected to be a short term workaround until
the next version is released.
Changelog:
Features
- Upgraded cython to 3.0.x
- Add support for DSE 6.9.x and HCD releases to CI
- Add execute_concurrent_async and expose execute_concurrent_* in Session
Bug Fixes
- Update geomet to align with requirements.txt
- Connection failure to SNI endpoint when first host is unavailable
- Maintain compatibility with CPython 3.13
Others
- Remove duplicated condition in primary key check
- Remove Python 3.8 which reached EOL on Oct 2024, update cryptography lib to 42
- Remove obsolete urllib2 from ez_setup.py
- Remove stale dependency on sure
- Removed 2.7 Cpython defines
[1]: https://github.com/apache/cassandra-python-driver/pull/1268
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Setuptools 82 dropped pkg_resources module. It is not used
by the setup script, nevertheless, it is imported, and this
missing module fails compilation.
This patch removes this import.
Upstream started to work on refactoring their setup scripts, so
this patch is not appropriate to them - once/if they release, most
likely this patch can be dropped.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
By default this recipe requires Setuptools with strictly version 80.9.0.
oe-core has updated Setuptools to 82.0, and this recipe failed to build.
This patch relaxes the Setuptools version requirements.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Gcc complains about:
| ../../sources/gd-2.3.3/src/gd_filename.c: In function 'ftype':
| ../../sources/gd-2.3.3/src/gd_filename.c:99:9: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
| 99 | ext = strrchr(filename, '.');
| | ^
| cc1: all warnings being treated as errors
Even the newest git master commit does not fix this.
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>