The CVE is now tracked by NVD with a version that is earlier than
the recipe, the vulnerability doesn't show up in the CVE report
anymore.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes:
* Support Python 3.14
* Fix bug in Levenshtein distance when substitution_cost > 2
* Fix bug in Treebank detokeniser re quote ordering
* Fix bug in Jaro similarity for empty strings
* Several security enhancements
* Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
* Implement TextTiling vocabulary introduction method (Hearst 1997)
* Fix ALINE feature matrix errors and add comprehensive tests
* Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
* Let downloader fallback to md5 when sha256 is unavailable
* Several other minor bugfixes and code cleanups
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This CVE is disputed, and it is now tracked with an old version
of the application, it doesn't show up in the CVE report anymore.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes:
- zlib is now a mandatory dependency
- freetype support added
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Drop patch which is included in this release, and add a patch that
adapts a lua api call to the lua version that is used in OE.
License-Change: the unicode license text has been updated, there should
be no material change. However while examining these changes, I noticed
that some parts of the code are covered by licenses not mentined in the
recipe. It should reflect all licenses now.
Tis version contains fixes fox CVE-2025-59028, CVE-2025-59031, CVE-2026-24031,
CVE-2026-27859, CVE-2026-27860, CVE-2026-27857, CVE-2026-27856 and CVE-2026-27855
Changelog: https://github.com/dovecot/core/blob/main/NEWS
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
1.Changelog
https://github.com/arvidn/libtorrent/releases/tag/v2.0.12
2. Add 0001-Fix-Python3-site-packages-path-to-fix-package-QA-Iss.patch to fix package QA Issue:
libtorrent-rasterbar-2.0.12-r0 do_package: QA Issue: libtorrent-rasterbar: Files/directories were installed but not shipped in any package:
/lib/python3.14/site-packages/libtorrent.so
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Version 1.84.2
--------------
- Closed bugs and merge requests:
* GtkNotebook.pages GListModel is inaccessible from GJS [#686, !992, Philip
Chimento]
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Backport patch to make libtimezonemap port to libsoup3
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Refer [1], this can fix do_configure failure:
| checking for libsoup-3.0... no
| configure: error: Package requirements (libsoup-3.0) were not met:
|
| Package 'libsoup-3.0' not found
[1] 6ddabf52d5
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
While in this case `SYSROOT_PREPROCESS_FUNCS:class-target +=` wouldn't
result in any unwanted override, there is no guarantee there won't be a
change, which would be hidden by this override. To avoid any surprises
in the future let's use `:append:class-target =` syntax here.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
While in this case `RPROVIDES:${PN}:class-native +=` wouldn't
result in any unwanted override, there is no guarantee there won't be a
change, which would be hidden by this override. To avoid any surprises
in the future let's use `:append:class-native =` syntax here.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Those LIC_FILES_CHKSUM:class-native(sdk) were actually overriding the
rest of LIC_FILES_CHKSUM.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Either I am missing something or it isn't needed in the build time and
should maybe be a RRECOMMENDS:${PN}?
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Cc: Stefan Wiehler <me@sephalon.net>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
It actually overrides value of FILES:${PN} instead of appending.
In this case SDKPATHNATIVE is the prefix so everything was still
working, but let's convert it to a proper conditional append.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
`EXTRA_OECONF:sh4 += "--disable-spinlocks"` was supposed to simply
disable unsupported spinlocks, but was also overriding other
configuration defined in EXTRA_OECONF above.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
While in this case override caused by `EXTRA_OEMESON:class-native +=` is
desirable, the `+=` can be confusing. Let's avoid that and use explicit
assignment.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
While in this case `RDEPENDS:class-target +=` wouldn't result in any
unwanted override, there is no guarantee there won't be a change, which
would be hidden by this override. To avoid any surprises in the future
let's use `:append:class-target =` syntax here.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
While in this case `RRECOMMENDS:class-target +=` wouldn't result in any
unwanted override, there is no guarantee there won't be a change, which
would be hidden by this override. To avoid any surprises in the future
let's use `:append:class-target =` syntax here.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
While in this case `EXTRA_OEMESON:libc-musl +=` wouldn't result in any
unwanted override, there is no guarantee there won't be a change, which
would be hidden by this override. To avoid any surprises in the future
let's use `:append:libc-musl =` syntax here.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
While in this case `RRECOMMENDS:class-target +=` wouldn't result in any
unwanted override, there is no guarantee there won't be a change, which
would be hidden by this override. To avoid any surprises in the future
let's use `:append:class-target =` syntax here.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
While in this case `RDEPENDS:class-target +=` wouldn't result in any
unwanted override, there is no guarantee there won't be a change, which
would be hidden by this override. To avoid any surprises in the future
let's use `:append:class-target =` syntax here.
Signed-off-by: Michal Sieron <michalwsieron@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Isocline is a pure C library that can be used as an alternative to the GNU readline library.
Signed-off-by: Michael Fitzmayer <mail@michael-fitzmayer.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Fixes the below error during do_configure:
../sources/xfce4-session-4.21.1/meson.build:50:21: ERROR: Program '/usr/bin/gdk-pixbuf-csource' not found or not executable
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
When ndiff was disabled by default in 51e070301e ("nmap: disable
ndiff"), the python3 RDEPENDS were left unconditional on the main
package. This causes python3-difflib, python3-asyncio and python3-xml
to be pulled into every image that includes nmap, even though ndiff is
not built and the core nmap binary (C++) does not need Python.
Gate the RDEPENDS behind the ndiff PACKAGECONFIG so that Python is only
required when ndiff is actually enabled.
Signed-off-by: Paolo Barbolini <paolo.barbolini@m4ss.net>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: Re-scope secondary licenses [1]
Release information [2]:
This is release 1.80.0 (glimmering) of gRPC Core.
Core
* [ssl] Implement TLS private key signer in Python. (#41701)
* [TLS Credentials]: Private Key Offload Implementation. (#41606)
* Fix max sockaddr struct size on OpenBSD. (#40454)
* [core] Enable EventEngine for Python by default, and EventEngine fork support in Python and Ruby. (#41432)
* [TLS Credentials]: Create InMemoryCertificateProvider to update certificates independently. (#41484)
* [Ruby] Build/test ruby 4.0 and build native gems with Ruby 4.0 support. (#41324)
* [EventEngine] Remove an incorrect std::move in DNSServiceResolver constructor. (#41502)
* [RR and WRR] enable change to connect from a random index. (#41472)
* [xds] Implement gRFC A101. (#41051)
C++
* [C++] Add SNI override option to C++ channel credentials options API. (#41460)
[1] fb53717dfa
[2] https://github.com/grpc/grpc/releases/tag/v1.80.0
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes in 50.0
=================
- Make the Clipboard portal return errors instead of succeeding
- Fix a bug in the Print portal where it was accidentally closing fd 0
- Translation updates
Changes in 50.rc
=================
- Translation updates
Changes in 50.beta
=================
- Update libgxdp
- Remove ellipse from the app chooser list header
- Fix a memory leak in the Print portal implementation
- Fix icon size in the Dynamic Launcher portal
- Various fixes in the Remote Desktop portal
- Fix monitor identification in VMs
- Fix an issue with mismatching GVariant type unwrapping
- Translation updates
Changes in 50.alpha
=================
- Fix a potential source of crashes in the ScreenCast portal code
- Properly send the Global Shortcut activation token to the portal frontend
- Update libgxdp to override GTK settings
- Use a GNOME OS based CI template
- Translation updates
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Version 50.0
~~~~~~~~~~~~
Released: 2026-03-13
This is a stable release with updated translations:
* Danish (Alan Mortensen)
* English (United Kingdom) (Bruce Cowan)
* Japanese (小山田 純 - Oyamada Jun)
* Occitan (post 1500) (Quentin PAGÈS)
* Polish (Victoria)
* Portuguese (Hugo Carvalho)
Version 50~rc
~~~~~~~~~~~~~
Released: 2026-02-27
This is an unstable release with the following changes:
* Remember window size between app restarts
* Updates page could be sometimes hidden after resume from suspend
* Allow remove also Flatpak remotes from system installation
* Correct check for add-ons when app's ID changed
* Improve socket permissions checks for Flatpak apps
This release also updates translations:
* Basque (Asier Saratsua Garmendia)
* Catalan (Jordi Mas, Victor Dargallo)
* Chinese (China) (luming zh)
* Czech (Daniel Rusek)
* Finnish (Jiri Grönroos)
* French (Lucien Ouoba, Guillaume Bernard)
* Galician (Fran Diéguez)
* German (Christian Kirbach)
* Greek, Modern (1453-) (Efstathios Iosifidis)
* Hungarian (Balázs Úr)
* Interlingua (International Auxiliary Language Association) (Emilio Sepúlveda)
* Italian (Davide Ferracin)
* Japanese (Makoto Sakaguchi)
* Kazakh (Baurzhan Muftakhidinov)
* Korean (Seong-ho Cho)
* Spanish (Daniel Mustieles)
* Swedish (Anders Jonsson)
* Turkish (Sabri Ünal)
Version 50~beta
~~~~~~~~~~~~~~~
Released: 2026-01-30
This is an unstable release with the following changes:
* Show install and uninstall progress of an add-on
* Use lower thread priority when running in background
* Fix possible crash on session permission change
* Fix possible crash after XbSilo rebuild
This release also updates translations:
* Bulgarian (twlvnn kraftwerk)
* Georgian (Ekaterine Papava)
* Hebrew (Yaron Shahrabani)
* Indonesian (Andika Triwidada)
* Kazakh (Baurzhan Muftakhidinov)
* Lithuanian (Aurimas Aurimas Černius)
* Portuguese (Brazil) (Juliano de Souza Camargo)
* Romanian (Antonio Marin)
* Russian (Artur S0)
* Slovenian (Martin)
* Uighur (Abduqadir Abliz)
* Ukrainian (Yuri Chornoivan)
Version 50~alpha
~~~~~~~~~~~~~~~~
Released: 2026-01-15
This is an unstable release with the following changes:
* Improve display of long repository names
* Clarify warning about removing data when uninstalling an app
* Fix minor UI issues when scrolling using gestures on a touchpad
* Don’t show firmware warning on Installed Updates page
* Several fixes to update history on rpm-ostree systems
* Improve notifying the user about newly installed trivial flatpak app updates
* Improve display of keyboard shortcuts
* Split rpm-ostree changelogs by app
* Display error toasts in the repositories dialog when something goes wrong
This release also updates translations:
* Catalan (Victor Dargallo)
* Indonesian (Andika Triwidada)
* Japanese (Makoto Sakaguchi)
* Kazakh (Baurzhan Muftakhidinov)
* Portuguese (Hugo Carvalho)
* Portuguese (Brazil) (Juliano de Souza Camargo)
* Russian (Artur S0)
* Slovenian (Martin)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
* libsoup-2.4 is deprecated, and some recipes already stop support of
soup2, soup2 and soup3 cannot be used together
* ostree upstream already stop test of soup2, refer [1]
* Remove unnecessary comments, PACKAGECONFIG for ptest already set in bb
[1] https://github.com/ostreedev/ostree/pull/3531
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
libsoup-2.4 is deprecated, and other recipes already stop support of
soup2, soup2 and soup3 cannot be used together, and the latest version
of yelp also drop option webkit2gtk-4-0
[1] 1b0ccdae25
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
User space-side features
* bpf_map__set_exclusive_program() and bpf_map__exclusive_program() APIs for exclusive map creation;
* bpf_program__assoc_struct_ops() and bpf_prog_assoc_struct_ops() APIs to associate a non-struct_ops BPF program with a struct_ops map;
* btf__permute() API to rearrange BTF types in-place according to a provided mapping;
* BTF type lookup optimization: binary search for btf__find_by_name() and btf__find_by_name_kind();
* btf__add_btf() now accepts split BTF sources;
* fsession support (SEC("fsession+") / SEC("fsession.s+"));
* BPF_F_CPU and BPF_F_ALL_CPUS flags support for per-CPU map operations;
* arena globals are moved to the end of the arena mmap region if kernel supports it;
* support for LLVM-generated indirect jump tables (BPF ISA v4) via .jumptables ELF section and BPF_MAP_TYPE_INSN_ARRAY maps;
* avoid expensive kallsyms parsing when kprobe.session target is an exact function match;
* new dont_enable option in struct bpf_perf_event_opts to suppress perf event auto-enablement;
BPF-side features
* USDT SIB (Scale-Index-Base) addressing support;
* dynptr helper signatures (bpf_dynptr_from_mem, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data) widened from 32-bit to 64-bit size/offset parameters;
Bug fixes
* As usual, a number of bug fixes included, see full commit log for details.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Feature: the "multipath" parameter of the "listen" directive.
*) Feature: the "local" parameter of the "keepalive" directive in the
"upstream" block.
*) Change: now the "keepalive" directive in the "upstream" block is
enabled by default.
*) Change: now ngx_http_proxy_module supports keepalive by default; the
default value for "proxy_http_version" is "1.1"; the "Connection"
proxy header is not sent by default anymore.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream if buffered body was used in the
ngx_http_grpc_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Change: now nginx limits the size and rate of QUIC stateless reset
packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
the connection to terminate.
*) Bugfix: in the ngx_http_mp4_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add a backport patch to fix an issue with glibc >= 2.43
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Enhancements:
* Improve check for --filesystem paths pointing to a parent folder (#6473)
* Fail if non-interactive and multiple refs, remotes or installations match
(#5754)
* Default to text auth on WSL (#6491)
* Add build instructions for Ubuntu 24.04 (#6498)
* Show a better message when there are no refs to update (#6521)
* Silence AppStream refresh output on non-interactive runs (#6521)
* Translation updates: pt_BR (#6483), sl (#6468, #6475), sv (#6514), tr (#6528),
zh_CN (#6469, #6477)
Bug fixes:
* Map the font-dirs.xml file more selectively (#6450)
* Change const pointers. This fixes build issues with glibc 2.43. (#6490)
* Add custom type flatpak_home_t for ~/.local/share/flatpak for SELinux (#6437)
* Fix build warnings when compiling with -Wanalyzer-null-argument and with
-Wanalyzer-null-dereference (#6527)
* Use raw string for regular expression in the flatpak-bisect script (#6519)
Internal changes:
* Set the `FLATPAK_TRIGGERSDIR` environment variable when running
installed tests. This fixes a regression with autopkg tests in
Debian. (#6444)
* Add translator comments for some translatable strings (#6462)
* Fix typos in translatable strings (#6463)
* Fix lots of typos in code comments (#6482)
* Remove an unused function (#6529)
* Update two strings (#6464)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
