Changelog:
============
- SECURITY FIX CVE-2025-14550
- Fixed a regression in 3.11.0 in "sync_to_async" when wrapping a callable
with an attribute named "context".
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- 282 new ATRs
- pcsc_scan: display what the program expect from the user
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
- os_stub/openssllib: Allow building with older OpenSSL versions
- Ignore MSVC warning when compiling OpenSSL
- Bring fixes from main to 3.8
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Improve as_date narrowing conversion from C4244 warning
- update trait dependencies to support CMake v4
- Fix linter error
- Update workflows for new GitHub Action Runner Images
- Support passing ssl library key handles to algorithms
- Update CMP0135 to new behaviour
- Fix error in CMake config-file package
- CMake: synchronize cmake_minimum_required from main CMakeLists.txt
- Reduce usage of std::time_t, std::chrono::system_clock::to_time_t and
system_clock::from_time_t in order to get correct dates when working with a
32bit application
- Fix set_expires_in not accepting non-default Period
- AppVeyor Warnings
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
* Annotations: draw a background behind annotations; align to the right
when they fit (e.g. for diagnostics)
* GObject Introspection: fix nullable and callback destroy annotations
(get_location, get_match_style, scheduler, callbacks)
* Fix gutter text renderer text layout snapshot deprecation
* PHP language: highlight PHP 8.0 attributes and add new keywords
* New language: Cornish
* Translation updates
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
- Fix afskmdm shutdown issues
- Fix a crash if gensio_acc_disable() is called more than once.
- Allow the pcre2 package to be used.
- Fix a locking issue in cm108gpio.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Support DOS-style \r\n line breaks when loading filelists. Note that
they will be saved with UNIX-style \n line breaks regardless of input
format. This is intentional.
* Fix --action, --info, --title and similar commands hard-coding the
maximum length of the formatted output to 4095 characters.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Fix license checksum: Copyright year has been changed
- Add support for av1 and jxl
- libavif is in meta-multimedia -> disable av1 by default
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix the following error:
ERROR: core-image-minimal-1.0-r0 do_rootfs: Postinstall scriptlets of ['tigervnc'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget:${PN} ().
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CPEs are registered for iperf_project2:iperf2 in addition to
iperf_project:iperf. By changing CVE_PRODUCT to an appends, this ensures
that both iperf and iperf2 CPEs are used for CVE matching.
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 4.7.1:
- Add controls for verify_sub option in PyJWT
From release 4.7.0:
- Drop support for python 3.7 and 3.8, add 3.13
- Fix documentation around identity needing to be a string
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 3.0.1:
- Fix link rendering in readme
- Fix handling of _version.py file
From release 3.0.0:
- Support Flask 3.0+ and PyMongo 4.0+.
- Support Python 3.9-3.13.
- Support MongoDB 4.4+.
- Add support for ~flask.json.jsonify().
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 6.0.2:
- Update license pyproject.toml
From 6.0.1:
- Invert regex sorting to make it correctly match the intent
(sorting by specificity descending)
- Fix README file extension in pyproject.toml
From 6.0.0:
- [CVE-2024-6839] Sort Paths by Regex Specificity
- [CVE-2024-6844] Replace use of (urllib) unquote_plus with unquote
- [CVE-2024-6866] Case Sensitive Request Path Matching
License-Update: Use line 6 from PKG-INFO
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 1.4.0:
- Add missing commas in error message for validate.FileType
- Support Python 3.10-3.14
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 3.1.3:
- The session is marked as accessed for operations that only access
the keys but not the values, such as in and len.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 4.1.0:
- Accept arguments such as --directory in environment variables
- Fix minor typos in documentation
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 0.10.0:
- Drop support for Python < 3.8.
- Use pyproject.toml for packaging metadata.
- Use flit_core as build backend.
- Apply code formatting and linting tools.
- Add static type annotations.
- Deprecate the __version__ attribute. Use feature detection or
importlib.metadata.version("flask-mail") instead.
- Indicate that the deprecated is_bad_headers will be removed in
the next version.
- Fix the email_dispatched signal to pass the current app as the
sender and message as an argument, rather than the other way around.
- Attachment.data may not be None.
- Attachment.content_type will be detected based on filename and
data and will not be None.
License-Update: Use LICENSE.txt
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-37065
The vulnerability is about a 3rd party Windows-only GUI frontend for
the streamripper library, and not for the CLI application that the
recipe builds. Due to this ignore this CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Contains fix for CVE-2026-27199
Changelog: safe_join on Windows does not allow special devices names in multi-segment paths
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994
The vulnerability impacts only the python bindings of protobuf, which
is in a separate recipe (python3-protobuf, where it is patched).
Ignore this CVE in this recipe due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2016-2568
This commit mostly just tries to add some info to this issue, in the
hope that it will save some time for others who try to investigate it.
This CVE most probably will stay open in meta-oe in the foreseeable future,
although it can be mitigated reasonably easily by the users of the layer.
The description of the vulnerability is short enough that it can be
reproduced here: "pkexec, when used with --user nonpriv, allows local
users to escape to the parent session via a crafted TIOCSTI ioctl call,
which pushes characters to the terminal's input buffer."
The general consensus amongst developers/major distros[1][2][3] seems to be that
it should be mitigated on the kernel side, to not allow non-privileged
users to fake input.
To this end, the kernel has introduced a new config in v6.2, called
CONFIG_LEGACY_TIOCSTI - when it is enabled, non-privileged used can
also fake input. It is however by default enabled (and it is also enabled
in the kernels shipped in oe-core, at least at the time of writing this).
Disabling this kernel config is considered to be the mitigation, to allow
input-faking only by privileged users.
[1]: https://security-tracker.debian.org/tracker/CVE-2016-2568
[2]: https://bugzilla.suse.com/show_bug.cgi?id=968674
[3]: https://marc.info/?t=145694748900001&r=1&w=2 / https://marc.info/?l=util-linux-ng&m=145702209921574&w=2
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
