Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Feature: the "multipath" parameter of the "listen" directive.
*) Feature: the "local" parameter of the "keepalive" directive in the
"upstream" block.
*) Change: now the "keepalive" directive in the "upstream" block is
enabled by default.
*) Change: now ngx_http_proxy_module supports keepalive by default; the
default value for "proxy_http_version" is "1.1"; the "Connection"
proxy header is not sent by default anymore.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream if buffered body was used in the
ngx_http_grpc_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Change: now nginx limits the size and rate of QUIC stateless reset
packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
the connection to terminate.
*) Bugfix: in the ngx_http_mp4_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add a backport patch to fix an issue with glibc >= 2.43
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Enhancements:
* Improve check for --filesystem paths pointing to a parent folder (#6473)
* Fail if non-interactive and multiple refs, remotes or installations match
(#5754)
* Default to text auth on WSL (#6491)
* Add build instructions for Ubuntu 24.04 (#6498)
* Show a better message when there are no refs to update (#6521)
* Silence AppStream refresh output on non-interactive runs (#6521)
* Translation updates: pt_BR (#6483), sl (#6468, #6475), sv (#6514), tr (#6528),
zh_CN (#6469, #6477)
Bug fixes:
* Map the font-dirs.xml file more selectively (#6450)
* Change const pointers. This fixes build issues with glibc 2.43. (#6490)
* Add custom type flatpak_home_t for ~/.local/share/flatpak for SELinux (#6437)
* Fix build warnings when compiling with -Wanalyzer-null-argument and with
-Wanalyzer-null-dereference (#6527)
* Use raw string for regular expression in the flatpak-bisect script (#6519)
Internal changes:
* Set the `FLATPAK_TRIGGERSDIR` environment variable when running
installed tests. This fixes a regression with autopkg tests in
Debian. (#6444)
* Add translator comments for some translatable strings (#6462)
* Fix typos in translatable strings (#6463)
* Fix lots of typos in code comments (#6482)
* Remove an unused function (#6529)
* Update two strings (#6464)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
It was only required for gimp, which now uses mypaint-brushes v2
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This prevents the wrong mypaint-brushes package from being installed
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==========
- Enable ascii plugin to be built using autotools.
- Processing 'concentrate=true' graphs no longer crashes Graphviz. Processing of
'concentrate=true' graphs still often errors out.
License_Update: Change Eclipse Public License from version 1.0 to 2.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Fix do_install failure:
sed: can't read ../dlt-daemon/3.0.0/image/usr/lib/pkgconfig/automotive-dlt.pc: No such file or directory
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The openvpn 2.7.0 upgrade refactored
tests/unit_tests/openvpn/Makefile.am, changing how test_binaries is
defined. This caused autoreconf to generate Makefiles where
buildtest-TESTS and runtest-TESTS no longer have rule bodies, breaking
the existing ptest recipe which relied on these targets for compilation
and execution. The fix replaces these internal automake targets with
stable interfaces: check-am for compilation and direct binary execution
on target.
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
These tests are disabled in recipe, re-add them here once that is fixed
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Cc: Ross Burton <ross.burton@arm.com>
This dependency was replaced with the standard compression.zstd module
in 1.1.0[1].
[1] ccf0def15e
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
- rework reproducibility patch
- disable functional_tests to avoid python3-dbusmock-native dependency
- add PACKAGECONFIG for libzip and enable by default
NEW in 3.11.0 - 2026-03-15
==========================
* Memory leak fixes
* Stability fixes
* Fixes to tv series/season extraction from video files
Translations: ca, da, en_GB, pl
Notable changes since 3.10.0:
* Default configuration change, the user home directory will now be indexed
recursively as a whole, instead of XDG folders
* Major change in handling of removable devices. When enabled, removable
devices will get a `.localsearch3` folder with a self-contained database
for the removable device indexed data, instead of being included in the
main database in the user home folder. The setting default remains off.
* The set of dependencies was modernized and sanitized. GExiv2 is now used
for more metadata, libzip is now used for bundled files.
NEW in 3.11.rc - 2026-03-03
===========================
* Reliability improvements to the test suite
Translations: es, hu, ko, ne, oc, pt
NEW in 3.11.beta - 2026-02-18
=============================
* Fixes for possible buffer overflows and NULL pointer dereferences
in MP3 extractor
* Fix seccomp jail in database helper process for removable devices
* Replace libgsf with libzip for ZIP content handling
* Improve reliability of the test suite in slow scenarios (e.g. CI)
Translations: bg, ca, cs, el, eu, fa, fr, gl, he, ka, kk, lt, pt_BR, ro, ru,
sl, sv, tr, ug, uk, zh_CN
NEW in 3.11.alpha - 2026-01-05
==============================
* Default configuration change, the user home directory will now be indexed
recursively as a whole, instead of XDG folders
* Major change in handling of removable devices. When enabled, removable
devices will get a `.localsearch3` folder with a self-contained database
for the removable device indexed data, instead of being included in the
main database in the user home folder. The setting default remains off.
* Improved handling of indexed folder changes found on restart
* Improved handling of indexing cancellation in deleted folders
* Improved handling of BTRFS filesystems
* Dropped libexif dependency, EXIF data is now extracted through gexiv2
* Dropped libpiptcdata dependency, IPTC data is now extracted through
gexiv2
* Consistency improvements to extracted metadata
* Fixes to SHSTK handling in the sandboxed process
* Further extended test coverage
Translations: ca, el, fur, id, oc, sr, sr@latin
NEW in 3.10.1 - 2025-10-13
==========================
* Improvements to the handling of corrupted databases
* Avoid session startup issues if database initialization takes long
* Handle compressed Abiword documents
* Memory usage improvements indexing WEBP files
* Support gexiv2 >= 0.16
* Unify metadata extraction deadline mechanisms
* Test suite improvements
Translations: bg, ca, es, kab, pt, ro, tr, ug
NEW in 3.10.0 - 2025-09-14
==========================
* Fixes to handling of configuration changes
* Improvements to the test suite
Translations: da, en_GB, eo, es, eu, fa, he, hu, ka, ko, lt, nl, pt_BR, ru, sv, tr, uk, zh_CN
Notable changes since 3.9.0:
* A number of behavioral settings has been deprecated
* Webp file format now has a metadata extractor
NEW in 3.10.rc - 2025-09-01
===========================
* Webp file format now has a metadata extractor
* Indexer refactors and cleanups
Translations: ca, cs, gl, pl, sl
NEW in 3.10.beta - 2025-08-03
=============================
* Fix service files with -Ddomain-ontology option
* Fixes for Alpine and similar distributions without merged /usr
NEW in 3.10.alpha - 2025-07-01
==============================
* Systemd integration improvements
* A number of behavioral settings has been deprecated
* Fixes handling /var/home directories
* Many improvements to the command line tool
* The tracker:available property is again set on all graphs, for
indexed folders
* Fixes handling XML documents
* Fixes for possible crashes handling large PDF files
* Fixes for coverity warnings
* Code cleanups and refactors
Translations: be, ca, uz
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
$ echo 'MACHINE = "qemuarm"' >> conf/local.conf
$ bitbake webkitgtk3
...
| {standard input}:43622: Error: symbol `op_instanceof_return_location' is already defined
| {standard input}:43623: Error: symbol `.Lop_instanceof_return_location' is already defined
| {standard input}:44352: Error: symbol `op_instanceof_return_location_wide16' is already defined
| {standard input}:44353: Error: symbol `.Lop_instanceof_return_location_wide16' is already defined
| {standard input}:45090: Error: symbol `op_instanceof_return_location_wide32' is already defined
| {standard input}:45091: Error: symbol `.Lop_instanceof_return_location_wide32' is already defined
...
Drop 0001-Fix-32bit-arm.patch which conflicts with upstream solution [1]
[1] fcaa289f60
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Added dns cache
- Fix crash on double scrape request
- Use callback in DnsBuffer result and catch EINTR in Listen
- Fixed various SCGI issues
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies
- Escape brackets and backslash in httptools HEADER_RE regex
- Fix multiple issues in websockets sans-io implementation
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==============
- 'GenericPlainRegistry.parse_expression' now correctly returns a dimensionless
Quantity when taking a float, int, or NaN
- Replace MIP with scipy in 'Quantity.to_preferred'
- New unit formatting modifier added ('^') to format unit with negative
exponents
- Add atomic unit of electric field gradient
('atomic_unit_of_electric_field_gradient', 'a_u_efg')
- Defer expensive loading of dask.array
- Add support for numpy's 'vdot', 'inner', 'outer', 'linalg.outer', 'matvec',
'vecmat', 'tensordot', and 'linalg.tensordot'
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
============
- Fix test_hexadecimal_with_libc_bulk()
- Keep available deprecated aliases for mpc/mpf_log()
- Use version_file option of setuptools-scm to keep version info
- Add workaround for test on s390x
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: Copyright year updated to 2026
Changelog:
==========
- add support for CMakeLists
- implement more move constructor in the C++ code
- add C++ tests
- add support for GraalPy
- add RiscV support
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
