Upgrade to release 1.23.1.
New features:
- FFmpeg decoder plugin gains AV1, VVC, JPEG, and JPEG 2000/HTJ2K
decoding
- SVT-AV1 encoder: new tune=iq and ms-ssim tune parameters
- C++ API: added getters/setters for the CLLI and MDCV HDR metadata
boxes
- Sequence decoder now scales the alpha auxiliary track to the main
image size
Bug fixes:
- Fixed pixi box writing for multi-channel images
- Corrected the placement of the TAI clock_type field into the top
2 bits
- Empty/unset plugin directory is no longer scanned
Security fixes:
- CVE-TBD (GHSA-jc8f-p23p-5hjg) Integer underflow in Fraction
constructor via double clap transform application
- CVE-TBD (GHSA-73p7-m7gg-w2jv) Out-of-bounds read in uncompressed
unci tile range slicing
= CVE-TBD (GHSA-xpw3-9rhw-482x) Heap out of bounds write in libheif
uncompressed encoder when writing images with mismatched
auxiliary alpha dimensions
- CVE-TBD (GHSA-9ww4-9v47-m7pj) Reachable assertion in
HeifContext::get_track() aborts on a valid-but-empty HEIF
sequence file
- (GHSA-46rp-pcq2-rpmr) Heap out-of-bounds write in the
uncompressed encoder for RRGGBB images with interleaved bit-depth
lower or equal to 8
Remove CVE-2026-3949.patch because the fix has been included in
the source code for this release of libheif.
This work was sponsored by GOVCERT.LU.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add a new recipe for flaky, plugin for pytest that automatically
reruns flaky tests. It is required by pycurl tests.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Upgrade to release 7.47.0:
- Use dynamic SSL ports in certificate tests
- Harden test_clear_assignment_inside_socket_callback_resets_socketp
test
- Rename index field to idx in HstsIndex to avoid shadowing
- Fix test_callbacks_non_minus_one_return_continues_transfer on macOS
- Use PYCURL_REQUIRE_HANDLE and PYCURL_REQUIRE_NOT_RUNNING instead of
magic numbers
- Convert pycurl to a Python package with the C extension renamed to
pycurl._pycurl
- Fix flaky CONNECT_ONLY send/recv tests by waiting on active socket
readiness instead of sleeping after EAGAIN
- Add PyMutex support on Python 3.13+
- Modernize ssh_key_cb_test and use a local SFTP server
- Use set instead of dict for saving refs to easy objects in multi
- Make closed as property instead a method
- Add free-threaded CPython support
- Add AsyncCurlMulti
- Fix flaky memory_mgmt callback
- Add libcurl strerror wrappers (easy/multi/share/url)
- Modernize write/header tests
- Implement Curl multi notify API
- Pin socket callback tests to IPv4 to handle dual-stack localhost
resolution
- Integrate notify in AsyncCurlMulti
- Review GIL management
- Capture more expected warnings during tests
- Fix/update/remove some examples
- Fix truncated timeout value in multi timer callback
- Fix incorrect argument type in debug callback
- Fix some reference leaks
- Ensure errors are logged in progress/xferinfo callbacks
- Support zero-copy write/header callbacks
- Evolve CurlShare with share()/unshare(), Python-level thread safety,
and CURLSHcode error propagation
- Fix test_default_mode_autopongs_server_ping with libcurl 8.21.0
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Upgrade to release 3.29.6:
- serialise singleton construction in FileLockMeta
- _util: drop the dead st_mtime=0 short-circuit in
raise_on_not_writable_file
- test: silence fork DeprecationWarning on 3.15
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The upstream tarball fetched from pypi contains `.hash` files like these:
$ cat aiohttp/.hash/hdrs.py.hash
a46ad6c3a2faf8d26a2c6afc1a2210ce379a23f2799fce7b26a01f6ce5a40642 /home/runner/work/aiohttp/aiohttp/aiohttp/hdrs.py
These file trigger the relatively new HOME buildpath check _if_ the recipe
happens to be built by someone with HOME set to /home/runner
(for example someone building in a GitHub workflow):
ERROR: python3-aiohttp-3.14.1-r0 do_package_qa: QA Issue:
File /usr/lib/python3.14/site-packages/aiohttp/.hash/hdrs.py.hash
in package python3-aiohttp contains a reference to the build host HOME directory.
If upstream hardcodes a directory path that matches your home,
you can set OEQA_BUILDPATHS_SKIP = "/home/runner" in the recipe. [buildpaths]
Follow the suggested fix of setting `OEQA_BUILDPATHS_SKIP`.
See also openembedded-core commit ee29a9132a ("oeqa: allow exceptions in
buildpath HOME checks") for an example of `OEQA_BUILDPATHS_SKIP` used.
Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
python3-sqlite is required by the NDB code, irrespective of ptest:
File "/usr/lib/python3.14/site-packages/pyroute2/__init__.py", line 31, in <module>
File "/usr/lib/python3.14/site-packages/pyroute2/ipdb/__init__.py", line 16, in <module>
File "/usr/lib/python3.14/site-packages/pyroute2/ndb/main.py", line 317, in <module>
File "/usr/lib/python3.14/site-packages/pyroute2/ndb/task_manager.py", line 9, in <module>
File "/usr/lib/python3.14/site-packages/pyroute2/ndb/schema.py", line 99, in <module>
ModuleNotFoundError: No module named 'sqlite3'
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Analysis:
- The Mbed TLS advisory states the issue occurs when LLVM
select-optimize is enabled. [1]
- The same advisory also states that Arm/x86 builds with
MBEDTLS_HAVE_ASM enabled are not affected. The default mbedtls
configuration in this branch enables MBEDTLS_HAVE_ASM.
- NVD also describes the issue as occurring only with LLVM's
select-optimize feature. [2]
- The mbedtls recipes now evaluate the effective build flags across
target, native, and nativesdk variants, handle the supported
-mllvm spellings, and only mark the CVE unpatched when the
vulnerable LLVM option combination is explicitly enabled and the
Arm/x86 MBEDTLS_HAVE_ASM carve-out does not apply.
- When those conditions are not met, the current mbedtls build
configuration is not affected.
- Hence ignoring/deferred the CVE for now.
Reference:
[1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-66442
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This file hardcodes a specific compiler for aarch64-linux builds, which
is not the compiler that we provide. As it's otherwise useless, we can
just delete the file.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
nasm is an x86 assembler, so only depend on it (and work around the
build paths errors) on x86-64 (the assembler fastpaths are explicitly
64-bit only).
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Inherit ptest and include tests for genson. The PyPI package
omits files for testing so use the GitHub source instead.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Upgrade to release 1.4.0:
- add enum support, activated per node by seed schemas
- Performance: strategy deduplication when defining custom
SchemaBuilder classes is now O(n) instead of O(n2)
- include the complete, runnable test suite in the source
distribution
- Bugfix: fix "noting to do" typo in the CLI error message
and remove dead code
- Docs: document the required-dropping behavior and the
builder-merge gotcha; explain why same-type inputs merge
rather than producing anyOf; add a NoRequiredObject example
for suppressing required
- declare python_requires >= 3.10, matching the tested Python
versions
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Upgrade to release 5.9.0:
- zuul: Use openstack-python3-next-jobs template
- Do not install code to build release notes
- Drop support for Python 3.10
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Upgrade to release 7.15.0:
- Since 7.14.0, reporting commands implicitly combine parallel data
files. Now those commands have a new option --keep-combined to retain
the data files after combining them instead of the default, which is
to delete them.
- Fix: the LCOV report would incorrectly count excluded functions as
uncovered, as described in issue 2205. This is now fixed thanks to
Martin Kuntz Jacobsen.
- When running your program, coverage now correctly sets
yourmodule.__spec__.loader as strongly recommended, avoiding the
deprecation warning.
- Fix: with Python 3.10, running with the -I (isolated mode) option
didn't correctly omit the current directory from the module search
path. That is now fixed thanks to Ilia Sorokin.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Upgrade to release 6.2.3:
- Fix quadratic expansion of comma-separated range lists for a large
speed-up on expressions with many ranges.
- Reject a zero step (e.g. 5-5/0) in equal and reversed cron ranges
instead of silently accepting it.
- Fix expand_from_start_time month low-bound off-by-one so stepped
month ranges start on the correct month.
- Fix zizmor-reported security findings in GitHub Actions workflows.
- Bump pinned build and CI dependencies via dependabot.
- Upgrade locked development and build dependencies (uv lock --upgrade).
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This bugfix release addresses several build issues after the transision
to meson. These bugs didn't really affect the yocto recipe but let's
update the package for completness.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add a PipeWire Pulse virtual sink and forwarder for compressed offload, enabling MP3 compressed Pulse streams to be routed to a PAL compressed sink.
Signed-off-by: Harsh Rai <harsh.rai@oss.qualcomm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The PACKAGECONFIG entries introduced by the conversion were all missing
their build-dependency in the third field (the only exception was raqm,
which already had libraqm there). As a result the hard-coded DEPENDS
line was compensating by always pulling in every library regardless of
which features were actually selected.
Evidence from the configure logs confirms which libraries were found or
missed across the three configurations:
pre-conversion:
checking for zlib... yes
checking for libpng... yes
checking for freetype2 >= 9.8.3... yes
checking for libjpeg... yes
checking for libtiff-4... yes
post-conversion, unfixed (zlib, png, and tiff checks absent entirely):
checking for freetype2 >= 9.8.3... yes
checking for libjpeg... yes
post-conversion, fixed:
checking for zlib... yes
checking for libpng... yes
checking for freetype2 >= 9.8.3... yes
checking for libjpeg... yes
checking for libtiff-4... yes
Add the correct Yocto package name to the third field of every entry:
avif -> libavif
fontconfig -> fontconfig
freetype -> freetype
heif -> libheif
jpeg -> jpeg
liq -> libimagequant
png -> libpng
tiff -> tiff
webp -> libwebp
x -> virtual/libx11
xpm -> libxpm
zlib -> zlib
With the dependencies now managed by PACKAGECONFIG, the unconditional
DEPENDS assignment is redundant and can be removed.
Fixes: be9f029b6c ("gd: Support PACKAGECONFIG")
AI-Generated: codex/claude-sonnet 4.6 (high)
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Before the PACKAGECONFIG conversion, png, zlib, and tiff support was
always enabled: those libraries were in DEPENDS and autoconf picked
them up automatically because no --without-* flag was passed for them.
The conversion introduced a regression by not including them in the
default PACKAGECONFIG, causing the mechanism to emit --without-png,
--without-zlib, and --without-tiff, silently disabling those features.
Evidence from the configure logs:
pre-conversion:
--with-jpeg=<sysroot>/usr/lib/.. --with-freetype=yes
--without-fontconfig --without-webp --without-xpm --without-x
(no --with/--without for png, zlib, or tiff; autoconf detects them)
post-conversion, unfixed:
--with-freetype --with-jpeg
--without-png --without-tiff --without-zlib <-- regression
post-conversion, fixed:
--with-freetype --with-jpeg
--with-png --with-tiff --with-zlib <-- restored
Add png, zlib, and tiff to the default PACKAGECONFIG so the out-of-
the-box feature set is unchanged from before the conversion.
Fixes: be9f029b6c ("gd: Support PACKAGECONFIG")
AI-Generated: codex/claude-sonnet 4.6 (high)
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
- New API function: can_find_interfaces_mask()
License-Update: update year in copyright
Signed-off-by: Michael Fitzmayer <mail@michael-fitzmayer.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: copyright year span has been updated.
- Added new script to interface CiA 305: Layer setting services (LSS)
- New API function to set baud rate: can_set_baudrate()
- Remove usage of white text-color
Signed-off-by: Michael Fitzmayer <mail@michael-fitzmayer.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
update version of xorg-xserver according to oe-core
WARNING: tigervnc-1.16.2-r0 do_configure: TigerVNC xorg-server version (21.1.22) is different from oe-core's xorg-xserver version (21.1.23)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The native tools include compilation of zip_writter, where it include
gtest/gtest_prod.h. So native build need to depend on gtest-native.
Signed-off-by: Claus Stovgaard <claus@stovgaard.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This is a major release for gpiod-sysfs-proxy. Upstream now ships
systemd unit files so drop those from the recipe. The project was
updated to using the more modern pyfuse3 package. Other than that: it
works the same and passes the same set of tests. For sysvinit: some of
the command-line arguments are no longer supported in pyfuse3 so remove
them from the init script.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
pcp-native compiles the pcp sources src/pmns/lex.l which does
'#include <readline/readline.h>'. The native recipe only depended on
python3/setuptools/flex/bison, so with the header search correctly
limited to the sysroot
0001-configure-Limit-the-header-search-to-sysroot.patch
the build fails on hosts without readline development headers installed:
lex.l:25:10: fatal error: readline/readline.h: No such file or directory
Depend on readline-native (and ncurses-native, which readline links
against) so the headers and libraries come from the native sysroot
rather than the build host, mirroring the target recipe DEPENDS. This
makes the native build reproducible and host independent.
Verified by building pcp-native from scratch
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The upstream crash Makefile CONF_TARGET_ARCH mapping (used when
CROSS_COMPILE is set) enumerates most of OE supported arches
but omits 32-bit arm. Building with CROSS_COMPILE=arm-*
therefore aborts at Makefile parse time:
Makefile:75: *** The current Arch(arm) does not support cross compilation. Stop.
ARM is already a valid crash target (defs.h/configure.c), so add a patch
mapping the normalized "arm" arch to CONF_TARGET_ARCH=ARM like every
other supported arch.
Verified by cross building crash for qemuarm (arm-yoe-linux-gnueabi-):
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Cc: Ricardo Salveti <ricardo.salveti@oss.qualcomm.com>
The function uio_line_from_file() fails to close the FILE pointer
when fgets() returns NULL, causing a file descriptor leak.
This can be triggered when reading from /sys files that return
empty content, leading to resource exhaustion over time.
Fix this by using goto-based error handling to ensure fclose()
is called on all exit paths.
Signed-off-by: Qliangw <qili00001@gmail.com>
* Refresh lua-update-Makefile-to-use-environment-build-setting.patch
* Use ${@oe.utils.trim_version(d.getVar('PV'), 2)} to dynamically
determine branch= in SRC_URI
Valkey 9.1.0 GA - Released Tue May 19 2026
---------------------
Upgrade urgency LOW: This is the first stable release of Valkey 9.1.
* Security fixes
- (CVE-2026-23479) Use-After-Free in unblock client flow
- (CVE-2026-25243) Invalid Memory Access in RESTORE command
- (CVE-2026-23631) Use-after-free when full sync occurs during a
yielding Lua/function execution
* New Features and enhanced behavior
- Add cluster bus network traffic usage metric in bytes by @hpatro
(#3396)
- Reduce latency spikes during rehashing via incremental page release
by @chzhoo (#3481)
* Bug Fixes
- Fix(syncio): Set errno on EOF in syncRead and propagate to
conn->last by @abmathur-ie (#3580)
- Fix GEOSEARCH BYPOLYGON leak on invalid COUNT by @bandalgomsu (#3568)
- Handle NULL pointer in streamTrim listpack delta calculation by
@smkher (#3591)
- Fixes server crash when RDMA benchmark clients disconnect by
@quanyeyang (#3448)
- Fix the memory leak in valkey-benchmark by @nmvk (#3643)
Release announcment:
https://valkey.io/blog/valkey-9-1-delivers-improvements-in-security-performance-and-more/
For full comparison of changes, see:
https://github.com/valkey-io/valkey/compare/9.0.4...9.1.0
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==========
- Fix memory leak in copy() and new() when memory allocation fails (rare edge
case)
- Fix seed/reset state initialization in xxh32 and xxh64 (unlikely to affect
normal usage)
- Replace Py_BuildValue with PyLong_FromUnsignedLong/LongLong for performance
- Update README examples to use bytes literals
- Add CodSpeed performance benchmarks and CI workflow
- Build aarch64/armv7l on native Arm runners; test against Python 3.15.0-beta.2
- Speed up module-level one-shot digest(), intdigest(), and hexdigest()
functions by switching them to METH_FASTCALL.
- Keep one-shot argument handling consistent with hash constructors, including
positional and keyword input/seed arguments, duplicate argument errors, and
oversized seed wrapping.
- Fix error handling in the xxh3_128 integer digest path so allocation failures
are reported cleanly.
- Fix Python 3.8 builds by adding a PyModule_AddType compatibility fallback
with correct reference counting.
- Correct type stubs for xxh64_digest(), xxh64_hexdigest(), and
xxh64_intdigest(), they were incorrectly aliased to xxh3_64 functions.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
============
- Fix type errors flagged by ty 0.0.43
- Drop obsolete ty: ignore directives
- docs: Use double backquotes for git command in development.rst
- docs: Fix indent misalignment in reference/config.rst
- docs: replace http://tox.readthedocs.org with https://tox.wiki
- fix(config): restore skip_missing_interpreters default to False
- feat(virtualenv): auto-pin virtualenv for end-of-life Python
- treat scalar string then/else as a single item in if-replace extend
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
============
- Python support 3.8+ only
- decompression limited by size and ratio
- decoder foundation to support more compression algorithms
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>