Ankur Tyagi
92b5798115
exiftool: ignore CVE-2026-7580
...
The impacted function mentioned in the NVD[1] was introduced in v12.82[2],
hence we can ignore this CVE.
[1]https://nvd.nist.gov/vuln/detail/CVE-2026-7580
[2]https://github.com/exiftool/exiftool/commit/280a7f0db71b5887be492d57723723cb196ad2f9
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:44 +05:30
Jason Schonberg
5fe0fb19e7
php: upgrade 8.2.30 -> 8.2.31
...
This is a security release.
Changelog: https://www.php.net/ChangeLog-8.php#8.2.31
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:43 +05:30
Het Patel
9500d05195
abseil-cpp: Add CVE_PRODUCT to support product name
...
- Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE
reporting.
Signed-off-by: Het Patel <hetpat@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a428ea90c0)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:42 +05:30
Khem Raj
ae7dfb1224
jq: Stick to C17 until next release
...
Patches are sprinkled in the master branch of jq but the backports
regress tests, so it's better to keep it at C17 for now.
Backport: changed from += to :append to apply to all target, native
and nativesdk builds.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-05 06:57:17 +05:30
Ankur Tyagi
964065663c
jq: patch CVE-2026-39979
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979
Ptests passed:
root@qemux86:~# ptest-runner jq
START: ptest-runner
2026-04-26T11:09
BEGIN: /usr/lib/jq/ptest
PASS: optionaltest
PASS: mantest
PASS: jqtest
PASS: onigtest
PASS: shtest
PASS: utf8test
PASS: base64test
=== Test Summary ===
TOTAL: 7
PASSED: 7
FAILED: 0
SKIPPED: 0
DURATION: 44
END: /usr/lib/jq/ptest
2026-04-26T11:10
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
6cbaf81a01
jq: patch CVE-2026-33948
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
18de8de0ef
jq: patch CVE-2026-33947
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Ankur Tyagi
9bdfbd20b2
jq: patch CVE-2026-32316
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Daniel Turull
383ff86953
jq: fix CVE-2026-40164
...
Backport patch to fix CVE-2026-40164.
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-29 10:14:29 +05:30
Peter Marko
0ef4a2ecee
grpc: set status for CVE-2026-33186
...
CPE per NVD report is for "go", while this is a C++ component:
* cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*
Also the link to the advisory within the NVD report says "grpc-go":
* https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-15 14:12:18 +05:30
Guocai He
c14dcffcd7
yasm: fix CVE-2021-33454
...
An issue was discovered in yasm version 1.3.0. There is a
NULL pointer dereference in yasm_expr_get_intnum() in
libyasm/expr.c.
Backport patch to fix CVE-2021-33454 per reference [1].
[1]: https://security-tracker.debian.org/tracker/CVE-2021-33454
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-15 14:10:33 +05:30
Ankur Tyagi
07c2b52840
nodejs: upgrade 20.20.0 -> 20.20.2
...
License Update: Update minimatch to the Blue Oak Model License[1]
nodejs LTS releases containing security and bugfixes.
https://nodejs.org/en/blog/release/v20.20.1
https://nodejs.org/en/blog/release/v20.20.2
[1] https://github.com/nodejs/node/commit/f0ef221b0d458d9358c6e6e49094da475e86c229
Ptests passed:
root@qemux86:~# ptest-runner nodejs
START: ptest-runner
2026-04-09T10:37
BEGIN: /usr/lib/nodejs/ptest
Running main() from /usr/src/debug/nodejs/20.20.2/deps/googletest/src/gtest_main.cc
[==========] Running 152 tests from 23 test suites.
[----------] Global test environment set-up.
...
...
[----------] Global test environment tear-down
[==========] 152 tests from 23 test suites ran. (30533 ms total)
[ PASSED ] 152 tests.
PASS: nodejs
DURATION: 31
END: /usr/lib/nodejs/ptest
2026-04-09T10:37
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-13 12:40:21 +05:30
Gyorgy Sarvari
7e723ad1c7
giflib: patch CVE-2025-31344
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31344
Backport the commit that mentions this CVE ID explicitly
in its message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-13 12:40:21 +05:30
Ankur Tyagi
7cc6fe87bc
abseil-cpp: ignore CVE-2025-0838
...
The commit[1] mentioned in the NVD[2] is part of the current version[3].
[1] https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-0838
[3] https://github.com/abseil/abseil-cpp/commit/54fac219c4ef0bc379dfffb0b8098725d77ac81b
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-13 12:40:21 +05:30
Vijay Anusuri
b13ae5a8eb
giflib: Fix CVE-2026-23868
...
Pick patch according to [1]
[1] https://www.facebook.com/security/advisories/cve-2026-23868
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-23868
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-03 15:00:47 +05:30
Gyorgy Sarvari
d5de98d28b
capnproto: patch CVE-2026-32239 and CVE-2026-32240
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32239
https://nvd.nist.gov/vuln/detail/CVE-2026-32240
Backport the patch that is referenced by the NVD advisories.
(Same patch for both vulnerabilities)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-24 08:52:13 +05:30
Gyorgy Sarvari
af2304fcb9
php: upgrade 8.2.29 -> 8.2.30
...
Drop patches that are included in this release.
Changes: https://www.php.net/ChangeLog-8.php#8.2.30
- Curl: Fix curl build and test failures with version 8.16.
- Opcache: Reset global pointers to prevent use-after-free in zend_jit_status().
- PDO: PDO quoting result null deref - CVE-2025-14180
- Null byte termination in dns_get_record()
- Heap buffer overflow in array_merge() - CVE-2025-14178
- Information Leak of Memory in getimagesize - CVE-2025-14177
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-24 08:52:08 +05:30
Deepak Rathore
6dd3de0d5d
yasm: extend recipe for nativesdk builds
...
Some SDK dependency chains require yasm to be available
as SDK artifacts. The current metadata only partially provides this,
which can lead to dependency resolution failures when this recipe is pulled
into SDK-oriented builds.
This change does not alter target package behavior; it only enables the required
nativesdk variant for build and SDK integration paths.
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-24 08:52:06 +05:30
Gyorgy Sarvari
c73a2a0435
protobuf: ignore CVE-2026-0994
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994
The vulnerability impacts only the python bindings of protobuf, which
is in a separate recipe (python3-protobuf, where it is patched).
Ignore this CVE in this recipe due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 398fa05aa8)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-24 08:52:02 +05:30
Gyorgy Sarvari
a831c03427
exiftool: ignore CVE-2026-3102
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3102
The vulnerability impacts only MacOS - ignore it.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-24 08:46:57 +05:30
Martin Jansa
560eef1dc2
nodejs: add missing Upstream-Status
...
The patch was introduced in:
https://git.openembedded.org/meta-openembedded/commit/?h=scarthgap&id=3f9623aaefed5b070294a0d52a54a50ea709b389
and it's the only one missing it (as the default ERROR_QA in scarthgap
doesn't have patch-status).
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-25 13:00:45 +05:30
Hongxu Jia
ec0469748b
nodejs: fix gcc compile failure for 32 bit arm target
...
Compiling with gcc failed for the 32 bit arm target
$ echo 'MACHINE = "qemuarm"' >> conf/local.conf
$ bitbake nodejs
...
2645 | );
| ^
../deps/llhttp/src/llhttp.c:2643:11: error: incompatible type for argument 1 of 'vandq_u16'
2643 | vcgeq_u8(input, vdupq_n_u8(' ')),
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| uint8x16_t
...
Use '-flax-vector-conversions' to permit conversions between vectors
with differing element types or numbers of subparts
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fe7aaabb1c)
Adapted to Scarthgap
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-12 15:59:04 +05:30
Gyorgy Sarvari
3f9623aaef
nodejs: upgrade 20.18.2 -> 20.20.0
...
Part of nodejs LTS release, contains many security- and bugfixes.
Ptests passed successfully.
Full changelog:
https://github.com/nodejs/node/blob/v20.x/doc/changelogs/CHANGELOG_V20.md
Dropped patches that are included in this release.
Added 0001-Revert-stop-using-deprecated-ares_query.patch:
Nodejs has changed a deprecated c-ares call to a newer version,
however this newer method is not available in the c-ares shipped
in meta-oe, and it failed to compile (the new call was added to c-ares
in v1.28.0, but Scarthgap comes with v1.27.0). This patch reverts this
failing commit completely. Based on the PR/issue discussions, the
only goal was to eliminate deprecation warnings. There seems to be
no logic change from this change.
License-Update:
- The license file was regenerated, to ensure it is up to date.
It contains all licenses from all vendored dependencies. This
resulted in adding nlohmann-json license to the file, which
is MIT. There were already other MIT dependencies, so this
didn't change the overall license declaration.
- base64 related license was removed, because base64 code was
simplified, so it doesn't depend on this library anymore.
(It was BSD-2-Clause, but there are other dependencies using
this license, so the overall license didn't change)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-12 15:58:49 +05:30
Anil Dongare
70822f1a81
php 8.2.29: Fix CVE-2025-14180
...
Upstream Repository: https://github.com/php/php-src.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14180
Type: Security Fix
CVE: CVE-2025-14180
Score: 7.5
Patch: https://github.com/php/php-src/commit/5797b94652c3
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:51 +05:30
Anil Dongare
4750244921
php 8.2.29: Fix CVE-2025-14178
...
Upstream Repository: https://github.com/php/php-src.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14178
Type: Security Fix
CVE: CVE-2025-14178
Score: 8.2
Patch: https://github.com/php/php-src/commit/c4268c15e361
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:51 +05:30
Gyorgy Sarvari
ab85e58b91
xerces-c: set CVE_PRODUCT
...
The related CVEs are tracked with "xerces-c\+\+" (sic).
See CVE db query:
sqlite> select vendor, product, count(*) from PRODUCTs where product like '%xerces%' group by 1, 2;
apache|xerces-c\+\+|29
apache|xerces-j|2
apache|xerces2_java|3
redhat|xerces|3
Set CVE_PRODUCT accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 29a272744a)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 11:16:24 +05:30
Anil Dongare
2759d8870e
php 8.2.29: CVE-2025-14177
...
Upstream Repository: https://github.com/php/php-src.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14177
Type: Security Fix
CVE: CVE-2025-14177
Score: 7.5
Patch: https://github.com/php/php-src/commit/c5f28c7cf0a0
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-19 12:15:49 +05:30
Ankur Tyagi
1c7b69ee0b
editorconfig-core-c: patch CVE-2024-53849
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-17 11:45:21 +05:30
Gyorgy Sarvari
ed345fca57
yasm: patch CVE-2021-33456
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33465
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1020-hash-null-CVE-2021-33456.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1e2731fce0)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:31:32 +05:30
Gyorgy Sarvari
782c49a05a
yasm: patch CVE-2021-33464
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33464
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1010-nasm-pp-no-env-CVE-2021-33464.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 66a0b01b52)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:31:32 +05:30
Gyorgy Sarvari
138ac945d9
yasm: patch CVE-2023-29579
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-29579
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1000-x86-dir-cpu-CVE-2023-29579.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cc30757a7f)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:31:31 +05:30
Gyorgy Sarvari
05fd7d83ff
yasm: add alternative CVE_PRODUCT
...
There are multiple vendors for yasm:
$ sqlite3 ./nvdcve_2-2.db "select distinct vendor, product from products where product = 'yasm';"
tortall|yasm
yasm_project|yasm
Both products refer to the same application
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 93f85e4fd2)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:31:31 +05:30
Peter Marko
2e768a8261
uw-imap: patch CVE-2018-19518
...
Take patch from Debian from
https://salsa.debian.org/lts-team/packages/uw-imap/-/commit/873b07f46ce40f43bca10ec85fe63a7a0b934294
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9f7c1e6bd1)
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-25 17:14:44 +05:30
Gyorgy Sarvari
f6c6cdce9d
iptraf-ng: patch CVE-2024-52949
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-52949
Pick the commit that mentions the CVE in its description.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 16071ef98f)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
a68e046d52
breakpad: correct SRC_URI branch
...
Master branch was renamed to main, causing fetching failures.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-12 11:32:41 +05:30
Ankur Tyagi
a4ce304cf1
mercurial: set CVE_PRODUCT to "mercurial-scm:mercurial"
...
The other product "mercurial" introduces false CVE findings like:
https://nvd.nist.gov/vuln/detail/CVE-2022-43410
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-12 10:44:37 +05:30
Praveen Kumar
30f6c5ae79
cjson: upgrade 1.7.18 -> 1.7.19
...
This includes CVE-fix for CVE-2023-26819.
Removed CVE-2025-57052, as the issue was already resolved
in v1.7.19.
Changelog:
==========
https://github.com/DaveGamble/cJSON/blob/master/CHANGELOG.md
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 15:12:09 +08:00
Divya Chellam
62b9edf47b
jq: fix CVE-2025-9403
...
A vulnerability was determined in jqlang jq up to 1.6. Impacted is the
function run_jq_tests of the file jq_test.c of the component JSON Parser.
Executing manipulation can lead to reachable assertion. The attack
requires local access. The exploit has been publicly disclosed and may be
utilized. Other versions might be affected as well.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9403
Upstream-patch:
https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 15:11:47 +08:00
Praveen Kumar
ed71c716fa
yasm: fix CVE-2024-22653
...
yasm commit 9defefae was discovered to contain a NULL pointer
dereference via the yasm_section_bcs_append function at section.c.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-22653
Upstream-patch:
https://github.com/yasm/yasm/commit/121ab150b3577b666c79a79f4a511798d7ad2432
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:36 +08:00
Jeroen Hofstee
49db959f00
nodejs: ignore CVE-2024-3566
...
CVE-2024-3566 only affects Microsoft Windows.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-06 16:05:40 +08:00
Jeroen Hofstee
0b7b87ad31
php: ignore CVE-2024-3566
...
CVE-2024-3566 only affects Microsoft Windows.
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d68c56e1ed)
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-06 16:05:40 +08:00
Shubham Pushpkar
d9e2cae64f
cjson 1.7.18: Fix CVE-2025-57052
...
Upstream Repository: https://github.com/DaveGamble/cJSON.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57052
Type: Security Fix
CVE: CVE-2025-57052
Score: 9.8
Patch: https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-09-23 10:16:33 +08:00
Martin Jansa
db93848ead
nodejs: fix build with gcc-15 on host
...
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-09-23 09:59:39 +08:00
Deepak Rathore
b9fb6556a3
protobuf 4.25.8: Mark CVE-2024-7254 as patched
...
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7254
Type: Security Fix
CVE: CVE-2024-7254
Score: 8.7
Patch: https://github.com/protocolbuffers/protobuf/commit/850fcce9176e
Analysis:
The original fix [1] for CVE-2024-7254 is listed in the NVD security
tracker (https://nvd.nist.gov/vuln/detail/CVE-2024-7254) and was
subsequently backported to the v4.25.8 version via commit [2].
Hence, this CVE is considered patched in the current source.
Reference:
[1] https://github.com/protocolbuffers/protobuf/commit/cc8b3483a558
[2] https://github.com/protocolbuffers/protobuf/commit/850fcce9176e (v4.25.8)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-09-12 08:15:13 +08:00
Martin Jansa
d90b295188
abseil-cpp: fix build with gcc-15 on host
...
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-09-12 08:15:11 +08:00
Changqing Li
1095ea81ed
luajit: fix several CVEs
...
Fix CVE-2024-25176, CVE-2024-25177, CVE-2024-25178
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-09-12 08:15:10 +08:00
Roland Kovacs
e099b1462d
jq: add Upstream-Status and CVE tags into .patch files
...
v1 version was merged instead of v2 from:
https://lists.openembedded.org/g/openembedded-devel/message/118302
Add missing Upstream-Status and CVE tags from v2.
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-09-12 08:15:10 +08:00
Praveen Kumar
3fbbd2c080
php: upgrade 8.2.28 -> 8.2.29
...
This upgrade fixes the CVEs below.
CVE-2025-1735
CVE-2025-6491
CVE-2025-1220
Changelog: https://www.php.net/ChangeLog-8.php#8.2.29
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-09-12 08:15:06 +08:00
Roland Kovacs
3d03058fe2
jq-1.7.1: Backport multiple CVE fixes
...
CVE: CVE-2024-23337
CVE: CVE-2024-53427
CVE: CVE-2025-48060
Patches CVE-2024-23337.patch and CVE-2024-53427.patch are backported from
jq-1.8.0, and CVE-2025-48060.patch is backported from jq-1.8.1.
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-07-10 20:23:11 -04:00
Chen Qi
7c3e7a6d5d
protobuf: upgrade from 4.25.3 to 4.25.8
...
0001-Add-recursion-check-when-parsing-unknown-fields-in-J.patch is
dropped because it has been included in the new version.
This upgrade also fixes CVE-2025-4565. The fix commit is as below:
d31100c91 Manually backport recursion limit enforcement to 25.x
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-07-06 19:46:40 -04:00