Commit Graph

31082 Commits

Author SHA1 Message Date
Anuj Mittal 29a0442182 python3-matplotlib: fix build
Changes in oe-core commit a0151ab56cf3 (setuptools3: clean the build
directory in configure) cause the build directory to be cleared during
configure step. To avoid the downloaded sources from getting cleaned,
pre-fetch them to a separate downloads/ directory and patch source to
look there.

Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-02 15:08:44 +05:30
Wang Mingyu dae9f04be9 haveged: upgrade 1.9.20 -> 1.9.22
Backport from wrynose (8bd9783601). Fixes CVE-2026-41054 (local
privilege escalation via command socket credential check bypass).

Changelog:
===========
* Add ReadWritePaths=/dev/shm to systemd service for semaphore creation
  under ProtectSystem=full sandboxing
* Fix privilege escalation via command socket (CVE-2026-41054)
* Check peer credentials before reading command (CVE-2026-41054)
* Handle failing opening of semaphore
* Fix /dev/shm permissions to use sticky bit
* Use chmod after mkdir to ensure correct /dev/shm permissions
* Update libtool: add lib64 search paths, remove dead code

Tested: Built core-image-full-cmdline for qemux86-64 (scarthgap,
bitbake 2.8). Booted in QEMU, verified haveged 1.9.22 starts and
provides entropy (entropy_avail=256, pool full).

(cherry picked from commit 8bd9783601)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Assisted-by: Kiro (Amazon)
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:36 +05:30
Li Zhou a553f99002 haveged: upgrade 1.9.18 -> 1.9.20
Backport from wrynose (bcc1c15a3f). Adapted from the 1.9.19 -> 1.9.20
upgrade since scarthgap ships 1.9.18.

ChangeLog:
https://github.com/jirka-h/haveged/releases/tag/v1.9.20

(cherry picked from commit bcc1c15a3f)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
[scarthgap: adapted for 1.9.18 base recipe]
Assisted-by: Kiro (Amazon)
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:36 +05:30
Venkatasainath Ravikanti 32c83597c2 syslog-ng: update config version to match installed binary
syslog-ng 4.6.0 ships with Config version 4.2, but the configuration
files still declare @version: 3.36. This causes two warnings at startup:

  WARNING: Configuration file format is too old, syslog-ng is running
  in compatibility mode
  WARNING: Your configuration file uses an obsoleted keyword

Update the @version to 4.2 to match the binary's config version.
Also replace the deprecated stats_freq() option with the modern
stats(freq()) syntax, and add @include "scl.conf" for the systemd
config to align with current upstream recommendations.

These changes mirror what was done in fee1274169 ("syslog-ng: upgrade
4.7.0 -> 4.8.1") for the master branch, adapted for the 4.6.0 version
on scarthgap.

Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com>
Assisted-by: Kiro:claude-sonnet-4
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:35 +05:30
Theo Gaige (Schneider Electric) bc3f9f396d nginx: patch CVE-2026-48142
Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7

[2] https://security-tracker.debian.org/tracker/CVE-2026-48142

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:35 +05:30
Shubham Pushpkar 1d301aca63 jq: Fix CVE-2026-43896
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43896.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:34 +05:30
Shubham Pushpkar ed1d6f1e0a jq: Fix CVE-2026-43894
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43894.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:34 +05:30
Shubham Pushpkar 69716b15d8 jq: Fix CVE-2026-41257
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41257.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:33 +05:30
Shubham Pushpkar d2c778bb20 jq: Fix CVE-2026-41256
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41256.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:33 +05:30
Shubham Pushpkar 92546d9ec0 jq: Fix CVE-2026-40612
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-40612.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2

Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:32 +05:30
Nitin Wankhade 9f47f2e912 strongswan: Fix CVE-2026-35333
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:32 +05:30
Nitin Wankhade a7dc4178c9 strongswan: Fix CVE-2026-35332
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/1e0643bef105704337efc141a37dfcfbaa53cb1f]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:32 +05:30
Nitin Wankhade fca99be2d5 strongswan: Fix CVE-2026-35331
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/64130ede5cd8f61edd35a1b488c874fa328a42b0]
                          [https://github.com/strongswan/strongswan/commit/c66143db48bab9eb82cc86190687938b809611eb]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:31 +05:30
Nitin Wankhade 0d3124974e strongswan: Fix CVE-2026-35330
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 08:29:24 +05:30
Nitin Wankhade 2150ad1cbf strongswan: Fix CVE-2026-35329
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/8dae5605a79666c6def907efd8c872c91d93de5b]
                          [https://github.com/strongswan/strongswan/commit/4da84019ccec87fea161797af2901244fa5f170e]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 07:45:19 +05:30
Nitin Wankhade 25d2ef6ebb strongswan: Fix CVE-2026-35328
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/56c7f0d13dffcfebf4255470e375234144d28134]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-07-01 07:45:15 +05:30
Nelson Garcia b0c2c648a1 nginx: backport fix for CVE-2026-9256
A heap memory buffer overflow might occur in a worker process when
using a configuration with overlapping captures in
ngx_http_rewrite_module, potentially resulting in arbitrary code
execution.

The buffer length calculation for static-length rewrite replacements
incorrectly used r->uri.data/r->uri.len for escape-size accounting
across all captures instead of the actual per-capture offsets into
r->captures_data.  This allowed overlapping captures to exceed the
allocated buffer.

Fix by iterating captures using the captures[] offsets into
captures_data rather than the full URI string.

Upstream-Status: Backport [https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068]
CVE: CVE-2026-9256
Signed-off-by: Nelson Garcia <nelson831002@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare 85aa67fa07 python3-tornado: Fix CVE-2026-31958
This patch applies the upstream fix as referenced in [2], which addresses a Tornado flaw where
crafted multipart/form-data requests can trigger excessive synchronous parsing and cause
denial of service using the commit shown in [1].

[1] https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839
[2] https://security-tracker.debian.org/tracker/CVE-2026-31958

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-31958

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare 0cbca3f031 python3-grpcio-tools: set status for CVE-2024-11407
Analysis:
- CVE-2024-11407 [1] affects gRPC-C++ servers with transmit zero copy enabled.
- The upstream fix modifies gRPC core runtime source
  src/core/lib/event_engine/posix_engine/posix_endpoint.cc [2].
- python3-grpcio-tools does not include or compile this runtime source.
- Hence CVE-2024-11407 is not applicable to python3-grpcio-tools.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-11407
[2] https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare 90446e0fd3 python3-grpcio-tools: set status for CVE-2024-7246
Analysis:
- CVE-2024-7246 [4] affects gRPC-C++ CHTTP2 HPACK parser error handling.
- The upstream fix from v1.62.3 [1] modifies gRPC core runtime source
  src/core/ext/transport/chttp2/transport/hpack_parser.cc.
  aligned with the original fix in v1.60.2 [2] as referenced in [3].
- python3-grpcio-tools does not include or compile this runtime source.
- Hence CVE-2024-7246 is not applicable to python3-grpcio-tools.

[1] https://github.com/grpc/grpc/commit/1d172cfca56440889ca32ae516b8c2767321f5b5
[2] https://github.com/grpc/grpc/commit/88b1244fd43e81860baa60cc7fb3945a2cca0d11
[3] https://bugzilla.suse.com/show_bug.cgi?id=1228919
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-7246

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare 483bf9ea00 python3-grpcio-tools: set status for CVE-2026-33186
The vulnerability only affects the Go implementation of the library,
not the Python one. Ignore this CVE due to this.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-33186
https://github.com/advisories/GHSA-p77j-4mvh-x3m3

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Ankur Tyagi a742dae3f2 postfix: upgrade 3.8.16 -> 3.8.17
https://www.postfix.org/announcements/postfix-3.11.3.html

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Gyorgy Sarvari f686a459c5 python3-supervisor: set CVE_PRODUCT
This recipe's CVEs are tracked using supervisord:supervisor CPE by nist,
so the default python:supervisor CPE doesn't match relevant CVEs.

See CVE db query (home-assisstant vendor is not relevant):
sqlite> select * from products where PRODUCT like 'supervisor';
CVE-2017-11610|supervisord|supervisor|||3.0|<=
CVE-2017-11610|supervisord|supervisor|3.1.0|=||
CVE-2017-11610|supervisord|supervisor|3.1.1|=||
CVE-2017-11610|supervisord|supervisor|3.1.2|=||
CVE-2017-11610|supervisord|supervisor|3.1.3|=||
CVE-2017-11610|supervisord|supervisor|3.2.0|=||
CVE-2017-11610|supervisord|supervisor|3.2.1|=||
CVE-2017-11610|supervisord|supervisor|3.2.2|=||
CVE-2017-11610|supervisord|supervisor|3.2.3|=||
CVE-2017-11610|supervisord|supervisor|3.3.0|=||
CVE-2017-11610|supervisord|supervisor|3.3.1|=||
CVE-2017-11610|supervisord|supervisor|3.3.2|=||
CVE-2019-12105|supervisord|supervisor|||4.0.2|<=
CVE-2023-27482|home-assistant|supervisor|||2023.03.1|<

Set the CVE_PRODUCT explicitly to match relevant CVEs.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 77ba5f31e2)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Gyorgy Sarvari 6011a79bb1 python3-pydantic: set CVE_PRODUCT
Set correct CVE_PRODUCT - the default ${PN} value doesn't match relevant
CVEs.

See CVE query (n8n vendor is not relevant):
sqlite> select * from products where product like '%pydantic%';
CVE-2021-29510|pydantic|pydantic|||1.6.2|<
CVE-2021-29510|pydantic|pydantic|1.7|>=|1.7.4|<
CVE-2021-29510|pydantic|pydantic|1.8|>=|1.8.2|<
CVE-2024-3772|pydantic|pydantic|||1.10.13|<
CVE-2024-3772|pydantic|pydantic|2.0|>=|2.4.0|<
CVE-2025-55526|n8n|pydantic|2.11.7|=||

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b4fd4a6217)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Gyorgy Sarvari a6e3b8edb6 python3-priority: set CVE_PRODUCT
Set CVE_PRODUCT to the value that is used to track CVEs for this
recipe in the CVE db.

See CVE db query (priority-software vendor is not relevant):
sqlite> select * from products where product like '%priority%';
CVE-2016-6580|python|python_priority_library|1.0.0|=||
CVE-2016-6580|python|python_priority_library|1.1.0|=||
CVE-2016-6580|python|python_priority_library|1.1.1|=||
CVE-2021-26832|priority-software|priority_enterprise_management_system|8.00|=||
CVE-2022-23172|priority-software|priority|||22.0|<
CVE-2022-23173|priority-software|priority|||22.0|<
CVE-2023-23459|priority-software|priority|||22.1|<
CVE-2023-23460|priority-software|priority|19.1.0.68|=||
CVE-2024-41697|priority-software|priority|||24.0|<
CVE-2024-41698|priority-software|priority|||24.0|<
CVE-2024-41699|priority-software|priority|||24.0|<

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 96c3818f22)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Gyorgy Sarvari 208c434236 python3-paramiko: set CVE_PRODUCT
Set correct CVE_PRODUCT for paramiko. The default python:paramiko value
doesn't match CVEs, because the product has its own set of CPEs associated
with CVEs.

See CVE db query:
sqlite> select * from products where PRODUCT = 'paramiko';
CVE-2008-0299|python_software_foundation|paramiko|1.7.1|=||
CVE-2018-1000805|paramiko|paramiko|1.17.6|=||
CVE-2018-1000805|paramiko|paramiko|1.18.5|=||
CVE-2018-1000805|paramiko|paramiko|2.0.8|=||
CVE-2018-1000805|paramiko|paramiko|2.1.5|=||
CVE-2018-1000805|paramiko|paramiko|2.2.3|=||
CVE-2018-1000805|paramiko|paramiko|2.3.2|=||
CVE-2018-1000805|paramiko|paramiko|2.4.1|=||
CVE-2018-7750|paramiko|paramiko|||1.17.6|<
CVE-2018-7750|paramiko|paramiko|1.18.0|>=|1.18.5|<
CVE-2018-7750|paramiko|paramiko|2.0.0|>=|2.0.8|<
CVE-2018-7750|paramiko|paramiko|2.1.0|>=|2.1.5|<
CVE-2018-7750|paramiko|paramiko|2.2.0|>=|2.2.3|<
CVE-2018-7750|paramiko|paramiko|2.3.0|>=|2.3.2|<
CVE-2018-7750|paramiko|paramiko|2.4.0|=||
CVE-2022-24302|paramiko|paramiko|||2.10.1|<
CVE-2023-48795|paramiko|paramiko|||3.4.0|<

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e22d2a7ba6)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare a218d02b51 python3-grpcio: set status for CVE-2026-33186
The vulnerability only affects the Go implementation of the library,
not the Python one. Ignore this CVE due to this.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-33186

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare bc70f00d38 python3-grpcio: Fix CVE-2024-7246
Apply the nearest upstream fix from v1.62.3 [1] for HPACK parser error
handling to prevent header table desynchronization, aligned with the original
fix in v1.60.2 [2] as referenced in [3].

[1] https://github.com/grpc/grpc/commit/1d172cfca56440889ca32ae516b8c2767321f5b5
[2] https://github.com/grpc/grpc/commit/88b1244fd43e81860baa60cc7fb3945a2cca0d11
[3] https://bugzilla.suse.com/show_bug.cgi?id=1228919

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7246

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Naman Jain 8d7e7fa162 libssh: ignore CVE-2025-14821
Ignore CVE-2025-14821 as it is only applicable
for windows.

Reference: [https://security-tracker.debian.org/tracker/CVE-2025-14821]

Signed-off-by: Naman Jain <naman.jain@partner.bmw.de>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-09 11:37:19 +05:30
Ankur Tyagi d8cc4e4400 postgresql: upgrade 16.12 -> 16.14
Also refreshed patches to resolve patch fuzz QA issue.

Bug fix releases
https://www.postgresql.org/docs/release/16.13/
https://www.postgresql.org/docs/release/16.14/

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-25 08:05:43 +05:30
Jérémie Dautheribes (Schneider Electric ) 91c3393ce0 python3-backports-zstd: add recipe
This recipe was previously part of the master branch but was removed
because the zstd module was integrated into the Python standard library
starting from Python 3.14.

Since Scarthgap uses Python 3.12, restore and update this recipe for users
on this branch.

Signed-off-by: Jérémie Dautheribes (Schneider Electric) <jeremie.dautheribes@bootlin.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-25 08:05:43 +05:30
Theo Gaige (Schneider Electric) 29653f38cd nginx: patch CVE-2026-42946
Backport patches [1] and [2] mentioned in [3].

[1] https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e

[2] https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd

[3] https://security-tracker.debian.org/tracker/CVE-2026-42946

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:23 +05:30
Theo Gaige (Schneider Electric) 96870679e8 nginx: patch CVE-2026-42945
Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686

[2] https://security-tracker.debian.org/tracker/CVE-2026-42945

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:22 +05:30
Theo Gaige (Schneider Electric) b7758e9380 nginx: patch CVE-2026-42934
Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a

[2] https://security-tracker.debian.org/tracker/CVE-2026-42934

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:22 +05:30
Theo Gaige (Schneider Electric) 167e8b64dd nginx: patch CVE-2026-40701
Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1

[2] https://security-tracker.debian.org/tracker/CVE-2026-40701

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:21 +05:30
Hugo SIMELIERE (Schneider Electric) f1d78e9527 dnsmasq: Fix CVE-2026-5172
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.

[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-5172.patch

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:21 +05:30
Hugo SIMELIERE (Schneider Electric) 7dda8e9bd7 dnsmasq: Fix CVE-2026-4893
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.

[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4893.patch

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:20 +05:30
Hugo SIMELIERE (Schneider Electric) e614003e0a dnsmasq: Fix CVE-2026-4892
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.

[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4892.patch

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:20 +05:30
Hugo SIMELIERE (Schneider Electric) cab6f6c603 dnsmasq: Fix CVE-2026-4891
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.

[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4891.patch

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:19 +05:30
Hugo SIMELIERE (Schneider Electric) 59f8c396f9 nss: Fix CVE-2026-2781
Pick patch from [1] as 3.9X upstream mirror backport of [2] mentioned in Debian report in [3].

[1] https://github.com/nss-dev/nss/commit/870d3b013e6b39540d14e67b3db89da5a96381bf
[2] https://hg-edge.mozilla.org/projects/nss/rev/245385e16fa6
[3] https://security-tracker.debian.org/tracker/CVE-2026-2781

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 09:56:15 +05:30
Theo Gaige 7acc744194 dash: fix CVE-2026-31323
Backport upstream fix for CVE-2026-31323 [1].

[1] https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3

Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:48 +05:30
Hitendra Prajapati a587f53a0e strongswan: fix for CVE-2026-35334
Pick patch according to [1]

[1] https://download.strongswan.org/security/CVE-2026-35334
[2] https://www.strongswan.org/blog/2026/04/22/strongswan-vulnerability-(cve-2026-35334).html
[3] https://security-tracker.debian.org/tracker/CVE-2026-35334

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:48 +05:30
Sudhir Dumbhare 9f70f8d461 libssh: set status for CVE-2025-14821
The vulnerability is Windows-specific and depends on loading
configuration from C:\etc, which does not apply to Linux/Yocto builds

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-14821
https://github.com/advisories/GHSA-5jf9-8f86-jhvw
https://www.libssh.org/security/advisories/CVE-2025-14821.txt

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:48 +05:30
Ankur Tyagi 797f2baebe nanomsg: upgrade 1.2.1 -> 1.2.2
Changelog:
https://github.com/nanomsg/nanomsg/releases/tag/1.2.2

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:47 +05:30
Ankur Tyagi c756576c1c postfix: upgrade 3.8.12 -> 3.8.16
3.8.13
http://www.postfix.org/announcements/postfix-3.10.6.html

3.8.14
http://www.postfix.org/announcements/postfix-3.10.7.html

3.8.15
http://www.postfix.org/announcements/postfix-3.10.8.html

3.8.16
http://www.postfix.org/announcements/postfix-3.11.2.html

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:47 +05:30
Ankur Tyagi 100da99a04 lcms: patch CVE-2026-42798
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-42798

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:46 +05:30
Ankur Tyagi 49a682f2ed lcms: patch CVE-2026-41254
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254

Backport the patches referenced by the NVD advisory.

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:46 +05:30
Ankur Tyagi fdd887bc29 frr: patch CVE-2026-28532
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-28532

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:45 +05:30
Ankur Tyagi 764a8f2154 firewalld: upgrade 1.3.2 -> 1.3.4
https://github.com/firewalld/firewalld/releases/tag/v1.3.3
https://github.com/firewalld/firewalld/releases/tag/v1.3.4

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:45 +05:30
Liyin Zhang 9f64ff03f5 apache2: upgrade 2.4.66 -> 2.4.67
Security fixes:
- CVE-2026-34059
- CVE-2026-34032
- CVE-2026-33857
- CVE-2026-33523
- CVE-2026-33007
- CVE-2026-33006
- CVE-2026-29169
- CVE-2026-29168
- CVE-2026-28780
- CVE-2026-24072
- CVE-2026-23918

See: https://archive.apache.org/dist/httpd/CHANGES_2.4.67

Signed-off-by: Liyin Zhang <liyin.zhang.cn@windriver.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-21 08:57:44 +05:30