Anuj Mittal
29a0442182
python3-matplotlib: fix build
...
Changes in oe-core commit a0151ab56cf3 (setuptools3: clean the build
directory in configure) cause the build directory to be cleared during
configure step. To avoid the downloaded sources from getting cleaned,
pre-fetch them to a separate downloads/ directory and patch source to
look there.
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-02 15:08:44 +05:30
Wang Mingyu
dae9f04be9
haveged: upgrade 1.9.20 -> 1.9.22
...
Backport from wrynose (8bd9783601 ). Fixes CVE-2026-41054 (local
privilege escalation via command socket credential check bypass).
Changelog:
===========
* Add ReadWritePaths=/dev/shm to systemd service for semaphore creation
under ProtectSystem=full sandboxing
* Fix privilege escalation via command socket (CVE-2026-41054)
* Check peer credentials before reading command (CVE-2026-41054)
* Handle failing opening of semaphore
* Fix /dev/shm permissions to use sticky bit
* Use chmod after mkdir to ensure correct /dev/shm permissions
* Update libtool: add lib64 search paths, remove dead code
Tested: Built core-image-full-cmdline for qemux86-64 (scarthgap,
bitbake 2.8). Booted in QEMU, verified haveged 1.9.22 starts and
provides entropy (entropy_avail=256, pool full).
(cherry picked from commit 8bd9783601 )
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
Assisted-by: Kiro (Amazon)
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:36 +05:30
Li Zhou
a553f99002
haveged: upgrade 1.9.18 -> 1.9.20
...
Backport from wrynose (bcc1c15a3f ). Adapted from the 1.9.19 -> 1.9.20
upgrade since scarthgap ships 1.9.18.
ChangeLog:
https://github.com/jirka-h/haveged/releases/tag/v1.9.20
(cherry picked from commit bcc1c15a3f )
Signed-off-by: Li Zhou <li.zhou@windriver.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
[scarthgap: adapted for 1.9.18 base recipe]
Assisted-by: Kiro (Amazon)
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:36 +05:30
Venkatasainath Ravikanti
32c83597c2
syslog-ng: update config version to match installed binary
...
syslog-ng 4.6.0 ships with Config version 4.2, but the configuration
files still declare @version: 3.36. This causes two warnings at startup:
WARNING: Configuration file format is too old, syslog-ng is running
in compatibility mode
WARNING: Your configuration file uses an obsoleted keyword
Update the @version to 4.2 to match the binary's config version.
Also replace the deprecated stats_freq() option with the modern
stats(freq()) syntax, and add @include "scl.conf" for the systemd
config to align with current upstream recommendations.
These changes mirror what was done in fee1274169 ("syslog-ng: upgrade
4.7.0 -> 4.8.1") for the master branch, adapted for the 4.6.0 version
on scarthgap.
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com >
Assisted-by: Kiro:claude-sonnet-4
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:35 +05:30
Theo Gaige (Schneider Electric)
bc3f9f396d
nginx: patch CVE-2026-48142
...
Backport patch [1] mentioned in [2].
[1] https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7
[2] https://security-tracker.debian.org/tracker/CVE-2026-48142
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:35 +05:30
Shubham Pushpkar
1d301aca63
jq: Fix CVE-2026-43896
...
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].
[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43896.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2
Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:34 +05:30
Shubham Pushpkar
ed1d6f1e0a
jq: Fix CVE-2026-43894
...
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].
[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43894.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4
Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:34 +05:30
Shubham Pushpkar
69716b15d8
jq: Fix CVE-2026-41257
...
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].
[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41257.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:33 +05:30
Shubham Pushpkar
d2c778bb20
jq: Fix CVE-2026-41256
...
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].
[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41256.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738
Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:33 +05:30
Shubham Pushpkar
92546d9ec0
jq: Fix CVE-2026-40612
...
The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].
[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-40612.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2
Reference:
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:32 +05:30
Nitin Wankhade
9f47f2e912
strongswan: Fix CVE-2026-35333
...
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd ]
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:32 +05:30
Nitin Wankhade
a7dc4178c9
strongswan: Fix CVE-2026-35332
...
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/1e0643bef105704337efc141a37dfcfbaa53cb1f ]
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:32 +05:30
Nitin Wankhade
fca99be2d5
strongswan: Fix CVE-2026-35331
...
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/64130ede5cd8f61edd35a1b488c874fa328a42b0 ]
[https://github.com/strongswan/strongswan/commit/c66143db48bab9eb82cc86190687938b809611eb ]
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:31 +05:30
Nitin Wankhade
0d3124974e
strongswan: Fix CVE-2026-35330
...
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1 ]
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 08:29:24 +05:30
Nitin Wankhade
2150ad1cbf
strongswan: Fix CVE-2026-35329
...
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/8dae5605a79666c6def907efd8c872c91d93de5b ]
[https://github.com/strongswan/strongswan/commit/4da84019ccec87fea161797af2901244fa5f170e ]
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 07:45:19 +05:30
Nitin Wankhade
25d2ef6ebb
strongswan: Fix CVE-2026-35328
...
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/56c7f0d13dffcfebf4255470e375234144d28134 ]
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-07-01 07:45:15 +05:30
Nelson Garcia
b0c2c648a1
nginx: backport fix for CVE-2026-9256
...
A heap memory buffer overflow might occur in a worker process when
using a configuration with overlapping captures in
ngx_http_rewrite_module, potentially resulting in arbitrary code
execution.
The buffer length calculation for static-length rewrite replacements
incorrectly used r->uri.data/r->uri.len for escape-size accounting
across all captures instead of the actual per-capture offsets into
r->captures_data. This allowed overlapping captures to exceed the
allocated buffer.
Fix by iterating captures using the captures[] offsets into
captures_data rather than the full URI string.
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068 ]
CVE: CVE-2026-9256
Signed-off-by: Nelson Garcia <nelson831002@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare
85aa67fa07
python3-tornado: Fix CVE-2026-31958
...
This patch applies the upstream fix as referenced in [2], which addresses a Tornado flaw where
crafted multipart/form-data requests can trigger excessive synchronous parsing and cause
denial of service using the commit shown in [1].
[1] https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839
[2] https://security-tracker.debian.org/tracker/CVE-2026-31958
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-31958
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare
0cbca3f031
python3-grpcio-tools: set status for CVE-2024-11407
...
Analysis:
- CVE-2024-11407 [1] affects gRPC-C++ servers with transmit zero copy enabled.
- The upstream fix modifies gRPC core runtime source
src/core/lib/event_engine/posix_engine/posix_endpoint.cc [2].
- python3-grpcio-tools does not include or compile this runtime source.
- Hence CVE-2024-11407 is not applicable to python3-grpcio-tools.
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-11407
[2] https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare
90446e0fd3
python3-grpcio-tools: set status for CVE-2024-7246
...
Analysis:
- CVE-2024-7246 [4] affects gRPC-C++ CHTTP2 HPACK parser error handling.
- The upstream fix from v1.62.3 [1] modifies gRPC core runtime source
src/core/ext/transport/chttp2/transport/hpack_parser.cc.
aligned with the original fix in v1.60.2 [2] as referenced in [3].
- python3-grpcio-tools does not include or compile this runtime source.
- Hence CVE-2024-7246 is not applicable to python3-grpcio-tools.
[1] https://github.com/grpc/grpc/commit/1d172cfca56440889ca32ae516b8c2767321f5b5
[2] https://github.com/grpc/grpc/commit/88b1244fd43e81860baa60cc7fb3945a2cca0d11
[3] https://bugzilla.suse.com/show_bug.cgi?id=1228919
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-7246
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare
483bf9ea00
python3-grpcio-tools: set status for CVE-2026-33186
...
The vulnerability only affects the Go implementation of the library,
not the Python one. Ignore this CVE due to this.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-33186
https://github.com/advisories/GHSA-p77j-4mvh-x3m3
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Ankur Tyagi
a742dae3f2
postfix: upgrade 3.8.16 -> 3.8.17
...
https://www.postfix.org/announcements/postfix-3.11.3.html
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Gyorgy Sarvari
f686a459c5
python3-supervisor: set CVE_PRODUCT
...
This recipe's CVEs are tracked using supervisord:supervisor CPE by nist,
so the default python:supervisor CPE doesn't match relevant CVEs.
See CVE db query (home-assisstant vendor is not relevant):
sqlite> select * from products where PRODUCT like 'supervisor';
CVE-2017-11610|supervisord|supervisor|||3.0|<=
CVE-2017-11610|supervisord|supervisor|3.1.0|=||
CVE-2017-11610|supervisord|supervisor|3.1.1|=||
CVE-2017-11610|supervisord|supervisor|3.1.2|=||
CVE-2017-11610|supervisord|supervisor|3.1.3|=||
CVE-2017-11610|supervisord|supervisor|3.2.0|=||
CVE-2017-11610|supervisord|supervisor|3.2.1|=||
CVE-2017-11610|supervisord|supervisor|3.2.2|=||
CVE-2017-11610|supervisord|supervisor|3.2.3|=||
CVE-2017-11610|supervisord|supervisor|3.3.0|=||
CVE-2017-11610|supervisord|supervisor|3.3.1|=||
CVE-2017-11610|supervisord|supervisor|3.3.2|=||
CVE-2019-12105|supervisord|supervisor|||4.0.2|<=
CVE-2023-27482|home-assistant|supervisor|||2023.03.1|<
Set the CVE_PRODUCT explicitly to match relevant CVEs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 77ba5f31e2 )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Gyorgy Sarvari
6011a79bb1
python3-pydantic: set CVE_PRODUCT
...
Set correct CVE_PRODUCT - the default ${PN} value doesn't match relevant
CVEs.
See CVE query (n8n vendor is not relevant):
sqlite> select * from products where product like '%pydantic%';
CVE-2021-29510|pydantic|pydantic|||1.6.2|<
CVE-2021-29510|pydantic|pydantic|1.7|>=|1.7.4|<
CVE-2021-29510|pydantic|pydantic|1.8|>=|1.8.2|<
CVE-2024-3772|pydantic|pydantic|||1.10.13|<
CVE-2024-3772|pydantic|pydantic|2.0|>=|2.4.0|<
CVE-2025-55526|n8n|pydantic|2.11.7|=||
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit b4fd4a6217 )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Gyorgy Sarvari
a6e3b8edb6
python3-priority: set CVE_PRODUCT
...
Set CVE_PRODUCT to the value that is used to track CVEs for this
recipe in the CVE db.
See CVE db query (priority-software vendor is not relevant):
sqlite> select * from products where product like '%priority%';
CVE-2016-6580|python|python_priority_library|1.0.0|=||
CVE-2016-6580|python|python_priority_library|1.1.0|=||
CVE-2016-6580|python|python_priority_library|1.1.1|=||
CVE-2021-26832|priority-software|priority_enterprise_management_system|8.00|=||
CVE-2022-23172|priority-software|priority|||22.0|<
CVE-2022-23173|priority-software|priority|||22.0|<
CVE-2023-23459|priority-software|priority|||22.1|<
CVE-2023-23460|priority-software|priority|19.1.0.68|=||
CVE-2024-41697|priority-software|priority|||24.0|<
CVE-2024-41698|priority-software|priority|||24.0|<
CVE-2024-41699|priority-software|priority|||24.0|<
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 96c3818f22 )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Gyorgy Sarvari
208c434236
python3-paramiko: set CVE_PRODUCT
...
Set correct CVE_PRODUCT for paramiko. The default python:paramiko value
doesn't match CVEs, because the product has its own set of CPEs associated
with CVEs.
See CVE db query:
sqlite> select * from products where PRODUCT = 'paramiko';
CVE-2008-0299|python_software_foundation|paramiko|1.7.1|=||
CVE-2018-1000805|paramiko|paramiko|1.17.6|=||
CVE-2018-1000805|paramiko|paramiko|1.18.5|=||
CVE-2018-1000805|paramiko|paramiko|2.0.8|=||
CVE-2018-1000805|paramiko|paramiko|2.1.5|=||
CVE-2018-1000805|paramiko|paramiko|2.2.3|=||
CVE-2018-1000805|paramiko|paramiko|2.3.2|=||
CVE-2018-1000805|paramiko|paramiko|2.4.1|=||
CVE-2018-7750|paramiko|paramiko|||1.17.6|<
CVE-2018-7750|paramiko|paramiko|1.18.0|>=|1.18.5|<
CVE-2018-7750|paramiko|paramiko|2.0.0|>=|2.0.8|<
CVE-2018-7750|paramiko|paramiko|2.1.0|>=|2.1.5|<
CVE-2018-7750|paramiko|paramiko|2.2.0|>=|2.2.3|<
CVE-2018-7750|paramiko|paramiko|2.3.0|>=|2.3.2|<
CVE-2018-7750|paramiko|paramiko|2.4.0|=||
CVE-2022-24302|paramiko|paramiko|||2.10.1|<
CVE-2023-48795|paramiko|paramiko|||3.4.0|<
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e22d2a7ba6 )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare
a218d02b51
python3-grpcio: set status for CVE-2026-33186
...
The vulnerability only affects the Go implementation of the library,
not the Python one. Ignore this CVE due to this.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-33186
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Sudhir Dumbhare
bc70f00d38
python3-grpcio: Fix CVE-2024-7246
...
Apply the nearest upstream fix from v1.62.3 [1] for HPACK parser error
handling to prevent header table desynchronization, aligned with the original
fix in v1.60.2 [2] as referenced in [3].
[1] https://github.com/grpc/grpc/commit/1d172cfca56440889ca32ae516b8c2767321f5b5
[2] https://github.com/grpc/grpc/commit/88b1244fd43e81860baa60cc7fb3945a2cca0d11
[3] https://bugzilla.suse.com/show_bug.cgi?id=1228919
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7246
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Naman Jain
8d7e7fa162
libssh: ignore CVE-2025-14821
...
Ignore CVE-2025-14821 as it is only applicable
for windows.
Reference: [https://security-tracker.debian.org/tracker/CVE-2025-14821 ]
Signed-off-by: Naman Jain <naman.jain@partner.bmw.de >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-06-09 11:37:19 +05:30
Ankur Tyagi
d8cc4e4400
postgresql: upgrade 16.12 -> 16.14
...
Also refreshed patches to resolve patch fuzz QA issue.
Bug fix releases
https://www.postgresql.org/docs/release/16.13/
https://www.postgresql.org/docs/release/16.14/
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-25 08:05:43 +05:30
Jérémie Dautheribes (Schneider Electric )
91c3393ce0
python3-backports-zstd: add recipe
...
This recipe was previously part of the master branch but was removed
because the zstd module was integrated into the Python standard library
starting from Python 3.14.
Since Scarthgap uses Python 3.12, restore and update this recipe for users
on this branch.
Signed-off-by: Jérémie Dautheribes (Schneider Electric) <jeremie.dautheribes@bootlin.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-25 08:05:43 +05:30
Theo Gaige (Schneider Electric)
29653f38cd
nginx: patch CVE-2026-42946
...
Backport patches [1] and [2] mentioned in [3].
[1] https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e
[2] https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd
[3] https://security-tracker.debian.org/tracker/CVE-2026-42946
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:23 +05:30
Theo Gaige (Schneider Electric)
96870679e8
nginx: patch CVE-2026-42945
...
Backport patch [1] mentioned in [2].
[1] https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686
[2] https://security-tracker.debian.org/tracker/CVE-2026-42945
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:22 +05:30
Theo Gaige (Schneider Electric)
b7758e9380
nginx: patch CVE-2026-42934
...
Backport patch [1] mentioned in [2].
[1] https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a
[2] https://security-tracker.debian.org/tracker/CVE-2026-42934
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:22 +05:30
Theo Gaige (Schneider Electric)
167e8b64dd
nginx: patch CVE-2026-40701
...
Backport patch [1] mentioned in [2].
[1] https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1
[2] https://security-tracker.debian.org/tracker/CVE-2026-40701
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:21 +05:30
Hugo SIMELIERE (Schneider Electric)
f1d78e9527
dnsmasq: Fix CVE-2026-5172
...
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-5172.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:21 +05:30
Hugo SIMELIERE (Schneider Electric)
7dda8e9bd7
dnsmasq: Fix CVE-2026-4893
...
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4893.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:20 +05:30
Hugo SIMELIERE (Schneider Electric)
e614003e0a
dnsmasq: Fix CVE-2026-4892
...
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4892.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:20 +05:30
Hugo SIMELIERE (Schneider Electric)
cab6f6c603
dnsmasq: Fix CVE-2026-4891
...
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4891.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:19 +05:30
Hugo SIMELIERE (Schneider Electric)
59f8c396f9
nss: Fix CVE-2026-2781
...
Pick patch from [1] as 3.9X upstream mirror backport of [2] mentioned in Debian report in [3].
[1] https://github.com/nss-dev/nss/commit/870d3b013e6b39540d14e67b3db89da5a96381bf
[2] https://hg-edge.mozilla.org/projects/nss/rev/245385e16fa6
[3] https://security-tracker.debian.org/tracker/CVE-2026-2781
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:15 +05:30
Theo Gaige
7acc744194
dash: fix CVE-2026-31323
...
Backport upstream fix for CVE-2026-31323 [1].
[1] https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3
Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:48 +05:30
Hitendra Prajapati
a587f53a0e
strongswan: fix for CVE-2026-35334
...
Pick patch according to [1]
[1] https://download.strongswan.org/security/CVE-2026-35334
[2] https://www.strongswan.org/blog/2026/04/22/strongswan-vulnerability-(cve-2026-35334).html
[3] https://security-tracker.debian.org/tracker/CVE-2026-35334
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:48 +05:30
Sudhir Dumbhare
9f70f8d461
libssh: set status for CVE-2025-14821
...
The vulnerability is Windows-specific and depends on loading
configuration from C:\etc, which does not apply to Linux/Yocto builds
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-14821
https://github.com/advisories/GHSA-5jf9-8f86-jhvw
https://www.libssh.org/security/advisories/CVE-2025-14821.txt
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:48 +05:30
Ankur Tyagi
797f2baebe
nanomsg: upgrade 1.2.1 -> 1.2.2
...
Changelog:
https://github.com/nanomsg/nanomsg/releases/tag/1.2.2
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:47 +05:30
Ankur Tyagi
c756576c1c
postfix: upgrade 3.8.12 -> 3.8.16
...
3.8.13
http://www.postfix.org/announcements/postfix-3.10.6.html
3.8.14
http://www.postfix.org/announcements/postfix-3.10.7.html
3.8.15
http://www.postfix.org/announcements/postfix-3.10.8.html
3.8.16
http://www.postfix.org/announcements/postfix-3.11.2.html
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:47 +05:30
Ankur Tyagi
100da99a04
lcms: patch CVE-2026-42798
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-42798
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:46 +05:30
Ankur Tyagi
49a682f2ed
lcms: patch CVE-2026-41254
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254
Backport the patches referenced by the NVD advisory.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:46 +05:30
Ankur Tyagi
fdd887bc29
frr: patch CVE-2026-28532
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-28532
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:45 +05:30
Ankur Tyagi
764a8f2154
firewalld: upgrade 1.3.2 -> 1.3.4
...
https://github.com/firewalld/firewalld/releases/tag/v1.3.3
https://github.com/firewalld/firewalld/releases/tag/v1.3.4
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:45 +05:30
Liyin Zhang
9f64ff03f5
apache2: upgrade 2.4.66 -> 2.4.67
...
Security fixes:
- CVE-2026-34059
- CVE-2026-34032
- CVE-2026-33857
- CVE-2026-33523
- CVE-2026-33007
- CVE-2026-33006
- CVE-2026-29169
- CVE-2026-29168
- CVE-2026-28780
- CVE-2026-24072
- CVE-2026-23918
See: https://archive.apache.org/dist/httpd/CHANGES_2.4.67
Signed-off-by: Liyin Zhang <liyin.zhang.cn@windriver.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:44 +05:30