mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity
31,053 Commits 64 Branches 0 Tags
scarthgap
Commit Graph

31053 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Gyorgy Sarvari 0febf2f87d python3-tornado: set CVE_PRODUCT 
The default "python:tornado" CVE_PRODUCT doesn't match relevant CVEs, because
the project's CPE is "tornadoweb:tornado".

See cve db query (docmosis is an irrelevant vendor):

sqlite> select * from products where PRODUCT = 'tornado';
CVE-2012-2374|tornadoweb|tornado|||2.2|<=
CVE-2012-2374|tornadoweb|tornado|1.0|=||
CVE-2012-2374|tornadoweb|tornado|1.0.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.2|=||
CVE-2012-2374|tornadoweb|tornado|1.2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.0|=||
CVE-2012-2374|tornadoweb|tornado|2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.1.1|=||
CVE-2014-9720|tornadoweb|tornado|||3.2.2|<
CVE-2023-25264|docmosis|tornado|||2.9.5|<
CVE-2023-25265|docmosis|tornado|||2.9.5|<
CVE-2023-25266|docmosis|tornado|||2.9.5|<
CVE-2023-28370|tornadoweb|tornado|||6.3.2|<
CVE-2024-42733|docmosis|tornado|||2.9.7|<=
CVE-2024-52804|tornadoweb|tornado|||6.4.2|<
CVE-2025-47287|tornadoweb|tornado|||6.5.0|<
CVE-2025-67724|tornadoweb|tornado|||6.5.3|<
CVE-2025-67725|tornadoweb|tornado|||6.5.3|<
CVE-2025-67726|tornadoweb|tornado|||6.5.3|<

Set the CVE_PRODUCT accordingly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 139cc15de3)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-29 10:14:29 +05:30
Libo Chen c40989630d hdf5: fix CVE-2025-6857 
According to [1], A vulnerability has been found in HDF5 1.14.6 and
classified as problematic. Affected by this vulnerability is the function
H5G__node_cmp3 of the file src/H5Gnode.c. The manipulation leads to
stack-based buffer overflow. It is possible to launch the attack on the
local host. The exploit has been disclosed to the public and may be used.

Backport patch [2] from upstream to fix CVE-2025-6857

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6857
[2] https://github.com/HDFGroup/hdf5/commit/a8ceb1d95bb997f548c1129363dad53c18540096

Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-29 10:14:29 +05:30
Libo Chen 4ab556ad1e hdf5: fix CVE-2025-2308 
According to [1], A vulnerability, which was classified as critical, was
found in HDF5 1.14.6. This affects the function
H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter.
The manipulation leads to heap-based buffer overflow. An attack has to be
approached locally. The exploit has been disclosed to the public and may be
used. The vendor plans to fix this issue in an upcoming release.

Backport patch [2] from upstream to fix CVE-2025-2308

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2308
[2] https://github.com/HDFGroup/hdf5/commit/2ce7fdc4cf147d280aa6d49686297faacc250e40

Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-29 10:14:29 +05:30
Gyorgy Sarvari a26a769011 nginx: set CVE_PRODUCT 
nginx has a long history, and has used multiple CPEs
over time. Set CVE_PRODUCT to reflect current and historic
vendor:product pairs.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d25aadbbb5)
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-29 10:14:29 +05:30
Zahir Hussain 6f90f29b18 rocksdb: packageconfig knob for set static library option 
Adding PACKAGECONFIG knob for enable/disable the static library option

It is just a follow-up changes of previous commit
https://git.openembedded.org/meta-openembedded/commit/?h=scarthgap&id=72018ca1b1a471226917e8246e8bbf9a374ccf97
and also this changes are already accepted and integrated in kirkstone branch.

Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-29 10:14:29 +05:30
Naman Jain 098a230565 imagemagick: Fix CVEs 
Fix the following CVEs-
CVE-2026-24481 CVE-2026-25638 CVE-2026-25794 CVE-2026-25795
CVE-2026-25796 CVE-2026-25797 CVE-2026-25798 CVE-2026-25799
CVE-2026-25897 CVE-2026-25898 CVE-2026-25965 CVE-2026-25966
CVE-2026-25967 CVE-2026-25968 CVE-2026-25969 CVE-2026-25970
CVE-2026-25982 CVE-2026-25985 CVE-2026-25986 CVE-2026-25987
CVE-2026-25988 CVE-2026-26066 CVE-2026-26283 CVE-2026-26284
CVE-2026-26983

Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-29 10:14:24 +05:30
Ankur Tyagi 5124ac4a65 nginx: fix CVE-2026-28753 
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160367
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28753
[3] https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Ankur Tyagi 24459e3f5c nginx: fix CVE-2026-27654 
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160382
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27654
[3] https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Ankur Tyagi 958cca3987 nginx: fix CVE-2026-27651 
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160383
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27651
[3] https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Peter Marko 0ef4a2ecee grpc: set status for CVE-2026-33186 
CPE per NVD report is for "go", while this is C++ component:
* cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*
Also the link to adisory within NVD report says "grpc-go":
* https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Ankur Tyagi a1b14b7a3a python3-werkzeug: ignore CVE-2026-27199 
Vvulnerability affects Windows application and can be ignored.

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Ankur Tyagi 3b6292cfbe python3-tornado: fix CVE-2026-35536 
Backport the commit[1] from version 6.5.5 which fixes this vulnerability
according to the NVD[2].

[1] https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-35536

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Ankur Tyagi 6679171034 python3-flask: upgrade 3.0.2 -> 3.0.3 
License Update: File renamed as txt[1]

Release Notes:
https://github.com/pallets/flask/releases/tag/3.0.3

[1] https://github.com/pallets/flask/commit/87d5f5b9a9697434e6d972b021201105eabb54e6

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Ankur Tyagi 8ce4b233c6 python3-ecdsa: fix CVE-2026-33936 
Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-33936

Ptests passed:

root@qemux86:~# ptest-runner python3-ecdsa
START: ptest-runner
2026-04-11T08:04
BEGIN: /usr/lib/python3-ecdsa/ptest
...
...
Testsuite summary
# TOTAL: 1978
# PASS: 1974
# SKIP: 4
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
DURATION: 386
END: /usr/lib/python3-ecdsa/ptest
2026-04-11T08:10
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Ankur Tyagi 8e106a9b12 python3-django: upgrade 4.2.29 -> 4.2.30 
Release Notes:
https://docs.djangoproject.com/en/dev/releases/4.2.30/

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Jinfeng Wang f3e47be00a nmap: rename enum PCAP_SOCKET 
The enum PCAP_SOCKET conflicts with the PCAP_SOCKET macro introduced in
libpcap 1.10.5. Use ifdefs to handle both old and new libpcap versions,
renaming the enum to NM_PCAP_SOCKET when the PCAP_SOCKET macro is defined.

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Haixiao Yan 9757d0151b python3-django: fix CVE-2025-59681 
QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and
QuerySet.extra() methods were subject to SQL injection in column aliases, using
a suitably crafted dictionary, with dictionary expansion, as the **kwargs
passed to these methods on MySQL and MariaDB.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-59681

Upstream-patch:
https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Haixiao Yan 838ca22808 python3-django: fix CVE-2025-57833 
FilteredRelation was subject to SQL injection in column aliases, using a
suitably crafted dictionary, with dictionary expansion, as the **kwargs
passed QuerySet.annotate() or QuerySet.alias().

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-57833

Upstream-patch:
https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Libo Chen 6f240eceb0 hdf5: fix CVE-2025-2309 
According to [1], A vulnerability has been found in HDF5 1.14.6 and
classified as critical. This vulnerability affects the function
H5T__bit_copy of the component Type Conversion Logic. The manipulation
leads to heap-based buffer overflow. Local access is required to approach
this attack. The exploit has been disclosed to the public and may be used.
The real existence of this vulnerability is still doubted at the moment.
The vendor plans to fix this issue in an upcoming release.

Backport patch [2] from upstream to fix CVE-2025-2309

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2309
[2] https://github.com/HDFGroup/hdf5/commit/9d90b21ef5c5373978014f1a711795aa653bd9a1

Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Libo Chen 69fcb4d4b1 hdf5: fix CVE-2025-44905 
According to [1], hdf5 v1.14.6 was discovered to contain a heap buffer
overflow via the H5Z__filter_scaleoffset function.

Backport patch [2] from upstream to fix CVE-2025-44905

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-44905
[2] https://github.com/HDFGroup/hdf5/commit/42588aeba786a121fec1fbad72cf39d8f60a4983

Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Libo Chen c96f578f10 hdf5: fix CVE-2025-2310 
According to [1], A vulnerability was found in HDF5 1.14.6 and classified
as critical. This issue affects the function H5MM_strndup of the component
Metadata Attribute Decoder. The manipulation leads to heap-based buffer
overflow. Attacking locally is a requirement. The exploit has been
disclosed to the public and may be used.

Backport patch [2] from upstream to fix CVE-2025-2310

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2310
[2] https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4

Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:18 +05:30
Libo Chen 43572581cf hdf5: fix CVE-2025-2153 
According to [1], A vulnerability, which was classified as critical, was
found in HDF5 1.14.6. Affected is the function H5SM_delete of the file
H5SM.c of the component h5 File Handler. The manipulation leads to
heap-based buffer overflow. It is possible to launch the attack remotely.
The complexity of an attack is rather high. The exploitability is told to
be difficult. The exploit has been disclosed to the public and may be used.

Backport patch [2] from upstream to fix CVE-2025-2153

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2153
[2] https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0

Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:12:15 +05:30
Haixiao Yan 151e634ed2 python3-django: fix CVE-2025-64459 
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the
class Q() were subject to SQL injection when using a suitably crafted
dictionary, with dictionary expansion, as the _connector argument.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

Upstream-patch:
https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:10:33 +05:30
Guocai He c14dcffcd7 yasm: fix CVE-2021-33454 
An issue was discovered in yasm version 1.3.0. There is a
NULL pointer dereference in yasm_expr_get_intnum() in
libyasm/expr.c.

Backport patch to fix CVE-2021-33454 per reference [1].
[1]: https://security-tracker.debian.org/tracker/CVE-2021-33454

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:10:33 +05:30
Jackson James fc30bb5eed unbound: Fix CVE-2025-11411 
Backport complete patch to fix CVE-2025-11411

The existing scarthgap patch is a partial backport with hardcoded logic,
causing incorrect behavior and ptest failures. Backport the full upstream
fix along with the follow-up patch to ensure correct functionality.

Add below patch to fix
0001-CVE-2025-11411-1.patch
0002-CVE-2025-11411-2.patch

Signed-off-by: Jackson James <jacksonj2@kpit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 07c2b52840 nodejs: upgrade 20.20.0 -> 20.20.2 
License Update: Update minimatch to the Blue Oak Model License[1]

nodejs LTS releases containing security and bugfixes.

https://nodejs.org/en/blog/release/v20.20.1
https://nodejs.org/en/blog/release/v20.20.2

[1] https://github.com/nodejs/node/commit/f0ef221b0d458d9358c6e6e49094da475e86c229

Ptests passed:

root@qemux86:~# ptest-runner nodejs
START: ptest-runner
2026-04-09T10:37
BEGIN: /usr/lib/nodejs/ptest
Running main() from /usr/src/debug/nodejs/20.20.2/deps/googletest/src/gtest_main.cc
[==========] Running 152 tests from 23 test suites.
[----------] Global test environment set-up.
...
...
[----------] Global test environment tear-down
[==========] 152 tests from 23 test suites ran. (30533 ms total)
[  PASSED  ] 152 tests.
PASS: nodejs
DURATION: 31
END: /usr/lib/nodejs/ptest
2026-04-09T10:37
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Gyorgy Sarvari 42bf9aa27a mbedtls: upgrade 3.6.5 -> 3.6.6 
Contains fixes for CVE-2026-25833, CVE-2026-25834, CVE-2026-25835,
CVE-2026-34872, CVE-2026-34873, CVE-2026-34874 and CVE-2026-34875.

Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6

Ptests passed:

root@qemux86:~# ptest-runner mbedtls
START: ptest-runner
2026-04-09T10:41
BEGIN: /usr/lib/mbedtls/ptest
...
...
DURATION: 508
END: /usr/lib/mbedtls/ptest
2026-04-09T10:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit fe1b038cd8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 39924b5b88 libvncserver: fix CVE-2026-32854 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32854

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi c56964fcf2 libvncserver: fix CVE-2026-32853 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32853

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 964432f3af libraw: ignore CVE-2026-5318 
Vulnerability exists in the function which was added in version 0.22.0[1]

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-5318

[1] https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi d17d94e0e0 libde265: upgrade 1.0.12 -> 1.0.16 
Dropped patches which are part of the upstream version.

https://github.com/strukturag/libde265/releases/tag/v1.0.16
https://github.com/strukturag/libde265/releases/tag/v1.0.15
https://github.com/strukturag/libde265/releases/tag/v1.0.14
https://github.com/strukturag/libde265/releases/tag/v1.0.13

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Gyorgy Sarvari 7e723ad1c7 giflib: patch CVE-2025-31344 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31344

Backport the commit that mentions this CVE ID explicitly
in its message.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 6d5a42a5e0 freerdp3: fix CVE-2026-33984 
Detaisl: https://nvd.nist.gov/vuln/detail/CVE-2026-33984

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 262e656885 freerdp3: fix CVE-2026-31897 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31897

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 73ae0a8034 freerdp3: fix CVE-2026-31806 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31806

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 7025c461c7 freerdp3: fix CVE-2026-29776 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29776

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 1bc75cd389 freerdp3: fix CVE-2026-29775 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29775

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 2d96f24f2d freerdp3: fix CVE-2026-29774 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29774

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 53ab8b4a5a freerdp3: fix CVE-2026-24683 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24683

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 2beb2f81e7 freerdp3: fix CVE-2026-24682 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24682

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 799cfe0cfa freerdp3: fix CVE-2026-24681 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24681

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi b343c96d52 freerdp3: fix CVE-2026-24680 and CVE-2026-27950 
There was only SDL2 client until commit[1] created SDL2 and SDL3 clients
from version 3.6.0 onwards.
[1] https://github.com/FreeRDP/FreeRDP/commit/8281186a6d9dad20e8345d85a1732e2974636555

Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-24680
https://nvd.nist.gov/vuln/detail/CVE-2026-27950

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 27ba3fb054 freerdp3: fix CVE-2026-24679 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24679

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 09cd8e482a freerdp3: ignore CVE-2026-24677 and CVE-2026-24678 
Both vulnerabilities exists in the functions which were added in
version 3.6.0[1]

Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-24677
https://nvd.nist.gov/vuln/detail/CVE-2026-24678

[1] https://github.com/FreeRDP/FreeRDP/commit/a81d111ac4023d31e10ebf579fa34c93bf56bce5

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 8cc0cd3deb freerdp3: fix CVE-2026-24676 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24676

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 4784f85b09 freerdp3: fix CVE-2026-24675 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24675
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi c9763be62b freerdp3: fix CVE-2026-24491 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24491

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi a0221753e4 freerdp3: fix CVE-2026-23948 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23948

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 21af1f7e13 freerdp3: fix CVE-2026-33952 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33952

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 421f659e20 freerdp3: fix CVE-2026-25941 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25941

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30