Ankur Tyagi
f52f32952c
wolfssl: patch CVE-2026-5778
...
Backport commit from the PR[1] mentioned in the nvd[2]
[1]https://github.com/wolfSSL/wolfssl/pull/10125
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-5778
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:28:45 +05:30
Ankur Tyagi
0722748606
wolfssl: patch CVE-2026-5772
...
Backport commits from the PR[1] mentioned in the nvd[2]
[1]https://github.com/wolfSSL/wolfssl/pull/10119
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-5772
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:28:45 +05:30
Ankur Tyagi
2306b7a87e
wolfssl: patch CVE-2026-5447
...
Backport commit from the PR[1] mentioned in the nvd[2]
[1]https://github.com/wolfSSL/wolfssl/pull/10112
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-5447
Dropped unit test changes during the backport.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:28:45 +05:30
Ankur Tyagi
f75da20d3e
wolfssl: patch CVE-2026-5446
...
Backport commits from the PR[1] mentioned in the nvd[2]
[1]https://github.com/wolfSSL/wolfssl/pull/10111
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-5446
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:28:45 +05:30
Ankur Tyagi
8939b43735
wolfssl: patch CVE-2026-5392
...
Backport commit from the PR[1] mentioned in the nvd[2]
[1]https://github.com/wolfSSL/wolfssl/pull/10039
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-5392
Dropped unit test changes during the backport.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:28:45 +05:30
Ankur Tyagi
bec67650c1
wolfssl: patch CVE-2026-5188
...
Backport commit from the PR[1] mentioned in the nvd[2]
[1]https://github.com/wolfSSL/wolfssl/pull/10024
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-5188
Dropped unit test changes during the backport.
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:28:45 +05:30
Ankur Tyagi
6ed3dfda05
wolfssl: patch CVE-2026-3580
...
Backport commit from the PR[1] mentioned in the nvd[2]
[1]https://github.com/wolfSSL/wolfssl/pull/9855
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-3580
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:27:43 +05:30
Ankur Tyagi
657e8af9b5
wolfssl: patch CVE-2026-1005
...
Backport commit from the PR[1] mentioned in the nvd[2]
[1]https://github.com/wolfSSL/wolfssl/pull/9571
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-1005
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:26:30 +05:30
Ankur Tyagi
8a69f13465
python3-django: upgrade 4.2.29 -> 4.2.30
...
Release Notes:
https://docs.djangoproject.com/en/dev/releases/4.2.30/
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Gyorgy Sarvari
e424330cc1
python3-django: upgrade 5.2.12 -> 5.2.13
...
Contains fixes for CVE-2026-3902, CVE-2026-4277, CVE-2026-4292,
CVE-2026-33033 and CVE-2026-33034.
Changelog: https://docs.djangoproject.com/en/6.0/releases/5.2.13/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Bartosz Golaszewski
d301c5a3e0
python3-gpiod: update to v2.4.2
...
Bug-fix release addressing a buffer overflow bug discovered during an
AI-augmented security audit as well as another minor issue with
unnecessarily duplicated code.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 7e24f2b5a8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
2259e75e79
python3-bitarray: upgrade 3.8.0 -> 3.8.1
...
Changelog:
==========
* fixed critical findings in C Extension Analysis Report
* add tests, in particular 'devel/test_capi.py'
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 041704b01c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
f92680f61d
python3-tzdata: upgrade 2025.3 -> 2026.1
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 36111dde1a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
8ecca3786c
python3-tzdata: upgrade 2025.2 -> 2025.3
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2c0a4edb58)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
2ce4783d77
python3-werkzeug: upgrade 3.1.7 -> 3.1.8
...
Request.host and get_host return the empty string if the header is missing or has invalid characters.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit d8c310aa52)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
f110ce82a6
python3-werkzeug: upgrade 3.1.6 -> 3.1.7
...
Changelog:
==========
- parse_list_header preserves partially quoted items, discards empty items, and
returns empty for unclosed quoted values.
- WWWAuthenticate.to_header does not produce a trailing space when there are no
parameters.
- Transfer-Encoding is parsed as a set.
- Request.host, get_host, and host_is_trusted validate the characters of the
value. An empty value is no longer allowed. A Unix socket server address is
ignored. The trusted_list argument to host_is_trusted is optional.
- Fix multipart form parser handling of newline at boundary.
- Response.make_conditional sets the Accept-Ranges header even if it is not a
satisfiable range request.
- merge_slashes merges any number of consecutive slashes.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit db8bd24b0d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Mingli Yu
6ae02f0f60
python3-ecdsa: Upgrade 0.19.1 -> 0.19.2
...
Changelog:
https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 27d096d984)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Gyorgy Sarvari
822ae72861
xdg-dbus-proxy: upgrade 0.1.6 -> 0.1.7
...
Contains fix for CVE-2026-34080. Since it is tracked without version info
by NVD, mark it explicitly as patched.
Drop the patch that is included in this release.
While here, also add the recipe to the ptest list - it's a fast one,
runs under a second.
Changelog:
- Drop the autotools build system
- Unbreak the CI
- Prevent a crash on disconnect
- Fix building with glibc >= 2.43
- Fix the eavesdrop filtering to prevent message interception
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Bartosz Golaszewski
326e8481b8
libgpiod: update to v2.2.4
...
Bug-fix release addressing several issues discovered during an
AI-augmented security audit. The most severe bug was found in the C
extension code of the python bindings - which also get an update - but
there were some memory leaks and integer overflow bugs in the core C
library as well as in tools and DBus daemon.
Full changelog:
Bug fixes:
- fix buffer over-read bugs when translating uAPI structs to library types
- fix variable and argument types where necessary
- sanitize values returned by the kernel to avoid potential buffer overflows
- fix memory leaks in gpio-tools
- add missing return value checks in gpio-tools
- fix period parsing in gpio-tools
- use correct loop counter in error path in gpio-manager
Improvements:
- make tests work with newer coreutils by removing cases checking tools'
behavior on SIGINT which stopped working due to changes in behavior of the
timeout tool
Also: drop the patch that's now upstream from the recipe.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Bartosz Golaszewski
9f66cce6da
libgpiod: update to v2.2.3
...
Bug-fix release addressing a couple problems in gpio-manager and tests.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 172c473caf)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Gyorgy Sarvari
3f2293398f
nodejs: mark CVE-2026-21710 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-21710
The CVE is fixed in the current recipe version[1], but NVD tracks it
without version info.
Mark it as patched in the recipe.
[1]: https://github.com/nodejs/node/blob/v22.x/doc/changelogs/CHANGELOG_V22.md
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit b483760dba)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Gyorgy Sarvari
61f2155c03
freeipmi: mark CVE-2026-33554 patched
...
The CVE is tracked by NVD without version info. Its description
confirms that it is fixed in version 1.6.17.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 21f792ff63)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Changqing Li
2d10d4a11d
libsoup-2.4: fix several CVEs
...
Fix CVE-2026-1539, CVE-2026-1761, CVE-2026-1801, CVE-2026-2443,
CVE-2026-2369, CVE-2026-1760, CVE-2025-14523, CVE-2025-32049, CVE-2026-1467
Refer:
CVE-2026-1801 https://gitlab.gnome.org/GNOME/libsoup/-/issues/481
CVE-2026-1761 https://gitlab.gnome.org/GNOME/libsoup/-/issues/493
CVE-2026-2443 https://gitlab.gnome.org/GNOME/libsoup/-/issues/487
CVE-2026-1539 https://gitlab.gnome.org/GNOME/libsoup/-/issues/489
CVE-2026-2369 https://gitlab.gnome.org/GNOME/libsoup/-/issues/498
CVE-2026-1760 https://gitlab.gnome.org/GNOME/libsoup/-/issues/475
CVE-2025-14523 https://gitlab.gnome.org/GNOME/libsoup/-/issues/472
CVE-2025-32049 https://gitlab.gnome.org/GNOME/libsoup/-/issues/390
CVE-2026-1467 https://gitlab.gnome.org/GNOME/libsoup/-/issues/488
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 07d6722816)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Gyorgy Sarvari
9f003507af
python3-grpcio: ignore CVE-2026-33186
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
The vulnerability only affects the Go implementation of the library,
not the Python one. Ignore this CVE due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 468ee626f8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Gyorgy Sarvari
850b7f6fd7
protobuf, python3-protobuf: ignore CVE-2026-6409
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6409
The vulnerability impacts only the PHP library component, not the
cpp/python one. Ignore this CVE due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit aef8bc3422)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Ankur Tyagi
d91b26edec
libcoap: patch CVE-2026-29013
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29013
Debian[1] also identified this as a fix.
[1] https://security-tracker.debian.org/tracker/CVE-2026-29013
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Ankur Tyagi
c50a1edbcf
lcms: patch CVE-2026-41254
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254
Backport the patches referenced by the NVD advisory.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Jörg Sommer
d861698ab8
lshw: Fix binmerge
...
In case $sbindir = $bindir we have to pass this setting to make.
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit d09f50438f)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:21 +05:30
Markus Volk
76819dfd4c
libdvdnav: use https for fetching code
...
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit b50fbdd66b)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:21 +05:30
Markus Volk
e1fba4cbbc
libdvdcss: use https for fetching code
...
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit ae92a2993c)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:21 +05:30
Markus Volk
50cde1e649
libdvdread: use https for fetching code
...
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 7bf89d06a4)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:21 +05:30
Gyorgy Sarvari
c72fd80a5c
jq: patch CVE-2026-39979
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 2b1e34f0f5)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:21 +05:30
Gyorgy Sarvari
2732cd42ec
jq: patch CVE-2026-33948
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 8d399af333)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:21 +05:30
Gyorgy Sarvari
f251c27025
jq: patch CVE-2026-33947
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947
Backport the patch that is referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 525e18ce21)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
c547565088
jq: patch CVE-2026-32316
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit e94ab85126)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Peter Kjellerstedt
1574d0ed55
jq: Use Git to fetch the code
...
There is a bug (see https://github.com/jqlang/jq/issues/434), which
results in an empty version being used if autoreconf is run on the jq
sources when using a release tar ball. The incorrect assumption is that
autoreconf is only used when fetching the code using Git.
The empty version results in an incorrect libjq.pc file being created
where the version is not set, which results in, e.g.,
`pkgconf --libs 'libjq > 1.6'` failing even if version 1.8.1 of jq is
actually installed.
Switch to fetching the code using Git to work around the bug.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit ed33569f82)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
3ed2bdeb7d
libgphoto2: patch CVE-2026-40341
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40341
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit de5f93f95d)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
2a3142c8fc
libgphoto2: patch CVE-2026-40340
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40340
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 420e5aec46)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
c7d9a8a5bf
libgphoto2: patch CVE-2026-40339
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40339
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 2e3be1dddc)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
6ea6840dd3
libgphoto2: patch CVE-2026-40338
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40338
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit f22e17508e)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
0d7e46071f
libgphoto2: patch CVE-2026-40336
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40336
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 078f26b084)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
52e89178e6
libgphoto2: patch CVE-2026-40335
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40335
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit f735ea20b1)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
866c25643a
libgphoto2: patch CVE-2026-40334
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40334
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit ce3fa8ad2a)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
9e9977200d
libgphoto2: patch CVE-2026-40333
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40333
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 754e02c668)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
ba9800188e
openjpeg: patch CVE-2026-6192
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 09050325e6)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
c642dbf8e7
monkey: patch CVEs
...
These patches are about a number of CVEs filed against the application:
CVE-2025-63649, CVE-2025-63650, CVE-2025-63651, CVE-2025-63652, CVE-2025-63653, CVE-2025-63655,
CVE-2025-63656, CVE-2025-63657 and CVE-2025-63658.
These patches are taken from a pull request[1] that is referenced in the relevant bug report[2].
The patches don't target specific CVEs separately, but they fix a number of CVEs altogether.
Based on upstream analysis (in the linked issue) a number of these CVEs are duplicates of each
other and/or not exploitable. The valid CVEs are fixed by these patches.
I haven't added specific CVE info to the patches, on one hand because of the above, it is hard to
separate the patches by CVE, and secondarily because NVD tracks these CVEs with incorrect version
info: NVD considers 1.8.6 fully fixed, even though the patches are only in the master branch,
untagged at this time. After updating the recipe to 1.8.6+, the vulnerabilities will disappear
from the CVE report due to this.
[1]: https://github.com/monkey/monkey/pull/434
[2]: https://github.com/monkey/monkey/issues/426
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit d31f07340f)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
a7b755fbd0
monkey: upgrade 1.8.4 -> 1.8.7
...
Shortlog:
https://github.com/monkey/monkey/compare/v1.8.4...v1.8.7
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 22277ca3a3)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
133678b770
hiawatha: upgrade 11.7 -> 11.8
...
Drop patches that are included in this release.
Changes:
* mbed TLS updated to 3.6.4.
* Small bugfixes.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d92fa873e5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Wang Mingyu
1df4552b9e
imagemagick: upgrade 7.1.2-18 -> 7.1.2-19
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 946243ec05)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30
Gyorgy Sarvari
ae59325285
corosync: patch CVE-2026-35092
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092
Pick the patch that mentions the CVE ID explicitly (the same commit
was identified by Debian also[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35092
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-24 21:13:20 +05:30