Changes with nginx 1.30.1
*) Security: when using the "proxy_set_body" directive, an attacker
might inject data in the proxied request to an HTTP/2 backend
(CVE-2026-42926).
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_rewrite_module, potentially resulting in arbitrary code
execution (CVE-2026-42945).
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially crafted response by
ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker
to cause a disclosure of worker process memory or segmentation fault
in a worker process (CVE-2026-42946).
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially sent response with decoding from
UTF-8 via the "charset_map" directive, allowing an attacker to cause
a limited disclosure of worker process memory or segmentation fault
in a worker process (CVE-2026-42934).
*) Security: when using HTTP/3, processing of connection migration might
cause new QUIC streams to receive a new client address before
validation, allowing an attacker to cause address spoofing
(CVE-2026-40460).
*) Security: use-after-free might occur during DNS server response
processing if the "ssl_ocsp" directive was used, allowing an attacker
to cause worker process memory corruption or segmentation fault in a
worker process (CVE-2026-40701).
*) Bugfix: connections with HTTP/2 backends might not be cached when
using the "proxy_set_body" or "proxy_pass_request_body" directives.
*) Bugfix: proxied HTTP/0.9, SCGI, or uWSGI responses might be
transferred incorrectly if the first line was not fully read.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add Node.js 24.16.0 [1] recipe based on 22.22.3. Patches reviewed against
the 24.15.0 source tree and rebased where needed:
- 0001: rebased for Makefile changes (common_node.gypi removed, line
offsets shifted); merged with Disable-running-gyp-files patch since
both modify the same Makefile hunk. Remove deps/simdutf/simdutf.gyp;
no longer vendored here.
- 0005: rebased for v8.gyp libatomic condition change (clang condition
folded upstream, ppc removed)
- v24.16.0 bumps bundled llhttp to 9.3.1 (LLHTTP_VERSION_MAJOR/MINOR/PATCH
= 9/3/1 in deps/llhttp/include/llhttp.h).
Five patches dropped as no longer needed:
- build-remove-redundant-mXX-flags-for-V8: backport already merged
upstream in Node.js 24
- ppc64-Do-not-use-mminimal-toc-with-clang: Node.js 24 common.gypi
already gates -mminimal-toc behind clang==0
- fix-arm-Neon-intrinsics-types: the v24.16.0 source already uses
vandq_u8/vorrq_u8 and vshrn_n_u16(vreinterpretq_u16_u8(mask), 4).
- detect-aarch64-Neon-correctly: #ifdef __ARM_NEON__ →
#if defined(__ARM_NEON__) || defined(__ARM_NEON) — already present
at lines 13 and 2628.
- llhttp-fix-NEON-header-value-__builtin_ctzll-undefin: wanted the
match_mask == 0 guard around __builtin_ctzll — already present.
"This patch can be dropped when nodejs updates its bundled llhttp
to >= 9.3.1.")
Remaining 9 patches renumbered sequentially 0001-0009. All verified to
apply cleanly against the v24.16.0 source tarball.
NOTE: The "current" release is v26.2.0 [1], but this is not yet an LTS
release. Application stacks frequently lag new releases, so
it makes sense to have support for the v24 LTS release.
[1] https://nodejs.org/en/blog/release/v24.16.0
[2] https://nodejs.org/en/blog/release/v26.2.0
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add oe-cache recipe for Node.js 24.16, replacing the existing 22.22
version. This provides the npm cache helper used during SDK builds.
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
zlib compression was introduced in version 9.3.3. However, when
cross-compiling kmscon for an architecture other than x86_64, the
genunifont executable tries to use the build system's zlib instead
of the host's zlib.
This leads to the following error during compiling:
libz.so: error adding symbols: file in wrong format
Fix this by adding a new native zlib dependency specifically for the
genunifont executable.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Version 1.02.214 of lvm2 installs this executable as an alias
to dmsetup vdostats.
This conflicts with the executable installed by libdevmapper.
Remove this binary from the sysroot, just like dmsetup and dmstats.
Signed-off-by: Félix Piédallu <felix.piedallu@non.se.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add ptest support to enable runtime testing of openjpeg library.
Only unit tests are included, excluding tests that require external
data files (NR-/CONF-/ETS-/testjp2).
Tested on intel-x86-64: all 29 unit tests passed.
Signed-off-by: sjiao <Shilong.Jiao@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Referring to the VERSION file within the released source tarball, the
version string for --with-version option should be ${PV}-0-g${SRCREV}.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==============
* Fixed: [CVE-2026-44927]
Stop truncating 'ptrdiff_t' to 'int'
* Fixed: [CVE-2026-44928]
Fix 'EqualsUri' with regard to '.absolutePath'
* Fixed: Fix OOM related memory leak in 'CopyUriMm'
* Improved: Simplify internal function 'CompareRange' into 'RangeEquals'
* Improved: Make function 'RangeEquals' use 'size_t' internally
* Soname: 3:2:2 - see https://verbump.de/ for what these numbers do
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
Fixed IndexError raised from check_signature_compatible when the subject method has no positional parameters
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- test(conftest): strip broken nspkg.pth files under py3.15
- feat(packaging): declare tox.pytest deps via a testing extra
- fix(schema): cover every replace form in the TOML schema
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
Reverse matching with full unicode casefolding could lead to out-of-range string indexes.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
New Features
============
- Add "alert" syntax extension for GFM alerts (e.g. > [!NOTE])
- Add "gfm_autolink" syntax extension for GFM autolinks
- Add myst_strikethrough_single_tilde config option to allow single tilde (~)
for strikethrough
- Add myst_colon_fence_exact_match config option to require the closing colon
fence to have exactly the same number of colons as the opening
Improvements
=============
- Update myst_gfm_only mode to use the unified gfm_plugin, which now includes
GFM autolinks, alerts, and improved strikethrough/tasklist handling
- Improve MathJax 4 compatibility for Sphinx 9
- Stop directive-option parsing at colon fences, fixing nested colon fence
directives
Bug Fixes
===========
- Use docname instead of source path in warning locations
- Correctly encode & in Markdown URLs by not HTML-escaping refuri
- Fix RemovedInSphinx10Warning for inventory item iteration
- Pin mdit-py-plugins>=0.6.1 for nested field list fix
Dependency Upgrades
====================
- Upgrade to markdown-it-py~=4.2 and mdit-py-plugins~=0.6
- Update pygments requirement from <2.20 to <2.21
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==========
- Fix bug in redis version parsing when using Elasticache or any other that
sends major/minor. redis-py incorrectly parses these as floats because
there's only a single decimal, so the version check was breaking.
- Rename max task option --max-tasks (previously was --max_tasks).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
setup.py: bump PyJWT floor to >=2.11.0 to match the actual runtime requirement
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
=============
- MIX_DestroyTrack may now be called from a mixer callback
- Fixed WAV decoding on big-endian systems
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==========
- Fixed sonames generation when using autotools
- Recovered an undocumented memory write feature lost because of a "security" report.
- Fixed documentation pointers on visual studio project.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==========
- Fixes media length detection for Chrome on Linux (Media, Linux)
- Fixes segmentation fault when specifying unsupported modules on command line
- Disables usage of Netlink for Wi-Fi detection on s390x architectures (Wifi, Linux)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>