ab68fc6dd9
php: ignore CVE-2024-3566
...
CVE-2024-3566 only effects Microsoft Windows.
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d68c56e1edskandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
42e868a468
net-snmp: Fix for CVE-2025-68615
...
Upstream-Status: Backport from https://github.com/net-snmp/net-snmp/commit/b4e6f826d9ddcc2d72eac432746807e1234266db
Reference: https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
53abba638b
python3-m2crypto: ignore CVE-2009-0127
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127
The vulnerability is disputed[1] by upstream:
"There is no vulnerability in M2Crypto. Nowhere in the functions
are the return values of OpenSSL functions interpreted incorrectly.
The functions provide an interface to their users that may be
considered confusing, but is not incorrect, nor it is a vulnerability."
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
1bd2effd23
python3-waitress: patch CVE-2024-49769
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49769
Pick the patch that is referenced in the NVD report (which is
a merge commit. The patches here are the individual patches from
that merge).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
1ea440cd62
python3-waitress: patch CVE-2024-49768
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49768
Pick the patch mentioned in the NVD report (which is a merge commit,
and the patches here are the individual commits from that merge)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
e330e3508d
python3-werkzeug: ignore CVE-2024-49766 and CVE-2025-66221
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49766
https://nvd.nist.gov/vuln/detail/CVE-2025-66221
Both vulnerabilities affect Windows only - ignore them.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
ff3f1c9fab
python3-waitress: upgrade 2.1.1 -> 2.1.2
...
Remove change of default for clear_untrusted_proxy_headers
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit ef4e48c7a0skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
b1d0a5d8d0
Add missing HOMEPAGEs to xfce recipes
...
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 4d964d4d79schonm@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
2adb3d6734
python3-mpmath: patch CVE-2021-29063
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29063
Pick the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
304c0c6643
python3-pyjwt: patch CVE-2022-29217
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-29217
Pick the patch referenced by the NVD advsory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
f6d4f623c1
python3-joblib: upgrade 1.1.0 -> 1.1.1
...
The only change is a fix for CVE-2022-21797
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
bbcf3d7d14
python3-ipython: patch CVE-2023-24816
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24816
Pick the patch referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
fa7d1a059e
tinyproxy: patch CVE-2025-63938
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938
Pick the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
292baf6ad8
python3-flask: patch CVE-2023-30861
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30861
Pick the patch referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
2e557033bd
python3-configobj: patch CVE-2023-26112
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112
Pick the patch that resolves the issue referenced in the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
cc53827cc3
python3-cbor2: ignore CVE-2025-64076
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64076
The vunerability was introduced in v5.6.0[1], the recipe version doesn't
contain the vulnerable piece of code.
[1]: https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
d5e94ee2b8
python3-protobuf: set CVE_PRODUCT
...
Similarly to c++ protobuf, add products matching historical entries.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit ae7556a737skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
e231647a9b
python-grpcio(-tools): add grpc:grpc to cve product
...
These grpc python modules contain parts of grpc core.
Each CVE needs to be assessed if the patch applies also to core parts
included in each module.
Note that so far there was never a CVE specific for python module, only
for grpc:grpc and many of those needed to be fixed at leasts in grpcio:
sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product;
grpc|grpc|21
grpck|grpck|1
linuxfoundation|grpc_swift|9
microsoft|grpconv|1
opentelemetry|configgrpc|1
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f993cb2ecbskandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
60f0e23124
lldpd: patch CVE-2021-43612
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-43612
Pick the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
80ed7802ad
spitools: upgrade 1.0.1 -> 1.0.2
...
This is a bugfix release, with some ioctl handling fixes.
Changelog:
- Adjust the handling of SPI_IOC_RD_LSB_FIRST ioctl call
- Parameter for SPI_IOC_WR_LSB_FIRST ioctl is {0, 1}.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
bd17a0d132
tree: upgrade 2.0.2 -> 2.0.4
...
Changelog:
2.0.4:
- Fix missing comma in JSON output.
2.0.3:
- Fix segfault when filelimit is used and tree encounters a directory it
cannot enter.
- Use += when assigning CFLAGS and LDFLAGS in the Makefile allowing
them to be modified by environment variables during make. (Ben Brown)
Possibly assumes GNU make.
- Fixed broken -x option (stops recursing.)
- Fix use after free (causing segfault) for dir/subdir in list.c
- Fixes for .gitignore functionality
- Fixed * handing in patmatch. Worked almost like ** before, now properly
stops at /'s. These issues were the result of forgetting that patmatch()
was just to match filenames to patterns, not paths.
- Patterns starting with / are actually relative to the .gitignore file,
not the root of the filesystem, go figure.
- Patterns without /'s in .gitignore apply to any file in any directory
under the .gitignore, not just the .gitignore directory
- Remove "All rights reserved" from copyright statements. A left-over from
trees original artistic license.
- Add in --du and --prune to --help output
- Fixed segfault when an unknown directory is given with -X
- Fixed output up for -X and -J options.
- Remove one reference to strnlen which isn't necessary since it may not
be available on some OS's.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
3f9744d6b2
usb-modeswitch: upgrade 2.6.0 -> 2.6.2
...
Changelog:
2.6.2:
- Bug in C code (with gcc 1.5) fixed
2.6.1:
- Wrapper now handles devices with non-continuous interface numbering:
www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?f=2&t=2915&p=19605
- catch error with retrieving the active configuration, exit gracefully:
https://bugs.launchpad.net/bugs/1880191
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
ecf59eb1a1
xdg-user-dirs: upgrade 0.17 -> 0.18
...
Changelog:
- Fixed minor leak
- Documentation fixes
- Updated translations
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
672f5f28e8
recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetch
...
The upstream site (landley.net) serves inconsistent content when using HTTP,
causing checksum mismatches during do_fetch. Using HTTPS ensures stable
downloads and resolves checksum failures.
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
08c486ce76
netdata: ignore CVE-2024-32019
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32019
The vulnerability affects the ndsudo binary, part of netdata.
This binary was introduced in version 1.45.0[1], and the recipe
contains v1.34.1 - which is not vulnerable yet.
Ignore the CVE due to this.
[1]: https://github.com/netdata/netdata/commit/0c8b46cbfd05109a45ee4de27f034567569fa3fa
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
3dc63bce4d
nodejs: ignore CVE-2024-36137
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36137
The vulnerability affects the permission model, which was introduced[1]
in v20 - the recipe version isn't vulerable yet.
[1]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
e88e353f30
nodejs: ignore CVE-2024-3566 and CVE-2024-36138
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-3566
https://nvd.nist.gov/vuln/detail/CVE-2024-36138
This vulnerabilities affect Windows only.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
9e38c37a62
sassc: ignore CVE-2022-43357
...
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
It's usual usecase is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.
[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
are not present in this repository.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] https://github.com/sass/libsass/issues/3177
[3] https://github.com/sass/libsass/pull/3184
[4] https://github.com/sass/sassc/
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 576b84263bskandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
4e2c202346
phpmyadmin: ignore CVE-2020-22452
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-22452
The fix is present in the recipe version (5.1.4)[1]
[1]: https://github.com/phpmyadmin/phpmyadmin/pull/16004/commits/ca42395ee4b2936d3702524f8fb8bec1e9502bc7
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
8e69851e6d
nodejs: patch CVE-2024-27983
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-27983
Pick the patch that mentions this CVE ID explcitly in its commit message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
ab83c61385
nodejs: ignore CVE-2024-22017
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-22017
The vulnerability is related to the io_uring usage of libuv.
Libuv first introduced io_uring support in v1.45[1].
oe-core ships a non-vulnerable version (1.44.2), and nodejs
vendors also an older version (1.43).
Mark this CVE as ignored for this recipe version.
[1]: https://github.com/libuv/libuv/commit/d2c31f429b87b476a7f1344d145dad4752a406d4
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
f9ed3b8197
nodejs: patch CVE-2023-39333
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333
Backport the patch that mentions this CVE ID explicitly in its
commit message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
04f577d527
nodejs: ignore CVE-2023-30583, CVE-2023-30584 and CVE-2023-30587
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583
https://nvd.nist.gov/vuln/detail/CVE-2023-30584
https://nvd.nist.gov/vuln/detail/CVE-2023-30587
None of these vulnerabilities are present in the recipe version.
CVE-2023-30583: While the main feature (blob) was intruced in v16, the vulnerable
code (load blobs from file) was introduced in v20[1], and as such,
the vulnerability is not present in the recipe version.
CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission model) was
introduced[2] in v20.
Ignore these CVE IDs.
[1]: https://github.com/nodejs/node/commit/950cec4c2642c15e2913f35babadda56c1d8a723
[2]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
9608348824
fio: ignore CVE-2025-10824
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824
The upstream maintainer wasn't able to reproduce the issue[1],
and the related bug is closed without further action.
[1]: https://github.com/axboe/fio/issues/1981
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a275078cbeskandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
c7127b94f3
python3-django: ignore CVE-2024-22199
...
This CVE is not for python-django, but for some go project
which shares the same name.
Ignore this CVE due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
6b7a0197f9
proftpd: set status of CVE-2001-0027
...
This ancient CVE [1] is unversioned ("*") in NVD DB.
"mod_sqlpw module in ProFTPD does not reset a cached password..."
Looking at history and changelog, the module was removed [2] around
the time when this CVE was published, likely as reaction to this CVE.
"mod_sqlpw.c, mod_mysql.c and mod_pgsql.c have been REMOVED from the
distribution. They are currently unmaintained and have numerous bugs."
Note: It was later re-introduced as mod_sql when it got fixed under
new maintainer.
[1] https://nvd.nist.gov/vuln/detail/CVE-2001-0027
[2] https://github.com/proftpd/proftpd/blob/v1.3.8b/NEWS#L3362
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 03a1b56bc7skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
71adc2f371
civetweb: patch CVE-2025-9648
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-9648
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit eb338ebb60skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
15750d5584
atop: patch CVE-2025-31160
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31160
Backport the patch that's subject references the CVE id explicitly.
I was able to verify the patch with a reproducer[1] (which is mentioned
in a reference[2] in the nvd report). Without the patch atop crashed,
with the patch it worked fine (both with and without -k/-K flags).
[1]: https://blog.bismuth.sh/blog/bismuth-found-the-atop-bug
[2]: https://gist.github.com/kallsyms/3acdf857ccc5c9fbaae7ed823be0365e
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
f3df89aedb
php: upgrade 8.1.33 -> 8.1.34
...
Comes with fixes for CVE-2025-14177, CVE-2025-14178 and CVE-2025-14180
Changelog:
- Curl: Fix curl build and test failures with version 8.16.
- Opcache: Reset global pointers to prevent use-after-free in zend_jit_status().
- PDO: Fixed: PDO quoting result null deref. (CVE-2025-14180)
- Standard:
* Fixed: Null byte termination in dns_get_record().
* Fixed: Heap buffer overflow in array_merge(). (CVE-2025-14178)
* Fixed: Information Leak of Memory in getimagesize. (CVE-2025-14177)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
6d28476b74
nbdkit: remove unused patch
...
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
2ab2b60609
nbdkit: patch CVE-2025-47712
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47712
Pick the patch from the project's repository which explicitly
mentions this vulnerability ID.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
4a97186719
nbdkit: patch CVE-2025-47711
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47711
Pick the patch from the repository which explicitly mentions
this CVE ID.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
d618b8dc84
xmlsec1: update SRC_URI
...
The tarball was moved to a subfolder. Adapt the SRC_URI.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
dcf2b5030d
softhsm: correct SRC_URI branch
...
The develop branch doesn't exist anymore. The fetched commit is on the main branch.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
11b7fe9a91
thrift: fix SRC_URI
...
The tarball was moved to an archive server, so the link stopped
working. Update it to the new location.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
feb9c53544
srecord: fix SRC_URI
...
The tarball was moved to a new folder in the SourceForge project,
and the original convenience link stopped working.
Use the direct link instead.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
02422765c6
pcp: switch SRC_URI to git
...
The original link stopped working.
I have compared the original tarball's content with this revision: the contents
are bit-identical to each other. The only difference is that the original
tarball came with an extra "debian/control" file which is not present in
the git repository, but it not using for compiling.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
0ac70cf0bb
tcsh: update SRC_URI
...
The tarball was moved to a new subfolder, making do_fetch fall back to a mirror.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
75080e6708
hunspell: patch CVE-2019-16707
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-16707
Pick the patch that resolves the Github issue[1] that tracked
this vulnerability.
[1]: https://github.com/hunspell/hunspell/issues/624
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
6ba8215d31
smarty: patch CVE-2023-28447
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28447
Pick the patch that is referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Jeroen Hofstee
Vijay Anusuri
Gyorgy Sarvari
wangmy
Jason Schonberg
Peter Marko
Sanjay Chitroda
Ankur Tyagi