mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity
30,981 Commits 64 Branches 0 Tags
151e634ed297eec8d9b269c2b08001fd76f4cc62
Commit Graph

30981 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Haixiao Yan 151e634ed2 python3-django: fix CVE-2025-64459 
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the
class Q() were subject to SQL injection when using a suitably crafted
dictionary, with dictionary expansion, as the _connector argument.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

Upstream-patch:
https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:10:33 +05:30
Guocai He c14dcffcd7 yasm: fix CVE-2021-33454 
An issue was discovered in yasm version 1.3.0. There is a
NULL pointer dereference in yasm_expr_get_intnum() in
libyasm/expr.c.

Backport patch to fix CVE-2021-33454 per reference [1].
[1]: https://security-tracker.debian.org/tracker/CVE-2021-33454

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-15 14:10:33 +05:30
Jackson James fc30bb5eed unbound: Fix CVE-2025-11411 
Backport complete patch to fix CVE-2025-11411

The existing scarthgap patch is a partial backport with hardcoded logic,
causing incorrect behavior and ptest failures. Backport the full upstream
fix along with the follow-up patch to ensure correct functionality.

Add below patch to fix
0001-CVE-2025-11411-1.patch
0002-CVE-2025-11411-2.patch

Signed-off-by: Jackson James <jacksonj2@kpit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 07c2b52840 nodejs: upgrade 20.20.0 -> 20.20.2 
License Update: Update minimatch to the Blue Oak Model License[1]

nodejs LTS releases containing security and bugfixes.

https://nodejs.org/en/blog/release/v20.20.1
https://nodejs.org/en/blog/release/v20.20.2

[1] https://github.com/nodejs/node/commit/f0ef221b0d458d9358c6e6e49094da475e86c229

Ptests passed:

root@qemux86:~# ptest-runner nodejs
START: ptest-runner
2026-04-09T10:37
BEGIN: /usr/lib/nodejs/ptest
Running main() from /usr/src/debug/nodejs/20.20.2/deps/googletest/src/gtest_main.cc
[==========] Running 152 tests from 23 test suites.
[----------] Global test environment set-up.
...
...
[----------] Global test environment tear-down
[==========] 152 tests from 23 test suites ran. (30533 ms total)
[  PASSED  ] 152 tests.
PASS: nodejs
DURATION: 31
END: /usr/lib/nodejs/ptest
2026-04-09T10:37
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Gyorgy Sarvari 42bf9aa27a mbedtls: upgrade 3.6.5 -> 3.6.6 
Contains fixes for CVE-2026-25833, CVE-2026-25834, CVE-2026-25835,
CVE-2026-34872, CVE-2026-34873, CVE-2026-34874 and CVE-2026-34875.

Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6

Ptests passed:

root@qemux86:~# ptest-runner mbedtls
START: ptest-runner
2026-04-09T10:41
BEGIN: /usr/lib/mbedtls/ptest
...
...
DURATION: 508
END: /usr/lib/mbedtls/ptest
2026-04-09T10:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit fe1b038cd8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 39924b5b88 libvncserver: fix CVE-2026-32854 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32854

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi c56964fcf2 libvncserver: fix CVE-2026-32853 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32853

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 964432f3af libraw: ignore CVE-2026-5318 
Vulnerability exists in the function which was added in version 0.22.0[1]

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-5318

[1] https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi d17d94e0e0 libde265: upgrade 1.0.12 -> 1.0.16 
Dropped patches which are part of the upstream version.

https://github.com/strukturag/libde265/releases/tag/v1.0.16
https://github.com/strukturag/libde265/releases/tag/v1.0.15
https://github.com/strukturag/libde265/releases/tag/v1.0.14
https://github.com/strukturag/libde265/releases/tag/v1.0.13

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Gyorgy Sarvari 7e723ad1c7 giflib: patch CVE-2025-31344 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31344

Backport the commit that mentions this CVE ID explicitly
in its message.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 6d5a42a5e0 freerdp3: fix CVE-2026-33984 
Detaisl: https://nvd.nist.gov/vuln/detail/CVE-2026-33984

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 262e656885 freerdp3: fix CVE-2026-31897 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31897

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 73ae0a8034 freerdp3: fix CVE-2026-31806 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31806

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 7025c461c7 freerdp3: fix CVE-2026-29776 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29776

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 1bc75cd389 freerdp3: fix CVE-2026-29775 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29775

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 2d96f24f2d freerdp3: fix CVE-2026-29774 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29774

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 53ab8b4a5a freerdp3: fix CVE-2026-24683 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24683

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 2beb2f81e7 freerdp3: fix CVE-2026-24682 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24682

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 799cfe0cfa freerdp3: fix CVE-2026-24681 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24681

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi b343c96d52 freerdp3: fix CVE-2026-24680 and CVE-2026-27950 
There was only SDL2 client until commit[1] created SDL2 and SDL3 clients
from version 3.6.0 onwards.
[1] https://github.com/FreeRDP/FreeRDP/commit/8281186a6d9dad20e8345d85a1732e2974636555

Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-24680
https://nvd.nist.gov/vuln/detail/CVE-2026-27950

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 27ba3fb054 freerdp3: fix CVE-2026-24679 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24679

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 09cd8e482a freerdp3: ignore CVE-2026-24677 and CVE-2026-24678 
Both vulnerabilities exists in the functions which were added in
version 3.6.0[1]

Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-24677
https://nvd.nist.gov/vuln/detail/CVE-2026-24678

[1] https://github.com/FreeRDP/FreeRDP/commit/a81d111ac4023d31e10ebf579fa34c93bf56bce5

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 8cc0cd3deb freerdp3: fix CVE-2026-24676 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24676

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 4784f85b09 freerdp3: fix CVE-2026-24675 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24675
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi c9763be62b freerdp3: fix CVE-2026-24491 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24491

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi a0221753e4 freerdp3: fix CVE-2026-23948 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23948

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 21af1f7e13 freerdp3: fix CVE-2026-33952 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33952

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 421f659e20 freerdp3: fix CVE-2026-25941 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25941

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Ankur Tyagi 7cc6fe87bc abseil-cpp: ignore CVE-2025-0838 
The commit[1] mentioned in the NVD[2] is part of the current version[3].

[1] https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-0838
[3] https://github.com/abseil/abseil-cpp/commit/54fac219c4ef0bc379dfffb0b8098725d77ac81b

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:21 +05:30
Hitendra Prajapati d086d0b43e nginx: Fix for CVE-2026-28755 
Pick patch from [1] which mentioned in debian report [2]
[1] https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8
[2] https://security-tracker.debian.org/tracker/CVE-2026-28755

Note: Add different patch for both version to resolve fuzz issue.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:40:15 +05:30
Hitendra Prajapati 9310c3b1a4 nginx: Fix for CVE-2026-27784 
Pick patch from [1] which mentioned in debian report with [2]
[1] https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018
[2] https://security-tracker.debian.org/tracker/CVE-2026-27784

More details: https://nvd.nist.gov/vuln/detail/CVE-2026-27784

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-13 12:31:29 +05:30
Vijay Anusuri 1ad0d777d1 strongswan: Fix CVE-2026-25075 
Pick patch according to [1]

[1] https://download.strongswan.org/security/CVE-2026-25075/
[2] https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-03 15:00:48 +05:30
Markus Volk 4feb9130b0 flatpak: add PACKAGECONFIG for dconf 
Disable by default to avoid a requirement for meta-gnome

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-03 15:00:48 +05:30
Hitendra Prajapati 4810cd8c5b python3-cbor2: patch CVE-2026-26209 
Backport the patch[1] which fixes this vulnerability as mentioned in the
comment[3].

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-26209

[1] https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b
[2] https://github.com/agronholm/cbor2/commit/fb4ee1612a8a1ac0dbd8cf2f2f6f931a4e06d824 (pre patch)
[3] https://github.com/agronholm/cbor2/pull/275

Dropped changes to the changelog from the original commit.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-03 15:00:47 +05:30
Vijay Anusuri b13ae5a8eb giflib: Fix CVE-2026-23868 
Pick patch according to [1]

[1] https://www.facebook.com/security/advisories/cve-2026-23868
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-23868

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-03 15:00:47 +05:30
Vijay Anusuri 57fc94a42d libssh: Fix CVE-2026-0966 
Pick commits according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-0966
[2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-03 15:00:47 +05:30
Vijay Anusuri 3b8e032dbc libssh: Fix CVE-2026-0964 
Pick commits according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-0964
[2] https://www.libssh.org/security/advisories/CVE-2026-0964.txt

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-03 15:00:46 +05:30
Martin Jansa 0e43651ad3 freerdp: remove 0001-Fix-const-qualifier-error.patch 
Instead of fixing the build with clang this is now breaking it after 2.11.8 commit:
https://github.com/FreeRDP/FreeRDP/commit/67818bddb31900cdf3acb26cb0b673cc90b71cc9

freerdp/2.11.8/git/client/Wayland/wlfreerdp.c:637:19: error: incompatible function pointer types assigning to 'OBJECT_NEW_FN' (aka 'void *(*)(const void *)') from 'void *(void *)' [-Wincompatible-function-pointer-types]
  637 |         obj->fnObjectNew = uwac_event_clone;
      |                          ^ ~~~~~~~~~~~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-04-03 15:00:40 +05:30
Matthias Proske 06f846a325 bluealsa: fix QA issue staticdev 
When building bluealsa with building static libraries NOT disabled, you
get the following error:

ERROR: bluealsa-4.3.0-r0 do_package_qa: QA Issue: non -staticdev package
contains static .a library: bluealsa path
'/usr/lib/alsa-lib/libasound_module_pcm_bluealsa.a' [staticdev]
ERROR: bluealsa-4.3.0-r0 do_package_qa: QA Issue: non -staticdev package
contains static .a library: bluealsa path
'/usr/lib/alsa-lib/libasound_module_ctl_bluealsa.a' [staticdev]
ERROR: bluealsa-4.3.0-r0 do_package_qa: Fatal QA errors were found,
failing task.

Fix this by explicitly putting these files in the -staticdev package.

Signed-off-by: Matthias Proske <matthias.p@variscite.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1a9744b3ca)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 15:53:24 +05:30
Martin Jansa acbcafe3f5 krb5: fix build with gcc-15 
* fixes:
  http://errors.yoctoproject.org/Errors/Details/848727/

ss_internal.h:88:6: error: conflicting types for 'ss_delete_info_dir'; have 'void(void)'
   88 | void ss_delete_info_dir();
      |      ^~~~~~~~~~~~~~~~~~
...

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f26536c2f6)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 15:51:50 +05:30
Aviv Daum 4439caa199 lldpd: fix xml PACKAGECONFIG dependency 
The xml PACKAGECONFIG entry uses libxm2, which is a typo and not a
valid dependency in OE.

Replace it with libxml2 so enabling PACKAGECONFIG:xml pulls in the
correct provider.

Signed-off-by: Aviv Daum <aviv.daum@gmail.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit cec3e0fd96)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 15:48:20 +05:30
Gyorgy Sarvari 2ca25f2279 libde265: patch CVE-2025-61147 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61147

Backport the patch referenced by the NVD advisory.

Note that this is a partial backport - only the parts that are
used by the application, and without pulling in c++17 headers.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 08:52:16 +05:30
Gyorgy Sarvari 54c8a4ad6c mariadb: upgrade 10.11.12 -> 10.11.16 
10.11 is an LTS version of MariaDB. This upgrade is part of that commitment.

Release notes:
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.16
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.15
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.14
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.13

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 08:52:15 +05:30
Gyorgy Sarvari bd41441bf3 libjxl: mark CVE-2025-12474 and CVE-2026-1837 patched 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-12474
https://nvd.nist.gov/vuln/detail/CVE-2026-1837

Both vulnerabilities have been fixed in 0.10.5.

Relevant commits:
CVE-2025-12474: https://github.com/libjxl/libjxl/commit/5ce68976a5abfaea7b3086036ab9f6543ab5b29e
CVE-2026-1837: https://github.com/libjxl/libjxl/commit/36b0cecaa12f643d03c16bd32e5f83775c912b07

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 08:52:15 +05:30
Sujeet Nayak 76abb03c21 libnice: make crypto library configurable via PACKAGECONFIG 
Move gnutls from a hard dependency to a PACKAGECONFIG option defaulting
to gnutls. This allows users to select openssl as an alternative crypto
library by setting PACKAGECONFIG.

Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
Signed-off-by: Sujeet Nayak <sujeetnayak1976@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 08:52:15 +05:30
Hitendra Prajapati 808d3a73de python3-pillow: fix CVE-2026-25990 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990

Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2].

[1] https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-25990

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 08:52:14 +05:30
Hitendra Prajapati d3a45ead9c python3-pyjwt: Fix CVE-2026-32597 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32597

Backport commit[1] which fixes this vulnerability as mentioned in [2].

[1] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92
[2] https://security-tracker.debian.org/tracker/CVE-2026-32597

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 08:52:14 +05:30
Gyorgy Sarvari d5de98d28b capnproto: patch CVE-2026-32239 and CVE-2026-32240 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32239
https://nvd.nist.gov/vuln/detail/CVE-2026-32240

Backport the patch that is referenced by the NVD advisories.
(Same patch for both vulnerabilities)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 08:52:13 +05:30
Gyorgy Sarvari 86dc3a4fe4 openjpeg: patch CVE-2023-39327 
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39327

Take the patch that is used by OpenSUSE to mitigate this vulnerability.
Upstream seems to be unresponsive to this issue.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit fdddf2bdd3)
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 08:52:13 +05:30
Gyorgy Sarvari 2a5987979a hiawatha: fix SRC_URI 
The tarball was moved to a new folder on the source server.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-03-24 08:52:12 +05:30