Gyorgy Sarvari
1a18d1ac74
protobuf: ignore CVE-2026-0994
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994
The vulnerability impacts only the python bindings of protobuf, which
is in a separate recipe (python3-protobuf, where it is patched).
Ignore this CVE in this recipe due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:08 +05:30
Ankur Tyagi
3ad174f956
postgresql: upgrade 17.7 -> 17.8
...
License-Update: Update license year to 2026
Refreshed patches for version 17.8
Includes fix for CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006
Release Notes:
https://www.postgresql.org/docs/release/17.8/
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:07 +05:30
Gyorgy Sarvari
fdddf2bdd3
openjpeg: patch CVE-2023-39327
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39327
Take the patch that is used by OpenSUSE to mitigate this vulnerability.
Upstream seems to be unresponsive to this issue.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:07 +05:30
Anuj Mittal
9039381ef0
systemd-netlogd: upgrade 1.4.4 -> 1.4.5
...
Fixes build with 32 bit machines.
- Fix build on 32-bit with 64-bit time_t by @cgzones in #136
- Misc by @cgzones in #137
- Add terminating newline also for TLS connections by @Googulator in #139
- Add RFC5425 length field by @derobert in #140
- Correct examples for ExcludeSyslogFacility and ExcludeSyslogLevel by @ngraziano in #141
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:04 +05:30
Ankur Tyagi
12fc4c6584
tomoyo-tools: update SRC_URI
...
The previous one became inaccessible.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-24 18:46:45 +05:30
Jason Schonberg
24a99d095d
php: upgrade 8.4.17 -> 8.4.18
...
This is a bug fix release.
Changelog: https://www.php.net/ChangeLog-8.php#8.4.18
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:36:42 +05:30
Wang Mingyu
6763e7828d
libtracefs: upgrade 1.8.2 -> 1.8.3
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 0fbbddd537 )
Changes:
https://git.kernel.org/pub/scm/libs/libtrace/libtracefs.git/tag/?h=libtracefs-1.8.3
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:20:34 +05:30
Jason Schonberg
980fca8629
usbids: upgrade 2025.09.15 -> 2025.12.13
...
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 5aca0a216d )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:20:34 +05:30
Liu Yiding
f11e6285f8
minizip-ng: 4.0.8 -> 4.0.10
...
1.Changelog:
https://github.com/zlib-ng/minizip-ng/releases/tag/4.0.10
2.Remove 0001-crypt.h-Remove-register-keyword.patch as it was merged upstream.
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 5f6dbb284a )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:20:33 +05:30
Gyorgy Sarvari
a96f3a8194
paho-mqtt-c: upgrade 1.3.14 -> 1.3.15
...
Drop patch to fix gcc15 compatibility - the problem has been solved by upstream.
Changelog:
- Update getaddrinfo options to support IPv6 hostname resolution
- Removed unnecessary _WIN64 conditional checks
- Fixed condition variable timed wait
- Support tls:// prefix
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit cb9d043f46 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:20:33 +05:30
Gyorgy Sarvari
0831fc038d
libx86-1: upgrade 1.1 -> 1.1.1
...
Bugfix release, mostly with patches applied from other distros.
Also fixes the SRC_URI which became inaccessible over time.
Drop patches that are included in this release.
Shortlog:
https://gitlab.archlinux.org/grawlinson/libx86/-/compare/v1.1...v1.1.1
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 19fdc49db3 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:20:32 +05:30
Markus Volk
1597f7ba50
libsdl2-compat: update 2.32.58 -> 2.32.62
...
Changelog:
2.32.62:
This is a stable bugfix release, with the following changes:
Improved support for GNU/Hurd
Fixed crash if hidapi strings are not available
2.32.60:
This is a stable bugfix release, with the following changes:
Fixed crash at startup in Dwarf Fortress
Fixed crash at startup in Stellaris
Fixed mouse stuttering in Amiberry
Fixed the viewport not being reset when the window is resized
Signed-off-by: Markus Volk <f_l_k@t-online.de >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Adapted for Whinlatter to keep x11 in REQUIRED_DISTRO_FEATURES
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:20:32 +05:30
Wang Mingyu
f195fb8e78
cryptsetup: upgrade 2.8.3 -> 2.8.4
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Stable bug-fix release
https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.8.4/docs/v2.8.4-ReleaseNotes?ref_type=tags
(cherry picked from commit 9111684d67 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:20:31 +05:30
Gyorgy Sarvari
80a5465833
redis: ignore CVE-2025-46686
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-46686
Upstream disputes that it is a security violation, and says that
implementing a mitigation for this would negatively affect the rest
of the application, so they elected to ignore it.
See Github advisory about the same vulnerability:
https://github.com/redis/redis/security/advisories/GHSA-2r7g-8hpc-rpq9
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 868b4b2959 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:20:28 +05:30
Gyorgy Sarvari
effd66ea21
raptor2: patch CVE-2024-57822 and CVE-2024-57823
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-57822
https://nvd.nist.gov/vuln/detail/CVE-2024-57823
Pick the patches mentioned in the github issue[1] mentioned
in the NVD advisories (both of them are covered by the same issue)
[1]: https://github.com/dajobe/raptor/issues/70
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit dc2c6a514e )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-19 08:20:28 +05:30
Gyorgy Sarvari
677f28e90b
ttf-vlgothic: fix SRC_URI
...
The old URL has been inoperable for a while - switch to Ubuntu's mirror.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d99c82c088 )
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:10:07 +05:30
Gyorgy Sarvari
35b59ba864
anthy: fix SRC_URI
...
The old URL is gone - switch to a working mirror.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit fd562c65c6 )
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:09:40 +05:30
Gyorgy Sarvari
1b80e12617
sblim-sfcc: fix SRC_URI
...
The old URL is gone - set a working mirror.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 47efd1f9b8 )
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:09:14 +05:30
Jason Schonberg
bbbc6c50d4
nodejs: upgrade 22.21.1 -> 22.22.0
...
This is the December 2025 security release that the nodejs team released
January 13, 2026.
3 high severity issues.
4 medium severity issues.
1 low severity issue.
High priority fixes:
CVE-2025-55131
CVE-2025-55130
CVE-2025-59465
Medium priority fixes:
CVE-2025-59466
CVE-2025-59464
CVE-2026-21636 *
CVE-2026-21637
Low priority fixes:
CVE-2025-55132
* note that this medium priority CVE only affects Nodejs v25.
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
Changelog: https://github.com/nodejs/node/releases/tag/v22.22.0
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 0bb156371e )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:27 +05:30
Gyorgy Sarvari
dfc0632585
libcupsfilters: patch CVE-2025-64503
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503
Pick the patch that explicitly references the CVE ID in its message.
(The NVD advisory mentions only the cups-filters patch, but
the developer indicated the CVE ID in the libcupsfilters patch also)
Between this recipe version and the patch the project has decided to
eliminate c++ from the project, and use c only. The patch however
is straightforward enough that it could be backported with very small
modifications.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:26 +05:30
Gyorgy Sarvari
fa4ceb7b5d
libcdio: patch CVE-2024-36600
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36600
Backport the patch from the PR that is referenced in the NVD advisory.
Note that there are two PRs mentioned: one is the fix, and the other
is just a readme update with the CVE ID. The latter wasn't backported.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:26 +05:30
Wang Mingyu
9df99ae97a
imagemagick: upgrade 7.1.2-12 -> 7.1.2-13
...
License-Update: change license url to https://imagemagick.org/license/
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit c2b4809fe8 )
Contains fixes for CVE-2026-22770, CVE-2026-23874, CVE-2026-23876
and CVE-2026-23952.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:25 +05:30
Gyorgy Sarvari
f6226c4b84
gpsd: patch CVE-2025-67269
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67269
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:25 +05:30
Gyorgy Sarvari
4b7fc39111
gpsd: patch CVE-2025-67268
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67268
Pick the patch that is referenced by the NVD advisory.
The original commit also contains a lot of commenting style
changes (// vs /* */) and whitespace changes which were removed from
the backport.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:24 +05:30
Gyorgy Sarvari
15f2f350cc
fontforge: patch CVE-2025-15270
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15270
Pick the patch that mentions this vulnerability explicitly
in its description.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:23 +05:30
Gyorgy Sarvari
449999f676
fontforge: patch CVE-2025-15269
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15269
Pick the patch that refers to this vulnerability ID explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:23 +05:30
Gyorgy Sarvari
edc3b69cef
fontforge: patch CVE-2025-15275
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15275
Pick the patch that mentions this vulnerability ID explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:22 +05:30
Gyorgy Sarvari
21418bce90
fontforge: patch CVE-2025-15279
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15279
Pick the patch that mentions this vulnerability ID explicitly.
Also, this patch has caused some regression - pick the patch also
that fixed that regression.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:22 +05:30
Tom Geelen
7283cf8b9b
unicode-ucd: adjust to correct checksum values.
...
The checksums are wrong and thus this fails to build.
Signed-off-by: Tom Geelen <t.f.g.geelen@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit dc5132edf7 )
Also rename the license file to avoid clashing with the previous
version in DL_DIR.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-03 08:07:18 +05:30
Trevor Gamblin
3bb2dd3414
hdf5: fix shasum, downloadfilename
...
Fixes : #1023
Upstream seems to have regenerated the archive, as the checksum no
longer matches the one specified in the recipe:
|WARNING: hdf5-2.0.0-r0 do_fetch: Checksum failure encountered with download of https://support.hdfgroup.org/releases/hdf5/v2_0/v2_0_0/downloads/hdf5-2.0.0.tar.gz - will attempt other sources if available
|WARNING: hdf5-2.0.0-r0 do_fetch: Checksum mismatch for local file /buildcache/downloads/hdf5-2.0.0.tar.gz
|Cleaning and trying again.
|WARNING: hdf5-2.0.0-r0 do_fetch: Renaming /buildcache/downloads/hdf5-2.0.0.tar.gz to /buildcache/downloads/hdf5-2.0.0.tar.gz_bad-checksum_a7a8f43e76e825ea22234bc735d5b184e880d305e33e4c9bb93a3912421c9973
|ERROR: hdf5-2.0.0-r0 do_fetch: Checksum failure fetching https://support.hdfgroup.org/releases/hdf5/v2_0/v2_0_0/downloads/hdf5-2.0.0.tar.gz
|ERROR: hdf5-2.0.0-r0 do_fetch: Bitbake Fetcher Error: ChecksumError('Checksum mismatch!\nFile: \'/buildcache/downloads/hdf5-2.0.0.tar.gz\' has sha256 checksum \'a7a8f43e76e825ea22234bc735d5b184e880d305e33e4c9bb93a3912421c9973\' when \'6e45a4213cb11bb5860)
|ERROR: Logfile of failure stored in: /home/tgamblin/workspace/yocto/openembedded-core/build/tmp/work/x86-64-v3-poky-linux/hdf5/2.0.0/temp/log.do_fetch.2054297
However, the tarballs look identical. Update the hash and be explicit
about downloadfilename to avoid any mirroring issues. A note has been
left that this measure can be removed with a future upgrade.
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com >
Reviewed-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f0f02434c8 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:13:02 +05:30
Gyorgy Sarvari
9e35ca9108
xrdp: patch CVE-2023-42822
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822
Pick the patch that references the github advisory[1] and the cve ID also from
the nvd report. The patch is a backported version of the patch referenced by
the nvd report.
[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit a9fa1c5c2a )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:13:00 +05:30
Gyorgy Sarvari
c3964035a8
xrdp: patch CVE-2023-40184
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40184
Pick the patch that is associated with the github advisory[1], which is
a backported version of the patch that is referenced by the nvd report.
[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 259e4f9266 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:13:00 +05:30
Gyorgy Sarvari
56c1ffb74f
xrdp: patch CVE-2022-23493
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit f81041bb39 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:59 +05:30
Gyorgy Sarvari
57d69cc4d4
xrdp: patch CVE-2022-23484
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 2578e5c17d )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:59 +05:30
Gyorgy Sarvari
d999dd3cc4
xrdp: patch CVE-2022-23483
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 8ffd8f29d5 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:59 +05:30
Gyorgy Sarvari
2f2e3c16c0
xrdp: patch CVE-2022-23482
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 31694c82e3 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:58 +05:30
Gyorgy Sarvari
5655e97093
xrdp: patch CVE-2022-23481
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 64ee8f84c4 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:58 +05:30
Gyorgy Sarvari
563d8052cf
xrdp: patch CVE-2022-23480
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 71e9d02b12 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:57 +05:30
Gyorgy Sarvari
40fd2c8704
xrdp: patch CVE-2022-23479
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 19e076e66b )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:57 +05:30
Gyorgy Sarvari
c1f03cbf71
xrdp: patch CVE-2022-23478
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 63b5fff975 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:56 +05:30
Gyorgy Sarvari
72c3d49f78
xrdp: patch CVE-2022-23477
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit a6efc5b285 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:56 +05:30
Gyorgy Sarvari
c7570405e8
xrdp: patch CVE-2022-23468
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 1cb08277fe )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-02 08:12:55 +05:30
Gyorgy Sarvari
7856298b5f
softhsm: fix SRC_URI branch
...
The "develop" branch doesn't exist anymore, the used revision can be
found on the "main" branch.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 21df5861c7 )
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-21 10:27:40 +05:30
Sanjay Chitroda
8fdc4a1e4b
recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetch
...
The upstream site (landley.net) serves inconsistent content when using HTTP,
causing checksum mismatches during do_fetch. Using HTTPS ensures stable
downloads and resolves checksum failures.
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 050ffcdea2 )
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-21 10:22:57 +05:30
Gyorgy Sarvari
8d54f36c15
xerces-c: set CVE_PRODUCT
...
The related CVEs are tracked with "xerces-c\+\+" (sic).
See CVE db query:
sqlite> select vendor, product, count(*) from PRODUCTs where product like '%xerces%' group by 1, 2;
apache|xerces-c\+\+|29
apache|xerces-j|2
apache|xerces2_java|3
redhat|xerces|3
Set CVE_PRODUCT accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 29a272744a )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-20 10:17:21 +05:30
Gyorgy Sarvari
6df897e314
lmdb: patch CVE-2026-22185
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22185
Pick the patch that is mentioned as a solution in the related upstream bug[1].
[1]: https://bugs.openldap.org/show_bug.cgi?id=10421
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e0f86a4a7f )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-20 10:17:20 +05:30
Gyorgy Sarvari
d30b9a5419
boinc-client: mark CVE-2013-2018 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2013-2018
According to oss-security email[1], version 7.0.45 included
the fixes[2][3][4]
[1]: https://www.openwall.com/lists/oss-security/2013/04/29/11
[2]: https://github.com/BOINC/boinc/commit/6e205de096da83b12ffb2f0183b43e51261eb0c4
[3]: https://github.com/BOINC/boinc/commit/e8d6c33fe158129a5616e18eb84a7a9d44aca15f
[4]: https://github.com/BOINC/boinc/commit/ce3110489bc139b8218252ba1cb0862d69f72ae3
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 2a78ad8813 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-20 10:17:20 +05:30
Ankur Tyagi
b6a71017ab
influxdb: ignore CVE-2024-30896
...
As mentioned in the comment[1], vulnerability is in
/api/v2/authorizations API which only exists in 2.x, 1.x is not affected.
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30896
[1] https://github.com/influxdata/influxdb/issues/24797#issuecomment-2514690740
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 2f1d7a8597 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-20 10:17:20 +05:30
Gyorgy Sarvari
6d6dbabb28
boinc-client: set CVE_PRODUCT
...
The relevant CVEs are tracked with underscore in their name.
See CVE db query:
sqlite> select vendor, product, count(*) from PRODUCTs where product like '%boinc%' group by 1, 2;
berkeley|boinc_client|2
berkeley|boinc_forum|1
universityofcalifornia|boinc_client|165
universityofcalifornia|boinc_server|5
Set the CVE_PRODUCT accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 31de060b48 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-20 10:17:19 +05:30
Gyorgy Sarvari
9cb5abd34b
asyncmqtt: set CVE_PRODUCT
...
The CVEs are tracked with an underscore in the product name:
sqlite> select * from PRODUCTs where product like '%async%mq%';
CVE-2025-65503|redboltz|async_mqtt|10.2.5|=||
This patch sets the correct CVE_PRODUCT.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 4da079d7f5 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-20 10:17:19 +05:30