Saravanan
252b82edd5
python3-django: upgrade 3.2.23 -> 3.2.25
...
Fixes CVE-2024-27351, CVE-2024-24680 and other bugfixes.
Release notes:
https://docs.djangoproject.com/en/dev/releases/3.2.24/
https://docs.djangoproject.com/en/dev/releases/3.2.25/
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:24 +01:00
Gyorgy Sarvari
a12478e722
libraw: patch CVE-2025-43964
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43964
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
0e30e2ab37
libraw: patch CVE-2025-43963
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43963
Pick the patch that is referenced in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
cb0fcd1ae4
libraw: patch CVE-2025-43961 and CVE-2025-43962
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43961
https://nvd.nist.gov/vuln/detail/CVE-2025-43962
Pick the patch that is mentioned by the nvd reports - the
same patch fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
309e9688d5
libraw: patch CVE-2023-1729
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1729
Pick the patch that is mentioned to solve the issue in the issue
linked from the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
730f4c000c
libraw: ignore CVE-2020-35535
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35535
The fix is already included in the used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
298f329594
libraw: ignore CVE-2020-35534
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35534
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
ce9b6df403
libraw: ignore CVE-2020-35533
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35533
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
73891ac756
libraw: ignore CVE-2020-35532
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35532
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
34f34b93d9
libraw: ignore CVE-2020-35531
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35531
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
27f77ae006
libraw: ignore CVE-2020-35530
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35530
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
8f89a8c732
tigervnc: ignore CVE-2014-8241
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2014-8241
The vulnerability is about a potential null-pointer dereference, because
a malloc result is not verified[1].
The vulnerable code has since been completely refactored[2], and the code isn't
present anymore in the codebase.
[1]: https://github.com/TigerVNC/tigervnc/issues/993#issuecomment-612874972 - attachment
[2]: https://github.com/TigerVNC/tigervnc/commit/b8a24f055f1a29886d8b18bb3f0902144dc5bd14
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
4cf5f8cc31
libao: ignore CVE-2017-11548
...
Both Suse[1] and Debian[2] dispute that this is a vulnerability in libao.
Based on their investigation, while an issue exists, it is not in libao, but
higher in the audio-toolchain, most likely in libmad or mpg321. There seems to
be nothing to be fixed about this in libao - ignore this CVE due to this.
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1081767
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a993eb8b93 )
Reworked for Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
Gyorgy Sarvari
f81db4757e
cockpit: set correct CVE_PRODUCT
...
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit af4df551ee )
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
91c15953c0
libde265: patch CVE-2022-1253
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-1253
Pick the patch from the nvd report.
The patch is only partially backported, because part of the vulnerable
code was introduced only in a later version.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
7965aa0704
links: set CVE_PRODUCT
...
There is some unrelated software called "links", which causes
false-positive CVEs to be reported by the CVE checker.
Set the vendor/product pairs that were historically used with
CVEs for this software.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 62a5309732 )
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
afb1296723
jasper: patch CVE-2025-8837
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8837
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
42058c8120
jasper: patch CVE-2025-8836
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
95ecb0c563
jasper: patch CVE-2025-8835
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8835
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
163eb9faca
jasper: patch CVE-2023-51257
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-51257
Pick the patch that's marked to solve the issue linked in the
nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
89e6b49f2d
redis-7: ignore CVE-2022-3734 and CVE-2022-0543
...
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
a5217f562a
redis: upgrade 7.0.13 -> 7.0.15
...
Contains fixes for CVE-2023-41056 and CVE-2023-45145.
Dropped the backported patches that are included.
Release notes: https://github.com/redis/redis/blob/7.0.15/00-RELEASENOTES
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
d86503aa21
redis: upgrade 6.2.12 -> 6.2.21
...
This upgrade contains a list of vulnerability fixes: CVE-2025-49844,
CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-32023,
CVE-2025-48367, CVE-2025-21605, CVE-2024-46981, CVE-2024-31449,
CVE-2024-31228, CVE-2023-45145, CVE-2022-24834
Dropped the CVE patches that are included above.
Release notes: https://github.com/redis/redis/blob/6.2.21/00-RELEASENOTES
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
caea02d115
redis: ignore CVE-2022-3734 and CVE-2022-0543
...
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8f1269507a )
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
8602562caa
exiv2: patch CVE-2021-34335
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-34335
Pick the patches from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
41e6c428c8
exiv2: patch CVE-2021-34334
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-34334
Pick the patches from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
0f89f58111
exiv2: patch CVE-2021-32815
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32815
Pick the patch from the PR mentioned in the nvd report.
This patch is a combination of 3 commits, which are so
small, that it is still very readable in this form also.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
19fb28a912
exiv2: patch CVE-2021-32617
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32617
Pick the patch from the PR that's mentioned by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
3a8bb65960
exiv2: add missing CVE tag to patch
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29458
https://nvd.nist.gov/vuln/detail/CVE-2021-31292
The patch is already present, but it was missing the CVE tag, which
is added in this change.
The same patch fixes both CVEs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
aa979d9766
exiv2: patch CVE-2021-29623
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29623
Pick the patch from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
b91b961b3f
libtorrent: ignore CVE-2016-5301
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2016-5301
This vulnerability is for another libtorrent (https://github.com/arvidn/libtorrent )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
124826c549
logcheck: ignore CVE-2017-20148
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-20148
The issue is specific to the postinstall script that Gentoo packages
with this application - we can ignore it.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Peter Marko
3bd62901b3
monkey: ignore CVE-2013-1771
...
This is a Gentoo-specific CVE.
NVD tracks this as version-less CVE.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 36a7e409d8 )
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Ninette Adhikari
370cc5e372
monkey: Update status for CVE-2013-2183
...
Current version (1.6.9) is not affected. Issue was addressed in version 1.3.0
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 17bcf478a5 )
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
de561a26c0
poco: patch CVE-2023-52389
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-52389
Pick the patch from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Naman Jain
8c086ec3df
p7zip: ignore CVE-2022-47069
...
According to Debian, this issue is due to a crash in the CLI tool with
no security impact, hence ignore this CVE
Reference: https://security-tracker.debian.org/tracker/CVE-2022-47069
Signed-off-by: Naman Jain <namanj1@kpit.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Zhang Peng
668cef8d6b
wxwidgets: fix CVE-2024-58249
...
CVE-2024-58249:
In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when
connections are refused in wxWebRequestCURL.
References:
[https://nvd.nist.gov/vuln/detail/CVE-2024-58249 ]
Upstream patch:
[https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d ]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
AshishKumar Mishra
fb79c60c57
imagemagick: adds ptest for imagemagick recipe
...
Backport of the commit 96b97c0c64 from master
This patch enables ptest for imagemagick, improving test coverage for
continuous integration and runtime validation.
No functional changes are introduced to the core package.
The logic used is:
- We check if the required tools are present or not
- We used convert to create a raw RGB file
- The created RGB is then converted to PNG using convert
- We re-generate RGB from PNG and compare the original and re-generated RGB
- Enabled the ptest in ptest-packagelists-meta-oe.inc as
suggested by Gyorgy Sarvari and incorporated logging suggestion
- This was done as standard imagemagick tests like drawtest require manual
intervention to verify the file.
Signed-off-by: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in >
Adapted to Kirkstone.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Divya Chellam
4ae2ec4620
libssh : fix CVE-2025-8114
...
A flaw was found in libssh, a library that implements the SSH protocol.
When calculating the session ID during the key exchange (KEX) process,
an allocation failure in cryptographic functions may lead to a NULL
pointer dereference. This issue can cause the client or server to crash.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-8114
Upstream-patch:
https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d
Signed-off-by: Divya Chellam <divya.chellam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Martin Jansa
44689d795c
libwebsockets: fix buildpath warnings from libcap.so
...
The ${STAGING_LIBDIR} used in scarthgap doesn't catch this, because
in kirkstone without usrmerge libcap is installed in base_libdir which
is different from libdir.
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Martin Jansa
3a29688a37
libwebsockets: remove STAGING_LIBDIR with /
...
* after buildpath warnings fix from:
https://git.openembedded.org/meta-openembedded/commit/?id=eeef1fddd9052bed4b1a91565260518eb042fed2
the LibwebsocketsTargets.cmake ends with:
INTERFACE_LINK_LIBRARIES "ssl;crypto;ssl;crypto;/libcap.so;-lpthread"
instead of:
INTERFACE_LINK_LIBRARIES "ssl;crypto;ssl;crypto;/OE/build/.../libwebsockets/4.3.3/lib32-recipe-sysroot/usr/lib/libcap.so;-lpthread"
which causes e.g. mosquitto to fail in do_compile with:
ninja: error: '/libcap.so', needed by 'src/mosquitto', missing and no known rule to make it
* this happens only when libwebsocket is built with libcap enabled
(by libcap in DEPENDS)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gerard Salvatella
94188ba657
libwebsockets: fix buildpath warnings
...
In order to remove absolute paths from the cmake artifacts, paths from
the `$lib` folder should also be stripped off, otherwise internally
linked libraries (e.g. libz) may appear.
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Khem Raj
ae9b7bf469
libwebsockets: Fix reference to TMPDIR
...
.cmake files encoded absolute paths, fixed thusly
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Mingli Yu
d77da5b656
nspr: fix buildpaths issue
...
Fixes:
WARNING: nspr-4.29-r0 do_package_qa: QA Issue: File /usr/bin/nspr-config in package nspr-dev contains reference to TMPDIR [buildpaths]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
7590de304a
linuxptp: ignore CVE-2024-42861
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-42861
The vulnerability report is considered to be bogus and a non-issue
(or at least not a security issue) by upstream[1] and by major
Linux distros[2][3][4].
[1]: https://lists.nwtime.org/sympa/arc/linuxptp-devel/2024-09/msg00080.html
[2]: Ubuntu: https://ubuntu.com/security/CVE-2024-42861
[3]: Debian: https://security-tracker.debian.org/tracker/CVE-2024-42861
[4]: Suse: https://bugzilla.suse.com/show_bug.cgi?id=1230935
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Peter Marko
3693ee5670
rtmpdump: mark CVE-2015-8270, CVE-2015-8271 and CVE-2015-8272 as fixed
...
This CVE is marked as fixed by Debian.
Extracting Debian jessie Debian sources [1] shows 4 commits used for
backports. All these commits are already included in current hash
([2]-[5]).
../tmp/work/core2-64-poky-linux/rtmpdump/2.4/git$ git log | grep 'commit \(10b580aabcec1621b25518271ba1ab2b018be88e\|...\|4312322107a94c81d3ec5b98f91bc6b923551dc5\)'
commit 530f9bb2a02a78c1198fb2bf0293a12d225e4691
commit 4312322107a94c81d3ec5b98f91bc6b923551dc5
commit 39ec7eda489717d503bc4cbfaa591c93205695b6
commit 10b580aabcec1621b25518271ba1ab2b018be88e
[1] https://snapshot.debian.org/archive/debian/20170704T094954Z/pool/main/r/rtmpdump/rtmpdump_2.4%2B20150115.gita107cef-1%2Bdeb8u1.debian.tar.xz
[2] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/10b580aabcec1621b25518271ba1ab2b018be88e
[3] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/39ec7eda489717d503bc4cbfaa591c93205695b6
[4] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/530f9bb2a02a78c1198fb2bf0293a12d225e4691
[5] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/4312322107a94c81d3ec5b98f91bc6b923551dc5
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d7758a8d0c )
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
I have performed the above verification with the Kirkstone revision successfully.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
3422f5d809
evince: fix typo in CVE_CHECK_IGNORE
...
The CVE to be ignored is from 2011, not from 2021.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Khem Raj
9ba02ea6a3
audiofile: Fix build with clang++
...
When tests are enabled additional C++ code is compiled and clang does
not like the code.
Cc: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 78f49691d7 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
ac4f6f8b40
audiofile: patch CVE-2018-13440 and CVE-2018-17059
...
Details:
https://nvd.nist.gov/vuln/detail/CVE-2018-13440
https://nvd.nist.gov/vuln/detail/CVE-2018-17059
The patches have been backported from Debian - upstream
has been inactive for almost a decade by now.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e16a7d11d1 )
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
1e1ace84a9
audiofile: backport test for CVE-2015-7747
...
This is a backported patch from opensuse, which contains a testcase
for CVE-2015-7747 (which is already patched in this recipe, but not
tested explicitly).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 6c98db2449 )
2025-11-30 15:13:57 +01:00