27206f97e6
emlog: set CVE_PRODUCT
...
This will remove false-positive CVE-2024-50655 from reports.
There are different emlog components from other vendors around.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d8d45d9093skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
df0b60ad51
apache2: ignore CVE-2025-3891
...
The vulnerability was reported against mod_auth_openidc, which module
is a 3rd party one, and not part of the apache2 source distribution.
The affected module is not part of the meta-oe universe currently,
so ignore the CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
8d733ee01b
st: Update status for CVE-2017-16224
...
The recipe used in the meta-openembedded is a different st package compared to the one which has the CVE issue.
Package used in meta-embedded: https://st.suckless.org/
Package with CVE issue: https://www.npmjs.com/package/st
No action required.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit eb9c7bb564skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
80b5365780
webmin: patch CVE-2022-0829
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0829
Pick the patch from the nvd report details.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
b4c4f0c525
webmin: patch CVE-2022-0824
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0824
Pick the patch mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
241abdec12
webmin: patch CVE-2019-15642
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-15642
Pick the patch mentioned in the nvm report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
85933945fb
webmin: patch CVE-2017-17089
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-17089
Pick the patch referenced in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
4c602e88b9
webmin: patch CVE-2017-15644, CVE-2017-15645 and CVE-2017-15646
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15644
https://nvd.nist.gov/vuln/detail/CVE-2017-15645
https://nvd.nist.gov/vuln/detail/CVE-2017-15646
Pick the patch mentioned in the nvd report (same patch is marked to
fix all three vulnerabilities).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
529b31ef7f
poppler: fix CVE-2025-43718
...
Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption
and a SIGSEGV via deeply nested structures within the metadata (such
as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for
a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata,
and associated functions in PDFDoc, with deep recursion in the regex
executor (std::__detail::_Executor).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-43718
Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/f54b815672117c250420787c8c006de98e8c7408
Signed-off-by: Yogita Urade <yogita.urade@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
5fd149feb4
xsp: CVE status update for CVE-2006-2658
...
The recipe used in the `meta-openembedded` is a different xsp package compared to the one which has the CVE issue.
Package used in `meta-embedded`: maemo xsp http://repository.maemo.org/pool/maemo/ossw/source/x/xsp/
Package with CVE issue: mono xsp https://github.com/mono/xsp
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3cb411a057skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
f4adc003e4
zchunk: patch CVE-2023-46228
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46228
Pick the patch that's mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
ed6bb390fe
zlog: patch CVE-2021-43521
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-43521
Pick the patch that resolves the issue linked in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
155ac93191
iniparser: Fix CVE-2025-0633
...
Heap-based Buffer Overflow vulnerability in iniparser_dumpsection_ini() in iniparser
allows attacker to read out of bound memory
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-0633
https://security-tracker.debian.org/tracker/CVE-2025-0633
Upstream patch:
https://gitlab.com/iniparser/iniparser/-/commit/072a39a772a38c475e35a1be311304ca99e9de7f
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
fff1d56fe1
iperf2: ignore irrelevant CVEs
...
These CVEs are for iperf3 - which is a similar application in its goals (and name),
but an independent project from this, and the projects are independent implementations
also, they share no common code.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit aedf74e082skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
7eadf76d76
open-vm-tools: fix CVE-2025-41244
...
VMware Aria Operations and VMware Tools contain a local privilege
escalation vulnerability. A malicious local actor with non-administrative
privileges having access to a VM with VMware Tools installed and managed
by Aria Operations with SDMP enabled may exploit this vulnerability
to escalate privileges to root on the same VM.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-41244
Upstream-patch:
https://github.com/vmware/open-vm-tools/commit/7ed196cf01f8acd09011815a605b6733894b8aab
Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
93826fffc5
imagemagick: Fix CVE-2022-28463
...
Imagemagick is vulnerable to buffer overflow.
Reference: https://github.com/ImageMagick/ImageMagick/commit/ca3654ebf7a439dc736f56f083c9aa98e4464b7f
Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
b6c9eb2ce5
tcpreplay: fix CVE-2025-51006
...
Within tcpreplay's tcprewrite, a double free vulnerability has been identified
in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c.
This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly
invokes the cleanup routine multiple times on the same memory region.
By supplying a specifically crafted pcap file to the tcprewrite binary,
a local attacker can exploit this flaw to cause a Denial of Service (DoS) via memory corruption.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
0538af085a
tcpreplay: fix CVE-2025-9157
...
A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2.
The impacted element is the function untrunc_packet of the file
src/tcpedit/edit_packet.c of the component tcprewrite. Executing
manipulation can lead to use after free. It is possible to launch
the attack on the local host. The exploit has been publicly disclosed
and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da.
Applying a patch is advised to resolve this issue.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
bf223a6c9a
cryptsetup: Update the license field
...
The below reference clearly states that GPL-2.0-with-OpenSSL-exception
is to be used with GPL 2.0 or GPL3.0 and not as a standalone license.
Therefore, update the correct license.
Reference:
https://github.com/aboutcode-org/scancode-licensedb/blob/569d72e13e7c8d14a44380f91e80c5a2d4091f8f/docs/openssl-exception-gpl-2.0.yml#L7
Signed-off-by: Sana Kazi <Sana.Kazi@bmwtechworks.in >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
fbb3d46fad
udisks2: fix CVE-2025-8067
...
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8067
Upstream-patch:
https://github.com/storaged-project/udisks/commit/9ed2186f668c76aeb472de170d62b499d85a1915
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:23 +02:00
9c51a98b4f
botan: patch CVE-2024-50382 and CVE-2024-50383
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-50382
https://nvd.nist.gov/vuln/detail/CVE-2024-50383
Pick patch mentioned in the URL list of the nist page - the
same patch fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:49 +02:00
a742bea992
botan: patch CVE-2024-39312
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39312
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:46 +02:00
6c5e7ee581
botan: patch CVE-2022-43705
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-43705
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:41 +02:00
bf9fc50ccc
dovecot: patch CVE-2021-33515
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33515
Backport the relevant patch.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:38 +02:00
91a9a3d61f
dovecot: patch CVE-2022-30550
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-30550
Pick the commit referenced in https://www.openwall.com/lists/oss-security/2022/07/08/1
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:33 +02:00
b157fa0412
civetweb: patch CVE-2020-27304
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-27304
Take the patches referenced in
https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server/
(which URL is also referenced by NIST)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:29 +02:00
49c4e29bc9
apache2: ignore irrelevant CVEs
...
Ignore a number of CVEs for this recipe (because they are for another software,
outdated version, or because they affect only non-Linux platforms). This commit
is a backport of a number of commits from the master branch (which uses the same
version of the recipe):
0e7733f1b81b86a60f6259d3949e3e1b86a60f62da2b5e8b930e7733f1b8skandigraun@gmail.com >
2025-10-12 13:08:23 +02:00
5e398bfa67
ace: ignore CVE-2009-1147
...
The CVE is for another product, for VMWare ACE, not for this one.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:13 +02:00
93fc9a2c0c
fbida: fix make fbpdf build optional
...
this is a backport-like from scarthgap branch: fbida_git.bb and patch 0001-meson.build-make-fbpdf-build-optional.patch
From Github Pull request: https://github.com/openembedded/meta-openembedded/pull/1008
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-10 11:09:27 +02:00
96fbc15636
collectd: set working SRC_URI
...
The project started to outsource the source hosting to Google storage
and Github.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
f7b1663333
psqlodbc: set valid SRC_URI
...
The old URI stopped working.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
325b2b6238
xfce4-sensors-plugin: correct netcat PACKAGECONFIG
...
In case netcat PACKAGECONFIG is enabled, do_configure fails
with the following error message:
| configure: error: hddtemp isn't queryable via netcat (use --disable-pathchecks to disable this check)
hddtemp service keeps a TCP port open to query the sensor data.
In case netcat is enabled for this recipe, the configure script
will search for the netcat binary, and will try to query this
hddtemp port, as a sanity check. This check is performed
independently from the hddtemp PACKAGECONFIG. Since hddtemp
isn't running in the build environment (probably) and
network connection is also disabled, this check fails.
To avoid this problem, add the extra config argument suggested by the
error message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit b16f9c6f04skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
f62b1d0e44
python3-send2trash: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e7430b5874skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
e66e1917b6
python3-pyparted: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9249052f98skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
1d09e1628b
python3-thrift: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e015b0e996skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
0f0ab90c20
python3-hpack: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1659a00086skandigraun@gmail.com >
2025-10-02 15:16:46 +02:00
7e1af614e2
python3-txws: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d334d496c3skandigraun@gmail.com >
2025-10-02 15:16:40 +02:00
5023aa82bc
python3-pyconnman: Add 'future' runtime dependency
...
pyconnman has an install_requires on 'future', but the corresponding
'python3-future' is missing from the recipes RDEPENDS.
Signed-off-by: Marcus Flyckt <mafl@kvaser.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 4ccb2fa47fskandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
a72092583c
python3-gsocketpool: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit b630485986skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
d8d1b71a50
libcrypt-openssl-guess-perl: fix syntax for PROVIDES
...
PROVIDES_${PN} -> PROVIDES
Signed-off-by: Yi Zhao <yi.zhao@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9d54352564skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
e73a317cb7
tree: fix broken links
...
New tarball location is:
http://oldmanprogrammer.net/tar/tree/
Homepage is:
http://oldmanprogrammer.net/source.php?dir=projects/tree
Signed-off-by: Benjamin Szőke <egyszeregy@freemail.hu >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 0c4079fc28skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
7336283ec9
span-lite: do not inherit ptest
...
This recipe provides no run-ptest script.
Signed-off-by: Tim Orling <tim.orling@konsulko.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 0fc5f550d3skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
0b97d9ec03
smarty: upgrade 4.1.0 -> 4.1.1
...
Changelog:
==========
Security
--------
Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221
Fixed
-------
Exclude docs and demo from export and composer #751
PHP 8.1 deprecation notices in demo/plugins/cacheresource.pdo.php #706
PHP 8.1 deprecation notices in truncate modifier #699
Math equation max(x, y) didn't work anymore #721
Fix PHP 8.1 deprecated warning when calling rtrim #743
PHP 8.1: fix deprecation in escape modifier #727
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9374648c39skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
e985e34d03
lcov: Fix Perl Path
...
Fixes an issue where lcov is using the system Perl rather than the yocto
provided Perl. This causes packages to not be found during runtime such
as PerlIO::gzip.
Signed-off-by: Alex Yao <alexyao1@meraki.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e66ae31c95skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
9573809997
synergy: patch CVE-2020-15117
...
Pick commit based on [1].
Note that the pick is node from deskflow, which is open-source successor
of synergy.
If anyone uses thie recipe, it should be switched.
[1] https://github.com/deskflow/deskflow/security/advisories/GHSA-chfm-333q-gfpp
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit db283053d0skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
5e835d8e12
procmail: patch CVE-2017-16844.
...
Take patch from Debian.
https://sources.debian.org/data/main/p/procmail/3.22-26%2Bdeb10u1/debian/patches/30
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3d97f4c13dskandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
3de4b5bc92
procmail: patch CVE-2014-3618
...
Take patch from Debian.
https://sources.debian.org/data/main/p/procmail/3.22-20%2Bdeb7u1/debian/patches/CVE-2014-3618.patch
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8378820dabskandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
746ef0c9fb
procmail: Update status for CVE-1999-0475
...
Current version 3.22 is not affected by the issue.
Affected versions: Up to (excl.) 3.2.1
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 30e6d975e8skandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
b4ff519ab2
openct: Fix typo in SUMMARY variable
...
Signed-off-by: Julian Haller <julian.haller@philips.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 38f62a5fb3skandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
ac94ea5c21
ne10: append +git instead of gitr+
...
* looks like a typo introduced in:
https://git.openembedded.org/meta-openembedded/commit/?id=6e431331d18ded23a78e238ed40d03434e7719d9
* use +git as most other recipes are using
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
(cherry picked from commit 10703e5c6askandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
Peter Marko
Gyorgy Sarvari
Ninette Adhikari
Yogita Urade
Soumya Sambu
Rajeshkumar Ramasamy
virendra thakur
Archana Polampalli
Sana Kazi
Saravanan
simoneScaravati
Bartosz Golaszewski
Marcus Flyckt
Yi Zhao
Benjamin Szőke
Tim Orling
Wang Mingyu
Alex Yao
Julian Haller
Martin Jansa