29be38f0b1
synergy: patch CVE-2020-15117
...
Pick commit based on [1].
Note that the pick is node from deskflow, which is open-source successor
of synergy.
If anyone uses thie recipe, it should be switched.
[1] https://github.com/deskflow/deskflow/security/advisories/GHSA-chfm-333q-gfpp
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit db283053d0ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:25 +05:30
c1075f0312
usb-modeswitch-data: upgrade 20191128 -> 20251207
...
20251207:
- Added device: [0bda:a192] MERCURY MW310UH (Wifi, based on RTL8192FU),
thanks to Zenm Chen for the report
https://www.draisberghof.de/usb_modeswitch/ChangeLogData
Also drop unnecessary SRC_URI md5sum
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:25 +05:30
5dffed1382
usb-modeswitch: upgrade 2.6.1 -> 2.6.2
...
2.6.2:
- Bug in C code (with gcc 1.5) fixed
https://www.draisberghof.de/usb_modeswitch/ChangeLog
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:24 +05:30
b76d5a084b
networkmanager: upgrade 1.46.0 -> 1.46.6
...
Solves CVE-2024-6501 (in 1.46.4).
Release notes:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.46.6/NEWS?ref_type=tags
Switch SRC_URI for gnome Gitlab as gnome mirror no longer contains new
releases.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:24 +05:30
0bca0e04c8
libsodium: patch CVE-2025-69277
...
Pick patch per [1].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69277
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:23 +05:30
e434c0b06a
libwebsockets: ignore CVE-2025-1866
...
Only affects Windows and can be ignored.
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-1866
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:23 +05:30
6a3a40c102
libtar: patch CVEs
...
cve-check.bbclass reported unpatched vulnerabilities in libtar
[1,2,3,4,5]. The NIST assigned base score for the worst vulnerability
is 9.1 / critical.
The patches were taken from the libtar [6] master branch after the
latest tag v1.2.20 (the changes in libtar master mostly originate from
Fedora and their patches), and from the Fedora 41 libtar source package
[7] and the Debian libtar package 1.2.20-8 [8] where the patches were
not available in the libtar repository itself.
The Fedora patch series was taken in its entirety in order to minimize
differences to Fedora's source tree instead of cherry-picking only CVE
fixes. Minimizing the differences should avoid issues with potential
inter-dependencies between the patches, and hopefully provide better
confidence as even the newest patches have been in use in Fedora for
nearly 2 years (since December 2022; Fedora rpms/libtar.git commit
e25b692fc7ceaa387dafb865b472510754f51bd2). The series includes even the
Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains
changes *) that match the libtar commit
ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static
buffer in th_get_pathname()") whose commit message says
Note this can break programs that expect sizeof(TAR) to be fixed.
The patches applied cleanly except for the Fedora srpm patch
libtar-1.2.11-bz729009.patch, which is identical with the pre-existing
meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted.
The meta-openembedded recipe does not include any of the patches in
Kirkstone [9] nor the current master [10].
libtar does not have newer releases, and the libtar master doesn't
contain all of the changes included in the patches. Fedora's
libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release
either but only in the master branch after the tag v1.2.20. The version
number in the filename is supposedly due to the patches being created
originally against v1.2.11 but have been upstreamed or at least
committed to the master only after v1.2.20.
The commit metadata could not be practically completed in most of the
cases due to missing commit messages in the original commits and
patches. The informal note about the author ("Authored by") was added to
the patch commit messages where the commit message was missing the
original author(s)' Signed-off-by.
*) The patch also contains the changes split to the libtar commits
495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before
freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6
("Added stdlib.h for malloc() in lib/decode.c"))
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646
[5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
[6] https://repo.or.cz/libtar.git
[7] https://src.fedoraproject.org/rpms/libtar/tree/f41
[8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
[9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f
[10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c
Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3c9b5b36c8skandigraun@gmail.com >
(cherry picked from commit 505f2defdcankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:22 +05:30
5e650cf2e5
krb5: ignore CVE-2025-3576
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-3576
As mentioned[1], vulnerability is fixed since upstream 1.21
[1] https://security-tracker.debian.org/tracker/CVE-2025-3576
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:22 +05:30
a99dac1be4
influxdb: ignore CVE-2024-30896
...
As mentioned in the comment[1], vulnerability is in
/api/v2/authorizations API which only exists in 2.x, 1.x is not affected.
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30896
[1] https://github.com/influxdata/influxdb/issues/24797#issuecomment-2514690740
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:21 +05:30
305fef50c7
freerdp3: ignore CVE-2025-68118
...
Only affects Windows and can be ignored.
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:21 +05:30
3d4aef2b2d
opusfile: patch CVE-2022-47021
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47021
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:20 +05:30
23edbe268c
vlc: patch CVE-2024-46461
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-46461
Backport the patch mentioned in the news[1] that fixes this vulnerabililty.
https://code.videolan.org/videolan/vlc/-/blob/3.0.21/NEWS?ref_type=tags#L44
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:20 +05:30
774c7ed3fd
sox: extend CVE_PRODUCT
...
Add all relevant items from queries:
$ sqlite3 nvdcve_2-2.db
sqlite> select vendor, product, count(*) from products where product like '%sox%' group by vendor, product;
commugen|sox_365|1
libsox_project|libsox|1
sox|sox|3
sox_project|sox|10
sqlite> select vendor, product, count(*) from products where product like '%sound_exchange%' group by vendor, product;
sound_exchange_project|sound_exchange|16
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a68c3df41cankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:19 +05:30
42b615f953
libde265: patch CVE-2023-47471
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-47471
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:19 +05:30
e83565b24a
libde265: patch CVE-2023-43887
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-43887
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:19 +05:30
c49bff1273
wolfssl: patch CVE-2025-7394
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7394
Backport patches from the PR[1][2][3] mentioned in the changelog[4].
[1] https://github.com/wolfSSL/wolfssl/pull/8849
[2] https://github.com/wolfSSL/wolfssl/pull/8867
[3] https://github.com/wolfSSL/wolfssl/pull/8898
[4] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:18 +05:30
df26bbaaba
tinyproxy: patch CVE-2025-63938
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:13 +05:30
e90c455347
znc: patch CVE-2024-39844
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39844
Backport commit[1] from https://github.com/znc/znc/releases/tag/znc-1.9.1
[1] https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:52:00 +05:30
bfd8dda3ba
proftpd: patch CVE-2024-48651
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-48651
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:52:00 +05:30
bad750ad27
open62541: patch CVE-2024-53429
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-53429
Backport the patch mentioned in the comment[1] which fixed this CVE.
[1] https://github.com/open62541/open62541/issues/6825#issuecomment-2460650733
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:59 +05:30
c73fe4bd7e
mtr: patch CVE-2025-49809
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49809
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:59 +05:30
b45ac4e0ef
libcoap: patch CVE-2025-34468
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-34468
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:58 +05:30
c0c54373e9
frr: ignore CVE-2024-44070
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-44070
The PR[1] fixing this CVE was backported[2] to stable/9.1 and commit[3]
exists in the current version so we can ignore it.
$ git tag --contains 21cd931 | grep frr-9.1.3
frr-9.1.3
[1] https://github.com/FRRouting/frr/pull/16497
[2] https://github.com/FRRouting/frr/pull/16504
[3] https://github.com/FRRouting/frr/commit/21cd931a5f9303e12104c72ce31ca383c0c57514
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:58 +05:30
7e4c89a25e
dante: Add _GNU_SOURCE for musl builds
...
This helps build fixes e.g. cpuset_t definitions etc.
glibc builds have _GNU_SOURCE defined inherently.
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 848bac20eaankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:57 +05:30
f0fa984d16
dante: upgrade 1.4.3 -> 1.4.4
...
License-Update: copyright year bump
Changelog:
- Fix potential security issue CVE-2024-54662, related to "socksmethod"
use in client/hostid-rules.
- Add a missing call to setgroups(2).
- Patch to fix compilation with libminiupnp 2.2.8.
- Client connectchild optimizations.
- Client SIGIO handling improvements.
- Various configure/build fixes.
- Updated to support TCP_EXP1 version of TCP hostid format.
https://www.inet.no/dante/announce-1.4.4
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:57 +05:30
2aa20b7141
cifs-utils: patch CVE-2025-2312
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:56 +05:30
626bcb7f86
imagemagick: patch CVE-2025-65955
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-65955
Pick the patch that is mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:56 +05:30
24e4caa837
imagemagick: patch CVE-2025-62171
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62171
Pick the patch that's mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:56 +05:30
aeb80bb058
imagemagick: patch CVE-2025-57807
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57807
Backport the patch that's mentioned in the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:55 +05:30
9d92eeacdf
imagemagick: patch CVE-2025-57803
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57803
Backport the patch that is mentioned in the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:55 +05:30
29fa171a9d
imagemagick: patch CVE-2025-55212
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55212
Backport the patch that is mentioned in the NVD advisory.
Notes about the backport:
The original patch deletes two extra lines compared to the backport:
those lines were a previous attempt[1] to solve the same vulnerability,
and the final patch reverted them. Since that patch wasn't part of the
recipe, those deletions were dropped from the backported patch.
The PerceptibleReciprocal function was renamed[2] to MagickSafeReciprocal
after the recipe's revision, but there were no functional changes
in the function's behavior.
[1]: https://github.com/ImageMagick/ImageMagick/commit/43d92bf855155e8e716ecbb50ed94c2ed41ff9f6
[2]: https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e9
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:54 +05:30
118df68d25
imagemagick: patch CVE-2025-55160
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55160
Pick the patch that mentions the related github advisory[1]
in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:54 +05:30
dd13a60248
imagemagick: patch CVE-2025-55154
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55154
Pick the patch that mentions the related github advisory[1]
in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:53 +05:30
df19121bc6
imagemagick: patch CVE-2025-55005
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55005
Pick the patch that mentions the related github advisory[1] in its
commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v393-38qx-v8fp
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:53 +05:30
b32dcf53ce
imagemagick: patch CVE-2025-55004
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55004
Pick the patch that mentions the related github advisory[1] explicitly in
its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:52 +05:30
2d4ca24273
imagemagick: patch CVE-2025-53101
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53101
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:52 +05:30
482f541705
imagemagick: patch CVE-2025-53019
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53019
Pick the commit that is marked as a fix at the bottom of the relevant
github advisory[1].
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:51 +05:30
7c479d21cd
imagemagick: patch CVE-2025-53015
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53015
Backport the patches marked as a solution at the bottom of the relevant
github advisory[1].
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:51 +05:30
e9916715c9
imagemagick: patch CVE-2025-53014
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53014
Pick the commit that is mentioned as a solution at the bottom of
the relevant Github advisory[1].
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:50 +05:30
80175b4a47
imagemagick: mark CVE-2023-5341 as patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-5341
The fix[1] mentioned in the NVD report has been part of the recipe since
7.1.1-19.
[1]: https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:50 +05:30
90fdbcf82b
imagemagick: upgrade 7.1.1-26 -> 7.1.1-47
...
Contains fixes for CVE-2024-41817, CVE-2025-43965 and CVE-2025-46393
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:50 +05:30
98f1eff432
net-snmp: patch CVE-2025-68615
...
Pick patch per [1].
[1] https://security-tracker.debian.org/tracker/CVE-2025-68615
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:50:50 +05:30
1477114ae4
nginx: Fix CVE-2025-23419 for 1.25.5
...
Updates nginx.inc to apply CVE-2025-23419.patch to both 1.24.0 and
1.25.5. However, a unique patch is provided for 1.25.5 since the
upstream patch for CVE-2025-23419 can be cleanly applied to 1.25.5.
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com >
Change-Id: Ia7b8e16067781776cf0a39fac757f8d25ac118fa
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:50:50 +05:30
63e2e60787
nginx: upgrade 1.25.4 -> 1.25.5
...
Changelog:
==========
https://nginx.org/en/CHANGES
*) Feature: virtual servers in the stream module.
*) Feature: the ngx_stream_pass_module.
*) Feature: the "deferred", "accept_filter", and "setfib" parameters of
the "listen" directive in the stream module.
*) Feature: cache line size detection for some architectures.
*) Feature: support for Homebrew on Apple Silicon.
*) Bugfix: Windows cross-compilation bugfixes and improvements.
*) Bugfix: unexpected connection closure while using 0-RTT in QUIC.
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:50:49 +05:30
3835a88f94
recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetch
...
The upstream site (landley.net) serves inconsistent content when using HTTP,
causing checksum mismatches during do_fetch. Using HTTPS ensures stable
downloads and resolves checksum failures.
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:50:49 +05:30
93d489967c
python3-cbor2: Fix CVE-2025-64076
...
Upstream-Status: Backport from https://github.com/agronholm/cbor2/commit/2349197bea8ebd1bf57a68f4a6549d8fd7585e66
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:50:45 +05:30
2b26d30fc7
atop: patch CVE-2025-31160
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31160
Backport the patch that's subject references the CVE id explicitly.
I was able to verify the patch with a reproducer[1] (which is mentioned
in a reference[2] in the nvd report). Without the patch atop crashed,
with the patch it worked fine (both with and without -k/-K flags).
[1]: https://blog.bismuth.sh/blog/bismuth-found-the-atop-bug
[2]: https://gist.github.com/kallsyms/3acdf857ccc5c9fbaae7ed823be0365e
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-30 07:08:16 +05:30
02dbaa8843
Add missing HOMEPAGEs to xfce recipes
...
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 4d964d4d79schonm@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-30 07:08:16 +05:30
cf81094887
zabbix: patch CVE-2025-49643
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49643
The actual patch was identified by checking the file that was modified
in the tag 6.0.42, and also by looking at the Jira item referenced by it:
the patch references DEV-4466, the same ID that is referenced in the
Jira ticket[1] referenced by the NVD report (look in the "All Activity" tab).
[1]: https://support.zabbix.com/browse/ZBX-27284
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-30 07:08:15 +05:30
b7180060eb
wolfssl: patch CVE-2025-7395
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395
Backport the patches from the PR[1] that is referenced by the project's
changelog[2] to fix this issue.
[1]: https://github.com/wolfSSL/wolfssl/pull/8833
[2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-30 07:08:15 +05:30
Peter Marko
Ankur Tyagi
Katariina Lounento
Khem Raj
Gyorgy Sarvari
Colin McAllister
Sanjay Chitroda
Vijay Anusuri
Jason Schonberg