Changelog:
==========
* remove use of eval in globmapper. #73
* Update zipdetails to version 4.006.
* Fix typo in fastForward #72
* Fix issue with "rawdeflate` option in AnyInflate.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
License-Update: Copyright year updated to 2026
Changelog:
=============
* Added CTAP 2.3 support.
* Restrict webauthn.dll search paths; YSA-2026-01.
* Support application-managed PIN/UV Auth tokens; gh#806.
* Support 64-byte hmac-secret salts when using windows://hello.
* Fixed a U2F transaction handling bug when a timeout had been set; gh#917.
* Fixed a bug where stdin was closed on fido_nl_new failure; gh#923.
* fido2-token: new -G -t mode to to retrieve a PPUAT.
* fido2-token: new -I -t mode for deciphering encrypted fields.
* fido2-cred -M: support the -t toggle argument
* Improved documentation and examples.
* Removed tools from SDK packaging on Windows.
* New API calls
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
* Add ReadWritePaths=/dev/shm to systemd service for semaphore creation
under ProtectSystem=full sandboxing
* Fix privilege escalation via command socket (CVE-2026-41054)
* Check peer credentials before reading command (CVE-2026-41054)
* Handle failing opening of semaphore
* Fix /dev/shm permissions to use sticky bit
* Use chmod after mkdir to ensure correct /dev/shm permissions
* Update libtool: add lib64 search paths, remove dead code
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- The MinGW packages no longer have libgd-dependent components enabled.
- **Breaking**: The 'diffimg' utility has been removed.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
QA Issue: inherits setuptools3 but has pyproject.toml with setuptools.build_meta, use the correct class [pep517-backend]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
SDL2_net does not install SDL2_net.pc. Thus, libsdl2-net cannot package
the file. Fix this by applying an upstream patch.
Signed-off-by: Mark Jonas <toertel@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Playerctl is a command-line utility and library for controlling media players that
implement the MPRIS D-Bus Interface Specification. Playerctl makes it easy to bind
player actions, such as play and pause, to media keys. You can also get metadata
about the playing track such as the artist and title for integration into statusline
generators or other command-line tools.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Remove .h header files from the SOURCES compilation list inside adbd.mk
to resolve a Clang warning regarding treating 'c-header' input as 'c++-header'
Moved the header files into a separate HEADERS variable to act purely as a
GNU Make dependency trigger, keeping them off the direct compiler
execution string.
Signed-off-by: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Relocate the recipe from dynamic-layers/selinux/ to the main
meta-oe/recipes-devtools/ directory.
The android-tools recipe (version 29.0.6.r14) was previously restricted
to the selinux dynamic-layer.
Investigation shows that version 29.0.6.r14 does not have a hard dependency
on libselinux for core tool functionality.
(adb, fastboot, and sparse image tools).
- Basic runable test was done for binaries in android-tools-native
- Checked for selinux absense by looking for selinx using $ ldd binary-name
Changes:
- Relocate recipe from dynamic-layers/selinux/ to recipes-devtools/
Signed-off-by: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
We plan to upgrade android-tools from the legacy 5.1.1 version to 29.0.6.r14
To achive this we are removing the older version from meta-oe/recipes-devtools/
Signed-off-by: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes with nginx 1.30.2
*) Security: a heap memory buffer overflow might occur in a worker
process when using a configuration with overlapping captures in
ngx_http_rewrite_module, potentially resulting in arbitrary code
execution (CVE-2026-9256).
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
=============
- attrlist parameter is now properly checked before use, avoiding memory
errors due to type mismatches
- Fixed errors with requestName/requestValue in extop.dds
- ldif and ldap.schema modules now actively close sockets as they're
finished with them
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Without the option , the command procmail|lockfile|formail will not be installed to target.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
update version of xorg-xserver according to oe-core
WARNING: tigervnc-1.16.2-r0 do_configure: TigerVNC xorg-server version (21.1.21) is different from oe-core's xorg-xserver version (21.1.22)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
xdg-desktop-portal-gnome is no longer used exclusively by gnome-shell. For example, it is also used by
niri to provide support for screencasts.
It is not necessary for xdg-desktop-portal-gnome to add runtime dependencies for mutter and gnome-shell.
In this context, doing so is actually counterproductive.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes with nginx 1.30.1
*) Security: when using the "proxy_set_body" directive, an attacker
might inject data in the proxied request to an HTTP/2 backend
(CVE-2026-42926).
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_rewrite_module, potentially resulting in arbitrary code
execution (CVE-2026-42945).
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially crafted response by
ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker
to cause a disclosure of worker process memory or segmentation fault
in a worker process (CVE-2026-42946).
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially sent response with decoding from
UTF-8 via the "charset_map" directive, allowing an attacker to cause
a limited disclosure of worker proccess memory or segmentation fault
in a worker process (CVE-2026-42934).
*) Security: when using HTTP/3, processing of connection migration might
cause new QUIC streams to receive a new client address before
validation, allowing an attacker to cause address spoofing
(CVE-2026-40460).
*) Security: use-after-free might occur during DNS server response
processing if the "ssl_ocsp" directive was used, allowing an attacker
to cause worker process memory corruption or segmentation fault in a
worker process (CVE-2026-40701).
*) Bugfix: connections with HTTP/2 backends might not be cached when
using the "proxy_set_body" or "proxy_pass_request_body" directives.
*) Bugfix: proxied HTTP/0.9, SCGI, or uWSGI responses might be
transferred incorrectly if the first line was not fully read.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add Node.js 24.16.0 [1] recipe based on 22.22.3. Patches reviewed against
the 24.15.0 source tree and rebased where needed:
- 0001: rebased for Makefile changes (common_node.gypi removed, line
offsets shifted); merged with Disable-running-gyp-files patch since
both modify the same Makefile hunk. Remove deps/simdutf/simdutf.gyp;
no longer vendored here.
- 0005: rebased for v8.gyp libatomic condition change (clang condition
folded upstream, ppc removed)
- v24.16.0 bumps bundled llhttp to 9.3.1 (LLHTTP_VERSION_MAJOR/MINOR/PATCH
= 9/3/1 in deps/llhttp/include/llhttp.h).
Five patches dropped as no longer needed:
- build-remove-redundant-mXX-flags-for-V8: backport already merged
upstream in Node.js 24
- ppc64-Do-not-use-mminimal-toc-with-clang: Node.js 24 common.gypi
already gates -mminimal-toc behind clang==0
- fix-arm-Neon-intrinsics-types: the v24.16.0 source already uses
vandq_u8/vorrq_u8 and vshrn_n_u16(vreinterpretq_u16_u8(mask), 4).
- detect-aarch64-Neon-correctly: #ifdef __ARM_NEON__ →
#if defined(__ARM_NEON__) || defined(__ARM_NEON) — already present
at lines 13 and 2628.
- llhttp-fix-NEON-header-value-__builtin_ctzll-undefin: wanted the
match_mask == 0 guard around __builtin_ctzll — already present.
"This patch can be dropped when nodejs updates its bundled llhttp
to >= 9.3.1.")
Remaining 9 patches renumbered sequentially 0001-0009. All verified to
apply cleanly against the v24.16.0 source tarball.
NOTE: The "current" release is v26.2.0 [1], but this is not yet an LTS
release. Application stacks frequently lag new releases, so
it makes sense to have support for the v24 LTS release.
[1] https://nodejs.org/en/blog/release/v24.16.0
[2] https://nodejs.org/en/blog/release/v26.2.0
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add oe-cache recipe for Node.js 24.16, replacing the existing 22.22
version. This provides the npm cache helper used during SDK builds.
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
zlib compression was introduced in version 9.3.3. However, when
cross-compiling kmscon for an architecture other than x86_64, the
genunifont executable tries to use the build-systems zlib instead
of the hosts zlib.
This leads to the following error during compiling:
libz.so: error adding symbols: file in wrong format
Fix this by adding a new native zlib dependency specifically for the
genunifont executable.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Version 1.02.214 of lvm2 installs this executable as an alias
to dmsetup vdostats.
This conflicts with the executable installed by libdevmapper.
Remove this binary from the sysroot, just like dmsetup and dmstats.
Signed-off-by: Félix Piédallu <felix.piedallu@non.se.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Add ptest support to enable runtime testing of openjpeg library.
Only unit tests are included, excluding tests that require external
data files (NR-/CONF-/ETS-/testjp2).
Tested on intel-x86-64: all 29 unit tests passed.
Signed-off-by: sjiao <Shilong.Jiao@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Referring to the VERSION file within the released source tarball, the
version string for --with-version option should be ${PV}-0-g${SRCREV}.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==============
* Fixed: [CVE-2026-44927]
Stop truncating 'ptrdiff_t' to 'int'
* Fixed: [CVE-2026-44928]
Fix 'EqualsUri' with regard to '.absolutePath'
* Fixed: Fix OOM related memory leak in 'CopyUriMm'
* Improved: Simplify internal function 'CompareRange' into 'RangeEquals'
* Improved: Make function 'RangeEquals' use size_t' internally
* Soname: 3:2:2 - see https://verbump.de/ for what these numbers do
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
Fixed IndexError raised from check_signature_compatible when the subject method has no positional parameters
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- test(conftest): strip broken nspkg.pth files under py3.15
- feat(packaging): declare tox.pytest deps via a testing extra
- fix(schema): cover every replace form in the TOML schema
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Wang Mingyu
Adam Duskett
Mark Jonas
Guocai He
Markus Volk
AshishKumar Mishra
Ankur Tyagi
Tim Orling
Khem Raj
Felix Piedallu
sjiao
Yi Zhao