Bug fixes
- Fixed "Unclosed client session" when initialization of
:py:class:~aiohttp.ClientSession fails.
- Fixed regression (from :pr:8280) with adding Content-Disposition to the form-data
part after appending to writer.
- Added default Content-Disposition in multipart/form-data responses to avoid broken
form-data responses.
https://github.com/aio-libs/aiohttp/releases/tag/v3.9.5
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The CVE is also ignored in the same recipe, because it is a Windows-
only vulnerability. Due to this, the patch isn't required.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been
discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is
also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND
configured to send ECS information along with queries to upstream name servers
CVE: CVE-2025-5994
Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
libvpx-configure-support-blank-prefix.patch
refreshed for 1.14.1
Changelog:
============
- Improved the detection of compiler support for AArch64 extensions,
particularly SVE.
- Added vpx_codec_get_global_headers() support for VP9.
- Added buffer bounds checks to vpx_writer and vpx_write_bit_buffer.
- Fix to GetSegmentationData() crash in aq_mode=0 for RTC rate control.
- Fix to alloc for row_base_thresh_freq_fac.
- Free row mt memory before freeing cpi->tile_data.
- Fix to buffer alloc for vp9_bitstream_worker_data.
- Fix to VP8 race issue for multi-thread with pnsr_calc.
- Fix to uv width/height in vp9_scale_and_extend_frame_ssse3.
- Fix to integer division by zero and overflow in calc_pframe_target_size().
- Fix to integer overflow in vpx_img_alloc() & vpx_img_wrap()(CVE-2024-5197).
- Fix to UBSan error in vp9_rc_update_framerate().
- Fix to UBSan errors in vp8_new_framerate().
- Fix to integer overflow in vp8 encodeframe.c.
- Handle EINTR from sem_wait().
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 911023b521)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
cve-check.bbclass reported unpatched vulnerabilities in libtar
[1,2,3,4,5]. The NIST assigned base score for the worst vulnerability
is 9.1 / critical.
The patches were taken from the libtar [6] master branch after the
latest tag v1.2.20 (the changes in libtar master mostly originate from
Fedora and their patches), and from the Fedora 41 libtar source package
[7] and the Debian libtar package 1.2.20-8 [8] where the patches were
not available in the libtar repository itself.
The Fedora patch series was taken in its entirety in order to minimize
differences to Fedora's source tree instead of cherry-picking only CVE
fixes. Minimizing the differences should avoid issues with potential
inter-dependencies between the patches, and hopefully provide better
confidence as even the newest patches have been in use in Fedora for
nearly 2 years (since December 2022; Fedora rpms/libtar.git commit
e25b692fc7ceaa387dafb865b472510754f51bd2). The series includes even the
Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains
changes *) that match the libtar commit
ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static
buffer in th_get_pathname()") whose commit message says
Note this can break programs that expect sizeof(TAR) to be fixed.
The patches applied cleanly except for the Fedora srpm patch
libtar-1.2.11-bz729009.patch, which is identical with the pre-existing
meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted.
The meta-openembedded recipe does not include any of the patches in
Kirkstone [9] nor the current master [10].
libtar does not have newer releases, and the libtar master doesn't
contain all of the changes included in the patches. Fedora's
libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release
either but only in the master branch after the tag v1.2.20. The version
number in the filename is supposedly due to the patches being created
originally against v1.2.11 but have been upstreamed or at least
committed to the master only after v1.2.20.
The commit metadata could not be practically completed in most of the
cases due to missing commit messages in the original commits and
patches. The informal note about the author ("Authored by") was added to
the patch commit messages where the commit message was missing the
original author(s)' Signed-off-by.
*) The patch also contains the changes split to the libtar commits
495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before
freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6
("Added stdlib.h for malloc() in lib/decode.c"))
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646
[5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
[6] https://repo.or.cz/libtar.git
[7] https://src.fedoraproject.org/rpms/libtar/tree/f41
[8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
[9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f
[10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c
Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3c9b5b36c8)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 505f2defdc)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Add all relevant items from queries:
$ sqlite3 nvdcve_2-2.db
sqlite> select vendor, product, count(*) from products where product like '%sox%' group by vendor, product;
commugen|sox_365|1
libsox_project|libsox|1
sox|sox|3
sox_project|sox|10
sqlite> select vendor, product, count(*) from products where product like '%sound_exchange%' group by vendor, product;
sound_exchange_project|sound_exchange|16
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a68c3df41c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55212
Backport the patch that is mentioned in the NVD advisory.
Notes about the backport:
The original patch deletes two extra lines compared to the backport:
those lines were a previous attempt[1] to solve the same vulnerability,
and the final patch reverted them. Since that patch wasn't part of the
recipe, those deletions were dropped from the backported patch.
The PerceptibleReciprocal function was renamed[2] to MagickSafeReciprocal
after the recipe's revision, but there were no functional changes
in the function's behavior.
[1]: 43d92bf855
[2]: https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e9
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
