537ab769ae
redis: Fix CVE-2025-32023
...
Upstream-Status: Backport from https://github.com/redis/redis/commit/f35b72dd1735f381337a2eb078083450cb98e237
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
515f1f1e6e
redis: Fix CVE-2025-27151
...
Upstream-Status: Backport from https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
aecae8eb07
vorbis-tools: Fix CVE-2023-43361
...
Upstream-commits:
https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/68c5a33685f5b86e7f18f239ceb8861484fee552
& https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/5bb47f58582c15c2413564b741d1d95e7b566aa8
Drop md5sum
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
199ca4579c
poppler: fix CVE-2025-52885
...
Poppler ia a library for rendering PDF files, and examining or
modifying their structure. A use-after-free (write) vulnerability
has been detected in versions Poppler prior to 25.10.0 within the
StructTreeRoot class. The issue arises from the use of raw pointers
to elements of a `std::vector`, which can lead to dangling pointers
when the vector is resized. The vulnerability stems from the way that
refToParentMap stores references to `std::vector` elements using raw
pointers. These pointers may become invalid when the vector is resized.
This vulnerability is a common security problem involving the use of
raw pointers to `std::vectors`. Internally, `std::vector `stores its
elements in a dynamically allocated array. When the array reaches its
capacity and a new element is added, the vector reallocates a larger
block of memory and moves all the existing elements to the new location.
At this point if any pointers to elements are stored before a resize
occurs, they become dangling pointers once the reallocation happens.
Version 25.10.0 contains a patch for the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-52885
Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/4ce27cc826bf90cc8dbbd8a8c87bd913cccd7ec0
Signed-off-by: Yogita Urade <yogita.urade@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
9146afcebb
yasm: fix CVE-2024-22653
...
yasm commit 9defefae was discovered to contain a NULL pointer
dereference via the yasm_section_bcs_append function at section.c.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-22653
Upstream-patch:
https://github.com/yasm/yasm/commit/121ab150b3577b666c79a79f4a511798d7ad2432
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
bfc756c1e6
fio: fix CVE-2025-10823
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10823
https://github.com/axboe/fio/issues/1982
Upstream-patch:
https://github.com/axboe/fio/commit/6a39dfaffdb8a6c2080eec0dc7fb1ee532d54025
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
5bb71a5f0f
squid: mark CVE-2025-54574 as patched
...
Per [1] CVE-2025-54574 is fixed in patch for CVE-2023-5824.
That was a composite patch from more commits.
When checking it, it really contains also commit [2] which is mentioned
as fix for CVE-2025-54574.
[1] https://security-tracker.debian.org/tracker/CVE-2025-54574
[2] https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
27206f97e6
emlog: set CVE_PRODUCT
...
This will remove false-positive CVE-2024-50655 from reports.
There are different emlog components from other vendors around.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d8d45d9093skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
df0b60ad51
apache2: ignore CVE-2025-3891
...
The vulnerability was reported against mod_auth_openidc, which module
is a 3rd party one, and not part of the apache2 source distribution.
The affected module is not part of the meta-oe universe currently,
so ignore the CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
8d733ee01b
st: Update status for CVE-2017-16224
...
The recipe used in the meta-openembedded is a different st package compared to the one which has the CVE issue.
Package used in meta-embedded: https://st.suckless.org/
Package with CVE issue: https://www.npmjs.com/package/st
No action required.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit eb9c7bb564skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
80b5365780
webmin: patch CVE-2022-0829
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0829
Pick the patch from the nvd report details.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
b4c4f0c525
webmin: patch CVE-2022-0824
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0824
Pick the patch mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
241abdec12
webmin: patch CVE-2019-15642
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-15642
Pick the patch mentioned in the nvm report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
85933945fb
webmin: patch CVE-2017-17089
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-17089
Pick the patch referenced in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
4c602e88b9
webmin: patch CVE-2017-15644, CVE-2017-15645 and CVE-2017-15646
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15644
https://nvd.nist.gov/vuln/detail/CVE-2017-15645
https://nvd.nist.gov/vuln/detail/CVE-2017-15646
Pick the patch mentioned in the nvd report (same patch is marked to
fix all three vulnerabilities).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
529b31ef7f
poppler: fix CVE-2025-43718
...
Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption
and a SIGSEGV via deeply nested structures within the metadata (such
as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for
a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata,
and associated functions in PDFDoc, with deep recursion in the regex
executor (std::__detail::_Executor).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-43718
Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/f54b815672117c250420787c8c006de98e8c7408
Signed-off-by: Yogita Urade <yogita.urade@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
5fd149feb4
xsp: CVE status update for CVE-2006-2658
...
The recipe used in the `meta-openembedded` is a different xsp package compared to the one which has the CVE issue.
Package used in `meta-embedded`: maemo xsp http://repository.maemo.org/pool/maemo/ossw/source/x/xsp/
Package with CVE issue: mono xsp https://github.com/mono/xsp
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3cb411a057skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
f4adc003e4
zchunk: patch CVE-2023-46228
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46228
Pick the patch that's mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
ed6bb390fe
zlog: patch CVE-2021-43521
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-43521
Pick the patch that resolves the issue linked in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
155ac93191
iniparser: Fix CVE-2025-0633
...
Heap-based Buffer Overflow vulnerability in iniparser_dumpsection_ini() in iniparser
allows attacker to read out of bound memory
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-0633
https://security-tracker.debian.org/tracker/CVE-2025-0633
Upstream patch:
https://gitlab.com/iniparser/iniparser/-/commit/072a39a772a38c475e35a1be311304ca99e9de7f
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
fff1d56fe1
iperf2: ignore irrelevant CVEs
...
These CVEs are for iperf3 - which is a similar application in its goals (and name),
but an independent project from this, and the projects are independent implementations
also, they share no common code.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit aedf74e082skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
7eadf76d76
open-vm-tools: fix CVE-2025-41244
...
VMware Aria Operations and VMware Tools contain a local privilege
escalation vulnerability. A malicious local actor with non-administrative
privileges having access to a VM with VMware Tools installed and managed
by Aria Operations with SDMP enabled may exploit this vulnerability
to escalate privileges to root on the same VM.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-41244
Upstream-patch:
https://github.com/vmware/open-vm-tools/commit/7ed196cf01f8acd09011815a605b6733894b8aab
Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
93826fffc5
imagemagick: Fix CVE-2022-28463
...
Imagemagick is vulnerable to buffer overflow.
Reference: https://github.com/ImageMagick/ImageMagick/commit/ca3654ebf7a439dc736f56f083c9aa98e4464b7f
Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
b6c9eb2ce5
tcpreplay: fix CVE-2025-51006
...
Within tcpreplay's tcprewrite, a double free vulnerability has been identified
in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c.
This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly
invokes the cleanup routine multiple times on the same memory region.
By supplying a specifically crafted pcap file to the tcprewrite binary,
a local attacker can exploit this flaw to cause a Denial of Service (DoS) via memory corruption.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
0538af085a
tcpreplay: fix CVE-2025-9157
...
A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2.
The impacted element is the function untrunc_packet of the file
src/tcpedit/edit_packet.c of the component tcprewrite. Executing
manipulation can lead to use after free. It is possible to launch
the attack on the local host. The exploit has been publicly disclosed
and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da.
Applying a patch is advised to resolve this issue.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
bf223a6c9a
cryptsetup: Update the license field
...
The below reference clearly states that GPL-2.0-with-OpenSSL-exception
is to be used with GPL 2.0 or GPL3.0 and not as a standalone license.
Therefore, update the correct license.
Reference:
https://github.com/aboutcode-org/scancode-licensedb/blob/569d72e13e7c8d14a44380f91e80c5a2d4091f8f/docs/openssl-exception-gpl-2.0.yml#L7
Signed-off-by: Sana Kazi <Sana.Kazi@bmwtechworks.in >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
fbb3d46fad
udisks2: fix CVE-2025-8067
...
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8067
Upstream-patch:
https://github.com/storaged-project/udisks/commit/9ed2186f668c76aeb472de170d62b499d85a1915
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:23 +02:00
9c51a98b4f
botan: patch CVE-2024-50382 and CVE-2024-50383
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-50382
https://nvd.nist.gov/vuln/detail/CVE-2024-50383
Pick patch mentioned in the URL list of the nist page - the
same patch fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:49 +02:00
a742bea992
botan: patch CVE-2024-39312
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39312
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:46 +02:00
6c5e7ee581
botan: patch CVE-2022-43705
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-43705
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:41 +02:00
bf9fc50ccc
dovecot: patch CVE-2021-33515
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33515
Backport the relevant patch.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:38 +02:00
91a9a3d61f
dovecot: patch CVE-2022-30550
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-30550
Pick the commit referenced in https://www.openwall.com/lists/oss-security/2022/07/08/1
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:33 +02:00
b157fa0412
civetweb: patch CVE-2020-27304
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-27304
Take the patches referenced in
https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server/
(which URL is also referenced by NIST)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:29 +02:00
49c4e29bc9
apache2: ignore irrelevant CVEs
...
Ignore a number of CVEs for this recipe (because they are for another software,
outdated version, or because they affect only non-Linux platforms). This commit
is a backport of a number of commits from the master branch (which uses the same
version of the recipe):
0e7733f1b81b86a60f6259d3949e3e1b86a60f62da2b5e8b930e7733f1b8skandigraun@gmail.com >
2025-10-12 13:08:23 +02:00
5e398bfa67
ace: ignore CVE-2009-1147
...
The CVE is for another product, for VMWare ACE, not for this one.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:13 +02:00
93fc9a2c0c
fbida: fix make fbpdf build optional
...
this is a backport-like from scarthgap branch: fbida_git.bb and patch 0001-meson.build-make-fbpdf-build-optional.patch
From Github Pull request: https://github.com/openembedded/meta-openembedded/pull/1008
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-10 11:09:27 +02:00
96fbc15636
collectd: set working SRC_URI
...
The project started to outsource the source hosting to Google storage
and Github.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
f7b1663333
psqlodbc: set valid SRC_URI
...
The old URI stopped working.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
325b2b6238
xfce4-sensors-plugin: correct netcat PACKAGECONFIG
...
In case netcat PACKAGECONFIG is enabled, do_configure fails
with the following error message:
| configure: error: hddtemp isn't queryable via netcat (use --disable-pathchecks to disable this check)
hddtemp service keeps a TCP port open to query the sensor data.
In case netcat is enabled for this recipe, the configure script
will search for the netcat binary, and will try to query this
hddtemp port, as a sanity check. This check is performed
independently from the hddtemp PACKAGECONFIG. Since hddtemp
isn't running in the build environment (probably) and
network connection is also disabled, this check fails.
To avoid this problem, add the extra config argument suggested by the
error message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit b16f9c6f04skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
f62b1d0e44
python3-send2trash: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e7430b5874skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
e66e1917b6
python3-pyparted: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9249052f98skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
1d09e1628b
python3-thrift: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e015b0e996skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
0f0ab90c20
python3-hpack: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1659a00086skandigraun@gmail.com >
2025-10-02 15:16:46 +02:00
7e1af614e2
python3-txws: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d334d496c3skandigraun@gmail.com >
2025-10-02 15:16:40 +02:00
5023aa82bc
python3-pyconnman: Add 'future' runtime dependency
...
pyconnman has an install_requires on 'future', but the corresponding
'python3-future' is missing from the recipes RDEPENDS.
Signed-off-by: Marcus Flyckt <mafl@kvaser.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 4ccb2fa47fskandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
a72092583c
python3-gsocketpool: add missing run-time dependencies
...
Add missing RDEPENDS for this package.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit b630485986skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
d8d1b71a50
libcrypt-openssl-guess-perl: fix syntax for PROVIDES
...
PROVIDES_${PN} -> PROVIDES
Signed-off-by: Yi Zhao <yi.zhao@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9d54352564skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
e73a317cb7
tree: fix broken links
...
New tarball location is:
http://oldmanprogrammer.net/tar/tree/
Homepage is:
http://oldmanprogrammer.net/source.php?dir=projects/tree
Signed-off-by: Benjamin Szőke <egyszeregy@freemail.hu >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 0c4079fc28skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
7336283ec9
span-lite: do not inherit ptest
...
This recipe provides no run-ptest script.
Signed-off-by: Tim Orling <tim.orling@konsulko.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 0fc5f550d3skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
0b97d9ec03
smarty: upgrade 4.1.0 -> 4.1.1
...
Changelog:
==========
Security
--------
Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221
Fixed
-------
Exclude docs and demo from export and composer #751
PHP 8.1 deprecation notices in demo/plugins/cacheresource.pdo.php #706
PHP 8.1 deprecation notices in truncate modifier #699
Math equation max(x, y) didn't work anymore #721
Fix PHP 8.1 deprecated warning when calling rtrim #743
PHP 8.1: fix deprecation in escape modifier #727
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9374648c39skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
Vijay Anusuri
Yogita Urade
Praveen Kumar
Saravanan
Peter Marko
Gyorgy Sarvari
Ninette Adhikari
Soumya Sambu
Rajeshkumar Ramasamy
virendra thakur
Archana Polampalli
Sana Kazi
simoneScaravati
Bartosz Golaszewski
Marcus Flyckt
Yi Zhao
Benjamin Szőke
Tim Orling
Wang Mingyu