00e263ed58
dante: patch CVE-2024-54662
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-54662
This backported patch was taken from upstream's website[1],
where they identify it as the solution for this vulnerability
[1]: https://www.inet.no/dante/ (bottom, "advisories" section)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-27 14:28:50 +01:00
c737d99e36
cups-filters: patch CVE-2025-64503
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503
Pick the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-27 14:28:50 +01:00
f19f8995e2
python3-cbor2: patch CVE-2025-68131
...
Backport the patch[1] which fixes this vulnerability as mentioned in the
comment[2].
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68131
[1] https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0
[2] https://github.com/agronholm/cbor2/pull/268#issuecomment-3719179000
Dropped changes to the changelog from the original commit.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-27 14:28:43 +01:00
d9010e70c4
iperf3: remove incorrect CVE_PRODUCT setting
...
This CVE_PRODUCT setting seems to be copied from the iperf2 recipe.
But the CVE_PRODUCT for iperf3 should be just iperf3. For example,
https://nvd.nist.gov/vuln/detail/CVE-2023-38403 .
Signed-off-by: Chen Qi <Qi.Chen@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-26 13:36:35 +01:00
13b25be8f8
nginx: apply patchs for CVE-2025-23419 and CVE-2026-1642 to all versions
...
There is no reason to apply them only to single version when they apply
properly to all versions.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-26 13:36:35 +01:00
2a61b6dac8
fcgi: add follow-up patch for CVE-2025-23016
...
New release [1] added additional fir for this CVE.
[1] https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.7
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-26 13:36:35 +01:00
3c1286f8b3
nginx: patch CVE-2026-1642
...
Pick patch accorting to [1].
[1] https://security-tracker.debian.org/tracker/CVE-2026-1642
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-26 13:36:34 +01:00
3e3bd7acfc
dovecot: ignore CVE-2025-30189
...
Vulnerable versions are 2.4.0, 2.4.1 according to the full disclosure[1]
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-30189
[1] https://seclists.org/fulldisclosure/2025/Oct/29
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Adapted to Kirkstone.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-26 13:36:34 +01:00
33822593e5
rocksdb: Add an option to set static library
...
Modify the CMakeLists.txt to add an Option for
STATIC target import, as available for shared library.
Link: https://github.com/facebook/rocksdb/pull/12890
Configure static library as option, default to ON.
Provides option to make it off thru PACKCONFIG, if needed.
Signed-off-by: Bhabu Bindu <bindu.bhabu@kpit.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 233079a41cakuster808@gmail.com >
(cherry picked from commit 72018ca1b1zahir.basha@kpit.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-26 13:36:34 +01:00
631e0ac2f0
postgresql: upgrade 14.20 -> 14.21
...
It contains Security fixes for CVE-2026-2003, CVE-2026-2004,
CVE-2026-2005, CVE-2026-2006 and CVE-2026-2007.
It also contains other bug fixes and for more details refer Release note.
0001-configure.ac-bypass-autoconf-2.69-version-check.patch
refreshed for 14.21
Release notes: https://www.postgresql.org/docs/release/14.21/
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-26 13:36:29 +01:00
42774277a4
wireshark: Fix multiple CVEs
...
Backport fixes for :
* CVE-2024-8645 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/8e5f8de8836d3a81276ae5b9bf78cbac58bb6108
* CVE-2026-0960 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/f31123dcdbac37272046b58b2f7941bc7fb42934
* CVE-2025-13945 - Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/9139917bd8e2c80a5db7079993d5528db74e3519
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-19 12:03:21 +01:00
8a598a2bc9
poppler: mark CVE-2022-38171 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-38171
This is the same as CVE-2021-30860, but that one was primarily filed
against Apple software (and some other related projects).
The patch that fixes this vulenrability is already added to the recipe,
just extend its CVE tag
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-15 15:30:54 +01:00
c1eda860f4
python3-django: upgrade 4.2.27 -> 4.2.28
...
Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207,
CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-15 15:30:54 +01:00
b54893d226
mercurial: ignore CVE-2022-43410
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-43410
The vulnerability affects only the Mercurial Jenkins plugin, which
is a different project. This CVE can be ignored in this recipe.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-15 15:30:54 +01:00
122941ea98
libebml: patch CVE-2015-8791
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2015-8791
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-15 15:30:49 +01:00
d27a3be1f6
ez-ipupdate: patch CVE-2003-0887
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887
The vulnerability is about the default (example) configurations,
which place cache files into the /tmp folder, that is world-writeable.
The recommendation would be to place them to a more secure folder.
The recipe however does not install these example configurations,
and as such it is not vulnerable either.
Just to make sure, patch these folders to a non-tmp folder
(and also install that folder, empty).
Some more discussion about the vulnerability:
https://bugzilla.suse.com/show_bug.cgi?id=48161
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit dd81ffdb68skandigraun@gmail.com >
2026-02-13 17:03:50 +01:00
6f0602375b
Use https when accessing archive.xfce.org
...
While using devtool to check available versions, I noticed a 301 http error.
Specifically :
$ devtool latest-version libxfce4ui
Resolving archive.xfce.org (archive.xfce.org)... 217.70.191.87
Connecting to archive.xfce.org (archive.xfce.org)|217.70.191.87|:80... connected
.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://archive.xfce.org/src/xfce/libxfce4ui/4.20/ [following]
With this patch, we change to make the SRC_URI an https request.
A similar patch is already in master - commit 8089168196schonm@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-12 08:40:56 +01:00
f8c8241198
strongswan: Security fix for CVE-2025-62291
...
CVE fixed:
- CVE-2025-62291 strongswan: Arbitrary Code Execution and Denial of Service via crafted EAP-MSCHAPv2 message
Upstream-Status: Backport from https://download.strongswan.org/security/CVE-2025-62291/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
Signed-off-by: Rohini Sangam <rsangam@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-11 19:52:14 +01:00
518ff6ef48
mariadb: Fix CVE-2025-30693
...
Upstream-Status: Backport from https://github.com/MariaDB/server/commit/1c9f64e54ffb109bb6cf6a189e863bfa54e46510
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-11 11:30:12 +01:00
8e5a4c1a26
tigervnc: mark CVE-2024-0408 and CVE-2024-0409 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-0408
https://nvd.nist.gov/vuln/detail/CVE-2024-0409
Both of these vulnerabilities were fixed[1][2] in xserver 21.1.11,
just mark them patched.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/8d825f72da71d6c38cbb02cf2ee2dd9e0e0f50f2
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/a4f0e9466f3bc7073a8f0c28a581211c2d7adf0e
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:16:53 +01:00
84457b29af
tigervnc: ignore CVE-2025-26594...26601
...
Ignore the following CVEs: CVE-2025-26594, CVE-2025-26595, CVE-2025-26596,
CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-26594
https://nvd.nist.gov/vuln/detail/CVE-2025-26595
https://nvd.nist.gov/vuln/detail/CVE-2025-26596
https://nvd.nist.gov/vuln/detail/CVE-2025-26597
https://nvd.nist.gov/vuln/detail/CVE-2025-26598
https://nvd.nist.gov/vuln/detail/CVE-2025-26599
https://nvd.nist.gov/vuln/detail/CVE-2025-26600
https://nvd.nist.gov/vuln/detail/CVE-2025-26601
TigerVNC compiles its own xserver, this is why these CVEs are associated
with it - despite the vulnerabilities being in xserver.
All of these vulnerabilities were fixed by the same PR[1], which has
been part of xserver since version 21.1.16 (the currently used xserver
version in TigerVNC is 21.1.18).
Due to this, ignore these vulnerabilities, and just mark them as patched.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 4924e89bb7skandigraun@gmail.com >
2026-02-10 00:16:43 +01:00
e51b233d2e
tigervnc: ignore CVE-2023-6478
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478
TigerVNC compiles its own xserver, this is why this CVE is associated
with it - despite the vulnerability being in xserver.
The vulnerability was fixed by [1] (from the nvd report), which has been
backported[2] to the xserver version used by the recipe - so ignore the
CVE, since it's patched already.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 62a78f8ba7skandigraun@gmail.com >
2026-02-10 00:16:33 +01:00
03a67156a4
tigervnc: ignore CVE-2023-6377
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6377
TigerVNC compiles its own xserver, this is why this CVE is associated
with it - despite the vulnerability being in xserver.
The vulnerability was fixed by [1] (from the nvd report), which has been
backported[2] to the xserver version used by the recipe - so ignore the
CVE, since it's patched already.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/a7bda3080d2b44eae668cdcec7a93095385b9652
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f691f2178bskandigraun@gmail.com >
2026-02-10 00:16:21 +01:00
c0766dbf4b
tigervnc: sync xserver component with oe-core
...
oe-core has a newer version of xserver than this recipe used to compile
TigerVNC with. This recipe updates xserver to the same version, 21.1.18.
TigerVNC only started to support this xserver version 2 versions later,
with 1.13. Due to this 3 commits were backported that add the missing
changes.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:16:12 +01:00
4ae1930999
sox: patch CVE-2019-8354
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-8354
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2019-8354
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:15:56 +01:00
d782346939
sox: patch CVE-2019-13590
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-13590
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2019-13590
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:56 +01:00
417d194dbe
sox: mark CVE-2019-1010004 as patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004
The description mentions that this vulnerability overlaps with CVE-2017-18189,
and Debian's investigation[1] confirms that it is solved by the same commit.
Add the ID to the CVE tag of CVE-2017-18189.patch.
[1]: https://security-tracker.debian.org/tracker/CVE-2019-1010004
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:46 +01:00
15a5b7a668
sox: patch CVE-2017-18189
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-18189
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-18189
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:37 +01:00
add3e267bf
sox: patch CVE-2017-15642
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15642
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15642
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:27 +01:00
23dcf5a6e9
sox: patch CVE-2017-15372
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15372
Pick the patch that was indeitified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15372
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:17 +01:00
f9d6eb7ebd
sox: patch CVE-2017-15371
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15371
Pick the patch that was identified by Debian[1] to fix the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15371
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:07 +01:00
c21ca07c18
sox: patch CVE-2017-15370
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15370
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15370
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:13:58 +01:00
f38680dcee
sox: patch CVE-2017-11359
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11359
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-11359
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:13:49 +01:00
e672fee7eb
sox: patch CVE-2017-11358
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11358
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-11358
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:13:34 +01:00
83498ed818
sox: patch CVE-2017-11332
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11332
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-11332
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:13:25 +01:00
9492cdbbf8
python3-protobuf: patch CVE-2026-0994
...
Pick patch from PR in NVD report.
It is the only code change in 33.5 release.
Skip the test file change as it's not shipped in python module sources.
Resolve formatting-only conflict.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-03 19:53:58 +01:00
a817392c05
faad2: patch CVE-2021-32276
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32276
Pick the patches from the PR[1] that resolved the issue[2] referenced by
the NVD advisory.
[1]: https://github.com/knik0/faad2/pull/66
[2]: https://github.com/knik0/faad2/issues/58
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-01 15:30:31 +01:00
c95de73853
python3-pymongo: upgrade 4.1.0 -> 4.1.1
...
Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-1-released/157895
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 5bfe98cb40skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
0f26b38ebc
python3-pymongo: patch CVE-2024-5629
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-5629
Backport the patch that is indicated to solve the issue based on the
upstream project's Jira ticket[1] (which comes from the NVD report).
[1]: https://jira.mongodb.org/browse/PYTHON-4305
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
c40873cb69
libiec61850: patch CVE-2024-45970
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-45970
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
90575e38b7
libiec61850: patch CVE-2024-45969
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-45969
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
fd620677ce
python3-ecdsa: ignore CVE-2024-23342
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-23342
The issue won't be fixed, because it is not in the scope of the
project. See also the discussion in the relevant Github issue[1].
[1]: https://github.com/tlsfuzzer/python-ecdsa/issues/330
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
44247b3cb0
libass: patch CVE-2020-24994
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-24994
Backport the commit that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
ef6ef1492c
frr: ignore CVE-2023-3748, CVE-2023-41359..61
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-3748
https://nvd.nist.gov/vuln/detail/CVE-2023-41359
https://nvd.nist.gov/vuln/detail/CVE-2023-41360
https://nvd.nist.gov/vuln/detail/CVE-2023-41361
Regarding CVE-2023-3748:
Based on Debian's investigation, the vulnerability was solved by [1].
However that vulnerable code that was fixed was introduced after the
recipe version, only in version 8.4.0[2].
Since the recipe version isn't affected by this CVE, ignore it.
Regarding CVE-2023-41359:
The pull request[3] referenced by the NVD report references another pull
request[4] which was opened to backport the fix. The conversion on this
PR confirms that the vulnerable feature was introduced in 8.5.
Due to this, ignore this CVE.
Regarding CVE-2023-41360:
The vulnerable code was introduced[5] in version 8.4.0, and the
recipe version is not vulnerable.
Due to this ignore this CVE.
Regarding CVE-2023-41361:
The vulnerable code was introduced[6] in version 9.0 and the recipe
version is not vulnerable.
Due to this ignore this CVE.
[1]: https://github.com/FRRouting/frr/commit/0a95d121ca8e1f43d41d952d6c82d111ca850085
[2]: https://github.com/FRRouting/frr/commit/54a3e60b3ebd3621c4dd90b0b49e8e36e4e100d8
[3]: https://github.com/FRRouting/frr/pull/14232
[4]: https://github.com/FRRouting/frr/pull/15927
[5]: https://github.com/FRRouting/frr/commit/f1aa49293a4a8302b70989aaa9ceb715385c3a7e
[6]: https://github.com/FRRouting/frr/commit/234f6fd4f4804bb17bd8cbb1dd91994a914f38d2
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
702efc091e
gnome-settings-daemon: ignore CVE-2024-38394
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-38394
The CVE has the disputed flag. The project maintainers claim that the issue
is not in gnome-setttings-daemon. If the vulnerability needs to be handled
in gnome-settings-daemon, than it is a new feature rather than a vulnerability fix.
Due to this, ignore this CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
bcac2eef54
gpsd: patch CVE-2025-67268
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67268
Pick the patch that is referenced by the NVD advisory.
The original commit also contains a lot of commenting style
changes (// vs /* */) and whitespace changes which were removed from
the backport.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
363dc629d4
python3-twitter: mark CVE-2012-5825 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825
The Debian bugtracker[1] indicated that the issue is tracked by
upstream in github[2] (with a difference CVE ID, but same issue),
where the vulnerability was confirmed. Later in the same github issue
the solution is confirmed: the project switched to use the requests
library, which doesn't suffer from this vulnerability.
Due to this mark the CVE as patched.
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444
[2]: https://github.com/tweepy/tweepy/issues/279
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3ee544e759skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
8c092c4a82
proftpd: ignore CVE-2021-47865
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865
This CVE was opened based on a 5 years old Github issue[1], and has been made
public recently. The CVE wasn't officially disputed (yet?), but based on
the description and the given PoC the application is working as expected.
The vulnerability description and the PoC basically configures proftpd to
accept maximum x connections, and then when the user tries to open x + 1
concurrent connections, it refuses new connections over the configured limit.
See also discussion in the Github issue.
I just put it on the ignore list.
[1]: https://github.com/proftpd/proftpd/issues/1298
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
510ac35c7d
libvncserver: patch CVE-2020-29260
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-29260
Pick the patch referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
7b9138a24d
catfish: upgrade 4.16.3 -> 4.16.4
...
Changelog:
- Add "Open with" right click item and dialog
- Add a command-line option for setting default sort method
- Add Ctrl+A accelerator for the treeview
- Add option to show file size in binary or decimal
- Cosmetic changes for search entry and delete dialog
- Fix Ctrl+H not always toggling hidden files
- Fix DE detection when launched from Electron apps
- Fix exo file manager lookup for non-existent keys
- Fix file manager lookup outside of Xfce
- Fix GNOME DE detection in Ubuntu
- Improve application menu appearance
- Improve default width for the sidebar
- Prepend the project root directory to sys.path
- Support running without Xfconf (no preference saving)
- Switch to using the super() method
- Use correct executable for elementary Files
- Translation Updates
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
Hitendra Prajapati
Chen Qi
Peter Marko
Ankur Tyagi
Zahir Hussain
Jason Schonberg
Rohini Sangam
Vijay Anusuri
zhengruoqin