b712d9b0b1
vlc: ignore CVE-2026-26227 and CVE-2026-26228
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-26227
https://nvd.nist.gov/vuln/detail/CVE-2026-26228
Both vulnerabilities affect only the Android version of VLC, not
the other ones. Because of this, ignore these CVEs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-03-09 16:37:29 +01:00
4b86569eb4
streamripper: ignore CVE-2020-37065
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-37065
The vulnerability is about a 3rd party Windows-only GUI frontend for
the streamripper library, and not for the CLI application that the
recipe builds. Due to this ignore this CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-27 17:00:16 +01:00
122941ea98
libebml: patch CVE-2015-8791
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2015-8791
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-15 15:30:49 +01:00
4ae1930999
sox: patch CVE-2019-8354
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-8354
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2019-8354
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:15:56 +01:00
d782346939
sox: patch CVE-2019-13590
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-13590
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2019-13590
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:56 +01:00
417d194dbe
sox: mark CVE-2019-1010004 as patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004
The description mentions that this vulnerability overlaps with CVE-2017-18189,
and Debian's investigation[1] confirms that it is solved by the same commit.
Add the ID to the CVE tag of CVE-2017-18189.patch.
[1]: https://security-tracker.debian.org/tracker/CVE-2019-1010004
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:46 +01:00
15a5b7a668
sox: patch CVE-2017-18189
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-18189
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-18189
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:37 +01:00
add3e267bf
sox: patch CVE-2017-15642
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15642
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15642
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:27 +01:00
23dcf5a6e9
sox: patch CVE-2017-15372
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15372
Pick the patch that was indeitified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15372
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:17 +01:00
f9d6eb7ebd
sox: patch CVE-2017-15371
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15371
Pick the patch that was identified by Debian[1] to fix the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15371
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:14:07 +01:00
c21ca07c18
sox: patch CVE-2017-15370
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15370
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15370
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:13:58 +01:00
f38680dcee
sox: patch CVE-2017-11359
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11359
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-11359
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:13:49 +01:00
e672fee7eb
sox: patch CVE-2017-11358
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11358
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-11358
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:13:34 +01:00
83498ed818
sox: patch CVE-2017-11332
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11332
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-11332
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-02-10 00:13:25 +01:00
680570c8b6
fluidsynth: patch CVE-2025-56225
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-56225
Pick the PR content referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:28 +01:00
d07ae6a5c8
mpd: Update status for CVE-2020-7465 and CVE-2020-7466
...
The recipe used in the `meta-openembedded` is a different mpd package compared to the one which has the CVE issue.
Package used in `meta-embedded`: http://www.musicpd.org
Package with CVE issue: https://sourceforge.net/projects/mpd/
No action required.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3e3c256981skandigraun@gmail.com >
2025-12-25 13:56:59 +01:00
0cc9b2df36
vlc: upgrade 3.0.17-1 -> 3.0.17.4
...
This update contains minor bugfixes.
Changelog:
3.0.17.4:
Service Discovery: Fix UPnP regression on Windows
3.0.17.3:
Demux: Fix a regression causing a lack of audio in adaptive streaming
3.0.17.2:
Interface: Qt: Fix right click support on video
Misc: Update YouTube script
This commit has been detached from all branches. The version format
change does not cause version-going-backwards issues.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-25 10:17:02 +01:00
d8e53c627c
vorbis-tools: upgrade 1.4.2 -> 1.4.3
...
Refreshed gettext.patch
Dropped 0001-ogginfo-Include-utf8.h-for-missing-utf8_decode.patch & CVE-2023-43361.patch
Dropped patches fixed in newer version
Dropped md5sum
Changelog:
https://gitlab.xiph.org/xiph/vorbis-tools/-/blob/release-1.4.3/CHANGES
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 37a17c25ccskandigraun@gmail.com >
2025-12-25 10:17:02 +01:00
593b6d93ca
libmediaart-2.0: upgrade 1.9.6 -> 1.9.7
...
This is a bugfix release, fixing some memory leaks and compiler warning
(and it also has a couple of commits related to the project's own CI system,
which doesn't affect the application)
Changelog: https://gitlab.gnome.org/GNOME/libmediaart/-/blob/master/NEWS
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-25 10:17:02 +01:00
5c3e0fc516
openh264: patch CVE-2025-27091
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27091
The advisory confirms that the bug was fixed in v2.6.0.
When looking at the relevant Github advisory[1], it mentions
the name of the implementer. Pick the patch that was included
in this release, created by the mentioned Github account and
isn't only a cosmetic or build-system change.
[1]: https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-17 15:37:59 +01:00
97d4be2839
gupnp-igd: add ptest support
...
Execution takes around 10 seconds.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 19:34:22 +01:00
590afd1a98
gupnp-av: add ptest support
...
It takes around a second to execute the suite.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 65c2f6de55skandigraun@gmail.com >
2025-12-06 19:34:21 +01:00
535fc775a6
gupnp: add ptest support
...
It takes almost 50 seconds on my machine to execute.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e7878d69abskandigraun@gmail.com >
2025-12-06 19:34:20 +01:00
ff2b74df62
gssdp: add ptest support
...
It is quick, it finished under 20 seconds on my machine.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 27865a96d5skandigraun@gmail.com >
2025-12-06 19:34:19 +01:00
4cf5f8cc31
libao: ignore CVE-2017-11548
...
Both Suse[1] and Debian[2] disputes that this is a vulnerability in libao.
Based on their investigation while an issue exists, it is not in libao, however
higher in the audio-toolchain, most likely in libmad or mpg321. There seem to
be nothing to be fixed about this in libao - ignore this CVE due to this.
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1081767
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a993eb8b93skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
91c15953c0
libde265: patch CVE-2022-1253
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-1253
Pick the patch from the nvd report.
The patch is only partially backported, because part of the vulnerable
code was introuced only in a later version.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
3693ee5670
rtmpdump: mark CVE-2015-8270, CVE-2015-8271 and CVE-2015-8272 as fixed
...
This CVE is marked as fixed by Debian.
Extracting Debian jessie Debian sources [1] shows 4 commits uses for
backports. All these commits are already included in current hash
([2]-[5]).
../tmp/work/core2-64-poky-linux/rtmpdump/2.4/git$ git log | grep 'commit \(10b580aabcec1621b25518271ba1ab2b018be88e\|...\|4312322107a94c81d3ec5b98f91bc6b923551dc5\)'
commit 530f9bb2a02a78c1198fb2bf0293a12d225e4691
commit 4312322107a94c81d3ec5b98f91bc6b923551dc5
commit 39ec7eda489717d503bc4cbfaa591c93205695b6
commit 10b580aabcec1621b25518271ba1ab2b018be88e
[1] https://snapshot.debian.org/archive/debian/20170704T094954Z/pool/main/r/rtmpdump/rtmpdump_2.4%2B20150115.gita107cef-1%2Bdeb8u1.debian.tar.xz
[2] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/10b580aabcec1621b25518271ba1ab2b018be88e
[3] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/39ec7eda489717d503bc4cbfaa591c93205695b6
[4] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/530f9bb2a02a78c1198fb2bf0293a12d225e4691
[5] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/4312322107a94c81d3ec5b98f91bc6b923551dc5
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d7758a8d0cskandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
dffc5416e5
mpd: fix SRC_URI branch
...
The original branch was deleted, but the commit is still present in the
master branch.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-17 09:08:32 +01:00
69fbdd491a
libopenmpt: fix ptests
...
Install missing test file.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-29 17:05:20 +01:00
aecae8eb07
vorbis-tools: Fix CVE-2023-43361
...
Upstream-commits:
https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/68c5a33685f5b86e7f18f239ceb8861484fee552
& https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/5bb47f58582c15c2413564b741d1d95e7b566aa8
Drop md5sum
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
cfde891d0d
libmediaart-2.0: upgrade 1.9.5 -> 1.9.6
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 04d583327dskandigraun@gmail.com >
2025-09-26 13:17:10 +02:00
abee025ebf
libdvbpsi: upgrade 1.3.0 -> 1.3.3
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d6832f8136skandigraun@gmail.com >
2025-09-26 13:17:10 +02:00
b82caee581
libdvdcss: upgrade 1.4.2 -> 1.4.3
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit ec86150015skandigraun@gmail.com >
2025-09-26 13:17:10 +02:00
736b46a07c
opusfile: patch CVE-2022-47021
...
This patch is mentioned in [1] and [2].
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-47021
[2] https://github.com/xiph/opusfile/issues/36
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 95b8d055dbskandigraun@gmail.com >
2025-09-26 13:17:10 +02:00
20b6924450
opencore-amr: upgrade 0.1.3 -> 0.1.6
...
Changelog:
0.1.6
- Fixed an infinite loop when decoding some AMR-NB samples
- Fixed noise spikes when decoding non-voice frames for both AMR-NB and AMR-WB
0.1.5
- Fix an autotools issue with cross compiling from the 0.1.4 release
0.1.4
- Autotools cleanups
- Fixes for SID/DTX in the AMR-WB decoder, fixes for handling of bad
frames in both AMR-WB and AMR-NB
Signed-off-by: alperak <alperyasinak1@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 55274f650eskandigraun@gmail.com >
2025-09-26 13:17:10 +02:00
bf9a40289e
libdvbcsa: set correct LICENSE
...
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a66ce64267skandigraun@gmail.com >
2025-09-26 13:17:10 +02:00
f284c11a9e
libdc1394: upgrade 2.2.6 -> 2.2.7
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 5914277f90skandigraun@gmail.com >
2025-09-26 13:17:10 +02:00
89fd1c569f
libupnp: upgrade 1.14.6 -> 1.14.18
...
Changelog:
github.com/pupnp/pupnp/blob/branch-1.14.x/ChangeLog
Signed-off-by: alperak <alperyasinak1@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 6908f7fcb8skandigraun@gmail.com >
2025-09-26 13:17:10 +02:00
ada662b5ea
gssdp: check opengl is enabled or not
...
The sniffer PACKAGECONFIG will make gssdp depend on gtk4 as below.
PACKAGECONFIG[sniffer] = "-Dsniffer=true,-Dsniffer=false,gtk4,"
But gtk4 needs the opengl DISTRO_FEATURES enabled, so also check
opengl in gssdp recipe to keep consistent.
Fixes:
ERROR: Nothing PROVIDES 'gtk4' (but /build/layers/meta-openembedded/meta-multimedia/recipes-connectivity/gupnp/gssdp_1.4.0.1.bb DEPENDS on or otherwise requires it)
gtk4 was skipped: missing required distro feature 'opengl' (not in DISTRO_FEATURES)
ERROR: Required build target 'meta-world-pkgdata' has no buildable providers.
Missing or unbuildable dependency chain was: ['meta-world-pkgdata', 'gssdp', 'gtk4']
Signed-off-by: Mingli Yu <mingli.yu@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 491a703c41skandigraun@gmail.com >
2025-09-26 13:17:10 +02:00
d6fb7f426b
readme: update maintainer
...
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-09-18 11:49:40 +02:00
5c13812501
readme: update maintainer
...
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-09-16 09:04:49 +02:00
66ec168505
packagegroup-meta-multimedia: Remove library only packages from rdeps
...
Because they get renamed, it is better to ignore them and let a
dependency build them
Fixes errors like
ERROR: packagegroup-meta-multimedia-1.0-r0 do_package_write_ipk: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (gssdp to libgssdp-1.2-0)
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit eafecde2aeakuster808@gmail.com >
2025-01-01 09:13:52 -05:00
b4bee1f709
packagegroup-meta-multimedia: restore x11 restriction for projucer
...
* it was removed in:
https://git.openembedded.org/meta-openembedded/commit/?id=deb11a823c32d4090b3724a589641810e06df6bc
* but still needed as shown in world build without x11 in DISTRO_FEATURES:
ERROR: Nothing RPROVIDES 'projucer' (but /OE/build/luneos-nanbield/meta-openembedded/meta-multimedia/recipes-multimedia/packagegroups/packagegroup-meta-multimedia.bb RDEPENDS on or otherwise requires it)
projucer was skipped: missing required distro feature 'x11' (not in DISTRO_FEATURES)
NOTE: Runtime target 'projucer' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['projucer']
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-11-03 10:51:09 -04:00
e5f27c78d5
dleyna-{server,renderer}: fix dev-so QA issue with multilib
...
* the libdir is arch specific, but the subdirectory is always BPN
* fixes:
lib32-dleyna-server-0.6.0+gitAUTOINC+eb895ae827: non -dev/-dbg/nativesdk- package lib32-dleyna-server contains symlink .so '/usr/lib/dleyna-server/libdleyna-server-1.0.so' [dev-so]
lib32-dleyna-renderer-0.6.0: non -dev/-dbg/nativesdk- package lib32-dleyna-renderer contains symlink .so '/usr/lib/dleyna-renderer/libdleyna-renderer-1.0.so' [dev-so]
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-04-13 08:26:23 -04:00
0342b7b6c3
fluidsynth: update SRC_URI to remove non-existing 2.2.x branch
...
Remove branch 2.2.x from SRC_URI as fluidsynth github removed the branch.
The SRCREV is on master branch.
Signed-off-by: Preeti Sachan <preeti.sachan@intel.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 534d04af48scott.murray@konsulko.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-03-05 07:45:14 -05:00
ace7fca1d9
mpd: Upgrade to 0.23.12 release
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit ba5a86a51ascott.murray@konsulko.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-03-05 07:45:14 -05:00
34da9c55df
ncmpc: Upgrade to 0.47
...
Backport a patch to fix c++17 build with clang
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9b6baed24dscott.murray@konsulko.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-03-05 07:45:14 -05:00
6b148cd433
mpd: Upgrade to 0.23.9
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9ed1e62bbbscott.murray@konsulko.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-03-05 07:45:14 -05:00
b6dfef7d8b
mpd: Update to 0.23.8
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 02fc7f371dscott.murray@konsulko.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-03-05 07:45:14 -05:00
7430daa22d
bigbuckbunny-1080p: update SRC_URI
...
fixes:
ERROR: bigbuckbunny-1080p-1.0-r0 do_fetch: Bitbake Fetcher Error: FetchError('Unable to fetch URL from any source.', 'https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi ')
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2022-07-24 11:43:10 -07:00
Gyorgy Sarvari
Ninette Adhikari
Peter Marko
Vijay Anusuri
Khem Raj
alperak
Mingli Yu
Martin Jansa
Preeti Sachan
Armin Kuster