mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity
30,494 Commits 64 Branches 0 Tags
62b9edf47be6b70d77ac6a662cedc9dbbb96e550
Commit Graph

13502 Commits

Author SHA1 Message Date
Divya Chellam 62b9edf47b jq: fix CVE-2025-9403 
A vulnerability was determined in jqlang jq up to 1.6. Impacted is the
function run_jq_tests of the file jq_test.c of the component JSON Parser.
Executing manipulation can lead to reachable assertion. The attack
requires local access. The exploit has been publicly disclosed and may be
utilized. Other versions might be affected as well.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9403

Upstream-patch:
https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 15:11:47 +08:00
Ankur Tyagi 9fd485ca64 hostapd: patch CVE-2025-24912 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-24912

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 15:11:04 +08:00
Hitendra Prajapati d18271891f libjxl: fix CVE-2024-11403 & CVE-2024-11498 
* CVE-2024-11403 - Upstream-Status: Backport from https://github.com/libjxl/libjxl/commit/9cc451b91b74ba470fd72bd48c121e9f33d24c99
* CVE-2024-11498 - Upstream-Status: Backport from https://github.com/libjxl/libjxl/commit/bf4781a2eed2eef664790170977d1d3d8347efb9

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 15:11:00 +08:00
Jiaying Song 59594572f9 webkitgtk3: fix do_configure error on beaglebone-yocto 
* According to latest comment [1] and the mentioned pull request [2],
  build an ENABLE(WEBASSEMBLY) && !ENABLE(JIT) configuration is
  supported, so original issue already fixed in current version, the
  EXTRA_OECMAKE setting is not needed anymore.

* This EXTRA_OECMAKE setting causes following configure error on
  beaglebone-yocto, remove the setting to let the configure process
  decide the configuration:
  CMake Error at Source/cmake/WebKitFeatures.cmake:312 (message):
  ENABLE_JIT conflicts with ENABLE_C_LOOP.  You must disable one or the other.

[YOCTO #15254]

[1] https://github.com/WebKit/WebKit/pull/17447
[2] https://github.com/WebKit/WebKit/pull/17688

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 15:07:38 +08:00
Jiaying Song aebbd0f965 webkitgtk3: update 2.44.1 -> 2.44.3 
Changelog:
https://webkitgtk.org/2024/05/16/webkitgtk2.44.2-released.html
https://webkitgtk.org/2024/08/13/webkitgtk2.44.3-released.html

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 15:07:37 +08:00
Gyorgy Sarvari 4e64442c58 emacs: patch CVE-2024-39331 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39331

Pick the patch that's mentioned in thee details.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:44:50 +08:00
Gyorgy Sarvari bfff201fff emacs: patch CVE-2024-30205 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30205

Pick the patch that's in the description.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:44:44 +08:00
Gyorgy Sarvari d7f90a53d6 emacs: patch CVE-2024-30204 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30204

Pick the patch that's mentioned in the description.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:44:39 +08:00
Gyorgy Sarvari 1459f29e71 emacs: patch CVE-2024-30203 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30203

Pick the patch mentioned in the description.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:44:35 +08:00
Gyorgy Sarvari b0edb9f891 emacs: patch CVE-2024-30202 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30202

Backport the patch mentioned in the details of the link.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:44:28 +08:00
Yogita Urade 580609b6d5 poppler: fix CVE-2025-52885 
Poppler ia a library for rendering PDF files, and examining or
modifying their structure. A use-after-free (write) vulnerability
has been detected in versions Poppler prior to 25.10.0 within the
StructTreeRoot class. The issue arises from the use of raw pointers
to elements of a `std::vector`, which can lead to dangling pointers
when the vector is resized. The vulnerability stems from the way that
refToParentMap stores references to `std::vector` elements using raw
pointers. These pointers may become invalid when the vector is resized.
This vulnerability is a common security problem involving the use of
raw pointers to `std::vectors`. Internally, `std::vector `stores its
elements in a dynamically allocated array. When the array reaches its
capacity and a new element is added, the vector reallocates a larger
block of memory and moves all the existing elements to the new location.
At this point if any pointers to elements are stored before a resize
occurs, they become dangling pointers once the reallocation happens.
Version 25.10.0 contains a patch for the issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-52885

Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/4ce27cc826bf90cc8dbbd8a8c87bd913cccd7ec0

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:36 +08:00
Praveen Kumar ed71c716fa yasm: fix CVE-2024-22653 
yasm commit 9defefae was discovered to contain a NULL pointer
dereference via the yasm_section_bcs_append function at section.c.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-22653

Upstream-patch:
https://github.com/yasm/yasm/commit/121ab150b3577b666c79a79f4a511798d7ad2432

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:36 +08:00
Saravanan e599281324 fio: fix CVE-2025-10823 
Reference:
	https://nvd.nist.gov/vuln/detail/CVE-2025-10823
	https://github.com/axboe/fio/issues/1982

Upstream-patch:
	https://github.com/axboe/fio/commit/6a39dfaffdb8a6c2080eec0dc7fb1ee532d54025

Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:36 +08:00
Gyorgy Sarvari 94867425c1 redis: upgrade 6.2.18 -> 6.2.20 
Changelog:

6.2.19:
(CVE-2025-32023) Fix out-of-bounds write in HyperLogLog commands
(CVE-2025-48367) Retry accepting other connections even if the accepted connection reports an error

6.2.20:
(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) LUA out-of-bound read

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1a22715b82)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:36 +08:00
Vijay Anusuri 7727848e28 redis: upgrade 6.2.16 -> 6.2.18 
Changelog:
https://github.com/redis/redis/releases/tag/6.2.17
https://github.com/redis/redis/releases/tag/6.2.18

Security fixes
==============
* (CVE-2024-46981) Lua script commands may lead to remote code execution
* (CVE-2025-21605) An unauthenticated client can cause an unlimited growth of output buffers

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e970ff8bff)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:36 +08:00
Yi Zhao 6f12aebd61 redis: upgrade 6.2.14 -> 6.2.16 
ChangeLog:

Security fixes
==============
* (CVE-2024-31449) Lua library commands may lead to stack overflow and
  potential RCE.
* (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern
  matching.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f702405fe9)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:36 +08:00
Ninette Adhikari 4f1cef469b influxdb: Update CVE status for CVE-2019-10329 
The version don't match and only the Jenkins plugin is affected.

Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 524acf0542)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:35 +08:00
Khem Raj 411c384daa influxdb: Do not remove non-existing files 
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cd6e2d8f53)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:35 +08:00
Peter Marko 3eaf7bd00b gattlib: mark CVE-2019-6498 as fixed 
Our hash does not point to exact tag and CVE patch is already in.

We use: 33a8a275928b186381bb0aea0f9778e330e57ec3
Fix: https://github.com/labapart/gattlib/commit/60b813a770e42fdb0e85c1d2da7a55327784b8d6

git describe --tags --match=v0.2 33a8a275928b186381bb0aea0f9778e330e57ec3 60b813a770e42fdb0e85c1d2da7a55327784b8d6
v0.2-262-g33a8a27
v0.2-85-g60b813a

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e5a12d5252)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:35 +08:00
Gyorgy Sarvari 68cef7642d exiv2: patch CVE-2025-55304 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55304

Backport patch mentioned in the details of the vulnerability.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit f47fdfd730)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:35 +08:00
Gyorgy Sarvari 81b90a5a0c exiv2: patch CVE-2025-54080 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-54080

Backport the patch mentioned in the details.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 40036aa47a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:35 +08:00
Gyorgy Sarvari cd7e963b09 exiv2: patch CVE-2025-26623 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26623

Apply the first to PRs from the relevant issue.

(The second PR adds a test, and the 3rd PR tries to reimplement
correctly the feature that introduced the vulnerability:
it is switching some raw pointers to smart pointers. It was not picked
because the
1. In the original issue it is stated that the first PR itself
   fixes the vulnerability
2. The patch doesn't apply clean due to the time gap between our
   and their version
3. The behavior of the application does not change
)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 7907a3e206)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:35 +08:00
Ankur Tyagi e34da7d9dc zlog: fix CVE-2024-22857 
Backport a fix from upstream
https://github.com/HardySimpson/zlog/commit/c47f781a9f1e9604f5201e27d046d925d0d48ac4

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit dead2a0070)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:35 +08:00
Ankur Tyagi e9af1614d1 libraw: patch CVE-2025-43964 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-43964

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 95f680e0df)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Ankur Tyagi 7c56524a8d libraw: patch CVE-2025-43963 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-43963

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 287ed36b86)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Ankur Tyagi a8c1967976 libraw: patch CVE-2025-43961 CVE-2025-43962 
Details
 - https://nvd.nist.gov/vuln/detail/CVE-2025-43961
 - https://nvd.nist.gov/vuln/detail/CVE-2025-43962

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 337ab48ff8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Ankur Tyagi da2b9ec4db libcupsfilters: patch CVE-2024-47076 
Details https://nvd.nist.gov/vuln/detail/CVE-2024-47076

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 1ef236b6c5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Ankur Tyagi 7ad4066c40 libppd: patch CVE-2024-47175 
Details https://nvd.nist.gov/vuln/detail/CVE-2024-47175

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 07330a98cf)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Peter Marko b2a0dd6c8d dash: set CVE_PRODUCT 
This removes false positive CVE-2024-21485 from cve reports.

$ sqlite3 nvdcve_2-2.db
sqlite> select * from products where product = 'dash';
CVE-2009-0854|dash|dash|0.5.4|=||
CVE-2024-21485|plotly|dash|||2.13.0|<
CVE-2024-21485|plotly|dash|2.14.0|>=|2.15.0|<

Our dash:dash did not reach major version 1 yet.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e1427013e0)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Ankur Tyagi 80bda1d289 hdf5: patch CVE-2025-6269, CVE-2025-6270, CVE-2025-6516 
As mentioned in the issues [1],[2] and [3], PR[4] addressed several vulnerabilities.

[1] https://github.com/HDFGroup/hdf5/issues/5581#issuecomment-3251977160
[2] https://github.com/HDFGroup/hdf5/issues/5579#issuecomment-2993915196
[3] https://github.com/HDFGroup/hdf5/issues/5580#issuecomment-2993727142
[4] https://github.com/HDFGroup/hdf5/pull/5756

Details:
 https://nvd.nist.gov/vuln/detail/CVE-2025-6269
 https://nvd.nist.gov/vuln/detail/CVE-2025-6270
 https://nvd.nist.gov/vuln/detail/CVE-2025-6516

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Ankur Tyagi 81c0782d8f hdf5: patch CVE-2025-2925 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2925

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Ankur Tyagi 73e3b3c308 hdf5: patch CVE-2025-2924 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2924

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Ankur Tyagi 547d4e1dae hdf5: patch CVE-2025-2923, CVE-2025-6816, CVE-2025-6856 
Single PR[1] addressed all three vulnerabilities

Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-2923
https://nvd.nist.gov/vuln/detail/CVE-2025-6816
https://nvd.nist.gov/vuln/detail/CVE-2025-6856

[1] https://github.com/HDFGroup/hdf5/pull/5829

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:34 +08:00
Ankur Tyagi bd847d489a hdf5: patch CVE-2025-2915 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2915

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:33 +08:00
Ankur Tyagi 7d1b63f0af hdf5: patch CVE-2025-2914 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2914

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:33 +08:00
Ankur Tyagi b42e6eb3e5 hdf5: patch CVE-2025-2913 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2913

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:33 +08:00
Vijay Anusuri b03f8e79af redis: upgrade 7.2.8 -> 7.2.11 
ChangeLog:
https://github.com/redis/redis/releases/tag/7.2.9
https://github.com/redis/redis/releases/tag/7.2.10
https://github.com/redis/redis/releases/tag/7.2.11
https://github.com/redis/redis/compare/7.2.8...7.2.11

7.2.11

Security fixes

(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) LUA out-of-bound read

7.2.10

Security fixes

(CVE-2025-32023) Fix out-of-bounds write in HyperLogLog commands
(CVE-2025-48367) Retry accepting other connections even if the accepted connection reports an error

7.2.9

Security fixes

(CVE-2025-27151) redis-check-aof may lead to stack overflow and potential RCE

Dropped CVE-2025-32023.patch

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 7a17429d34 freerdp3: patch CVE-2024-32662 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32662

Pick the patch that is mentioned in the above vulnerability report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari d577aca11c freerdp3: patch CVE-2024-32661 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32661

Pick the patch that is mentioned in the above vulnerability report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 6acb319466 freerdp3: patch CVE-2024-32660 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32660

Pick the patch that is mentioned in the above CVE report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari a682f5efd0 freerdp3: patch CVE-2025-32659 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32659

Pick the commit that mentioned in the above CVE report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 95d7b8e7d5 freerdp3: patch CVE-2024-32658 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32658

Pick the commit that is marked to resolve the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 3fab129346 freerdp3: patch CVE-2024-32460 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32460

Pick the commit that marked as a solution for the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 3bc45c028e freerdp3: patch CVE-2024-32459 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32459

Pick the patch that is marked to resolve the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari df276ba913 freerdp3: patch CVE-2024-32458 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32458

Pick the commit that is marked to resolve the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 057e1f5d06 freerdp3: patch CVE-2024-32040 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32040

Pick the patch that is marked to resolve the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:32 +08:00
Gyorgy Sarvari ca2667f23a freerdp3: patch CVE-2024-32039 and CVE-2024-32041 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32039
https://nvd.nist.gov/vuln/detail/CVE-2024-32041

Pick the patch that is marked as fixing the related github advisory.
The same commit fixes both vulnerabilities.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:31 +08:00
Peter Marko 0e314d0f4c freerdp3: set CVE_PRODUCT 
CPE does not contain mnajor version number, so set VE product to just
freerdp.
Without this there are no (fixed) CVEs in reports.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4058959d6c)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:31 +08:00
Peter Marko 9b07679a55 freerdp: mark CVE-2024-32662 as fixed 
2.x is not affected, bug was introduced in 3.0.0.
See e.g. https://security-tracker.debian.org/tracker/CVE-2024-32662

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a7f2051068)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:31 +08:00
Peter Marko 0095a1e3c3 freerdp: patch CVE-2024-32661 
Pick commit [1] as mentioned in [2] or [3].

[1] https://github.com/FreeRDP/FreeRDP/commit/71e463e31b4d69f4022d36bfc814592f56600793
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-32661
[3] https://security-tracker.debian.org/tracker/CVE-2024-32661

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c91d6a2c65)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-10-30 14:43:31 +08:00