67bb8e4b16
yasm: patch CVE-2021-33456
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33465
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1020-hash-null-CVE-2021-33456.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1e2731fce0
2025-11-30 20:48:05 +01:00
68a44fe280
yasm: patch CVE-2021-33464
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33464
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1010-nasm-pp-no-env-CVE-2021-33464.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 66a0b01b52
2025-11-30 20:48:04 +01:00
5fb0376aed
yasm: patch CVE-2023-29579
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-29579
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1000-x86-dir-cpu-CVE-2023-29579.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit cc30757a7f
2025-11-30 20:48:03 +01:00
b6eb044866
yasm: add alternative CVE_PRODUCT
...
There are multiple vendors for yasm:
$ sqlite3 ./nvdcve_2-2.db "select distinct vendor, product from products where product = 'yasm';"
tortall|yasm
yasm_project|yasm
Both products refer to the same application
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 93f85e4fd2
2025-11-30 20:48:01 +01:00
8b438a9d7b
python3-django: fix CVE-2024-39330
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-39330
Upstream-patch:
https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:36 +01:00
740980aaba
python3-django: fix CVE-2024-39329
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-39329
Upstream-patch:
https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:34 +01:00
21d389c8f9
python3-django: fix CVE-2025-57833
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-57833
Upstream-patch:
https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:32 +01:00
0b554678b6
python3-django: fix CVE-2024-56374
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-56374
Upstream-patch:
https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:31 +01:00
540b79e3ee
python3-django: fix CVE-2025-26699
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-26699
Upstream-patch:
https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:30 +01:00
666ec505b4
python3-django: fix CVE-2024-27351
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-27351
Upstream-patch:
https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:29 +01:00
d4a5c4cf6c
python3-django: upgrade 4.2.17 -> 4.2.26
...
Fixes CVE-2025-64459, CVE-2025-64458, CVE-2025-59682, CVE-2025-59681,
CVE-2025-57833, CVE-2025-48432, CVE-2025-32873, CVE-2025-26699, CVE-2024-56374
and other bug fixes.
Release notes:
https://docs.djangoproject.com/en/dev/releases/4.2.18/
https://docs.djangoproject.com/en/dev/releases/4.2.19/
https://docs.djangoproject.com/en/dev/releases/4.2.20/
https://docs.djangoproject.com/en/dev/releases/4.2.21/
https://docs.djangoproject.com/en/dev/releases/4.2.22/
https://docs.djangoproject.com/en/dev/releases/4.2.23/
https://docs.djangoproject.com/en/dev/releases/4.2.24/
https://docs.djangoproject.com/en/dev/releases/4.2.25/
https://docs.djangoproject.com/en/dev/releases/4.2.26/
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:28 +01:00
252b82edd5
python3-django: upgrade 3.2.23 -> 3.2.25
...
Fixes CVE-2024-27351, CVE-2024-24680 and other bugfixes.
Release notes:
https://docs.djangoproject.com/en/dev/releases/3.2.24/
https://docs.djangoproject.com/en/dev/releases/3.2.25/
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:24 +01:00
a12478e722
libraw: patch CVE-2025-43964
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43964
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
0e30e2ab37
libraw: patch CVE-2025-43963
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43963
Pick the patch that is referenced in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
cb0fcd1ae4
libraw: patch CVE-2025-43961 and CVE-2025-43962
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43961
https://nvd.nist.gov/vuln/detail/CVE-2025-43962
Pick the patch that is mentioned by the nvd reports - the
same patch fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
309e9688d5
libraw: patch CVE-2023-1729
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1729
Pick the patch that is mentioned to solve the issue in the issue
linked from the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
730f4c000c
libraw: ignore CVE-2020-35535
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35535
The fix is already included in the used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
298f329594
libraw: ignore CVE-2020-35534
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35534
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
ce9b6df403
libraw: ignore CVE-2020-35533
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35533
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
73891ac756
libraw: ignore CVE-2020-35532
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35532
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
34f34b93d9
libraw: ignore CVE-2020-35531
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35531
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
27f77ae006
libraw: ignore CVE-2020-35530
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35530
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
8f89a8c732
tigervnc: ignore CVE-2014-8241
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2014-8241
The vulnerability is about a potential null-pointer dereference, because
of a malloc result is not verified[1].
The vulnerable code has been refactored since completely[2], and the code isn't
present anymore in the codebase.
[1]: https://github.com/TigerVNC/tigervnc/issues/993#issuecomment-612874972 - attachment
[2]: https://github.com/TigerVNC/tigervnc/commit/b8a24f055f1a29886d8b18bb3f0902144dc5bd14
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
4cf5f8cc31
libao: ignore CVE-2017-11548
...
Both Suse[1] and Debian[2] disputes that this is a vulnerability in libao.
Based on their investigation while an issue exists, it is not in libao, however
higher in the audio-toolchain, most likely in libmad or mpg321. There seem to
be nothing to be fixed about this in libao - ignore this CVE due to this.
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1081767
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a993eb8b93skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
f81db4757e
cockpit: set correct CVE_PRODUCT
...
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit af4df551ee
2025-11-30 15:13:57 +01:00
91c15953c0
libde265: patch CVE-2022-1253
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-1253
Pick the patch from the nvd report.
The patch is only partially backported, because part of the vulnerable
code was introuced only in a later version.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
7965aa0704
links: set CVE_PRODUCT
...
There are some unrelated software called "links", which cases
false-positive CVEs to be reported by the CVE checker.
Set the vendor/product pairs that were historically used with
CVEs for this software.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 62a5309732
2025-11-30 15:13:57 +01:00
afb1296723
jasper: patch CVE-2025-8837
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8837
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
42058c8120
jasper: patch CVE-2025-8836
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
95ecb0c563
jasper: patch CVE-2025-8835
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8835
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
163eb9faca
jasper: patch CVE-2023-51257
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-51257
Pick the patch that's marked to solve the issue linked in the
nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
89e6b49f2d
redis-7: ignore CVE-2022-3734 and CVE-2022-0543
...
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
a5217f562a
redis: upgrade 7.0.13 -> 7.0.15
...
Contains fixes for CVE-2023-41056 and CVE-2023-45145.
Dropped the backported patches that are included.
Release notes: https://github.com/redis/redis/blob/7.0.15/00-RELEASENOTES
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
d86503aa21
redis: upgrade 6.2.12 -> 6.2.21
...
This upgrade contains a list of vunerability fixes: CVE-2025-49844,
CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-32023,
CVE-2025-48367, CVE-2025-21605, CVE-2024-46981, CVE-2024-31449,
CVE-2024-31228, CVE-2023-45145, CVE-2022-24834
Dropped the CVE patches that are included above.
Release notes: https://github.com/redis/redis/blob/6.2.21/00-RELEASENOTES
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
caea02d115
redis: ignore CVE-2022-3734 and CVE-2022-0543
...
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8f1269507askandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
8602562caa
exiv2: patch CVE-2021-34335
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-34335
Pick the patches from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
41e6c428c8
exiv2: patch CVE-2021-34334
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-34334
Pick the patches from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
0f89f58111
exiv2: patch CVE-2021-32815
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32815
Pick the patch from the PR mentioned in he nvd report.
This patch is a combination of 3 commits, which are so
small, that it is still very readable in this form also.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
19fb28a912
exiv2: patch CVE-2021-32617
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32617
Pick the patch from the PR that's mentioned by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
3a8bb65960
exiv2: add missing CVE tag to patch
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29458
https://nvd.nist.gov/vuln/detail/CVE-2021-31292
The patch is already present, but it was missing the CVE tag, which
is added in this change.
The same patch fixes both CVEs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
aa979d9766
exiv2: patch CVE-2021-29623
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29623
Pick the patch from the PR mentioned in teh nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
b91b961b3f
libtorrent: ignore CVE-2016-5301
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2016-5301
This vulnerability is for another libtorrent (https://github.com/arvidn/libtorrent )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
124826c549
logcheck: ignore CVE-2017-20148
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-20148
The issue is specific to the postinstall script that Gentoo packages
with this application - we can ignore it.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
3bd62901b3
monkey: ignore CVE-2013-1771
...
This is gentoo specific CVE.
NVD tracks this as version-less CVE.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 36a7e409d8skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
370cc5e372
monkey: Update status for CVE-2013-2183
...
Current version (1.6.9) is not affected. Issue was addressed in version 1.3.0
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 17bcf478a5skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
de561a26c0
poco: patch CVE-2023-52389
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-52389
Pick the patch from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
8c086ec3df
p7zip: ignore CVE-2022-47069
...
According to debian, this issue is due to crash in CLI tool with
no security impact, hence ignore this CVE
Reference: https://security-tracker.debian.org/tracker/CVE-2022-47069
Signed-off-by: Naman Jain <namanj1@kpit.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
668cef8d6b
wxwidgets: fix CVE-2024-58249
...
CVE-2024-58249:
In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when
connections are refused in wxWebRequestCURL.
References:
[https://nvd.nist.gov/vuln/detail/CVE-2024-58249 ]
Upstream patch:
[https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d ]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
fb79c60c57
imagemagick: adds ptest for imagemagick recipe
...
Backport of the commit 96b97c0c64ashishkumar.mishra@bmwtechworks.in >
Adapted to Kirkstone.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
4ae2ec4620
libssh : fix CVE-2025-8114
...
A flaw was found in libssh, a library that implements the SSH protocol.
When calculating the session ID during the key exchange (KEX) process,
an allocation failure in cryptographic functions may lead to a NULL
pointer dereference. This issue can cause the client or server to crash.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-8114
Upstream-patch:
https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d
Signed-off-by: Divya Chellam <divya.chellam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
Saravanan
Peter Marko
Ninette Adhikari
Naman Jain
Zhang Peng
AshishKumar Mishra
Divya Chellam