The CVE is fixed in the current version already, however
NVD tracks it without version - suppress the report explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
Skipped the duplicate singleton header check in lax mode (the default for response
parsing). In strict mode (request parsing, or -X dev), all RFC 9110 singletons
are still enforced.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
It has been unmaintained/EOL for over a year - there is
a recipe for a newer, still supported version.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Contains fix for CVE-2026-34610 (which is however tracked without
a version by NVD, so it is marked as patched explicitly)
Changelog:
- Offer a means to select the AES-C constant time / S-Box
implementation via lc_init API
- use the AES-C constant time implementation by default - it is
about 3 times slower than the AES-C S-Box implementation, but
more secure. As the leancrypto library is about secure by default,
the CT implementation is just right. Furthermore, if a caller
wants to have the faster AES-C S-Box, he can call
lc_init(LC_INIT_AES_SBOX) at the beginning.
- X.509: fix security issue (CVE-2026-34610)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The CVE is tracked by NVD without version info. It's description
confirms that it is fixed in version 1.6.17.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Both CVEs were fixed in version 3.11.0, however NVD tracks them
without version/CPE info.
Relevant commits:
CVE-2026-32877: 798a332e11
CVE-2026-32883: 6ecc62a4e3
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Contains fixes for CVE-2026-35580 and CVE-2026-35582
Changelog: https://botan.randombit.net/news.html#version-3-11-1-2026-03-31
-CVE-2026-35580: Resolve certificate verification bypass bug introduced in 3.11.0
-CVE-2026-35582: Resolve TLS 1.3 client authentication bypass
-Add optimized Argon2 implementation using AVX512
-Add optimized and constant-time Twofish implementation using AVX512/GFNI
-Add optimized and constant-time SEED implementation using AVX512/GFNI
-Add optimized and constant-time Whirlpool implementations using AVX2 and AVX512
-Add SSSE3/NEON and AVX2 optimized codepaths for CTR
-Add constant time implementations of Camellia, ARIA, SEED and SM4 using
AES-NI or ARMv8 AES instructions to implement sbox lookups
-Improve performance of the AVX512 implementation of SHA-512 especially for Clang
-Optimizations for the IDEA modular multiplication
-Fix various minor TLS conformance issues flagged by TLS-Anvil
-Fix bug in Ed25519 where an invalid signature checked with PK_Verifier
might cause a later valid signature to be rejected.
-Fix a bug in handling of ECDSA DER-encode signatures where an invalid
signature checked with PK_Verifier might cause a later valid signature to be rejected.
-Fix a problem introduced in 3.11.0 which could cause crashes on processors without
SSSE3 support, particularly when compiled by GCC.
-Fix various new warnings from clang-tidy 22
-Fix a compilation error introduced in 3.11.0 which prevented using ffi
unless bcrypt was also enabled.
-Avoid a macro collision with Microsoft headers that could cause a compilation
problem in amalgamation mode.
-Enable explicit_bzero, getentropy, getrandom on Hurd
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Fixes errors e.g.
error: assigning to 'char *' from 'const char *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
131 | dot = strrchr(filename, '.');
| ^ ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
They are latent and brought to fore with autoconf 2.73 which switches
defaults to use -std=gnu23
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Without it, it will throw "ModuleNotFoundError: No module named
'unittest'" from pyroute2/netlink/rtnl/iprsocket.py" line 6.
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit adds a PACKAGECONFIG to build the av1 gdk-pixbuf-loader/thumbnailer
and enables it by default.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
- add missing dependencies
- add PACKAGECONFIG for aom,svt-av1
1.4.1 - 2026-03-20
Changed since 1.4.0
Fix build with CMake 3.22
Update aom.cmd/LocalAom.cmake: v3.13.2
Update libxml2.cmd/LocalLibXml2.cmake: v2.15.2
Update libyuv.cmd/LocalLibyuv.cmake: 6067afde5 (1922)
Support long path names in Windows
Fix cicp management and memory leaks in avifgainmaputil #3102.
Removed since 1.4.0
Remove experimental status for the following options of avifenc: --progressive, --layered and --scaling-mode, and the extraLayerCount option of avifEncoder.
1.4.0 - 2026-03-04
Added since 1.3.0
Allow avifenc to read png or jpeg files through stdin using --stdin-format.
Support some Sample Transform schemes as defined in the version 1.2 of the AVIF specification.
Add an optional argument to the --depth flag of avifenc used to enable a bit depth extension scheme in the encoded file.
Add support for converting jpeg files with Apple style gain maps.
Add support for PNG cICP chunk when decoding PNG files. If a PNG file contains a cICP chunk and other color information chunks, such as iCCP (ICC profile), the other chunks are ignored as per the PNG Specification Third Edition Section 4.3.
Support reading Sample-Transform-based 16-bit AVIF files when avifDecoder::imageContentToDecode & AVIF_IMAGE_CONTENT_SAMPLE_TRANSFORMS is not zero.
Support Sample Transform derived image items with grid input image items.
Add --sato flag to avifdec to enable Sample Transforms support at decoding.
Add --grid option to avifgainmaputil.
Apply clean aperture crop, rotation and mirror when decoding to PNG or JPEG. Remove orientation information from Exif if present.
Add avif::RGBImageCleanup to the C++ API.
Changed since 1.3.0
Set avifDecoder::image->depth to the same value after avifDecoderParse() as after avifDecoderNextImage() when the file to decode contains a 'sato' derived image item.
avifdec only enables Sample Transform decoding when --depth is set to 16.
Update dav1d.cmd/dav1d_android.sh/LocalDav1d.cmake: 1.5.3
Update googletest.cmd/LocalGTest.cmake: v1.17.0
Update libgav1.cmd: v0.20.0
Update libjpeg.cmd/LocalJpeg.cmake: 3.1.3
Update libyuv.cmd/LocalLibyuv.cmake: deeb764bb (1922)
Update libsharpyuv.cmd/LocalLibsharpyuv.cmake: v1.6.0
Update libxml2.cmd/LocalLibXml2.cmake: v2.15.1
Update aom.cmd/LocalAom.cmake: v3.13.1
Update LocalAvm.cmake: research-v13.0.0
Update rav1e.cmd/LocalRav1e.cmake: cargo-c v0.10.20, corrosion v0.6.1, rav1e v0.8.1
Update svt.cmd/svt.sh/LocalSvt.cmake: v4.0.1
Update zlibpng.cmd/LocalZlibpng.cmake: libpng 1.6.55, zlib 1.3.2
Fix grayscale conversion when changing the bit depth.
Bump cmake_minimum_required from 3.13 to 3.22
Associate transformative properties with alpha auxiliary image items.
Always forward the CICP color primaries, transfer characteristics, and matrix coefficients to the AV1 encoder, which writes them in the Sequence Header OBU, for compatibility with libraries that wrongly ignore the colr box.
Use a "quality to quantizer (QP)" mapping formula designed for AOM_TUNE_IQ.
Set tuning before applying the user-provided specific aom codec options.
Use AOM_TUNE_PSNR by default when encoding alpha with libaom because AOM_TUNE_SSIM causes ringing for alpha.
Use AOM_TUNE_IQ by default when encoding still non-RGB color samples with libaom v3.13.0 or later.
Converting an image containing a gain map using avifenc with the --grid flag now also splits the gain map into a grid.
In avifenc, set Exif orientation to 1 (no transformation) when converting JPEGs to AVIF.
Use all-intra encoding for a layered image if the total number of layers is 2 and the quality of the first layer is very low (q <= 10).
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The directx-headers dependency is no longer required and got removed
from CMakeLists.txt
Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The ebtables utility can be provided by both ebtables and iptables
packages. Set higher priority for the version provided by iptables
to prefer it.
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Fixes issues introduced in commit 16a72067f5 ("python3-ninja: upgrade
1.11.1.1 -> 1.13.0").
Upstream's __init__.py uses a relative import:
from .ninja_syntax import Writer, escape, expand
This requires ninja_syntax.py to be present inside the ninja package
directory. Upstream relies on CMake (via scikit-build-core) to copy
ninja_syntax.py from ninja-upstream/misc/ into the package during
build [1]. Since the OE recipe replaces scikit-build-core with
setuptools (no-scikit-build.patch), CMake is not invoked and this
copy does not happen, causing ImportError at runtime.
Similarly, upstream uses scikit-build-core's generate feature to
create _version.py from the SCM version. With setuptools, this
does not happen automatically, so generate it in do_configure.
[1] https://github.com/scikit-build/ninja-python-distributions/commit/f3b4a786be
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Fix following error when multilib is used:
Running transaction test
Error: Transaction test error:
file /etc/pam.d/vsftpd conflicts between attempted installs of vsftpd-3.0.5-r0.x86_64_v3 and lib32-vsftpd-3.0.5-r0.core2_32
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
============
- Popup menu at tab label on keybord activated
- Add keyboard support for context menu on terminal
- Add keyboard support for history menu on back and forward buttons
- Add keyboard support for context menu on toolbar
- Popup menu on tree view item for keyboard activated
- Popup menu at focused widget on keyboard activated
- Disable overlay scrolling by default (#367)
- Wrap long filenames in error dialogs (#1412)
- Limit filname length for create/rename (#1812)
- Add fallback for backdrop highlight color
- Properties dialog - add separator for fs data
- Show filesystem type in preferences
- At tooltips to 'Capacity' and 'Usage' (#1806)
- Show as well 'usable' size in 'Capacity' row (#1806)
- Differ between total and usable fs space (#1806)
- Add help text for URL arguments
- Call xfconf_shutdown before exit
- Store pending column size changes on close (#1318)
- Use GtkTreeModelFilter for tree view side pane (#1460)
- Tree-view pane: Fix wrong selection on open new window
- Prevent shortcuts view focus lost (#1675)
- Add 'grab_focus' parameter to 'set directory' calls (#1675)
- Expose drag-drop-mode in preferences
- Init media_fs_uuids on startup
- Never ask twice on replace/overwrite (#1794)
- Fix translations for XML file (#1790)
- Improve statusbar loading text (#1787)
- Detect CDROM media changes using ID_FD_UUID udev property
- Add %d to strings to fix some transl. (#939)
- Pass current dir to catfish (#1785)
- Ignore G_IO_ERROR_NOT_SUPPORTED (#1782)
- Show selection busy information on statusbar
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==========
- parse_list_header preserves partially quoted items, discards empty items, and
returns empty for unclosed quoted values.
- WWWAuthenticate.to_header does not produce a trailing space when there are no
parameters.
- Transfer-Encoding is parsed as a set.
- Request.host, get_host, and host_is_trusted validate the characters of the
value. An empty value is no longer allowed. A Unix socket server address is
ignored. The trusted_list argument to host_is_trusted is optional.
- Fix multipart form parser handling of newline at boundary.
- Response.make_conditional sets the Accept-Ranges header even if it is not a
satisfiable range request.
- merge_slashes merges any number of consecutive slashes.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
Limit number of parts of a TOML key to address quadratic time complexity
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
=========
- (asgi) Add option to disable suppressing chained exceptions
- (logging) Separate ignore lists for events/breadcrumbs and sentry logs
- Set exception info on streaming span when applicable
- Patch AsyncStream.close() and AsyncMessageStream.close() to finish spans
- Patch Stream.close() and MessageStream.close() to finish spans
- (starlette) Catch Jinja2Templates ImportError
- Add note on AI PRs to CONTRIBUTING.md
- Pin GitHub Actions to full-length commit SHAs
- Add -latest alias for each integration test suite
- Use date-based branch names for toxgen PRs
- Update test matrix with new releases (03/19)
- Add client report tests for span streaming
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
==========
- Fix AttributeError in cluster metrics recording when connection is None or
ClusterNode object instance is used to extract the connection info (#3999)
- Fixing security concern in repr methods for ConnectionPools - passwords might
leak in plain text logs (#3998)
- Refactored connection count and SCH metric collection (#4001)
- Refactored health check logic for MultiDBClient (#3994)
- Expose basic Otel classes and functions to be importable through
redis.observability to match the examples in the readthedocs
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
- Make marshmallow.fields.Number and marshmallow.fields.Mapping abstract base
classes to prevent using them within Schemas
- Allow required to be set on marshmallow.fields.Contant
- Fix marshmallow.validate.OneOf emitting extra pairs when labels outnumber
choices
- Fix behavior when passing a dot-delimited attribute name to partial for a key
with data_key set
- Fix Enum field by-name lookup to only return actual members
- marshmallow.fields.DateTime with format="timestamp_ms" properly rejects bool
values
- Fix typing of error_essages argument to marshmallow.fields.Field
- Add ipaddress.* to marshmallow.Schema.TYPE_MAPPING
-
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Bug Fixes
==========
- HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2
ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)
- ASGI Chunked EOF Handling: Add finish() method to callback parser to handle
chunked encoding edge case where connection closes before final CRLF after
zero-chunk
- HTTP/2 Documentation: Fix http_protocols examples to use comma-separated
string instead of list syntax (#3561)
- Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC
9112 (#3556)
- Request Line Limit: Fix --limit-request-line 0 to mean unlimited as
documented, instead of using default maximum. Works with both Python and fast
C parser. (#3563)
- uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when
using gevent or gthread workers with uwsgi protocol behind nginx.
- FileWrapper Iterator Protocol: Add __iter__ and __next__ methods to
FileWrapper for full PEP 3333 compliance. Previously only supported old-style
__getitem__ iteration which broke code explicitly using iter() or next().
Security =============
- ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
- Reject duplicate Content-Length headers
- Reject requests with both Content-Length and Transfer-Encoding
- Reject chunked transfer encoding in HTTP/1.0
- Reject stacked chunked encoding
- Validate Transfer-Encoding values
- Strict chunk size validation
Changes ==========
- Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property
and InvalidChunkExtension validation for bare CR rejection
- ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser
- Docker Images: Update to Python 3.14
New Features ============
- Fast HTTP Parser (gunicorn_h1c 0.6.0): Integrate new exception types and
limit parameters from gunicorn_h1c 0.6.0 for both WSGI and ASGI workers
- Requires gunicorn_h1c >= 0.6.0 for http_parser='fast'
- Falls back to Python parser in auto mode if version not met
- Proper HTTP status codes for limit errors (414, 431)
Performance ============
- ASGI HTTP Parser Optimizations: Improve ASGI worker HTTP parsing performance
- Callback-based parsing with direct bytearray buffer operations
- Use bytearray.find() directly instead of converting to bytes first
- Use index-based iteration for header parsing instead of list.pop(0) (O(1) vs
O(n))
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
