6ae02f0f60
python3-ecdsa: Upgrade 0.19.1 -> 0.19.2
...
Changlog:
https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2
Signed-off-by: Mingli Yu <mingli.yu@windriver.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 27d096d984ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
822ae72861
xdg-dbus-proxy: upgrade 0.1.6 -> 0.1.7
...
Contains fix for CVE-2026-34080. Since it is tracked without version info
by NVD, mark it explicitily as patched.
Drop the patch that is included in this release.
While here, also add the recipe to the ptest list - it's a fast one,
runs under a second.
Changelog:
- Drop the autotools build system
- Unbreak the CI
- Prevent a crash on disconnect
- Fix building with glibc >= 2.43
- Fix the eavesdrop filtering to prevent message interception
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
326e8481b8
libgpiod: update to v2.2.4
...
Bug-fix release addressing several issues discovered during an
AI-augmented security audit. The most severe bug was found in the C
extension code of the python bindings - which also get an update - but
there were some memory leaks and integer overflow bugs in the core C
library as well as in tools and DBus daemon.
Full changelog:
Bug fixes:
- fix buffer over-read bugs when translating uAPI structs to library types
- fix variable and argument types where necessary
- sanitize values returned by the kernel to avoid potential buffer overflows
- fix memory leaks in gpio-tools
- add missing return value checks in gpio-tools
- fix period parsing in gpio-tools
- use correct loop counter in error path in gpio-manager
Improvements:
- make tests work with newer coreutils by removing cases checking tools'
behavior on SIGINT which stopped working due to changes in behavior of the
timeout tool
Also: drop the patch that's now upstream from the recipe.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
9f66cce6da
libgpiod: update to v2.2.3
...
Bug-fix release addressing a couple problems in gpio-manager and tests.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 172c473cafankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
3f2293398f
nodejs: mark CVE-2026-21710 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-21710
The CVE is fixed in the current recipe version[1], but NVD tracks it
without verison info.
Mark it as patched in the recipe.
[1]: https://github.com/nodejs/node/blob/v22.x/doc/changelogs/CHANGELOG_V22.md
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit b483760dbaskandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
61f2155c03
freeipmi: mark CVE-2026-33554 patched
...
The CVE is tracked by NVD without version info. It's description
confirms that it is fixed in version 1.6.17.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 21f792ff63skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
2d10d4a11d
libsoup-2.4: fix several CVEs
...
Fix CVE-2026-1539,CVE-2026-1761,CVE-2026-1801,CVE-2026-2443,
CVE-2026-2369,CVE-2026-1760,CVE-2025-14523,CVE-2025-32049,CVE-2026-1467
Refer:
CVE-2026-1801 https://gitlab.gnome.org/GNOME/libsoup/-/issues/481
CVE-2026-1761 https://gitlab.gnome.org/GNOME/libsoup/-/issues/493
CVE-2026-2443 https://gitlab.gnome.org/GNOME/libsoup/-/issues/487
CVE-2026-1539 https://gitlab.gnome.org/GNOME/libsoup/-/issues/489
CVE-2026-2369 https://gitlab.gnome.org/GNOME/libsoup/-/issues/498
CVE-2026-1760 https://gitlab.gnome.org/GNOME/libsoup/-/issues/475
CVE-2025-14523 https://gitlab.gnome.org/GNOME/libsoup/-/issues/472
CVE-2025-32049 https://gitlab.gnome.org/GNOME/libsoup/-/issues/390
CVE-2026-1467 https://gitlab.gnome.org/GNOME/libsoup/-/issues/488
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 07d6722816ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
9f003507af
python3-grpcio: ignore CVE-2026-33186
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
The vulnerability only affects the Go implememtation of the library,
not the Python one. Ignore this CVE due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 468ee626f8ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
850b7f6fd7
protobuf, python3-protobuf: ignore CVE-2026-6409
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6409
The vulnerability impacts only the PHP library component, not the
cpp/python one. Ignore this CVE due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit aef8bc3422ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
d91b26edec
libcoap: patch CVE-2026-29013
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29013
Debian[1] also identified this as a fix.
[1] https://security-tracker.debian.org/tracker/CVE-2026-29013
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
c50a1edbcf
lcms: patch CVE-2026-41254
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254
Backport the patches referenced by the NVD advisory.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-08 07:22:44 +05:30
d861698ab8
lshw: Fix binmerge
...
In case $sbindir = $bindir we have to pass this setting to make.
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit d09f50438fanuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:21 +05:30
76819dfd4c
libdvdnav: use https for fetching code
...
Signed-off-by: Markus Volk <f_l_k@t-online.de >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit b50fbdd66banuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:21 +05:30
e1fba4cbbc
libdvdcss: use https for fetching code
...
Signed-off-by: Markus Volk <f_l_k@t-online.de >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit ae92a2993canuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:21 +05:30
50cde1e649
libdvdread: use https for fetching code
...
Signed-off-by: Markus Volk <f_l_k@t-online.de >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 7bf89d06a4anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:21 +05:30
c72fd80a5c
jq: patch CVE-2026-39979
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979
Backport the patch that is referenced by the NVD advisory.y
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 2b1e34f0f5anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:21 +05:30
2732cd42ec
jq: patch CVE-2026-33948
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 8d399af333anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:21 +05:30
f251c27025
jq: patch CVE-2026-33947
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947
Backport the patch that is referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 525e18ce21anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
c547565088
jq: patch CVE-2026-32316
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit e94ab85126anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
1574d0ed55
jq: Use Git to fetch the code
...
There is a bug (see https://github.com/jqlang/jq/issues/434 ), which
results in an empty version being used if autoreconf is run on the jq
sources when using a release tar ball. The incorrect assumption is that
autoreconf is only used when fetching the code using Git.
The empty version results in an incorrect libjq.pc file being created
where the version is not set, which results in, e.g.,
`pkgconf --libs 'libjq > 1.6'` failing even if version 1.8.1 of jq is
actually installed.
Switch to fetching the code using Git to workaround the bug.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit ed33569f82anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
3ed2bdeb7d
libgphoto2: patch CVE-2026-40341
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40341
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit de5f93f95danuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
2a3142c8fc
libgphoto2: patch CVE-2026-40340
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40340
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 420e5aec46anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
c7d9a8a5bf
libgphoto2: patch CVE-2026-40339
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40339
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 2e3be1dddcanuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
6ea6840dd3
libgphoto2: patch CVE-2026-40338
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40338
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit f22e17508eanuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
0d7e46071f
libgphoto2: patch CVE-2026-40336
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40336
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 078f26b084anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
52e89178e6
libgphoto2: patch CVE-2026-40335
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40335
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit f735ea20b1anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
866c25643a
libgphoto2: patch CVE-2026-40334
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40334
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit ce3fa8ad2aanuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
9e9977200d
libgphoto2: patch CVE-2026-40333
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40333
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 754e02c668anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
ba9800188e
openjpeg: patch CVE-2026-6192
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 09050325e6anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
c642dbf8e7
monkey: patch CVEs
...
These patches are about a number of CVEs files against the application:
CVE-2025-63649, CVE-2025-63650, CVE-2025-63651, CVE-2025-63652, CVE-2025-63653, CVE-2025-63655,
CVE-2025-63656, CVE-2025-63657 and CVE-2025-63658.
These patches are taken from a pull request[1] that is referenced in the relevant bug report[2].
The patches don't target specific CVEs on separately, but they fix a number of CVEs altogether.
Based on upstream analysis (in the linked issue) a number of these CVEs are duplicates of each
other and/or not exploitable. The valid CVEs are fixed by these patches.
I haven't added specific CVE info to the patches, one hand because of the above, it is hard to
separate the patches by CVE, and secondarily because NVD tracks these CVEs with incorrect version
info: NVD considers 1.8.6 fully fixed, even though the patches are only in the master branch,
untagged at this time. After updating the recipe to 1.8.6+, the vulnerabilites will disappear
from the CVE report due to this.
[1]: https://github.com/monkey/monkey/pull/434
[2]: https://github.com/monkey/monkey/issues/426
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit d31f07340fanuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
a7b755fbd0
monkey: upgrade 1.8.4 -> 1.8.7
...
Shortlog:
https://github.com/monkey/monkey/compare/v1.8.4...v1.8.7
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 22277ca3a3anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
133678b770
hiawatha: upgrade 11.7 -> 11.8
...
Drop patches that are included in this release.
Changes:
* mbed TLS updated to 3.6.4.
* Small bugfixes.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d92fa873e5ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
1df4552b9e
imagemagick: upgrade 7.1.2-18 -> 7.1.2-19
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 946243ec05skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
ae59325285
corosync: patch CVE-2026-35092
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092
Pick the patch that mentions the CVE ID explicitly (the same commit
was identified by Debian also[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35092
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
5b72e39149
corosync: patch CVE-2026-35091
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091
Pick the patch that mentions the CVE ID explicitly (it was identified
by Debian also as the fix[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35091
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
1f8d2c36c0
botan: patch CVE-2026-34582
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-34582
Debian has identified[1] the PR that fixes this, however the url seems to have a
typo - it was PR number 5499[2], and not 5599[3]. (The backported commit's description matches
the CVE's description)
[1]: https://security-tracker.debian.org/tracker/CVE-2026-34582
[2]: https://github.com/randombit/botan/pull/5499
[3]: https://github.com/randombit/botan/pull/5599
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
4c4eaf1d21
php: upgrade 8.4.19 -> 8.4.20
...
This is a bug fix release.
Changelog: https://www.php.net/ChangeLog-8.php#8.4.20
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
a23083428f
giflib: patch CVE-2025-31344
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31344
Backport the commit that mentions this CVE ID explicitly
in its message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
fed5dab762
imagemagick: upgrade 7.1.2-17 -> 7.1.2-18
...
Contains fixes for CVE-2026-33535 and CVE-2026-33536
Shortlog:
https://github.com/ImageMagick/ImageMagick/compare/7.1.2-17...7.1.2-18
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
873ae07e82
opensc: patch CVE-2025-66038
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66038
Backport the patch that is referenced by the upstream wiki
page[1] that is related to this vulnerability.
[1]: https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
73034a4fe1
opensc: patch CVE-2025-66037
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66037
Backport the patch that is referenced by the upstream wiki
page[1] that is related to this vulnerability.
[1]: https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
7c8dd8d492
opensc: patch CVE-2025-49010
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49010
Backport the patch that is referenced by the upstream wiki
page[1] that is related to this vulnerability.
[1]: https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
6c4868d3f7
nodejs: ignore fixed CVEs
...
All these CVEs are fixed in v22.22.2[1], except for CVE-2026-21712,
which does not affect v22 series, because it was introduced in a
later version[2]. All these CVEs are tracked without version info
by NVD at the time of creating this patch.
[1]: https://github.com/nodejs/node/blob/v22.x/doc/changelogs/CHANGELOG_V22.md
[2]: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
2c70222d32
nodejs: upgrade 22.22.1 -> 22.22.2
...
This is the March 2026 security release.
2 high severity issues.
5 medium severity issues.
2 low severity issues.
High priority fixes:
CVE-2026-21637
CVE-2026-21710
Medium priority fixes:
CVE-2026-21711 (affects only nodejs v25)
CVE-2026-21712 (affects only nodejs v24 & v25)
CVE-2026-21713
CVE-2026-21714
CVE-2026-21717
Low priority fixes:
CVE-2026-21715
CVE-2026-21716
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
Changelog: https://github.com/nodejs/node/releases/tag/v22.22.2
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit d32cd27eaaskandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
de8e685a66
nodejs: upgrade 22.22.0 -> 22.22.1
...
License Update: Add sorttable.js under the MIT license - https://github.com/nodejs/node/pull/61348/files
Update minimatch to the Blue Oak Model License - https://github.com/nodejs/node/commit/e72da8c7544727f90b857ba86b8c7755e631fe96
Changelog: https://github.com/nodejs/node/releases/tag/v22.22.1
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit db05f827bbskandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
25dbfb365a
giflib: Fix CVE-2026-23868
...
Pick patch according to [1]
[1] https://www.facebook.com/security/advisories/cve-2026-23868
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-23868
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
d994b091f6
dovecot: mark CVE-2026-0394 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0394
As identified[1] by Debian, the recipe version already contains
the commits that fix this. Due to this mark it as patched.
[1]: https://security-tracker.debian.org/tracker/CVE-2026-0394
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
47ec93ee07
dovecot: patch CVE-2025-59031
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-59031
Backport the patch that was identified[1] by Debian.
[1]: https://security-tracker.debian.org/tracker/CVE-2025-59031
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
b35ad41144
botan: patch CVE-2026-32884
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32884
The backported patch was selected based on the security.rst[1]
file of the project, that mentions the date of the fix. When
looked through the commits from that date, picked the one that's
description matches the CVE description.
The included test passed successfully (along with the other tests).
[1]: https://github.com/randombit/botan/blob/master/doc/security.rst
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
70a903c888
botan: patch CVE-2026-32883
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32883
Backport the patch that was identified by Debian[1].
The included test passed successfully (along with the other tests).
[1]: https://security-tracker.debian.org/tracker/CVE-2026-32883
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-24 21:13:20 +05:30
Mingli Yu
Gyorgy Sarvari
Bartosz Golaszewski
Changqing Li
Ankur Tyagi
Jörg Sommer
Markus Volk
Peter Kjellerstedt
Wang Mingyu
Jason Schonberg
Vijay Anusuri