mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity
30,355 Commits 64 Branches 0 Tags
71b601e3d721fd8edc0e98b627331e14f8ff7a23
Commit Graph

30355 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Divya Chellam 71b601e3d7 libssh: fix CVE-2025-4878 
A vulnerability was found in libssh, where an uninitialized variable
exists under certain conditions in the privatekey_from_file() function.
This flaw can be triggered if the file specified by the filename doesn't
exist and may lead to possible signing failures or heap corruption.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-4878

Upstream-patches:
https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1
https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-23 09:57:53 +08:00
Deepak Rathore b9fb6556a3 protobuf 4.25.8: Mark CVE-2024-7254 as patched 
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7254
Type: Security Fix
CVE: CVE-2024-7254
Score: 8.7
Patch: https://github.com/protocolbuffers/protobuf/commit/850fcce9176e

Analysis:
The original fix [1] for CVE-2024-7254 is listed in the NVD security
tracker (https://nvd.nist.gov/vuln/detail/CVE-2024-7254) and was
subsequently backported to the v4.25.8 version via commit [2].
Hence, this CVE is considered patched in the current source.

Reference:
[1] https://github.com/protocolbuffers/protobuf/commit/cc8b3483a558
[2] https://github.com/protocolbuffers/protobuf/commit/850fcce9176e (v4.25.8)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:13 +08:00
Martin Schwan 10fc221938 linuxptp: Add systemd instance specifier for ptp4l dependency 
Add the instance specifier to the ptp4l dependency for the phc2sys
service, so the corresponding service is automatically started
correctly. This fixes the following error messages, when starting the
phc2sys@... service:

    Failed to restart phc2sys@eth0.service: Unit ptp4l.service not found.

Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 31f0b9d3d5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:13 +08:00
Michael Opdenacker 2222925e92 kernel-hardening-checker: backport recipe 
This recipe is a Scarthgap backport of kernel-hardening-checker_0.6.10.2.bb
in the master branch as of August 19, 2025.

Tested on qemux86-64 and on beaglebone-yocto

Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:13 +08:00
Gyorgy Sarvari f2b163a416 poppler: fix typos in CVE-2025-52886-0001.patch 
There were a some accidenal typos in the CVE-2025-52886-0001.patch file
that introduced a number of syntactical errors in the qt5/src/poppler-annotation.cc
file, which failed the compilation, in case qt5 PACKAGECONFIG is enabled.

This change fixes these typos. Since qt6 is not enabled in the recipe,
only the qt5 related parts were verified.

While reworking the backport, unfortunately some line number differences
were introduced, which inflate the size of this patch - just scroll
past those.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:13 +08:00
Zhang Peng 2ffcfd6a34 iperf3: fix CVE-2025-54349 
CVE-2025-54349:
In iperf before 3.19.1, iperf_auth.c has an off-by-one error and resultant
heap-based buffer overflow.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-54349]

Upstream patches:
[https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:12 +08:00
Zhang Peng fddaa45a87 gnuplot: fix CVE-2025-31181 
CVE-2025-31181:
A flaw was found in gnuplot. The X11_graphics() function may lead to a
segmentation fault and cause a system crash.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31181]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/af96c2c1b20383684b1ec2084dab7936f7053031/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:12 +08:00
Zhang Peng 732f5800cf gnuplot: fix CVE-2025-31180 
CVE-2025-31180:
A flaw was found in gnuplot. The CANVAS_text() function may lead to a
segmentation fault and cause a system crash.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31180]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b2343fd02c4fff94957f0151b73daa0a1f7fec49/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:12 +08:00
Zhang Peng 02d046e20d gnuplot: fix CVE-2025-31179 
CVE-2025-31179:
A flaw was found in gnuplot. The xstrftime() function may lead to a
segmentation fault, causing a system crash.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31179]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/ed647df512786b3c94429dd5c864715301e03ea5/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:12 +08:00
Zhang Peng 3d810d7d3b gnuplot: fix CVE-2025-31178 
CVE-2025-31178:
A flaw was found in gnuplot. The GetAnnotateString() function may lead to a
segmentation fault and cause a system crash.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31178]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b78cc829a18e9436daaa859c96f3970157f3171e/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:12 +08:00
Zhang Peng dd4b10de44 gnuplot: fix CVE-2025-31177 
CVE-2025-31177:
gnuplot is affected by a heap buffer overflow at function utf8_copy_one.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31177]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/226809aebb345e74d371bb43a2b434b490be527a/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:12 +08:00
Zhang Peng a3826c4999 gnuplot: fix CVE-2025-31176 
CVE-2025-31176:
A flaw was found in gnuplot. The plot3d_points() function may lead to a segmentation
fault and cause a system crash.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31176]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b456a3ef618f55a20b3071d336cb20514274f1d4/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:12 +08:00
Zhang Peng 9d3537ef42 gnuplot: fix CVE-2025-3359 
CVE-2025-3359:
A flaw was found in GNUPlot. A segmentation fault via IO_str_init_static_internal
may jeopardize the environment.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-3359]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/a5897feadc4be73b0ffd8458556c47117bd24d03/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:12 +08:00
Hitendra Prajapati a8fdc03123 libssh: fix CVE-2025-4877 
Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:11 +08:00
Peter Marko 97e9dee283 nginx: patch CVE-2025-53859 
Pick patch from nginx site which is also mentioned in [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-53859

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:11 +08:00
Alexandre Truong 3ef67c94da hunspell-dictionaries: switch branch from master to main 
The repository of dictionaries doesn't have a branch named master. So, the
branch is switched to main.

Signed-off-by: Alexandre Truong <alexandre.truong@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:11 +08:00
Martin Jansa d90b295188 abseil-cpp: fix build with gcc-15 on host 
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:11 +08:00
Yogita Urade 938c8d28a2 postgresql: upgrade 16.9 -> 16.10 
Includes fix for CVE-2025-8713, CVE-2025-8714, CVE-2025-8715

License-Update: Align organization wording in copyright statement

Changelog:
https://www.postgresql.org/docs/release/16.10/

Refreshed 0003-configure.ac-bypass-autoconf-2.69-version-check.patch
for 16.10

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:11 +08:00
Yogita Urade c316f92599 poppler: fix CVE-2025-50420 
An issue in the pdfseparate utility of freedesktop poppler
v25.04.0 allows attackers to cause an infinite recursion via
supplying a crafted PDF file. This can lead to a Denial of
Service (DoS).

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50420

Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/a7025904e3330dd6cf95f3664ef6fc77034cc5e1

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:11 +08:00
Jan Vermaete b484df6361 python3-werkzeug: added python3-difflib as RDEPENDS 
File "/usr/lib/python3.12/site-packages/werkzeug/routing/exceptions.py", line 3, in <module>
    import difflib
ModuleNotFoundError: No module named 'difflib'

Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:11 +08:00
Randolph Sapp dcef3fff75 vulkan-cts: allow vulkan versions > 1.3 
Backport a patch from upstream that allows vulkan-cts to work with
Vulkan version greater than 1.3. Previously any unknown Vulkan versions
will return 0 when we attempt to locate the minimum version with
minVulkanAPIVersion.

Signed-off-by: Randolph Sapp <rs@ti.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:11 +08:00
Changqing Li 1095ea81ed luajit: fix several CVEs 
Fix CVE-2024-25176, CVE-2024-25177, CVE-2024-25178

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:10 +08:00
Roland Kovacs e099b1462d jq: add Upstream-Status and CVE tags into .patch files 
v1 version was merged instead of v2 from:
https://lists.openembedded.org/g/openembedded-devel/message/118302
add missing Upstream-Status and CVE tags from v2.

Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:10 +08:00
Praveen Kumar 3fbbd2c080 php: upgrade 8.2.28 -> 8.2.29 
This upgrade fixes below CVEs.
CVE-2025-1735
CVE-2025-6491
CVE-2025-1220

Changelog: https://www.php.net/ChangeLog-8.php#8.2.29

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-12 08:15:06 +08:00
Jiaying Song 2a7a09ff10 v4l-utils: Fix QA and build errors related to _TIME_BITS on 32-bit 
* Remove GLIBC_64BIT_TIME_FLAGS="" to enable _TIME_BITS=64 by default,
  which avoids the following QA issue during builds on 32-bit systems:

  WARNING: lib32-v4l-utils-1.24.1+git-r0 do_package_qa: QA Issue: /usr/bin/cec-compliance uses 32-bit api 'time'

* Undefine _TIME_BITS to fix the build error:

  /usr/include/features-time64.h:26:5: error: #error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64"

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
 2025-09-11 16:58:30 +08:00
kjlau0112 c29a18fa39 mbedtls: drop tag parameter from SRC_URI. 
Signed-off-by: kjlau0112 <karn.jye.lau@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
 2025-08-18 08:35:05 -07:00
Peter Marko 205638f9ed poco: patch CVE-2025-6375 
Pick commit mentioned in [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6375

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Peter Marko 37b138014b poco: ignore additional failing tests 
These tests are failing and thus preventing verification of new patches.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Peter Marko e67921006f minifi-cpp: patch spdlog CVE-2025-6140 
Same patch as in spdlog recipe.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Peter Marko 1fb0820868 spdlog: patch CVE-2025-6140 
Pick commit [1] mentioned in [2] as listed in [3].

[1] https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094
[2] https://github.com/gabime/spdlog/issues/3360
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-6140

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Peter Marko ba84c52d55 libcoap: patch CVE-2024-31031 
Pick commit [1] from [2] which fixes [3] as listed in [4].

[1] https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928
[2] https://github.com/obgm/libcoap/pull/1352
[3] https://github.com/obgm/libcoap/issues/1351
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-31031

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Yogita Urade c8a1b909ec poppler: fix CVE-2025-52886 
Poppler is a PDF rendering library. Versions prior to 25.06.0
use `std::atomic_int` for reference counting. Because
`std::atomic_int` is only 32 bits, it is possible to overflow
the reference count and trigger a use-after-free. Version 25.06.0
patches the issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-52886
https://security-tracker.debian.org/tracker/CVE-2025-52886

Upstream patches:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/3449a16d3b1389870eb3e20795e802c6ae8bc04f
https://gitlab.freedesktop.org/poppler/poppler/-/commit/ac36affcc8486de38e8905a8d6547a3464ff46e5

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Hitendra Prajapati 21e370fd3c open-vm-tools: fix CVE-2025-22247 
VMware Tools contains an insecure file handling vulnerability.
\xa0A malicious actor with non-administrative privileges on a
guest VM may tamper the local files to trigger insecure file
operations within that VM.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-22247

Upstream patch: Backport from https://github.com/vmware/open-vm-tools/blob/CVE-2025-22247.patch/CVE-2025-22247-1230-1250-VGAuth-updates.patch

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Guocai He c781171d34 mariadb: File conflicts for multilib 
File conflicts between attempted installs of mariadb and lib32-mariadb

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

(master rev: ddd322323e)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Swamil Jain 958ef90ab0 kmsxx: Revert to using original name for kmstest 
Earlier both libdrm[1] and kmsxx[2] projects used to provide a binary
program called kmstest. To avoid the clash, the kmsxx recipe was
updated to rename this binary to kmsxxtest during installation. However
libdrm project has now removed kmstest[3] and hence there is no clash
in naming anymore, so revert back to original name of binary i.e.
kmstest.

[1]: https://gitlab.freedesktop.org/mesa/libdrm.git
[2]: https://github.com/tomba/kmsxx
[3]: https://gitlab.freedesktop.org/mesa/libdrm.git
commit: 2b997bb4bb688be00620887c8646ff24ccb9396b

Signed-off-by: Swamil Jain <s-jain1@ti.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Yogita Urade 7b57b8f106 mariadb: upgrade 10.11.9 -> 10.11.12 
This upgrade includes fix for CVE-2023-52969, CVE-2023-52970
and CVE-2023-52971

Changelog:
https://mariadb.com/kb/en/mariadb-10-11-12-changelog/

refresh 0001-Add-missing-includes-cstdint-and-cstdio.patch

Droped mm_malloc.patch and ppc-remove-glibc-dep.patch (Commit ID:
https://github.com/MariaDB/server/commit/dff354e7df2fa774ce4da77202a17e2cae99ac59)
as these changes are available in 10.11.12

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Hitendra Prajapati 1b222113dc libssh: fix CVE-2025-5351 & CVE-2025-5372 
* CVE-2025-5351 - Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256
* CVE-2025-5372 - Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Guðni Már Gilbert 2c9126bd0d mbedtls: upgrade 3.6.3.1 -> 3.6.4 
Fixes several security vulnerabilities:
CVE-2025-49601, CVE-2025-49600, CVE-2025-52496,
CVE-2025-47917, CVE-2025-48965, CVE-2025-52497,
and CVE-2025-49087

The framework directory has been changed into a git submodule.[1][2]
The recipe now uses Git Submodule Fetcher (gitsm)

Changelog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4

[1] https://github.com/Mbed-TLS/mbedtls/commit/8cf5666a174237998a7965e284d7ba8c1655d16d
[2] https://github.com/Mbed-TLS/mbedtls/commit/c90c6d8ff787ab8787d9373b0e662a95ed1f4dae

Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:37:04 -04:00
Wang Mingyu 6dedea4262 mbedtls: upgrade 3.6.3 -> 3.6.3.1 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:34:07 -04:00
Guocai He ec1f3712f2 softhsm: correct the SRC_URI 
The old SRC_URI is not available.

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:13:21 -04:00
Hitendra Prajapati e66e64ee63 redis: fix CVE-2025-32023 
Upstream-Status: Backport from https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:13:18 -04:00
Jinfeng Wang fb6424156a postfix: fix rootfs file difference 
Rootfs file differs with the same project configure, add preliminary
setting to avoid this.

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:13:14 -04:00
Vijay Anusuri c672757f81 apache2: Upgrade 2.4.62 -> 2.4.64 
This upgrade incorporates the fixes for CVE-2025-53020, CVE-2025-49812,
CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394,
CVE-2024-43204, CVE-2024-42516 and other bugfixes.

Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.64

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:13:10 -04:00
Vijay Anusuri 1e80bb4b03 proftpd: Fix CVE-2023-51713 
Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592

Link: https://git.openembedded.org/meta-openembedded/commit/?h=kirkstone&id=730e44900a0a86265bad93a16b5a5ff344a07266

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:13:06 -04:00
Guocai He b5b11c1cc0 thrift: correct the SRC_URI 
The tarball of version 0.20.0 can not be found on old SRC_URI.

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-08-02 13:13:02 -04:00
J. S. e8fd97d86a xfce4 update HOMEPAGEs 
https://goodies.xfce.org/ states "Starting this month (November 2019), a project is starting
to migrate the goodies.xfce.org documentation to https://docs.xfce.org/start. The goal is to
remove deprecated projects and, eventually, de-commission the goodies.xfce.org URLs. Additional
information will be posted on https://wiki.xfce.org/projects/goodies-decomm/start as the project
proceeds."

This patch updates the URLs being used in the HOMEPAGEs to reflect where the address is actually
resolving.

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-07-10 20:29:57 -04:00
Guocai He 3b6e1fa190 logcheck: correct the SRC_URI 
In http://ftp.debian.org/debian/pool/main/l/logcheck/, the
tarball of version 1.4.3 is not available.

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-07-10 20:23:41 -04:00
Guocai He dde4e6d41b libconfig: correct the SRC_URI 
The old SRC_URI is not available.

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-07-10 20:23:37 -04:00
Martin Jansa bf0a439694 python3-h5py: backport fixes for incompatible-pointer-types issues 
Needed in scarthgap for native build on hosts with gcc-14 and newer.

It was in master since:
https://git.openembedded.org/meta-openembedded/diff/meta-python/recipes-devtools/python/python3-h5py_3.11.0.bb?id=f0c767407d033e3f39ceeccc2f7e03a1ca7a6443
and then removed as fixed in 3.11.0 by:
https://git.openembedded.org/meta-openembedded/commit/?id=4b990b6dbabaeb65df5bf46546a873c69032a040
but scarthgap has older 3.10.0, backport necessary changes.

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-07-10 20:23:34 -04:00
Roland Kovacs 3d03058fe2 jq-1.7.1: Backport multiple CVE fixes 
CVE: CVE-2024-23337
CVE: CVE-2024-53427
CVE: CVE-2025-48060

Patches CVE-2024-23337.patch and CVE-2024-53427.patch are backported from
jq-1.8.0, and CVE-2025-48060.patch is backported from jq-1.8.1.

Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2025-07-10 20:23:11 -04:00