Commit Graph

30512 Commits

Author SHA1 Message Date
Gyorgy Sarvari 81b90a5a0c exiv2: patch CVE-2025-54080
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-54080

Backport the patch mentioned in the details.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 40036aa47a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:35 +08:00
Gyorgy Sarvari cd7e963b09 exiv2: patch CVE-2025-26623
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26623

Apply the first two PRs from the relevant issue.

(The second PR adds a test, and the 3rd PR tries to reimplement
correctly the feature that introduced the vulnerability:
it is switching some raw pointers to smart pointers. It was not picked
because:
1. In the original issue it is stated that the first PR itself
   fixes the vulnerability
2. The patch doesn't apply clean due to the time gap between our
   and their version
3. The behavior of the application does not change
)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 7907a3e206)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:35 +08:00
Ankur Tyagi e34da7d9dc zlog: fix CVE-2024-22857
Backport a fix from upstream
https://github.com/HardySimpson/zlog/commit/c47f781a9f1e9604f5201e27d046d925d0d48ac4

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit dead2a0070)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:35 +08:00
Ankur Tyagi e9af1614d1 libraw: patch CVE-2025-43964
Details https://nvd.nist.gov/vuln/detail/CVE-2025-43964

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 95f680e0df)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi 7c56524a8d libraw: patch CVE-2025-43963
Details https://nvd.nist.gov/vuln/detail/CVE-2025-43963

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 287ed36b86)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi a8c1967976 libraw: patch CVE-2025-43961 CVE-2025-43962
Details
 - https://nvd.nist.gov/vuln/detail/CVE-2025-43961
 - https://nvd.nist.gov/vuln/detail/CVE-2025-43962

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 337ab48ff8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi da2b9ec4db libcupsfilters: patch CVE-2024-47076
Details https://nvd.nist.gov/vuln/detail/CVE-2024-47076

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 1ef236b6c5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi 7ad4066c40 libppd: patch CVE-2024-47175
Details https://nvd.nist.gov/vuln/detail/CVE-2024-47175

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 07330a98cf)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Peter Marko b2a0dd6c8d dash: set CVE_PRODUCT
This removes false positive CVE-2024-21485 from cve reports.

$ sqlite3 nvdcve_2-2.db
sqlite> select * from products where product = 'dash';
CVE-2009-0854|dash|dash|0.5.4|=||
CVE-2024-21485|plotly|dash|||2.13.0|<
CVE-2024-21485|plotly|dash|2.14.0|>=|2.15.0|<

Our dash:dash did not reach major version 1 yet.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e1427013e0)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi 80bda1d289 hdf5: patch CVE-2025-6269, CVE-2025-6270, CVE-2025-6516
As mentioned in the issues [1],[2] and [3], PR[4] addressed several vulnerabilities.

[1] https://github.com/HDFGroup/hdf5/issues/5581#issuecomment-3251977160
[2] https://github.com/HDFGroup/hdf5/issues/5579#issuecomment-2993915196
[3] https://github.com/HDFGroup/hdf5/issues/5580#issuecomment-2993727142
[4] https://github.com/HDFGroup/hdf5/pull/5756

Details:
 https://nvd.nist.gov/vuln/detail/CVE-2025-6269
 https://nvd.nist.gov/vuln/detail/CVE-2025-6270
 https://nvd.nist.gov/vuln/detail/CVE-2025-6516

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi 81c0782d8f hdf5: patch CVE-2025-2925
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2925

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi 73e3b3c308 hdf5: patch CVE-2025-2924
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2924

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi 547d4e1dae hdf5: patch CVE-2025-2923, CVE-2025-6816, CVE-2025-6856
Single PR[1] addressed all three vulnerabilities

Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-2923
https://nvd.nist.gov/vuln/detail/CVE-2025-6816
https://nvd.nist.gov/vuln/detail/CVE-2025-6856

[1] https://github.com/HDFGroup/hdf5/pull/5829

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi bd847d489a hdf5: patch CVE-2025-2915
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2915

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi 7d1b63f0af hdf5: patch CVE-2025-2914
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2914

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi b42e6eb3e5 hdf5: patch CVE-2025-2913
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2913

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi 3e72a5f33c libconfuse: patch CVE-2022-40320
Pick patch per [1] pointing to [2] pointing to [3].

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-40320
[2] https://github.com/libconfuse/libconfuse/issues/163
[3] https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c048c04101)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi a7b0b1cba8 libavif: ignore CVE-2025-48175
CVE-2025-48175 got introduced due to following change which is missing in the current recipe version
https://github.com/AOMediaCodec/libavif/commit/1b4ce5ca24a33b5878b7f766de6eaa05c49f08e6

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi 4bb1da31d5 frr: patch CVE-2024-44070
Details https://nvd.nist.gov/vuln/detail/CVE-2024-44070

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi 393bb3e0a5 tinyproxy: patch CVE-2023-49606
Details https://nvd.nist.gov/vuln/detail/CVE-2023-49606

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 7f8516d8db)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Peter Marko 24b0040b4c corosync: patch CVE-2025-30472
Pick commit from [1] mentioned in [2] from [3]

[1] https://github.com/corosync/corosync/issues/778
[2] https://github.com/corosync/corosync/pull/779
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-30472

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit eab04e4620)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Peter Marko a1b17511ca corosync: upgrade 3.1.6 -> 3.1.9
dbus dir was changed from sysconfdir to datadir

drop unused configure code

License-Update: copyright years refreshed

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 950c603f21)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Peter Marko 64f9120014 corosync: fix upstream version check
github-releases is needed for it to work at all:
ERROR: Automatic discovery of latest version/revision failed - you must provide a version using the --version/-V option, or for recipes that fetch from an SCM such as git, the --srcrev/-S option.

UPSTREAM_CHECK_GITTAGREGEX is needed to get correct version, otherwise:
$ devtool latest-version corosync
...
INFO: Current version: 3.1.6
INFO: Latest version: 414.336.75.75.75

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 9aed476a90)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Christos Gavros 68f8ea24d0 corosync: reproducibility issue
Corosync is not reproducible due to change of value
in NETSNMP_SYS_CONTACT which is set in net-snmp:
NETSNMP_SYS_CONTACT = "$ME@$LOC"
$ME = whoami
$LOC assigned domain name from /etc/resolv.conf

Use built-in '--with-sys-contact' to overwrite it

https://autobuilder.yoctoproject.org/valkyrie/#/builders/87/builds/30/steps/28/logs/stdio

CC: Yoann Congal <yoann.congal@smile.fr>
CC: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Christos Gavros <gavrosc@yahoo.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bb138b9f6b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Vijay Anusuri b03f8e79af redis: upgrade 7.2.8 -> 7.2.11
ChangeLog:
https://github.com/redis/redis/releases/tag/7.2.9
https://github.com/redis/redis/releases/tag/7.2.10
https://github.com/redis/redis/releases/tag/7.2.11
https://github.com/redis/redis/compare/7.2.8...7.2.11

7.2.11

Security fixes

(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) LUA out-of-bound read

7.2.10

Security fixes

(CVE-2025-32023) Fix out-of-bounds write in HyperLogLog commands
(CVE-2025-48367) Retry accepting other connections even if the accepted connection reports an error

7.2.9

Security fixes

(CVE-2025-27151) redis-check-aof may lead to stack overflow and potential RCE

Dropped CVE-2025-32023.patch

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 7a17429d34 freerdp3: patch CVE-2024-32662
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32662

Pick the patch that is mentioned in the above vulnerability report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari d577aca11c freerdp3: patch CVE-2024-32661
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32661

Pick the patch that is mentioned in the above vulnerability report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 6acb319466 freerdp3: patch CVE-2024-32660
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32660

Pick the patch that is mentioned in the above CVE report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari a682f5efd0 freerdp3: patch CVE-2025-32659
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32659

Pick the commit that is mentioned in the above CVE report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 95d7b8e7d5 freerdp3: patch CVE-2024-32658
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32658

Pick the commit that is marked to resolve the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 3fab129346 freerdp3: patch CVE-2024-32460
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32460

Pick the commit that is marked as a solution for the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 3bc45c028e freerdp3: patch CVE-2024-32459
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32459

Pick the patch that is marked to resolve the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari df276ba913 freerdp3: patch CVE-2024-32458
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32458

Pick the commit that is marked to resolve the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari 057e1f5d06 freerdp3: patch CVE-2024-32040
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32040

Pick the patch that is marked to resolve the related github advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari ca2667f23a freerdp3: patch CVE-2024-32039 and CVE-2024-32041
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32039
https://nvd.nist.gov/vuln/detail/CVE-2024-32041

Pick the patch that is marked as fixing the related github advisory.
The same commit fixes both vulnerabilities.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Peter Marko 0e314d0f4c freerdp3: set CVE_PRODUCT
CPE does not contain major version number, so set CVE product to just
freerdp.
Without this there are no (fixed) CVEs in reports.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4058959d6c)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Peter Marko 9b07679a55 freerdp: mark CVE-2024-32662 as fixed
2.x is not affected, bug was introduced in 3.0.0.
See e.g. https://security-tracker.debian.org/tracker/CVE-2024-32662

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a7f2051068)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Peter Marko 0095a1e3c3 freerdp: patch CVE-2024-32661
Pick commit [1] as mentioned in [2] or [3].

[1] https://github.com/FreeRDP/FreeRDP/commit/71e463e31b4d69f4022d36bfc814592f56600793
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-32661
[3] https://security-tracker.debian.org/tracker/CVE-2024-32661

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c91d6a2c65)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Khem Raj 19565142f8 freerdp: Upgrade 2.11.2 -> 2.11.7
Partially backport a fix to build with gcc-14

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4b14dacf55)

This bugfix update also contains fixes for the following vulnerabilities:

CVE-2024-22211, CVE-2024-32039, CVE-2024-32040, CVE-2024-32041,
CVE-2024-32458, CVE-2024-32459, CVE-2024-32460

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Alexandre Truong 5b3e9e377c evince: Update status for CVE-2011-0433 and CVE-2011-5244
The current version 46.0 is not affected by the issues.
Both issues have been fixed in commit [0].
The fix is in effect since early versions of evince (3.1.2).
Thus, both can be safely ignored.

[0]: https://gitlab.gnome.org/GNOME/evince/-/commit/efadec4ffcdde3373f6f4ca0eaac98dc963c4fd5

Signed-off-by: Alexandre Truong <alexandre.truong@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 492b1b1adc)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Gyorgy Sarvari efa1ef31f4 etcd: patch CVE-2023-32082
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-32082

Pick the patch mentioned in the details of the report. (It was backported
to the 3.5 tree)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Peter Marko d27a9c3b6e emlog: set CVE_PRODUCT
This will remove false-positive CVE-2024-50655 from reports.
There are different emlog components from other vendors around.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d8d45d9093)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Vijay Anusuri fe8e7d62aa poppler: Fix CVE-2025-43718
Upstream patch: https://gitlab.freedesktop.org/poppler/poppler/-/commit/f54b815672117c250420787c8c006de98e8c7408

Reference: https://ubuntu.com/security/CVE-2025-43718

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Ninette Adhikari 0d59e9acda xsp: CVE status update for CVE-2006-2658
The recipe used in the `meta-openembedded` is a different xsp package compared to the one which has the CVE issue.
Package used in `meta-embedded`: maemo xsp http://repository.maemo.org/pool/maemo/ossw/source/x/xsp/
Package with CVE issue: mono xsp https://github.com/mono/xsp

Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3cb411a057)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Gyorgy Sarvari adf3b111c3 jasper: patch CVE-2025-8837
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8837

Pick the patch from the details of the above link.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari 10196085ab jasper: patch CVE-2025-8836
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836

Pick the patch mentioned in the details of the above link.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari 7c893fb155 jasper: patch CVE-2025-8835
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8835

Pick the patch from the details of the above link.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari a2a174aafc iperf2: ignore irrelevant CVEs
These CVEs are for iperf3 - which is a similar application in its goals (and name),
but an independent project from this, and the projects are independent implementations
also, they share no common code.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit aedf74e082)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Rajeshkumar Ramasamy 46091f4925 open-vm-tools: fix CVE-2025-41244
VMware Aria Operations and VMware Tools contain a local privilege
escalation vulnerability. A malicious local actor with non-administrative
privileges having access to a VM with VMware Tools installed and managed
by Aria Operations with SDMP enabled may exploit this vulnerability
to escalate privileges to root on the same VM.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-41244

Upstream-patch:
https://github.com/vmware/open-vm-tools/commit/7ed196cf01f8acd09011815a605b6733894b8aab

Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari 4d28ff8b34 tokyocabinet: fix license
The application is distributed under the LGPL license, not GPL.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8fd2b5c5b2)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00