meta-openembedded

mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 17:59:59 +00:00

Author	SHA1	Message	Date
Vijay Anusuri	7727848e28	redis: upgrade 6.2.16 -> 6.2.18 Changelog: https://github.com/redis/redis/releases/tag/6.2.17 https://github.com/redis/redis/releases/tag/6.2.18 Security fixes ============== * (CVE-2024-46981) Lua script commands may lead to remote code execution * (CVE-2025-21605) An unauthenticated client can cause an unlimited growth of output buffers Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `e970ff8bff`) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:36 +08:00
Yi Zhao	6f12aebd61	redis: upgrade 6.2.14 -> 6.2.16 ChangeLog: Security fixes ============== * (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE. * (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `f702405fe9`) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:36 +08:00
Ankur Tyagi	b067a34198	memcached: patch CVE-2023-46853 Details https://nvd.nist.gov/vuln/detail/CVE-2023-46853 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Ankur Tyagi	9795c85f02	memcached: patch CVE-2023-46852 Details https://nvd.nist.gov/vuln/detail/CVE-2023-46852 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Peter Marko	bf656aa325	memcached: ignore disputed CVE-2022-26635 Per [1] this is a problem of applications using memcached inproperly. This should not be a CVE against php-memcached, but for whatever software the issue was actually found in. php-memcached and libmemcached provide a VERIFY_KEY flag if they're too lazy to filter untrusted user input. [1] https://github.com/php-memcached-dev/php-memcached/issues/519 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `889ccce684`) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Ninette Adhikari	4f1cef469b	influxdb: Update CVE status for CVE-2019-10329 The version don't match and only the Jenkins plugin is affected. Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `524acf0542`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Khem Raj	411c384daa	influxdb: Do not remove non-existing files Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `cd6e2d8f53`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Peter Marko	3eaf7bd00b	gattlib: mark CVE-2019-6498 as fixed Our hash does not point to exact tag and CVE patch is already in. We use: 33a8a275928b186381bb0aea0f9778e330e57ec3 Fix: https://github.com/labapart/gattlib/commit/60b813a770e42fdb0e85c1d2da7a55327784b8d6 git describe --tags --match=v0.2 33a8a275928b186381bb0aea0f9778e330e57ec3 60b813a770e42fdb0e85c1d2da7a55327784b8d6 v0.2-262-g33a8a27 v0.2-85-g60b813a Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `e5a12d5252`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Gyorgy Sarvari	68cef7642d	exiv2: patch CVE-2025-55304 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55304 Backport patch mentioned in the details of the vulnerability. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `f47fdfd730`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Gyorgy Sarvari	81b90a5a0c	exiv2: patch CVE-2025-54080 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-54080 Backport the patch mentioned in the details. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `40036aa47a`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Gyorgy Sarvari	cd7e963b09	exiv2: patch CVE-2025-26623 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26623 Apply the first to PRs from the relevant issue. (The second PR adds a test, and the 3rd PR tries to reimplement correctly the feature that introduced the vulnerability: it is switching some raw pointers to smart pointers. It was not picked because the 1. In the original issue it is stated that the first PR itself fixes the vulnerability 2. The patch doesn't apply clean due to the time gap between our and their version 3. The behavior of the application does not change ) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `7907a3e206`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Ankur Tyagi	e34da7d9dc	zlog: fix CVE-2024-22857 Backport a fix from upstream https://github.com/HardySimpson/zlog/commit/c47f781a9f1e9604f5201e27d046d925d0d48ac4 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `dead2a0070`) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:35 +08:00
Ankur Tyagi	e9af1614d1	libraw: patch CVE-2025-43964 Details https://nvd.nist.gov/vuln/detail/CVE-2025-43964 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `95f680e0df`) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Ankur Tyagi	7c56524a8d	libraw: patch CVE-2025-43963 Details https://nvd.nist.gov/vuln/detail/CVE-2025-43963 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `287ed36b86`) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Ankur Tyagi	a8c1967976	libraw: patch CVE-2025-43961 CVE-2025-43962 Details - https://nvd.nist.gov/vuln/detail/CVE-2025-43961 - https://nvd.nist.gov/vuln/detail/CVE-2025-43962 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `337ab48ff8`) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Ankur Tyagi	da2b9ec4db	libcupsfilters: patch CVE-2024-47076 Details https://nvd.nist.gov/vuln/detail/CVE-2024-47076 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `1ef236b6c5`) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Ankur Tyagi	7ad4066c40	libppd: patch CVE-2024-47175 Details https://nvd.nist.gov/vuln/detail/CVE-2024-47175 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `07330a98cf`) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Peter Marko	b2a0dd6c8d	dash: set CVE_PRODUCT This removes false positive CVE-2024-21485 from cve reports. $ sqlite3 nvdcve_2-2.db sqlite> select * from products where product = 'dash'; CVE-2009-0854\|dash\|dash\|0.5.4\|=\|\| CVE-2024-21485\|plotly\|dash\|\|\|2.13.0\|< CVE-2024-21485\|plotly\|dash\|2.14.0\|>=\|2.15.0\|< Our dash:dash did not reach major version 1 yet. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `e1427013e0`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Ankur Tyagi	80bda1d289	hdf5: patch CVE-2025-6269, CVE-2025-6270, CVE-2025-6516 As mentioned in the issues [1],[2] and [3], PR[4] addressed several vulnerabilities. [1] https://github.com/HDFGroup/hdf5/issues/5581#issuecomment-3251977160 [2] https://github.com/HDFGroup/hdf5/issues/5579#issuecomment-2993915196 [3] https://github.com/HDFGroup/hdf5/issues/5580#issuecomment-2993727142 [4] https://github.com/HDFGroup/hdf5/pull/5756 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-6269 https://nvd.nist.gov/vuln/detail/CVE-2025-6270 https://nvd.nist.gov/vuln/detail/CVE-2025-6516 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Ankur Tyagi	81c0782d8f	hdf5: patch CVE-2025-2925 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2925 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Ankur Tyagi	73e3b3c308	hdf5: patch CVE-2025-2924 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2924 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Ankur Tyagi	547d4e1dae	hdf5: patch CVE-2025-2923, CVE-2025-6816, CVE-2025-6856 Single PR[1] addressed all three vulnerabilities Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2923 https://nvd.nist.gov/vuln/detail/CVE-2025-6816 https://nvd.nist.gov/vuln/detail/CVE-2025-6856 [1] https://github.com/HDFGroup/hdf5/pull/5829 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:34 +08:00
Ankur Tyagi	bd847d489a	hdf5: patch CVE-2025-2915 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2915 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Ankur Tyagi	7d1b63f0af	hdf5: patch CVE-2025-2914 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2914 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Ankur Tyagi	b42e6eb3e5	hdf5: patch CVE-2025-2913 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2913 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Ankur Tyagi	3e72a5f33c	libconfuse: patch CVE-2022-40320 Pick patch per [1] poiting to [2] pointing to [3]. [1] https://nvd.nist.gov/vuln/detail/CVE-2022-40320 [2] https://github.com/libconfuse/libconfuse/issues/163 [3] https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `c048c04101`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Ankur Tyagi	a7b0b1cba8	libavif: ignore CVE-2025-48175 CVE-2025-48175 got introduced due to following change which is missing in the current recipe version https://github.com/AOMediaCodec/libavif/commit/1b4ce5ca24a33b5878b7f766de6eaa05c49f08e6 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Ankur Tyagi	4bb1da31d5	frr: patch CVE-2024-44070 Details https://nvd.nist.gov/vuln/detail/CVE-2024-44070 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Ankur Tyagi	393bb3e0a5	tinyproxy: patch CVE-2023-49606 Details https://nvd.nist.gov/vuln/detail/CVE-2023-49606 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `7f8516d8db`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Peter Marko	24b0040b4c	corosync: patch CVE-2025-30472 Pick commit from [1] mentioned in [2] from [3] [1] https://github.com/corosync/corosync/issues/778 [2] https://github.com/corosync/corosync/pull/779 [3] https://nvd.nist.gov/vuln/detail/CVE-2025-30472 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `eab04e4620`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Peter Marko	a1b17511ca	corosync: upgrade 3.1.6 -> 3.1.9 dbus dir was changed from sysconfdir to datadir drop unused configure code License-Update: copyright years refreshed Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `950c603f21`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Peter Marko	64f9120014	corosync: fix upstream version check github-releases is needed that it work at all: ERROR: Automatic discovery of latest version/revision failed - you must provide a version using the --version/-V option, or for recipes that fetch from an SCM such as git, the --srcrev/-S option. UPSTREAM_CHECK_GITTAGREGEX is needed to get correct version, otherwise: $ devtool latest-version corosync ... INFO: Current version: 3.1.6 INFO: Latest version: 414.336.75.75.75 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit `9aed476a90`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Christos Gavros	68f8ea24d0	corosync: reproducibility issue Corosync is not reproducible due to change of value in NETSNMP_SYS_CONTACT which is set in net-snmp: NETSNMP_SYS_CONTACT = "$ME@$LOC" $ME = whoami $LOC assigned domain name from /etc/resolv.conf Use build in'--with-sys-contact' to overwrite it https://autobuilder.yoctoproject.org/valkyrie/#/builders/87/builds/30/steps/28/logs/stdio CC: Yoann Congal <yoann.congal@smile.fr> CC: Randy MacLeod <randy.macleod@windriver.com> Signed-off-by: Christos Gavros <gavrosc@yahoo.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `bb138b9f6b`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:33 +08:00
Vijay Anusuri	b03f8e79af	redis: upgrade 7.2.8 -> 7.2.11 ChangeLog: https://github.com/redis/redis/releases/tag/7.2.9 https://github.com/redis/redis/releases/tag/7.2.10 https://github.com/redis/redis/releases/tag/7.2.11 https://github.com/redis/redis/compare/7.2.8...7.2.11 7.2.11 Security fixes (CVE-2025-49844) A Lua script may lead to remote code execution (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE (CVE-2025-46818) A Lua script can be executed in the context of another user (CVE-2025-46819) LUA out-of-bound read 7.2.10 Security fixes (CVE-2025-32023) Fix out-of-bounds write in HyperLogLog commands (CVE-2025-48367) Retry accepting other connections even if the accepted connection reports an error 7.2.9 Security fixes (CVE-2025-27151) redis-check-aof may lead to stack overflow and potential RCE Dropped CVE-2025-32023.patch Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	7a17429d34	freerdp3: patch CVE-2024-32662 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32662 Pick the patch that is mentioned in the above vulnerability report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	d577aca11c	freerdp3: patch CVE-2024-32661 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32661 Pick the patch that is mentioned in the above vulnerability report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	6acb319466	freerdp3: patch CVE-2024-32660 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32660 Pick the patch that is mentioned in the above CVE report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	a682f5efd0	freerdp3: patch CVE-2025-32659 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32659 Pick the commit that mentioned in the above CVE report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	95d7b8e7d5	freerdp3: patch CVE-2024-32658 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32658 Pick the commit that is marked to resolve the related github advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	3fab129346	freerdp3: patch CVE-2024-32460 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32460 Pick the commit that marked as a solution for the related github advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	3bc45c028e	freerdp3: patch CVE-2024-32459 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32459 Pick the patch that is marked to resolve the related github advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	df276ba913	freerdp3: patch CVE-2024-32458 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32458 Pick the commit that is marked to resolve the related github advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	057e1f5d06	freerdp3: patch CVE-2024-32040 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32040 Pick the patch that is marked to resolve the related github advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:32 +08:00
Gyorgy Sarvari	ca2667f23a	freerdp3: patch CVE-2024-32039 and CVE-2024-32041 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32039 https://nvd.nist.gov/vuln/detail/CVE-2024-32041 Pick the patch that is marked as fixing the related github advisory. The same commit fixes both vulnerabilities. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:31 +08:00
Peter Marko	0e314d0f4c	freerdp3: set CVE_PRODUCT CPE does not contain mnajor version number, so set VE product to just freerdp. Without this there are no (fixed) CVEs in reports. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `4058959d6c`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:31 +08:00
Peter Marko	9b07679a55	freerdp: mark CVE-2024-32662 as fixed 2.x is not affected, bug was introduced in 3.0.0. See e.g. https://security-tracker.debian.org/tracker/CVE-2024-32662 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `a7f2051068`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:31 +08:00
Peter Marko	0095a1e3c3	freerdp: patch CVE-2024-32661 Pick commit [1] as mentioned in [2] or [3]. [1] https://github.com/FreeRDP/FreeRDP/commit/71e463e31b4d69f4022d36bfc814592f56600793 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-32661 [3] https://security-tracker.debian.org/tracker/CVE-2024-32661 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `c91d6a2c65`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:31 +08:00
Khem Raj	19565142f8	freerdp: Upgrade 2.11.2 -> 2.11.7 Partially backport a fix to build with gcc-14 Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `4b14dacf55`) This bugfix update also contains fixes for the following vulnerabilities: CVE-2024-22211, CVE-2024-32039, CVE-2024-32040, CVE-2024-32041, CVE-2024-32458, CVE-2024-32459, CVE-2024-32460 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:31 +08:00
Alexandre Truong	5b3e9e377c	evince: Update status for CVE-2011-0433 and CVE-2011-5244 The current version 46.0 is not affected by the issues. Both issues have been fixed in commit [0]. The fix is in effect since early versions of evince (3.1.2). Thus, both can be safely ignored. [0]: https://gitlab.gnome.org/GNOME/evince/-/commit/efadec4ffcdde3373f6f4ca0eaac98dc963c4fd5 Signed-off-by: Alexandre Truong <alexandre.truong@smile.fr> Reviewed-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `492b1b1adc`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:31 +08:00
Gyorgy Sarvari	efa1ef31f4	etcd: patch CVE-2023-32082 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-32082 Pick the patch mentioned in the details of the report. (It was backported to the 3.5 tree) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>	2025-10-30 14:43:31 +08:00

1 2 3 4 5 ...

30471 Commits