Commit Graph

37184 Commits

Author SHA1 Message Date
Markus Volk 531e60c906 libjxl: allow native build
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-20 08:16:57 -08:00
Markus Volk b7e2956e40 highway: allow native build
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-20 08:16:57 -08:00
Peter Marko e8e6a1a829 libcoap: set CVE version suffix
CVE metrics currently report CVE-2025-34468 as open.
CPE is <=4.3.5, while recipe version is 4.3.5a which is a higher
version, however by default cve-check only compares numbers.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-20 08:16:57 -08:00
Johannes Kauffmann 3e3f0eac0f open62541: update to v1.4
Use the latest commit from the 1.4 branch; the last 1.4 release was 3
months ago so it contains important fixes.

- The contents of /usr/share/ are slightly different, so change the path
slightly.
- The new patch fixes the .pc file generation (it also ensures that
there are no references to absolute paths in the .pc file which would
need to be removed again).
- PubSub information model is now enabled by default, add a new option
to disable it (disabling only pubsub isn't enough).

Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-16 09:36:23 -08:00
Markus Volk 121b5f89c8 libbxfce4windowing: switch to meson buildsystem
Motivation for this is to get vapi files created which are required to
e.g. build the budgie desktop

- Add PACKAGECONFIG for x11 and build depending on DISTRO_FEATURES
- Build vala by default

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-16 09:36:22 -08:00
Jason Schonberg 24e14063f5 libxfce4windowing: upgrade 4.20.4 -> 4.20.5
Changelog: https://gitlab.xfce.org/xfce/libxfce4windowing/-/tags/libxfce4windowing-4.20.5

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-14 16:59:50 -08:00
Khem Raj bdff8df409 grpc: Upgrade to 1.76.0
Backport a fix to build with latest gcc and clang

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-14 16:59:47 -08:00
Mingli Yu 60c3b8fb4f nodejs: Make prune_sources execute at do_patch phase
Fixes:
  ERROR: nodejs-22.21.1-r0 do_patch: Applying patch '0001-deps-disable-io_uring-support-in-libuv.patch' on target directory '/build/tmp/work/core2-32-poky-linux/nodejs/22.21.1/sources/node-v22.21.1'
  CmdError('quilt --quiltrc /build/tmp/work/core2-32-poky-linux/nodejs/22.21.1/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch 0001-deps-disable-io_uring-support-in-libuv.patch
  can't find file to patch at input line 27

The sources related to libuv (deps/uv/) are removed in prune_sources
when depending on libuv.

So postpone prune_sources to execute at the do_patch phase to fix the gap.

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-14 09:00:38 -08:00
Liu Yiding bc312fe13b adcli: Fix OECONF
Remove "--disable-static" as it's not needed for default option.
./configure --help
 --enable-static[=PKGS]  build static libraries [default=no]

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-14 09:00:38 -08:00
Jason Schonberg 0bb156371e nodejs: upgrade 22.21.1 -> 22.22.0
This is the December 2025 security release that the nodejs team released
January 13, 2026.

  3 high severity issues.
  4 medium severity issues.
  1 low severity issue.

High priority fixes:
  CVE-2025-55131
  CVE-2025-55130
  CVE-2025-59465

Medium priority fixes:
  CVE-2025-59466
  CVE-2025-59464
  CVE-2026-21636 *
  CVE-2026-21637

Low priority fixes:
  CVE-2025-55132

* note that this medium priority CVE only affects Nodejs v25.

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Changelog: https://github.com/nodejs/node/releases/tag/v22.22.0

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-14 08:55:39 -08:00
Khem Raj 589f461dbf re2: Upgrade to 2025.11.05 release
Update fixes:
| /home/flk/bitbake-builds/poky/build/tmp/work/corei7-64-poky-linux/re2/2024.03.01/sources/re2-2024.03.01/re2/prog.h:25:1: note: 'memchr' is defined in header '<cstring>'; this is probably fixable by adding '#include <cstring>'
|    24 | #include "re2/sparse_set.h"
|   +++ |+#include <cstring>

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-14 08:54:55 -08:00
Markus Volk 5e234700b9 imagemagick: add packageconfigs for raw,jxl,heic
Don't add them by default

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-14 08:54:55 -08:00
Wang Mingyu 3729c20b69 qpdf: upgrade 12.2.0 -> 12.3.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:02 -08:00
Wang Mingyu 9ced05b9d9 python3-virtualenv: upgrade 20.35.4 -> 20.36.1
Changelog:
==============
- fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation
- fix: Prevent NameError when accessing _DISTUTILS_PATCH during file overwrite
- Upgrade pip and fix 3.15 picking old wheel
- fix: wrong path on migrated venv
- test_too_many_open_files: assert on errno.EMFILE instead of strerror
- fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146
- fix: resolve EncodingWarning in tox upgrade environment
- Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1
- Add support for PEP 440 version specifiers in the --python flag.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:02 -08:00
Wang Mingyu a724174ae8 python3-tomli: upgrade 2.3.0 -> 2.4.0
Changelog:
===========
- Add TOML v1.1.0 compatibility
- Add binary wheels for Windows arm64

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:02 -08:00
Wang Mingyu 67972a72ec python3-starlette: upgrade 0.50.0 -> 0.51.0
Changelog:
==============
- Add allow_private_network in CORSMiddleware
- Increase warning stacklevel on DeprecationWarning for wsgi module

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:02 -08:00
Wang Mingyu 88dc78a457 python3-pywbemtools: upgrade 1.3.0 -> 1.3.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:02 -08:00
Wang Mingyu b51cdb7f01 python3-pystemd: upgrade 0.14.0 -> 0.15.1
Changelog:
==========
- Add wait_for_activation parameter to pystemd.run to wait only for service activation without blocking until completion
- Document cwd and wait_for_activation parameters in pystemd.run
- Drop support for Python 3.6-3.10, now requires Python 3.11+
- Add unit property and unit_name to TransientUnitProcess for easy access to the running unit
- Change development tooling to use uv for package management
- Change lint/format stack from black/mypy to ruff/pyrefly
- Add a lot of typing

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:02 -08:00
Wang Mingyu 719fba40ee python3-pymongo: upgrade 4.15.5 -> 4.16.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:01 -08:00
Wang Mingyu 950e4abfc9 python3-pyasyncore: upgrade 1.0.4 -> 1.0.5
Changelog:
===========
- Make sure tests/__init__.py is included in sdist
- Fix compatibility with pytest
- Explicitly tag Python 3.14 compatibility

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:01 -08:00
Wang Mingyu 355668de1d python3-pyais: upgrade 2.14.0 -> 2.15.0
Changelog:
 AISTracker.update now accepts raw sentences as well as decoded messages

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:01 -08:00
Wang Mingyu ceb26ff276 python3-pikepdf: upgrade 10.1.0 -> 10.2.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:01 -08:00
Wang Mingyu f6a4aee942 python3-ipython: upgrade 9.8.0 -> 9.9.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:01 -08:00
Wang Mingyu 23be3d56d1 python3-alembic: upgrade 1.17.2 -> 1.18.0
License-Update: copyright year updated to 2026

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:01 -08:00
Wang Mingyu d06825b105 openfortivpn: upgrade 1.24.0 -> 1.24.1
Changelog:
 fix regression where the 'plugin' was not passed to pppd

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:00 -08:00
Wang Mingyu ec8cdac89c nautilus: upgrade 49.2 -> 49.3
Changelog:
=========
- Don't waste resources on images with extreme dimensions
- Consider thumbnailing finished at correct time
- Redraw view when screen scale factor changes
- Fix potential outdated view item usage
- Correctly close mime type program chooser dialog

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:00 -08:00
Wang Mingyu 6a358195b0 libcloudproviders: upgrade 0.3.6 -> 0.4.0
Changelog:
===========
* Add dependencies to the pkg-config file
* Replace gtk-doc with gi-docgen
* Require meson 1.9.0
* Plug tiny memory leaks and reduce memory footprint of the library

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:00 -08:00
Wang Mingyu 062fb8ae3d lcms: upgrade 2.17 -> 2.18
Changelog:
============
- Add an extra check for completeness only.
- Fix a signed integer overflow which could trigger a FPE_INTOVF
- Fix Microsoft's MHC2 private tag
- Added projects for XCode 26 & Visual Studio 2026
- Added documentation for PCS illuminants and chromatic adaptation
- Check for a possible out-of-bounds in softproofing transforms when using cmsCreateExtendedTransform
- Fix for an out-of-bound read, issue #522
- Add an extra check for out-of-bounds read when misusing a support function
- avoid divide by zero, special case from spec. notes on CAM02
- Fix CGATS parser bug when number has a "+" sign
- Fix a typo when handling a special case for BPC
- Fixed a loss of precision when Lab16 is used as input color space on integer transforms
- Fixes hypothetical corrupted pointer in non-happy path. Cannot happen in real world
- Fix a theoretical memory leak.
- Add support of localized descriptions in v2 profiles for MacOS
- Mark some tables as const
- Make the param of cmsCreateLab4Profile() to refer to the media white instead of the illuminant
- fix a warning in unit tests
- Remove redundant check. Fixes #497
- Update autotools
- fix plugins soname + add oklab to transicc (experimental)
- meson: ability to disable .so.version libraries
- Fix black point detection when using darker colorant.
- testcms2.c: Fix incorrect string comparisons
- Fix CICp tag size.
- Fix broken linkicc
- meson: Bump minimum Meson version to 0.52 for visibility:hidden
- meson: Disable unused fs import
- Add a guard against a wrong use of flags
- Fix for #469 heap buffer overflow on convert_utf16_to_utf32()

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:00 -08:00
Wang Mingyu e182774685 eog: upgrade 47.0 -> 49.1
Changelog:
============
- Fix frequent crashes when with gdk-pixbuf 2.44
- Add image/avif to the MimeType list in the .desktop
- appdata: Add missing developer name
- Set prgname to application ID
- data: Rename appdata to metainfo and use rDNS app id
- metadata: Hide unreachable help URL
- desktop: Add more keywords
- content type to mime type conversion
- Official website has been retired
- org.gnome.eog.desktop should list image/heic as MimeType
- Segfault SIGSEGV when switching images

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:00 -08:00
Wang Mingyu 3d0353b00e doxygen: upgrade 1.15.0 -> 1.16.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:29:00 -08:00
Wang Mingyu 4493b8fd56 ctags: upgrade 6.2.20260104.0 -> 6.2.20260111.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:59 -08:00
Wang Mingyu 38bceffeae abseil-cpp: upgrade 20250814.1 -> 20260107.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:59 -08:00
Leon Anavi 88ae17fd8f python3-libevdev: Upgrade 0.12 -> 0.13.1
Add ptest and upgrade to release 0.13.1:

- pyproject.toml: add pytest as dev dependency
- Import Self from type_checking if needed to be compat with 3.9
- CI: run pytest via uv
- CI: test against multiple python versions

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:59 -08:00
Leon Anavi 0c94f27fda python3-huey: Upgrade 2.5.5 -> 2.6.0
Upgrade to release 2.6.0:

- "Modernize" build system to use pyproject.toml and github actions.

Fixes:
WARNING: python3-huey-2.6.0-r0 do_check_backend: QA Issue: inherits
setuptools3 but has pyproject.toml with setuptools.build_meta, use
the correct class [pep517-backend]

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:59 -08:00
Leon Anavi ded508de23 python3-filelock: Upgrade 3.20.2 -> 3.20.3
Upgrade to release 3.20.3:

- Fix TOCTOU symlink vulnerability in SoftFileLock

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:59 -08:00
Leon Anavi 7a273013c7 python3-aenum: Upgrade 3.1.15 -> 3.1.16
Upgrade to release 3.1.16:

- standardized handling of negative numbers in flags
- support dictionary-like key access to NamedTuple
- remove newer setup.py option include_package_data

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:59 -08:00
Leon Anavi 50f0473ee1 python3-pylint: Upgrade 4.0.3 -> 4.0.4
Upgrade to release 4.0.4:

- Fixed false positive for ``invalid-name`` where module-level
  constants were incorrectly classified as variables when a
  class-level attribute with the same name exists.
- Fix a false positive for ``invalid-name`` on an UPPER_CASED
  name inside an ``if`` branch that assigns an object.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:58 -08:00
Yi Zhao 66454fe57f frr: upgrade 10.5.0 -> 10.5.1
ChangeLog:
https://github.com/FRRouting/frr/releases/tag/frr-10.5.1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:58 -08:00
Jason Schonberg 993fc63f43 tumbler: upgrade 4.20.0 -> 4.20.1
Changelog: https://gitlab.xfce.org/xfce/tumbler/-/tags/tumbler-4.20.1

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:58 -08:00
Liu Yiding 764f459fef xdg-user-dirs: upgrade 0.18 -> 0.19
1. Changelog
Features:
 * Add a systemd service to run xdg-user-dirs-update
 * Add initial Meson buildsystem support

Bugfixes:
 * Fix autopoint invocation

Miscellaneous:
 * Updated translations
 * Update automake boilerplate
 * Update information in README

2. Add pkgconfig to solve the following configure error:
  ../sources/xdg-user-dirs-0.19/configure: line 9319: syntax error near unexpected token `systemd,'
  ../sources/xdg-user-dirs-0.19/configure: line 9319: `PKG_CHECK_EXISTS(systemd,'

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:58 -08:00
Liu Yiding 6ad8b50af8 python3-google-auth: upgrade 2.45.0 -> 2.47.0
1. Changelog
https://github.com/googleapis/google-auth-library-python/blob/main/CHANGELOG.md

2. Drop 0001-make-the-TLS-tests-skip-when-pyopenssl-isn-t-availab.patch as it was merged upstream.

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-13 08:28:58 -08:00
Peter Bergin 584e70ca72 gtksourceview*: fix build issue related to S
Source code for gtksourceview will be unpacked to a directory called
'gtksourceview-${PV}'. But as the recipes have added part of PV to the
name of the recipe the default setting of variable S will be wrong.
This is fixed by explicitly setting it.

Fixing issues like:

  WARNING: gtksourceview3-3.24.11-r0 do_unpack: gtksourceview3: the directory ${UNPACKDIR}/${BP} (<snip>/gtksourceview3/3.24.11/sources/gtksourceview3-3.24.11) pointed to by the S variable doesn't exist - please set S within the recipe to point to where the source has been unpacked to
  WARNING: gtksourceview3-3.24.11-r0 do_populate_lic: Could not copy license file <snip>/gtksourceview3/3.24.11/sources/gtksourceview3-3.24.11/COPYING to <snip>/gtksourceview3/3.24.11/license-destdir/corei7-64/gtksourceview3/COPYING: [Errno 2] No such file or directory: '<snip>/gtksourceview3/3.24.11/sources/gtksourceview3-3.24.11/COPYING'
  ERROR: gtksourceview3-3.24.11-r0 do_populate_lic: QA Issue: gtksourceview3: LIC_FILES_CHKSUM points to an invalid file: <snip>/gtksourceview3/3.24.11/sources/gtksourceview3-3.24.11/COPYING [license-checksum]
  ERROR: gtksourceview3-3.24.11-r0 do_populate_lic: Fatal QA errors were found, failing task.

  WARNING: gtksourceview4-4.8.4-r0 do_unpack: gtksourceview4: the directory ${UNPACKDIR}/${BP} (<snip>/gtksourceview4/sources/gtksourceview4-4.8.4) pointed to by the S variable doesn't exist - please set S within the recipe to point to where the source has been unpacked to
  ERROR: gtksourceview4-4.8.4-r0 do_patch: Applying patch '0001-remove-pointless-check.patch' on target directory '<snip>/gtksourceview4/4.8.4/sources/gtksourceview4-4.8.4'

  WARNING: gtksourceview5-5.18.0-r0 do_unpack: gtksourceview5: the directory ${UNPACKDIR}/${BP} (<snip>/gtksourceview5/5.18.0/sources/gtksourceview5-5.18.0) pointed to by the S variable doesn't exist - please set S within the recipe to point to where the source has been unpacked to
  WARNING: gtksourceview5-5.18.0-r0 do_populate_lic: Could not copy license file <snip>/gtksourceview5/5.18.0/sources/gtksourceview5-5.18.0/COPYING to <snip>/gtksourceview5/5.18.0/license-destdir/corei7-64/gtksourceview5/COPYING: [Errno 2] No such file or directory: '<snip>/gtksourceview5/5.18.0/sources/gtksourceview5-5.18.0/COPYING'
  ERROR: gtksourceview5-5.18.0-r0 do_populate_lic: QA Issue: gtksourceview5: LIC_FILES_CHKSUM points to an invalid file: <snip>/gtksourceview5/5.18.0/sources/gtksourceview5-5.18.0/COPYING [license-checksum]
  ERROR: gtksourceview5-5.18.0-r0 do_populate_lic: Fatal QA errors were found, failing task.

Signed-off-by: Peter Bergin <peter@berginkonsult.se>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 13:20:11 -08:00
Markus Volk e071ea3c65 btop: update 1.4.5 -> 1.4.6
Disable build-testing for now, as this would require 'googletest' dependency

v1.4.6

References | Description | Author(s)

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 13:20:11 -08:00
Gyorgy Sarvari 0b2deaab02 acpitool: update SRC_URI
The old SRC_URI stopped working (its certificate expired), and the recipe
defaulted to OE mirrors.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 13:20:11 -08:00
Gyorgy Sarvari 4fdeb484c2 gnome-keyring: set CVE_PRODUCT
The underscores and hyphens in the product name are used randomly in the CVE
database:

sqlite> select * from PRODUCTs where vendor = 'gnome' and product like '%keyr%';
CVE-2012-3466|gnome|gnome-keyring|3.4.0|=||
CVE-2012-3466|gnome|gnome-keyring|3.4.1|=||
CVE-2012-6111|gnome|gnome_keyring|3.2|=||
CVE-2012-6111|gnome|gnome_keyring|3.4|=||
CVE-2018-19358|gnome|gnome-keyring|||3.28.2|<=
CVE-2018-20781|gnome|gnome_keyring|||3.27.2|<

Set CVE_PRODUCT so that both versions are matched.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:58 -08:00
Gyorgy Sarvari 29a272744a xerces-c: set CVE_PRODUCT
The related CVEs are tracked with "xerces-c\+\+" (sic).

See CVE db query:
sqlite> select vendor, product, count(*) from PRODUCTs where product like '%xerces%' group by 1, 2;
apache|xerces-c\+\+|29
apache|xerces-j|2
apache|xerces2_java|3
redhat|xerces|3

Set CVE_PRODUCT accordingly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:58 -08:00
Gyorgy Sarvari e0f86a4a7f lmdb: patch CVE-2026-22185
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22185

Pick the patch that is mentioned as a solution in the related upstream bug[1].

[1]: https://bugs.openldap.org/show_bug.cgi?id=10421

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:58 -08:00
Gyorgy Sarvari 2a78ad8813 boinc-client: mark CVE-2013-2018 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2013-2018

According to oss-security email[1], version 7.0.45 included
the fixes[2][3][4]

[1]: https://www.openwall.com/lists/oss-security/2013/04/29/11
[2]: https://github.com/BOINC/boinc/commit/6e205de096da83b12ffb2f0183b43e51261eb0c4
[3]: https://github.com/BOINC/boinc/commit/e8d6c33fe158129a5616e18eb84a7a9d44aca15f
[4]: https://github.com/BOINC/boinc/commit/ce3110489bc139b8218252ba1cb0862d69f72ae3

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:57 -08:00
Ankur Tyagi 2f1d7a8597 influxdb: ignore CVE-2024-30896
As mentioned in the comment[1], vulnerability is in
/api/v2/authorizations API which only exists in 2.x, 1.x is not affected.

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30896

[1] https://github.com/influxdata/influxdb/issues/24797#issuecomment-2514690740

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:57 -08:00
Leon Anavi 52c747c540 python3-aiodns: Upgrade 3.6.1 -> 4.0.0
Upgrade to release 4.0.0:

- Added new query_dns() method returning native pycares 5.x
  DNSResult types
- Deprecated query() method - still works with backward-compatible
  result types
- Deprecated gethostbyname() method - use getaddrinfo() instead
- Added compatibility layer for pycares 4.x result types to ease
  migration
- Updated dependencies

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:57 -08:00