7acc744194
dash: fix CVE-2026-31323
...
Backport upstream fix for CVE-2026-31323 [1].
[1] https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3
Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:48 +05:30
a587f53a0e
strongswan: fix for CVE-2026-35334
...
Pick patch according to [1]
[1] https://download.strongswan.org/security/CVE-2026-35334
[2] https://www.strongswan.org/blog/2026/04/22/strongswan-vulnerability-(cve-2026-35334).html
[3] https://security-tracker.debian.org/tracker/CVE-2026-35334
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:48 +05:30
9f70f8d461
libssh: set status for CVE-2025-14821
...
The vulnerability is Windows-specific and depends on loading
configuration from C:\etc, which does not apply to Linux/Yocto builds
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-14821
https://github.com/advisories/GHSA-5jf9-8f86-jhvw
https://www.libssh.org/security/advisories/CVE-2025-14821.txt
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:48 +05:30
797f2baebe
nanomsg: upgrade 1.2.1 -> 1.2.2
...
Changelog:
https://github.com/nanomsg/nanomsg/releases/tag/1.2.2
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:47 +05:30
c756576c1c
postfix: upgrade 3.8.12 -> 3.8.16
...
3.8.13
http://www.postfix.org/announcements/postfix-3.10.6.html
3.8.14
http://www.postfix.org/announcements/postfix-3.10.7.html
3.8.15
http://www.postfix.org/announcements/postfix-3.10.8.html
3.8.16
http://www.postfix.org/announcements/postfix-3.11.2.html
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:47 +05:30
100da99a04
lcms: patch CVE-2026-42798
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-42798
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:46 +05:30
49a682f2ed
lcms: patch CVE-2026-41254
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254
Backport the patches referenced by the NVD advisory.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:46 +05:30
fdd887bc29
frr: patch CVE-2026-28532
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-28532
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:45 +05:30
764a8f2154
firewalld: upgrade 1.3.2 -> 1.3.4
...
https://github.com/firewalld/firewalld/releases/tag/v1.3.3
https://github.com/firewalld/firewalld/releases/tag/v1.3.4
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:45 +05:30
9f64ff03f5
apache2: upgrade 2.4.66 -> 2.4.67
...
Security fixes:
- CVE-2026-34059
- CVE-2026-34032
- CVE-2026-33857
- CVE-2026-33523
- CVE-2026-33007
- CVE-2026-33006
- CVE-2026-29169
- CVE-2026-29168
- CVE-2026-28780
- CVE-2026-24072
- CVE-2026-23918
See: https://archive.apache.org/dist/httpd/CHANGES_2.4.67
Signed-off-by: Liyin Zhang <liyin.zhang.cn@windriver.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:44 +05:30
92b5798115
exiftool: ignore CVE-2026-7580
...
The impacted function mentioned in the nvd[1] was introduced in v12.82[2],
hence we can ignore this CVE.
[1]https://nvd.nist.gov/vuln/detail/CVE-2026-7580
[2]https://github.com/exiftool/exiftool/commit/280a7f0db71b5887be492d57723723cb196ad2f9
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:44 +05:30
5fe0fb19e7
php: upgrade 8.2.30 -> 8.2.31
...
This is a security release.
Changelog: https://www.php.net/ChangeLog-8.php#8.2.31
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:43 +05:30
90a0e3bf89
open-vm-tools: Add entry to CVE_PRODUCT to support the product name
...
- Added 'vmware:open_vm_tools' to CVE_PRODUCT to align with the NVD
CPE and ensure accurate CVE reporting.
Signed-off-by: Het Patel <hetpat@cisco.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9b69587ecbhjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:43 +05:30
aaa594e19e
onig: Add CVE_PRODUCT to support product name
...
- Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE
reporting.
Signed-off-by: Het Patel <hetpat@cisco.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7bc5268662hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:43 +05:30
9500d05195
abseil-cpp: Add CVE_PRODUCT to support product name
...
- Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE
reporting.
Signed-off-by: Het Patel <hetpat@cisco.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a428ea90c0hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:42 +05:30
3fd10def49
python3-ecdsa: set CVE_PRODUCT
...
Set the correct CVE_PRODUCT value, the default python: ecdsa doesn't
match relevant entries.
The correct values were taken from the CVE db, by checking which CVEs
are relevant.
See CVE db query:
sqlite> select * from products where product like '%ecdsa%';
CVE-2019-14853|python-ecdsa_project|python-ecdsa|||0.13.3|<
CVE-2019-14859|python-ecdsa_project|python-ecdsa|||0.13.3|<
CVE-2020-12607|antonkueltz|fastecdsa|||2.1.2|<
CVE-2021-43568|starkbank|elixir_ecdsa|1.0.0|=||
CVE-2021-43569|starkbank|ecdsa-dotnet|1.3.2|=||
CVE-2021-43570|starkbank|ecdsa-java|1.0.0|=||
CVE-2021-43571|starkbank|ecdsa-node|1.1.2|=||
CVE-2021-43572|starkbank|ecdsa-python|||2.0.1|<
CVE-2022-24884|ecdsautils_project|ecdsautils|||0.4.1|<
CVE-2024-21502|antonkueltz|fastecdsa|||2.3.2|<
CVE-2024-23342|tlsfuzzer|ecdsa|||0.18.0|<=
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7f962ef155hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:42 +05:30
6b76759967
python-grpcio(-tools): add grpc:grpc to cve product
...
These grpc python modules contain parts of grpc core.
Each CVE needs to be assessed if the patch applies also to core parts
included in each module.
Note that so far there was never a CVE specific for python module, only
for grpc:grpc and many of those needed to be fixed at leasts in grpcio:
sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product;
grpc|grpc|21
grpck|grpck|1
linuxfoundation|grpc_swift|9
microsoft|grpconv|1
opentelemetry|configgrpc|1
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f993cb2ecbhjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:41 +05:30
fb4ebd1200
wireshark: fix for CVE-2025-13946
...
Pick patch from [1] also mentioned at NVD report in [2]
[1] https://gitlab.com/wireshark/wireshark/-/issues/20884
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13946
[3] https://security-tracker.debian.org/tracker/CVE-2025-13946
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:37 +05:30
ae7dfb1224
jq: Stick to C17 until next release
...
Patches are sprinkled in master branch of jq but the backports
regresses tests, so its better to keep it at C17 for now.
Backport: changed from += to :append to apply to all target, native
and nativesdk builds.
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Cc: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-05 06:57:17 +05:30
a9b7af632e
onig: fix gcc 15 build
...
With backport from upstream 6.9.10.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 12:56:07 +05:30
964065663c
jq: patch CVE-2026-39979
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979
Ptests passed:
root@qemux86:~# ptest-runner jq
START: ptest-runner
2026-04-26T11:09
BEGIN: /usr/lib/jq/ptest
PASS: optionaltest
PASS: mantest
PASS: jqtest
PASS: onigtest
PASS: shtest
PASS: utf8test
PASS: base64test
=== Test Summary ===
TOTAL: 7
PASSED: 7
FAILED: 0
SKIPPED: 0
DURATION: 44
END: /usr/lib/jq/ptest
2026-04-26T11:10
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
6cbaf81a01
jq: patch CVE-2026-33948
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
18de8de0ef
jq: patch CVE-2026-33947
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
9bdfbd20b2
jq: patch CVE-2026-32316
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
fdf83ebd28
python3-pillow: fix CVE-2026-40192
...
Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2].
[1] https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-40192
[3] https://security-tracker.debian.org/tracker/CVE-2026-40192
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
955189fbcb
libssh: Fix CVE-2026-0965
...
Backport the patch [1] as mentioned in [2]
[1] https://git.libssh.org/projects/libssh.git/commit/?id=bf390a042623e02abc8f421c4c5fadc0429a8a76
[2] https://security-tracker.debian.org/tracker/CVE-2026-0965
Ptests passed:
root@qemux86:~# ptest-runner libssh
START: ptest-runner
2026-04-28T04:44
BEGIN: /usr/lib/libssh/ptest
...
...
DURATION: 269
END: /usr/lib/libssh/ptest
2026-04-28T04:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
0f64da2ab9
libssh: patch CVE-2026-0967
...
Backport patch [1] as mentioned in [2]
[1] https://git.libssh.org/projects/libssh.git/commit/?id=6d74aa6138895b3662bade9bd578338b0c4f8a15
[2] https://security-tracker.debian.org/tracker/CVE-2026-0967
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
015b974b6b
libssh: patch CVE-2026-0968
...
Backport patches [1] and [2] as mentioned in [3]
[1] https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9
[2] https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03
[3] https://security-tracker.debian.org/tracker/CVE-2026-0968
Certain functions from sftp.c were moved to a new file sftp_common.c
in version 0.11.0 by following commit:
https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a
This is the backport of the changes using the original file sftp.c
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
5ce7602ce1
corosync: patch CVE-2026-35092
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092
Pick the patch that mentions the CVE ID explicitly (the same commit
was identified by Debian also[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35092
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit af73e716bcankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
985cc4d384
corosync: patch CVE-2026-35091
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091
Pick the patch that mentions the CVE ID explicitly (it was identified
by Debian also as the fix[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35091
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 701b22fda3ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
9a19b0f3cb
opensc: patch CVE-2025-66215
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66215
Backport the patches referenced by the PR[1] mentioned in the nvd.
Dropped the formatting commit from the backport.
[1] https://github.com/OpenSC/OpenSC/pull/3436
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
91858e7ff9
opensc: patch CVE-2025-66038
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66038
Backport the patch referenced by the wiki[1] mentioned in the nvd.
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
a02592adda
opensc: patch CVE-2025-66037
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66037
Backport the patch referenced by the wiki[1] mentioned in the nvd.
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
886f7d221a
opensc: patch CVE-2025-49010
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49010
Backport the patch referenced by the wiki[1] mentioned in the nvd.
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
22a2ae9646
openjpeg: patch CVE-2026-6192
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 09050325e6ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
383ff86953
jq: fix CVE-2026-40164
...
Backport patch to fix CVE-2026-40164.
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
7ba6689d13
nginx: fix CVE-2026-32647
...
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160366
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647
[3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
bed3ecfe03
krb5: Backport additional fixes to build on clang
...
Enabling additional warning tightens the function prototype checks
and clang goes a step ahead to flag void foo() as well it should be
void foo(void)
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Cc: Martin Jansa <martin.jansa@gmail.com >
(cherry picked from commit 37cc472e44deeratho@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
32081787dc
kernel-hardening-checker: update 0.6.10.2 -> 0.6.17.1
...
Following the update on master.
This version reports more hardening issues:
128 "failures" instead of 113 on the same kernel.
Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
0febf2f87d
python3-tornado: set CVE_PRODUCT
...
The default "python:tornado" CVE_PRODUCT doesn't match relevant CVEs, because
the project's CPE is "tornadoweb:tornado".
See cve db query (docmosis is an irrelevant vendor):
sqlite> select * from products where PRODUCT = 'tornado';
CVE-2012-2374|tornadoweb|tornado|||2.2|<=
CVE-2012-2374|tornadoweb|tornado|1.0|=||
CVE-2012-2374|tornadoweb|tornado|1.0.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.2|=||
CVE-2012-2374|tornadoweb|tornado|1.2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.0|=||
CVE-2012-2374|tornadoweb|tornado|2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.1.1|=||
CVE-2014-9720|tornadoweb|tornado|||3.2.2|<
CVE-2023-25264|docmosis|tornado|||2.9.5|<
CVE-2023-25265|docmosis|tornado|||2.9.5|<
CVE-2023-25266|docmosis|tornado|||2.9.5|<
CVE-2023-28370|tornadoweb|tornado|||6.3.2|<
CVE-2024-42733|docmosis|tornado|||2.9.7|<=
CVE-2024-52804|tornadoweb|tornado|||6.4.2|<
CVE-2025-47287|tornadoweb|tornado|||6.5.0|<
CVE-2025-67724|tornadoweb|tornado|||6.5.3|<
CVE-2025-67725|tornadoweb|tornado|||6.5.3|<
CVE-2025-67726|tornadoweb|tornado|||6.5.3|<
Set the CVE_PRODUCT accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 139cc15de3hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
c40989630d
hdf5: fix CVE-2025-6857
...
According to [1], A vulnerability has been found in HDF5 1.14.6 and
classified as problematic. Affected by this vulnerability is the function
H5G__node_cmp3 of the file src/H5Gnode.c. The manipulation leads to
stack-based buffer overflow. It is possible to launch the attack on the
local host. The exploit has been disclosed to the public and may be used.
Backport patch [2] from upstream to fix CVE-2025-6857
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6857
[2] https://github.com/HDFGroup/hdf5/commit/a8ceb1d95bb997f548c1129363dad53c18540096
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
4ab556ad1e
hdf5: fix CVE-2025-2308
...
According to [1], A vulnerability, which was classified as critical, was
found in HDF5 1.14.6. This affects the function
H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter.
The manipulation leads to heap-based buffer overflow. An attack has to be
approached locally. The exploit has been disclosed to the public and may be
used. The vendor plans to fix this issue in an upcoming release.
Backport patch [2] from upstream to fix CVE-2025-2308
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2308
[2] https://github.com/HDFGroup/hdf5/commit/2ce7fdc4cf147d280aa6d49686297faacc250e40
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
a26a769011
nginx: set CVE_PRODUCT
...
nginx has a long history, and has used multiple CPEs
over time. Set CVE_PRODUCT to reflect current and historic
vendor:product pairs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d25aadbbb5colin.mcallister@garmin.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
6f90f29b18
rocksdb: packageconfig knob for set static library option
...
Adding PACKAGECONFIG knob for enable/disable the static library option
It is just a follow-up changes of previous commit
https://git.openembedded.org/meta-openembedded/commit/?h=scarthgap&id=72018ca1b1a471226917e8246e8bbf9a374ccf97
and also this changes are already accepted and integrated in kirkstone branch.
Signed-off-by: Zahir Hussain <zahir.basha@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
098a230565
imagemagick: Fix CVEs
...
Fix the following CVEs-
CVE-2026-24481 CVE-2026-25638 CVE-2026-25794 CVE-2026-25795
CVE-2026-25796 CVE-2026-25797 CVE-2026-25798 CVE-2026-25799
CVE-2026-25897 CVE-2026-25898 CVE-2026-25965 CVE-2026-25966
CVE-2026-25967 CVE-2026-25968 CVE-2026-25969 CVE-2026-25970
CVE-2026-25982 CVE-2026-25985 CVE-2026-25986 CVE-2026-25987
CVE-2026-25988 CVE-2026-26066 CVE-2026-26283 CVE-2026-26284
CVE-2026-26983
Signed-off-by: Naman Jain <namanj1@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:24 +05:30
5124ac4a65
nginx: fix CVE-2026-28753
...
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160367
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28753
[3] https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
24459e3f5c
nginx: fix CVE-2026-27654
...
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160382
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27654
[3] https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
958cca3987
nginx: fix CVE-2026-27651
...
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160383
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27651
[3] https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
0ef4a2ecee
grpc: set status for CVE-2026-33186
...
CPE per NVD report is for "go", while this is C++ component:
* cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*
Also the link to adisory within NVD report says "grpc-go":
* https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
a1b14b7a3a
python3-werkzeug: ignore CVE-2026-27199
...
Vvulnerability affects Windows application and can be ignored.
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
Theo Gaige
Hitendra Prajapati
Sudhir Dumbhare
Ankur Tyagi
Liyin Zhang
Jason Schonberg
Het Patel
Gyorgy Sarvari
Peter Marko
Khem Raj
Mikko Rapeli
Daniel Turull
Michael Opdenacker
Libo Chen
Zahir Hussain
Naman Jain