Ankur Tyagi
7c56524a8d
libraw: patch CVE-2025-43963
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-43963
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 287ed36b86)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi
a8c1967976
libraw: patch CVE-2025-43961 CVE-2025-43962
...
Details
- https://nvd.nist.gov/vuln/detail/CVE-2025-43961
- https://nvd.nist.gov/vuln/detail/CVE-2025-43962
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 337ab48ff8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi
da2b9ec4db
libcupsfilters: patch CVE-2024-47076
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-47076
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 1ef236b6c5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi
7ad4066c40
libppd: patch CVE-2024-47175
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-47175
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 07330a98cf)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Peter Marko
b2a0dd6c8d
dash: set CVE_PRODUCT
...
This removes false positive CVE-2024-21485 from cve reports.
$ sqlite3 nvdcve_2-2.db
sqlite> select * from products where product = 'dash';
CVE-2009-0854|dash|dash|0.5.4|=||
CVE-2024-21485|plotly|dash|||2.13.0|<
CVE-2024-21485|plotly|dash|2.14.0|>=|2.15.0|<
Our dash:dash did not reach major version 1 yet.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e1427013e0)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi
80bda1d289
hdf5: patch CVE-2025-6269, CVE-2025-6270, CVE-2025-6516
...
As mentioned in the issues [1],[2] and [3], PR[4] addressed several vulnerabilities.
[1] https://github.com/HDFGroup/hdf5/issues/5581#issuecomment-3251977160
[2] https://github.com/HDFGroup/hdf5/issues/5579#issuecomment-2993915196
[3] https://github.com/HDFGroup/hdf5/issues/5580#issuecomment-2993727142
[4] https://github.com/HDFGroup/hdf5/pull/5756
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-6269
https://nvd.nist.gov/vuln/detail/CVE-2025-6270
https://nvd.nist.gov/vuln/detail/CVE-2025-6516
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi
81c0782d8f
hdf5: patch CVE-2025-2925
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2925
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi
73e3b3c308
hdf5: patch CVE-2025-2924
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2924
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi
547d4e1dae
hdf5: patch CVE-2025-2923, CVE-2025-6816, CVE-2025-6856
...
Single PR[1] addressed all three vulnerabilities
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-2923
https://nvd.nist.gov/vuln/detail/CVE-2025-6816
https://nvd.nist.gov/vuln/detail/CVE-2025-6856
[1] https://github.com/HDFGroup/hdf5/pull/5829
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:34 +08:00
Ankur Tyagi
bd847d489a
hdf5: patch CVE-2025-2915
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2915
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi
7d1b63f0af
hdf5: patch CVE-2025-2914
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2914
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi
b42e6eb3e5
hdf5: patch CVE-2025-2913
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2913
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi
3e72a5f33c
libconfuse: patch CVE-2022-40320
...
Pick patch per [1] pointing to [2] pointing to [3].
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-40320
[2] https://github.com/libconfuse/libconfuse/issues/163
[3] https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c048c04101)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi
a7b0b1cba8
libavif: ignore CVE-2025-48175
...
CVE-2025-48175 got introduced due to the following change, which is missing in the current recipe version
https://github.com/AOMediaCodec/libavif/commit/1b4ce5ca24a33b5878b7f766de6eaa05c49f08e6
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi
4bb1da31d5
frr: patch CVE-2024-44070
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-44070
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Ankur Tyagi
393bb3e0a5
tinyproxy: patch CVE-2023-49606
...
Details https://nvd.nist.gov/vuln/detail/CVE-2023-49606
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 7f8516d8db)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Peter Marko
24b0040b4c
corosync: patch CVE-2025-30472
...
Pick commit from [1] mentioned in [2] from [3]
[1] https://github.com/corosync/corosync/issues/778
[2] https://github.com/corosync/corosync/pull/779
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-30472
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit eab04e4620)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Peter Marko
a1b17511ca
corosync: upgrade 3.1.6 -> 3.1.9
...
dbus dir was changed from sysconfdir to datadir
drop unused configure code
License-Update: copyright years refreshed
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 950c603f21)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Peter Marko
64f9120014
corosync: fix upstream version check
...
github-releases is needed for it to work at all:
ERROR: Automatic discovery of latest version/revision failed - you must provide a version using the --version/-V option, or for recipes that fetch from an SCM such as git, the --srcrev/-S option.
UPSTREAM_CHECK_GITTAGREGEX is needed to get correct version, otherwise:
$ devtool latest-version corosync
...
INFO: Current version: 3.1.6
INFO: Latest version: 414.336.75.75.75
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 9aed476a90)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Christos Gavros
68f8ea24d0
corosync: reproducibility issue
...
Corosync is not reproducible due to change of value
in NETSNMP_SYS_CONTACT which is set in net-snmp:
NETSNMP_SYS_CONTACT = "$ME@$LOC"
$ME = whoami
$LOC assigned domain name from /etc/resolv.conf
Use built-in '--with-sys-contact' to overwrite it
https://autobuilder.yoctoproject.org/valkyrie/#/builders/87/builds/30/steps/28/logs/stdio
CC: Yoann Congal <yoann.congal@smile.fr>
CC: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Christos Gavros <gavrosc@yahoo.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bb138b9f6b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:33 +08:00
Vijay Anusuri
b03f8e79af
redis: upgrade 7.2.8 -> 7.2.11
...
ChangeLog:
https://github.com/redis/redis/releases/tag/7.2.9
https://github.com/redis/redis/releases/tag/7.2.10
https://github.com/redis/redis/releases/tag/7.2.11
https://github.com/redis/redis/compare/7.2.8...7.2.11
7.2.11
Security fixes
(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) LUA out-of-bound read
7.2.10
Security fixes
(CVE-2025-32023) Fix out-of-bounds write in HyperLogLog commands
(CVE-2025-48367) Retry accepting other connections even if the accepted connection reports an error
7.2.9
Security fixes
(CVE-2025-27151) redis-check-aof may lead to stack overflow and potential RCE
Dropped CVE-2025-32023.patch
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
7a17429d34
freerdp3: patch CVE-2024-32662
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32662
Pick the patch that is mentioned in the above vulnerability report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
d577aca11c
freerdp3: patch CVE-2024-32661
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32661
Pick the patch that is mentioned in the above vulnerability report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
6acb319466
freerdp3: patch CVE-2024-32660
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32660
Pick the patch that is mentioned in the above CVE report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
a682f5efd0
freerdp3: patch CVE-2025-32659
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32659
Pick the commit that is mentioned in the above CVE report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
95d7b8e7d5
freerdp3: patch CVE-2024-32658
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32658
Pick the commit that is marked to resolve the related github advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
3fab129346
freerdp3: patch CVE-2024-32460
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32460
Pick the commit that is marked as a solution for the related github advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
3bc45c028e
freerdp3: patch CVE-2024-32459
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32459
Pick the patch that is marked to resolve the related github advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
df276ba913
freerdp3: patch CVE-2024-32458
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32458
Pick the commit that is marked to resolve the related github advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
057e1f5d06
freerdp3: patch CVE-2024-32040
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32040
Pick the patch that is marked to resolve the related github advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:32 +08:00
Gyorgy Sarvari
ca2667f23a
freerdp3: patch CVE-2024-32039 and CVE-2024-32041
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32039
https://nvd.nist.gov/vuln/detail/CVE-2024-32041
Pick the patch that is marked as fixing the related github advisory.
The same commit fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Peter Marko
0e314d0f4c
freerdp3: set CVE_PRODUCT
...
CPE does not contain major version number, so set CVE product to just
freerdp.
Without this there are no (fixed) CVEs in reports.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4058959d6c)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Peter Marko
9b07679a55
freerdp: mark CVE-2024-32662 as fixed
...
2.x is not affected, bug was introduced in 3.0.0.
See e.g. https://security-tracker.debian.org/tracker/CVE-2024-32662
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a7f2051068)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Peter Marko
0095a1e3c3
freerdp: patch CVE-2024-32661
...
Pick commit [1] as mentioned in [2] or [3].
[1] https://github.com/FreeRDP/FreeRDP/commit/71e463e31b4d69f4022d36bfc814592f56600793
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-32661
[3] https://security-tracker.debian.org/tracker/CVE-2024-32661
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c91d6a2c65)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Khem Raj
19565142f8
freerdp: Upgrade 2.11.2 -> 2.11.7
...
Partially backport a fix to build with gcc-14
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4b14dacf55)
This bugfix update also contains fixes for the following vulnerabilities:
CVE-2024-22211, CVE-2024-32039, CVE-2024-32040, CVE-2024-32041,
CVE-2024-32458, CVE-2024-32459, CVE-2024-32460
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Alexandre Truong
5b3e9e377c
evince: Update status for CVE-2011-0433 and CVE-2011-5244
...
The current version 46.0 is not affected by the issues.
Both issues have been fixed in commit [0].
The fix is in effect since early versions of evince (3.1.2).
Thus, both can be safely ignored.
[0]: https://gitlab.gnome.org/GNOME/evince/-/commit/efadec4ffcdde3373f6f4ca0eaac98dc963c4fd5
Signed-off-by: Alexandre Truong <alexandre.truong@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 492b1b1adc)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Gyorgy Sarvari
efa1ef31f4
etcd: patch CVE-2023-32082
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-32082
Pick the patch mentioned in the details of the report. (It was backported
to the 3.5 tree)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Peter Marko
d27a9c3b6e
emlog: set CVE_PRODUCT
...
This will remove false-positive CVE-2024-50655 from reports.
There are different emlog components from other vendors around.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d8d45d9093)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Vijay Anusuri
fe8e7d62aa
poppler: Fix CVE-2025-43718
...
Upstream patch: https://gitlab.freedesktop.org/poppler/poppler/-/commit/f54b815672117c250420787c8c006de98e8c7408
Reference: https://ubuntu.com/security/CVE-2025-43718
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Ninette Adhikari
0d59e9acda
xsp: CVE status update for CVE-2006-2658
...
The recipe used in the `meta-openembedded` is a different xsp package compared to the one which has the CVE issue.
Package used in `meta-embedded`: maemo xsp http://repository.maemo.org/pool/maemo/ossw/source/x/xsp/
Package with CVE issue: mono xsp https://github.com/mono/xsp
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3cb411a057)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:31 +08:00
Gyorgy Sarvari
adf3b111c3
jasper: patch CVE-2025-8837
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8837
Pick the patch from the details of the above link.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari
10196085ab
jasper: patch CVE-2025-8836
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836
Pick the patch mentioned in the details of the above link.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari
7c893fb155
jasper: patch CVE-2025-8835
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8835
Pick the patch from the details of the above link.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari
a2a174aafc
iperf2: ignore irrelevant CVEs
...
These CVEs are for iperf3 - which is a similar application in its goals (and name),
but an independent project from this, and the projects are independent implementations
also, they share no common code.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit aedf74e082)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Rajeshkumar Ramasamy
46091f4925
open-vm-tools: fix CVE-2025-41244
...
VMware Aria Operations and VMware Tools contain a local privilege
escalation vulnerability. A malicious local actor with non-administrative
privileges having access to a VM with VMware Tools installed and managed
by Aria Operations with SDMP enabled may exploit this vulnerability
to escalate privileges to root on the same VM.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-41244
Upstream-patch:
https://github.com/vmware/open-vm-tools/commit/7ed196cf01f8acd09011815a605b6733894b8aab
Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari
4d28ff8b34
tokyocabinet: fix license
...
The application is distributed under the LGPL license, not GPL.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8fd2b5c5b2)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari
630a852aa4
tokyocabinet: switch to working SRC_URI
...
The original source seems to be long gone.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Gyorgy Sarvari
693a7500ba
pm-qa: update git fetch protocol
...
Apparently the git repo in the SRC_URI stopped supporting git
protocol. Switch to https to be able to fetch the source successfully.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-30 14:43:30 +08:00
Khem Raj
a8484babb6
uim: Stick to C17
...
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5cac401d00)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-29 23:07:07 +08:00
Peter Marko
84f8102ada
audiofile: patch CVE-2017-6839
...
Use patch from buildroot:
https://github.com/buildroot/buildroot/commit/844a7c6281eb442881330a5d36d5a0719f2870bf
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 88faae83b2)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-10-06 16:11:25 +08:00