92bfb48d4c
libssh: Fix CVE-2026-3731
...
Pick the patch [1] and [2] as mentioned in [3]
[1] https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8
[2] https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540
[3] https://security-tracker.debian.org/tracker/CVE-2026-3731
Signed-off-by: Deepak Rathore <deeratho@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
0fd2ea7e0b
exiv2: patch CVE-2026-27631
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27631
Backport the patches referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
ab099baf93
exiv2: patch CVE-2026-27596
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27596
Backport the commits referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
18824f8a2d
exiv2: patch CVE-2026-25884
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25884
Backport the commits referenced by the NVD advisory.
One of the patches contain some binary data (for test data),
which needs to be applied with git PATCHTOOL..
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
51be807682
ettercap: patch CVE-2026-3603
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3606
Pick the commit that is marked to solve the related Github
issue[1]. Its commit message also references the CVE ID explicitly.
[1]: https://github.com/Ettercap/ettercap/issues/1297
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
d7546078a9
python3-django: upgrade 4.2.28 -> 4.2.29
...
Contains fixes for CVE-2026-25673 and CVE-2026-25674.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
c08b3e9d8f
python3-django: upgrade 5.2.11 -> 5.2.12
...
Ptests passed successfully.
Changelog: https://docs.djangoproject.com/en/6.0/releases/5.2.12/
- Fixed CVE-2026-25673 and CVE-2026-25674
- Fixed NameError when inspecting functions making use of deferred
annotations in Python 3.14.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
dd54c60cb3
zfs: upgrade 2.2.8 -> 2.2.9
...
Also include tag in the SRC_URI and refreshed patches.
Backported patch 0004-linux-use-sys-stat.h-instead-of-linux-stat.h.patch
to resolve build failure with musl.
Release Notes:
https://github.com/openzfs/zfs/releases/tag/zfs-2.2.9
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
6f6a7b518e
owfs: upgrade 3.2p3 -> 3.2p4
...
Drop patch that's included in this release.
Changelog:
v3.2p4 is mainly a bugfix & cleanup release.
Enhancements
Add support for InfernoEmbedded soft-devices (GH-21)
Bug fixes
Fix bug (GH-55) related to split packet (GH-64)
Fix copy paste bug (474f06d)
Add \r to Http header to satisfy RFC2616 specification (GH-20)
Maintenance
build system cleanup (GH-72, GH-27, GH-16)
Fix missing files in source distribution (GH-70, GH-69)
Fix compilation with GCC10 (GH-62)
Minor fixes
Fix typos (GH-43 GH-23)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 58259850feankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
ef3c6b8db7
packagegroups: fix foldername
...
The correct folder name is "packagegroups", not "packageconfigs".
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 93e33ae809ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
79ff65043e
btrfsmaintenance: upgrade 0.5 -> 0.5.2
...
1.Changelog:
fix syntax error in run_task, preventing jobs to start
start scrub jobs sequentially if RAID5 or RAID6 data profile is found
fix btrfsmaintenance-refresh.service description
2.Update 0001-change-sysconfig-path-to-etc-default.patch for 0.5.2
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7adb1a61d2ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-26 10:29:23 +05:30
6f989b75a0
postfix: upgrade 3.10.6 -> 3.10.8
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 09cc9579d4https://www.postfix.org/announcements/postfix-3.10.7.html
https://www.postfix.org/announcements/postfix-3.10.8.html
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:08 +05:30
e771677d73
libcacard: upgrade 2.8.1 -> 2.8.2
...
Changelog:
==========
- Sort certificates by underlying objects CKA_ID to provide deterministic
object order
- Avoid using uninitialized memory
- Improve test coverage and build scripts
- Improve compatibility with modern compilers (avoid strict warnings)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit bf0ea3fc28ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:07 +05:30
bcc33ac73b
open62541: upgrade 1.3.15 -> 1.3.17
...
Release Notes:
https://github.com/open62541/open62541/releases/tag/v1.3.17
https://github.com/open62541/open62541/releases/tag/v1.3.16
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:07 +05:30
509063a7cc
networkmanager-openvpn: upgrade 1.12.3 -> 1.12.5
...
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit fcebca61e5https://github.com/NetworkManager/NetworkManager-openvpn/blob/1.12.5/NEWS
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:06 +05:30
e8a99f2978
networkmanager: upgrade 1.52.0 -> 1.52.2
...
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 14c9d10173https://github.com/NetworkManager/NetworkManager/blob/1.52.2/NEWS
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:06 +05:30
a38694da2b
nopoll: upgrade 0.4.7.b429 -> 0.4.9.b462
...
0.4.9
-----
Stable release with bug fixing, support for Debian Buster, Debian Bullseye and Ubuntu Focal
https://github.com/ASPLes/nopoll/blob/master/doc/release-notes/nopoll-0.4.9.txt
0.4.8
-----
Stable release with bug fixing, support for Debian Buster, Debian Bullseye and Ubuntu Focal
https://github.com/ASPLes/nopoll/blob/master/doc/release-notes/nopoll-0.4.8.txt
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:05 +05:30
5672114d58
nopoll: Upgrade to 0.4.7.b429
...
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 5f7c5c6641https://github.com/ASPLes/nopoll/blob/master/doc/release-notes/nopoll-0.4.7.txt
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:05 +05:30
32ad58ec4e
frr: upgrade 10.4.2 -> 10.4.3
...
Release Notes:
https://github.com/FRRouting/frr/releases/tag/frr-10.4.3
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:05 +05:30
467427d3af
zabbix: mark CVE-2026-23925 as patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23925
The vulnerability has been fixed since 7.0.18[1], however NVD
tracks this CVE without version information.
[1]: https://github.com/zabbix/zabbix/commit/89dec866ec7f8230b25f06ac000575e3b7bd4025
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:04 +05:30
9f2fe367d8
libjxl: mark CVE-2025-12474 and CVE-2026-1837 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-12474
https://nvd.nist.gov/vuln/detail/CVE-2026-1837
Both CVEs have been fixed in v0.11.2, but NVD tracks these
vulnerabilities without version information.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:04 +05:30
2216b029ff
pipewire: update 1.4.9 -> 1.4.10
...
PipeWire 1.4.10 (2026-01-16)
This is a small bugfix release that is API and ABI compatible with
previous 1.x releases.
Highlights
- Fix a regression in restoring volumes on nodes.
- Clean up timed out stream on pulse-server.
- Backport filter-graph channel support.
- More small fixes and improvements.
PipeWire
- Backport the timer queue from 1.5.
modules
- Fix module leak in module-eq. (#5045 )
- Fix profiling of multiple drivers when profile.interval.ms is
set. (#5061 )
- Allow both sink and source pulse tunnels with the same name.
(#5079 )
SPA
- Emit props events in all cases. (#4610 )
- Backport some filter-graph changes to make it adapt better to the
number of channels of the stream.
- Fix some port errors in filter-graph. (#4700 )
- Avoid a memcpy in the convolver.
- Handle some DBus errors better instead of crashing.
- Fix AVX2 functions and flags. (#5072 )
- Limit resampler phases to avoid crashes (#5073 )
- Support some more channel downmix positions.
pulse-server
- Clean up timed out streams. (#4901 )
- Add message to force mono mixdown.
GStreamer
- Avoid scaling overflow in the clock.
Signed-off-by: Markus Volk <f_l_k@t-online.de >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit b7bd06e9b4ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:03 +05:30
b4c7c6ca2a
libmediaart-2.0: upgrade 1.9.6 -> 1.9.7
...
This is a bugfix release, fixing some memory leaks and compiler warning
(and it also has a couple of commits related to the project's own CI system,
which doesn't affect the application)
Changelog: https://gitlab.gnome.org/GNOME/libmediaart/-/blob/master/NEWS
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3f6b25f18aankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:14:03 +05:30
3e7a57da7f
libde265: upgrade 1.0.15 -> 1.0.16
...
Also included tag in the SRC_URI.
This release fixes some rare decoding errors and some build issues.
Changelog:
https://github.com/strukturag/libde265/compare/v1.0.15...v1.0.16
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 625a2be8a8ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 17:13:59 +05:30
f4dca597c9
exiftool: ignore CVE-2026-3102
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3102
The vulnerability impacts only MacOS - ignore it.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 07:49:33 +05:30
6bb74fff88
python3-protobuf: mark CVE-2026-0994 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994
It is fixed already in the currently used version, however NVD tracks
it without any version info, so it still shows up in CVE reports.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 07:49:32 +05:30
7b418ef060
unbound: patch CVE-2025-5994
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-5994
Backport the patch[1] provided by upstream, which is linked in
the upstream advisory[2] referenced by the NVD report.
Tests passed successfully in a locally prepared ptest image.
[1]: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-5994_2.diff
[1]: https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 07:49:32 +05:30
c3185de08d
streamripper: ignore CVE-2020-37065
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-37065
The vulnerability is about a 3rd party Windows-only GUI frontend for
the streamripper library, and not for the CLI application that the
recipe builds. Due to this ignore this CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1571c1a8e5skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 07:49:31 +05:30
9fcdfa8b22
python3-pillow: patch CVE-2026-25990
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990
Backport the patch referenced by the NVD advisory.
Note that the patch contain some new binary test data, which
requires "git" PATCHTOOL - other tools fail to apply binary patches.
All ptests passed successfully:
Testsuite summary
TOTAL: 5011
PASS: 4577
SKIP: 431
XFAIL: 3
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 59
END: /usr/lib/python3-pillow/ptest
2026-03-06T17:58
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 07:49:31 +05:30
a892f6cfc9
python3-nltk: upgrade 3.9.2 -> 3.9.3
...
Contains fix for CVE-2026-14009.
Changelog:
* Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader
* Block path traversal/arbitrary reads in nltk.data for protocol-less refs
* Block path traversal/abs paths in corpus readers and FS pointers
* Validate external StanfordSegmenter JARs using SHA256
* Add optional sandbox enforcement for filestring()
* Maintenance: downloader/zipped models, CI/tooling updates
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 14d464c150skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 07:49:30 +05:30
7d3016495f
libheif: patch CVE-2025-68431
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68431
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 07:49:30 +05:30
258cdd1e07
imagemagick: upgrade 7.1.2-13 -> 7.1.2-15
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 853aecb2f9skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-09 07:49:26 +05:30
843542472e
ceres-solver: Don't fail if .git/hooks/commit-msg can't be touched
...
The .git/hooks/commit-msg Git hook may already exist and not be
writable. E.g., in our environment it is a symbolic link to a script in
/usr/share.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a22fe21c59anuj.mittal@oss.qualcomm.com >
2026-03-06 10:13:27 +05:30
d925b85aee
python3-flask: Upgrade 3.1.2 -> 3.1.3
...
Upgrade to release 3.1.3:
- The session is marked as accessed for operations that only access
the keys but not the values, such as in and len.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 0badc6de53ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:14 +05:30
b75a502874
python3-werkzeug: upgrade 3.1.5 -> 3.1.6
...
Contains fix for CVE-2026-27199
Changelog: safe_join on Windows does not allow special devices names in multi-segment paths
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9cbc4befe5ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:14 +05:30
34c62e2edf
python3-sqlparse: upgrade 0.5.4 -> 0.5.5
...
Changelog:
==========
* Fix DoS protection to raise SQLParseError instead of silently returning None
when grouping limits are exceeded
* Fix splitting of BEGIN TRANSACTION statements
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 48617f7032ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:13 +05:30
f21e5cdea1
python3-greenlet: upgrade 3.2.4 -> 3.2.5
...
Fix a crash on Python 3.9 if there are active greenlets during interpreter shutdown
https://greenlet.readthedocs.io/en/latest/changes.html#id4
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:13 +05:30
6928c475f2
python3-filelock: Upgrade 3.20.2 -> 3.20.3
...
Upgrade to release 3.20.3:
- Fix TOCTOU symlink vulnerability in SoftFileLock
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:12 +05:30
21f3c64e8e
python3-filelock: Upgrade 3.20.1 -> 3.20.2
...
Upgrade to release 3.20.2:
- Support Unix systems without O_NOFOLLOW
- [pre-commit.ci] pre-commit autoupdate
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8b5e1f5dbfankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:12 +05:30
6829eda4e2
python3-filelock: upgrade 3.20.0 -> 3.20.1
...
Changelog:
CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit c2710a2df9ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:11 +05:30
d25f3ab33a
valkey: upgrade 8.1.4 -> 8.1.6
...
Includes fix for CVE-2026-21863, CVE-2025-67733 and various bug fixes.
Also include tag in the SRC_URI.
https://github.com/valkey-io/valkey/releases/tag/8.1.5
https://github.com/valkey-io/valkey/releases/tag/8.1.6
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:11 +05:30
78a373916b
nbench-byte: Fix sysinfo generation in parallel build
...
The project Makefile uses a script (sysinfo.sh) to non-atomically generate
two .c files (sysinfo.c, sysinfoc.c) which are then included in the build.
Since the script always overwrites both .c files, the Makefile should only
invoke it once, not twice in parallel. Otherwise the .c files may be
corrupted and cause random build failures in parallel builds.
Requires at least GNU make 4.3, for Grouped Targets support [1].
[1] https://lists.gnu.org/archive/html/info-gnu/2020-01/msg00004.html
Reviewed-by: Silvio Fricke <silvio.fricke@gin.de >
Signed-off-by: Daniel Klauer <daniel.klauer@gin.de >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit add2d94ab7anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:10 +05:30
9783e418db
xrdp: patch CVE-2025-68670
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68670
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:10 +05:30
24abd61c54
minidlna: ignore CVE-2024-51442
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-51442
The description of the vulnerability says "attacker [...] execute arbitrary
OS commands via a specially crafted minidlna.conf configuration file".
There is no official fix for this CVE, and upstream seems to be inactive
for the past 3 years.
The reason for ignoring this CVE is that the referenced minidlna.conf
file is in the /etc folder, and the file is not world-writable. Which
means that this vulnerability can be exploited only when someone is
root - but if the attacker is already root, they don't need to resort
to minidlna config-file modifications to execute any command they want.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:09 +05:30
4660316de2
gimp: ignore already fixed CVEs
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0797
https://nvd.nist.gov/vuln/detail/CVE-2026-2044
https://nvd.nist.gov/vuln/detail/CVE-2026-2045
https://nvd.nist.gov/vuln/detail/CVE-2026-2047
https://nvd.nist.gov/vuln/detail/CVE-2026-2048
All these CVEs are already fixed in the recipe version, however
NVD tracks them currently without CPE info. Ignore them.
Relevant upstream commits:
CVE-2026-0797: https://gitlab.gnome.org/GNOME/gimp/-/commit/ca449c745d58daa3f4b1ed4c2030d35d401a009d
Note that the commit referenced by NVD is incorrect. This commit
was identified from the relevant upstream Gitlab issue:
https://gitlab.gnome.org/GNOME/gimp/-/issues/15555
CVE-2026-2044: https://gitlab.gnome.org/GNOME/gimp/-/commit/3b5f9ec2b4c03cf4a51a5414f2793844c26747e5
CVE-2026-2045: https://gitlab.gnome.org/GNOME/gimp/-/commit/bb896f67942557658b3fbfc67a1c073775c002c7
CVE-2026-2047: https://gitlab.gnome.org/GNOME/gimp/-/commit/5873e16f80cf4152d25a4c86b08553008a331e90
CVE-2026-2048: https://gitlab.gnome.org/GNOME/gimp/-/commit/fa69ac5ec5692f675de5c50a6df758f7d3e45117
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:09 +05:30
12845752e1
gnome-shell: ignore CVE-2021-3982
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3982
The vulnerability is about a privilege escalation, in case
the host distribution sets CAP_SYS_NICE capability on the
gnome-shell binary.
OE distros don't do that, and due to this this recipe is not
affected by this issue. The CVE is ignored.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:09 +05:30
592de481e6
libjxl: upgrade 0.11.1 -> 0.11.2
...
- fix tile dimension in low memory rendering pipeline (CVE-2025-12474)
- fix number of channels for gray-to-gray color transform (CVE-2026-1837)
- djxl: reject decoding JXL files if "packed" representation size overflows
size_t
https://github.com/libjxl/libjxl/releases/tag/v0.11.2
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:08 +05:30
1a18d1ac74
protobuf: ignore CVE-2026-0994
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994
The vulnerability impacts only the python bindings of protobuf, which
is in a separate recipe (python3-protobuf, where it is patched).
Ignore this CVE in this recipe due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:08 +05:30
3ad174f956
postgresql: upgrade 17.7 -> 17.8
...
License-Update: Update license year to 2026
Refreshed patches for version 17.8
Includes fix for CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006
Release Notes:
https://www.postgresql.org/docs/release/17.8/
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:07 +05:30
fdddf2bdd3
openjpeg: patch CVE-2023-39327
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39327
Take the patch that is used by OpenSUSE to mitigate this vulnerability.
Upstream seems to be unresponsive to this issue.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-06 10:09:07 +05:30
Deepak Rathore
Gyorgy Sarvari
Ankur Tyagi
Liu Yiding
Wang Mingyu
Jason Schonberg
Markus Volk
Peter Kjellerstedt
Leon Anavi
Daniel Klauer