985cc4d384
corosync: patch CVE-2026-35091
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091
Pick the patch that mentions the CVE ID explicitly (it was identified
by Debian also as the fix[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35091
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 701b22fda3ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
9a19b0f3cb
opensc: patch CVE-2025-66215
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66215
Backport the patches referenced by the PR[1] mentioned in the nvd.
Dropped the formatting commit from the backport.
[1] https://github.com/OpenSC/OpenSC/pull/3436
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
91858e7ff9
opensc: patch CVE-2025-66038
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66038
Backport the patch referenced by the wiki[1] mentioned in the nvd.
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
a02592adda
opensc: patch CVE-2025-66037
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66037
Backport the patch referenced by the wiki[1] mentioned in the nvd.
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
886f7d221a
opensc: patch CVE-2025-49010
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49010
Backport the patch referenced by the wiki[1] mentioned in the nvd.
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
22a2ae9646
openjpeg: patch CVE-2026-6192
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 09050325e6ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
383ff86953
jq: fix CVE-2026-40164
...
Backport patch to fix CVE-2026-40164.
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
7ba6689d13
nginx: fix CVE-2026-32647
...
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160366
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647
[3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
bed3ecfe03
krb5: Backport additional fixes to build on clang
...
Enabling additional warning tightens the function prototype checks
and clang goes a step ahead to flag void foo() as well it should be
void foo(void)
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Cc: Martin Jansa <martin.jansa@gmail.com >
(cherry picked from commit 37cc472e44deeratho@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
32081787dc
kernel-hardening-checker: update 0.6.10.2 -> 0.6.17.1
...
Following the update on master.
This version reports more hardening issues:
128 "failures" instead of 113 on the same kernel.
Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
0febf2f87d
python3-tornado: set CVE_PRODUCT
...
The default "python:tornado" CVE_PRODUCT doesn't match relevant CVEs, because
the project's CPE is "tornadoweb:tornado".
See cve db query (docmosis is an irrelevant vendor):
sqlite> select * from products where PRODUCT = 'tornado';
CVE-2012-2374|tornadoweb|tornado|||2.2|<=
CVE-2012-2374|tornadoweb|tornado|1.0|=||
CVE-2012-2374|tornadoweb|tornado|1.0.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.2|=||
CVE-2012-2374|tornadoweb|tornado|1.2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.0|=||
CVE-2012-2374|tornadoweb|tornado|2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.1.1|=||
CVE-2014-9720|tornadoweb|tornado|||3.2.2|<
CVE-2023-25264|docmosis|tornado|||2.9.5|<
CVE-2023-25265|docmosis|tornado|||2.9.5|<
CVE-2023-25266|docmosis|tornado|||2.9.5|<
CVE-2023-28370|tornadoweb|tornado|||6.3.2|<
CVE-2024-42733|docmosis|tornado|||2.9.7|<=
CVE-2024-52804|tornadoweb|tornado|||6.4.2|<
CVE-2025-47287|tornadoweb|tornado|||6.5.0|<
CVE-2025-67724|tornadoweb|tornado|||6.5.3|<
CVE-2025-67725|tornadoweb|tornado|||6.5.3|<
CVE-2025-67726|tornadoweb|tornado|||6.5.3|<
Set the CVE_PRODUCT accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 139cc15de3hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
c40989630d
hdf5: fix CVE-2025-6857
...
According to [1], A vulnerability has been found in HDF5 1.14.6 and
classified as problematic. Affected by this vulnerability is the function
H5G__node_cmp3 of the file src/H5Gnode.c. The manipulation leads to
stack-based buffer overflow. It is possible to launch the attack on the
local host. The exploit has been disclosed to the public and may be used.
Backport patch [2] from upstream to fix CVE-2025-6857
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6857
[2] https://github.com/HDFGroup/hdf5/commit/a8ceb1d95bb997f548c1129363dad53c18540096
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
4ab556ad1e
hdf5: fix CVE-2025-2308
...
According to [1], A vulnerability, which was classified as critical, was
found in HDF5 1.14.6. This affects the function
H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter.
The manipulation leads to heap-based buffer overflow. An attack has to be
approached locally. The exploit has been disclosed to the public and may be
used. The vendor plans to fix this issue in an upcoming release.
Backport patch [2] from upstream to fix CVE-2025-2308
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2308
[2] https://github.com/HDFGroup/hdf5/commit/2ce7fdc4cf147d280aa6d49686297faacc250e40
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
a26a769011
nginx: set CVE_PRODUCT
...
nginx has a long history, and has used multiple CPEs
over time. Set CVE_PRODUCT to reflect current and historic
vendor:product pairs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d25aadbbb5colin.mcallister@garmin.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
6f90f29b18
rocksdb: packageconfig knob for set static library option
...
Adding PACKAGECONFIG knob for enable/disable the static library option
It is just a follow-up changes of previous commit
https://git.openembedded.org/meta-openembedded/commit/?h=scarthgap&id=72018ca1b1a471226917e8246e8bbf9a374ccf97
and also this changes are already accepted and integrated in kirkstone branch.
Signed-off-by: Zahir Hussain <zahir.basha@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
098a230565
imagemagick: Fix CVEs
...
Fix the following CVEs-
CVE-2026-24481 CVE-2026-25638 CVE-2026-25794 CVE-2026-25795
CVE-2026-25796 CVE-2026-25797 CVE-2026-25798 CVE-2026-25799
CVE-2026-25897 CVE-2026-25898 CVE-2026-25965 CVE-2026-25966
CVE-2026-25967 CVE-2026-25968 CVE-2026-25969 CVE-2026-25970
CVE-2026-25982 CVE-2026-25985 CVE-2026-25986 CVE-2026-25987
CVE-2026-25988 CVE-2026-26066 CVE-2026-26283 CVE-2026-26284
CVE-2026-26983
Signed-off-by: Naman Jain <namanj1@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:24 +05:30
5124ac4a65
nginx: fix CVE-2026-28753
...
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160367
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28753
[3] https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
24459e3f5c
nginx: fix CVE-2026-27654
...
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160382
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27654
[3] https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
958cca3987
nginx: fix CVE-2026-27651
...
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160383
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27651
[3] https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
0ef4a2ecee
grpc: set status for CVE-2026-33186
...
CPE per NVD report is for "go", while this is C++ component:
* cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*
Also the link to adisory within NVD report says "grpc-go":
* https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
a1b14b7a3a
python3-werkzeug: ignore CVE-2026-27199
...
Vvulnerability affects Windows application and can be ignored.
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
3b6292cfbe
python3-tornado: fix CVE-2026-35536
...
Backport the commit[1] from version 6.5.5 which fixes this vulnerability
according to the NVD[2].
[1] https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-35536
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
6679171034
python3-flask: upgrade 3.0.2 -> 3.0.3
...
License Update: File renamed as txt[1]
Release Notes:
https://github.com/pallets/flask/releases/tag/3.0.3
[1] https://github.com/pallets/flask/commit/87d5f5b9a9697434e6d972b021201105eabb54e6
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
8ce4b233c6
python3-ecdsa: fix CVE-2026-33936
...
Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-33936
Ptests passed:
root@qemux86:~# ptest-runner python3-ecdsa
START: ptest-runner
2026-04-11T08:04
BEGIN: /usr/lib/python3-ecdsa/ptest
...
...
Testsuite summary
# TOTAL: 1978
# PASS: 1974
# SKIP: 4
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
DURATION: 386
END: /usr/lib/python3-ecdsa/ptest
2026-04-11T08:10
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
8e106a9b12
python3-django: upgrade 4.2.29 -> 4.2.30
...
Release Notes:
https://docs.djangoproject.com/en/dev/releases/4.2.30/
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
f3e47be00a
nmap: rename enum PCAP_SOCKET
...
The enum PCAP_SOCKET conflicts with the PCAP_SOCKET macro introduced in
libpcap 1.10.5. Use ifdefs to handle both old and new libpcap versions,
renaming the enum to NM_PCAP_SOCKET when the PCAP_SOCKET macro is defined.
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
9757d0151b
python3-django: fix CVE-2025-59681
...
QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and
QuerySet.extra() methods were subject to SQL injection in column aliases, using
a suitably crafted dictionary, with dictionary expansion, as the **kwargs
passed to these methods on MySQL and MariaDB.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-59681
Upstream-patch:
https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
838ca22808
python3-django: fix CVE-2025-57833
...
FilteredRelation was subject to SQL injection in column aliases, using a
suitably crafted dictionary, with dictionary expansion, as the **kwargs
passed QuerySet.annotate() or QuerySet.alias().
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-57833
Upstream-patch:
https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
6f240eceb0
hdf5: fix CVE-2025-2309
...
According to [1], A vulnerability has been found in HDF5 1.14.6 and
classified as critical. This vulnerability affects the function
H5T__bit_copy of the component Type Conversion Logic. The manipulation
leads to heap-based buffer overflow. Local access is required to approach
this attack. The exploit has been disclosed to the public and may be used.
The real existence of this vulnerability is still doubted at the moment.
The vendor plans to fix this issue in an upcoming release.
Backport patch [2] from upstream to fix CVE-2025-2309
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2309
[2] https://github.com/HDFGroup/hdf5/commit/9d90b21ef5c5373978014f1a711795aa653bd9a1
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
69fcb4d4b1
hdf5: fix CVE-2025-44905
...
According to [1], hdf5 v1.14.6 was discovered to contain a heap buffer
overflow via the H5Z__filter_scaleoffset function.
Backport patch [2] from upstream to fix CVE-2025-44905
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-44905
[2] https://github.com/HDFGroup/hdf5/commit/42588aeba786a121fec1fbad72cf39d8f60a4983
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
c96f578f10
hdf5: fix CVE-2025-2310
...
According to [1], A vulnerability was found in HDF5 1.14.6 and classified
as critical. This issue affects the function H5MM_strndup of the component
Metadata Attribute Decoder. The manipulation leads to heap-based buffer
overflow. Attacking locally is a requirement. The exploit has been
disclosed to the public and may be used.
Backport patch [2] from upstream to fix CVE-2025-2310
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2310
[2] https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
43572581cf
hdf5: fix CVE-2025-2153
...
According to [1], A vulnerability, which was classified as critical, was
found in HDF5 1.14.6. Affected is the function H5SM_delete of the file
H5SM.c of the component h5 File Handler. The manipulation leads to
heap-based buffer overflow. It is possible to launch the attack remotely.
The complexity of an attack is rather high. The exploitability is told to
be difficult. The exploit has been disclosed to the public and may be used.
Backport patch [2] from upstream to fix CVE-2025-2153
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2153
[2] https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:15 +05:30
151e634ed2
python3-django: fix CVE-2025-64459
...
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the
class Q() were subject to SQL injection when using a suitably crafted
dictionary, with dictionary expansion, as the _connector argument.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html
Upstream-patch:
https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:10:33 +05:30
c14dcffcd7
yasm: fix CVE-2021-33454
...
An issue was discovered in yasm version 1.3.0. There is a
NULL pointer dereference in yasm_expr_get_intnum() in
libyasm/expr.c.
Backport patch to fix CVE-2021-33454 per reference [1].
[1]: https://security-tracker.debian.org/tracker/CVE-2021-33454
Signed-off-by: Guocai He <guocai.he.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:10:33 +05:30
fc30bb5eed
unbound: Fix CVE-2025-11411
...
Backport complete patch to fix CVE-2025-11411
The existing scarthgap patch is a partial backport with hardcoded logic,
causing incorrect behavior and ptest failures. Backport the full upstream
fix along with the follow-up patch to ensure correct functionality.
Add below patch to fix
0001-CVE-2025-11411-1.patch
0002-CVE-2025-11411-2.patch
Signed-off-by: Jackson James <jacksonj2@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
07c2b52840
nodejs: upgrade 20.20.0 -> 20.20.2
...
License Update: Update minimatch to the Blue Oak Model License[1]
nodejs LTS releases containing security and bugfixes.
https://nodejs.org/en/blog/release/v20.20.1
https://nodejs.org/en/blog/release/v20.20.2
[1] https://github.com/nodejs/node/commit/f0ef221b0d458d9358c6e6e49094da475e86c229
Ptests passed:
root@qemux86:~# ptest-runner nodejs
START: ptest-runner
2026-04-09T10:37
BEGIN: /usr/lib/nodejs/ptest
Running main() from /usr/src/debug/nodejs/20.20.2/deps/googletest/src/gtest_main.cc
[==========] Running 152 tests from 23 test suites.
[----------] Global test environment set-up.
...
...
[----------] Global test environment tear-down
[==========] 152 tests from 23 test suites ran. (30533 ms total)
[ PASSED ] 152 tests.
PASS: nodejs
DURATION: 31
END: /usr/lib/nodejs/ptest
2026-04-09T10:37
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
42bf9aa27a
mbedtls: upgrade 3.6.5 -> 3.6.6
...
Contains fixes for CVE-2026-25833, CVE-2026-25834, CVE-2026-25835,
CVE-2026-34872, CVE-2026-34873, CVE-2026-34874 and CVE-2026-34875.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6
Ptests passed:
root@qemux86:~# ptest-runner mbedtls
START: ptest-runner
2026-04-09T10:41
BEGIN: /usr/lib/mbedtls/ptest
...
...
DURATION: 508
END: /usr/lib/mbedtls/ptest
2026-04-09T10:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit fe1b038cd8ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
39924b5b88
libvncserver: fix CVE-2026-32854
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32854
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
c56964fcf2
libvncserver: fix CVE-2026-32853
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32853
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
964432f3af
libraw: ignore CVE-2026-5318
...
Vulnerability exists in the function which was added in version 0.22.0[1]
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-5318
[1] https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
d17d94e0e0
libde265: upgrade 1.0.12 -> 1.0.16
...
Dropped patches which are part of the upstream version.
https://github.com/strukturag/libde265/releases/tag/v1.0.16
https://github.com/strukturag/libde265/releases/tag/v1.0.15
https://github.com/strukturag/libde265/releases/tag/v1.0.14
https://github.com/strukturag/libde265/releases/tag/v1.0.13
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
7e723ad1c7
giflib: patch CVE-2025-31344
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31344
Backport the commit that mentions this CVE ID explicitly
in its message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
6d5a42a5e0
freerdp3: fix CVE-2026-33984
...
Detaisl: https://nvd.nist.gov/vuln/detail/CVE-2026-33984
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
262e656885
freerdp3: fix CVE-2026-31897
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31897
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
73ae0a8034
freerdp3: fix CVE-2026-31806
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31806
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
7025c461c7
freerdp3: fix CVE-2026-29776
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29776
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
1bc75cd389
freerdp3: fix CVE-2026-29775
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29775
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
2d96f24f2d
freerdp3: fix CVE-2026-29774
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29774
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
53ab8b4a5a
freerdp3: fix CVE-2026-24683
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24683
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
2beb2f81e7
freerdp3: fix CVE-2026-24682
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24682
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Gyorgy Sarvari
Ankur Tyagi
Daniel Turull
Hitendra Prajapati
Khem Raj
Michael Opdenacker
Libo Chen
Zahir Hussain
Naman Jain
Peter Marko
Jinfeng Wang
Haixiao Yan
Guocai He
Jackson James