mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity
36,250 Commits 64 Branches 0 Tags
9cb5abd34b658d54d3bb938d2629265119180da8
Commit Graph

36250 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Gyorgy Sarvari 9cb5abd34b asyncmqtt: set CVE_PRODUCT 
The CVEs are tracked with an underscore in the product name:

sqlite> select * from PRODUCTs where product like '%async%mq%';
CVE-2025-65503|redboltz|async_mqtt|10.2.5|=||

This patch sets the correct CVE_PRODUCT.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4da079d7f5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:17:19 +05:30
Gyorgy Sarvari 835f1ef688 libcereal: set CVE_PRODUCT 
The relevant CVEs are associated with usc:cereal CPE.

See CVE db query:

sqlite> select * from PRODUCTS  where PRODUCT like '%cereal%';
CVE-2020-11104|usc|cereal|||1.3.0|<=
CVE-2020-11105|usc|cereal|||1.3.0|<=

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6e936626cb)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:20 +05:30
Gyorgy Sarvari 57b188f8bc raptor2: set CVE_PRODUCT 
All relevant CVEs are files against these CPEs.

See CVE db query (zediious vendor is not relevant):

sqlite> select * from PRODUCTs where PRODUCT like '%raptor%' and vendor <> 'symantec' and product <> 'velociraptor';
CVE-2012-0037|librdf|raptor|||2.0.7|<
CVE-2017-18926|librdf|raptor_rdf_syntax_library|2.0.15|=||
CVE-2020-25713|librdf|raptor_rdf_syntax_library|2.0.15|=||
CVE-2023-49078|zediious|raptor-web|0.4.4|=||
CVE-2024-57822|librdf|raptor_rdf_syntax_library|||2.0.16|<=
CVE-2024-57823|librdf|raptor_rdf_syntax_library|||2.0.16|<=

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 15aca0b2fa)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:20 +05:30
Liu Yiding 5c64a792b6 libsdl3: upgrade 3.2.28 -> 3.2.30 
Changelog:
  https://github.com/libsdl-org/SDL/releases/tag/release-3.2.30

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a524aaddac)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:19 +05:30
Ankur Tyagi 351df9d54e libjxl: Fix build error with arm and musl 
Build fails for qemuarm with musl with following error:
/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1/lib/jxl/convolve_separable5.cc
| error: out of range pc-relative fixup value

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 63ae47a70d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:19 +05:30
Ankur Tyagi 6cb598129d mozjs-128: Fix build error with arm and musl 
Build fails for qemuarm with musl with following error:
mozglue/misc/StackWalk.o: in function `unwind_callback(_Unwind_Context*, void*)':
| /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4): undefined reference to `_Unwind_GetIP'

Referenced commit[1] for the fix, also refreshed patches.

[1] https://github.com/OSSystems/meta-browser/commit/bb8662912354dae13634c0ec35c3803c344b1e72

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 30942cebe8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:18 +05:30
Wang Mingyu 91193c97a3 libsdl3-image: upgrade 3.2.4 -> 3.2.6 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Release Notes:
https://github.com/libsdl-org/SDL_image/releases/tag/release-3.2.6

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:18 +05:30
Gyorgy Sarvari 6d1c5be67b smarty: extend CVE_PRODUCT 
Some CVEs assign smarty-php as the vendor to the corresponding CPE.
E.g CVE-2024-35226[1] is tracked with smarty-php:smarty by mitre
(NVD tracks it without CPE).

[1]: https://cveawg.mitre.org/api/cve/CVE-2024-35226

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1aee6a403c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:18 +05:30
Khem Raj f3407694b8 vboxguestdrivers: Upgrade to 7.2.4 
This is a maintenance release. The following items were fixed or added:

GUI: Fixed VirtualBox VM Manager crash when host was resuming from sleep (​github:gh-121, ​github:gh-170)
GUI: Updated native language support for Traditional Chinese, Greek, Swedish, Hungarian and Indonesian translations
NAT: Fixed issue when multiple port forwarding rules affected NAT functionality (​github:gh-232)
Linux host and guest: Introduced initial support for kernel 6.18
Linux Guest Additions: Introduced additional fixes for RHEL 9.6 and 9.7 kernels (​github:GH-12)
Windows Guest Additions: Introduced additional fixes for issue when installation was failing in Windows XP SP2 guest (​github:GH-142)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
(cherry picked from commit 0ecf2814b2)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:17 +05:30
Wang Mingyu 1b5228dcce libdecor: upgrade 0.2.4 -> 0.2.5 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

Changelog:
https://gitlab.freedesktop.org/libdecor/libdecor/-/compare/0.2.4...0.2.5?from_project_id=18349
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:17 +05:30
Wang Mingyu d879c37905 cryptsetup: upgrade 2.8.1 -> 2.8.3 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6f41c5872d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:16 +05:30
Gyorgy Sarvari 5508b827fb nodejs: remove extra CVE_PRODUCT 
CVE_PRODUCT is specified twice - the second instance only duplicates one
value from the first instance.

Remove this extra CVE_PRODUCT.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6ff9252484)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:16 +05:30
Ankur Tyagi 441cf7db11 php: upgrade 8.4.16 -> 8.4.17 
Changelog: https://www.php.net/ChangeLog-8.php#8.4.17

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:15 +05:30
Wang Mingyu 4beb45b615 microsoft-gsl: upgrade 4.2.0 -> 4.2.1 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1d33fb39d9)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:15 +05:30
Dmitry Baryshkov cce0f2d7cd vulkan-cts: upgrade 1.4.4.0 -> 1.4.4.2 
Upgrade Vulkan CTS to the point release, fixing several tests. While we
are at it, refresh Vulkan-Video-Samples patches.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 374949c531)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:14 +05:30
Jiaying Song a1a87ebf04 minicoredumper: fix 2038 year problem in timestamp handling 
The minicoredumper has multiple 2038 year problems where 'long' type
variables and strtol() function calls cause overflow on 32-bit systems
when handling timestamps after 2038-01-19.

This leads to incorrect timestamp formatting in core dump directory
names (e.g., sleep40s.20380119.031407+0000.598).

Fix by changing 'long timestamp' to 'time_t timestamp' and replacing
strtol() with strtoll() to properly handle 64-bit timestamps on
32-bit systems.

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b5685fb375)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:14 +05:30
Wang Mingyu 199ca0c29d usb-modeswitch: upgrade 2.6.1 -> 2.6.2 
0001-Fix-build-with-gcc-15.patch
removed since it's included in 2.6.2

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit dfbe08b6c3)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:13 +05:30
Wang Mingyu 5a9ced1fd5 usb-modeswitch-data: upgrade 20191128 -> 20251207 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8f2c436db5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:13 +05:30
Wang Mingyu 650978be5c libsdl3: upgrade 3.2.26 -> 3.2.28 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 26e3ef119b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:12 +05:30
Liu Yiding cb3faee20b liblognorm: upgrade 2.0.7 -> 2.0.8 
Change log
==========
Version 2.0.8, 2025-12-04
- fix potential segfault on some platforms
  Thanks to Julian Thomas for a fix
- fix memory leak when a custom type in rules does not match
  Thanks to Meric Sentunali for the fix and Julian Thomas for alerting
  me of the missing merge.

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c627784366)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:12 +05:30
Wang Mingyu 6d4fdf7f7e parallel: upgrade 20251022 -> 20251122 
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c9c4b5a887)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:12 +05:30
Wang Mingyu f2c80b13c4 python3-psycopg: upgrade 3.2.12 -> 3.2.13 
Changelog:
==============
- Show the host name in the error message in case of name resolution error
- Fix Cursor.copy() and AsyncCursor.copy() to hold the connection lock for the
  entire operation, preventing concurrent access issues
- Fix GSSAPI check with C extension built with libpq < v16

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4b297312d7)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:11 +05:30
Peter Marko c870a26c00 libcoap: set CVE version suffix 
CVE metrics currently report CVE-2025-34468 as open.
CPE is <=4.3.5, while recipe version is 4.3.5a which is a higher
version, however by default cve-check only compares numbers.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:11 +05:30
Peter Marko 08d81e661e libsodium: patch CVE-2025-69277 
Pick patch per [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69277

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:10 +05:30
Peter Marko 0d737e1419 net-snmp: patch CVE-2025-68615 
Pick patch per [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-68615

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-20 10:15:07 +05:30
Gyorgy Sarvari c6849e7529 python3-django: upgrade 5.2.8 -> 5.2.9 
Includes fix for CVE-2025-13372 and CVE-2025-64460

Changelog: https://github.com/django/django/blob/5.2.9/docs/releases/5.2.9.txt

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2538918df1)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:59 +05:30
Gyorgy Sarvari 9a6b60af3e python3-django: upgrade 4.2.26 -> 4.2.27 
Contains fix for CVE-2025-13372 and CVE-2025-64460

Changelog: https://github.com/django/django/blob/4.2.27/docs/releases/4.2.27.txt

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fae6fe9b41)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:58 +05:30
Gyorgy Sarvari b964b9858b python3-configobj: ignore CVE-2023-26112 
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112

The used version (5.0.9) contains the fix[1] already - ignore the CVE.

[1]: https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:58 +05:30
Gyorgy Sarvari e51133657a postgresql: upgrade 17.6 -> 17.7 
It contains fixes for CVE-2025-12817 and CVE-2025-12818.

Changelog:
https://www.postgresql.org/docs/release/17.7/

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8217b90e94)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:57 +05:30
Gyorgy Sarvari 7c1e9999d0 php: upgrade 8.4.15 -> 8.4.16 
This is a bugfix release, containing fixes for CVE-2025-14177,
CVE-2025-14178 and CVE-2025-14180.

Changelog: https://www.php.net/ChangeLog-8.php#8.4.16

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:57 +05:30
Gyorgy Sarvari 303f5afacf openvpn: upgrade 2.6.16 -> 2.6.17 
Contains fix for CVE-2025-13751

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:56 +05:30
Hugo SIMELIERE 925318887e libwebsockets: fix CVE-2025-11678 
Backport a fix from Debian:
https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11678.patch
Upstream commit:
https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a

Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 5fab8bd31b)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:56 +05:30
Hugo SIMELIERE 9570160dae libwebsockets: fix CVE-2025-11677 
Backport a fix from Debian:
https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11677.patch
Upstream commit:
https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a

Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit da04d7003e)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:55 +05:30
Gyorgy Sarvari 94e21ed9b5 libcoap: ignore CVE-2025-50518 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-50518

The vulnerability is disputed by upstream, because the vulnerability
requires a user error, incorrect library usage. See also an upstream
discussion in a related (rejected) PR: https://github.com/obgm/libcoap/pull/1726

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 598176e1cb)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:55 +05:30
Gyorgy Sarvari b8127adea4 imagemagick: upgrade 7.1.2-8 -> 7.1.2-12 
Contains fix for CVE-2025-65955 and CVE-2025-69204.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:54 +05:30
Gyorgy Sarvari a06ce2aa74 gimp: patch CVE-2025-14425 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425

Backport the patch referenced by the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 49732c90c0)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:54 +05:30
Gyorgy Sarvari f9add3e25a gimp: patch CVE-2025-14424 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14424

Pick the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b16c1a543a)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:53 +05:30
Gyorgy Sarvari 732aa8f936 gimp: patch CVE-2025-14423 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14423

Pick the patch references by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6aa5720e76)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:53 +05:30
Gyorgy Sarvari b680240a03 gimp: patch CVE-2025-14422 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422

Pick the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a0b41204af)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:53 +05:30
Gyorgy Sarvari ed4878b3bc freerdp3: ignore CVE-2025-68118 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118

It is a Windows only vulnerability, ignore it.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:52 +05:30
Ankur Tyagi 22b7851cde fetchmail: patch CVE-2025-61962 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-61962

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 0d9da11052)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:52 +05:30
Gyorgy Sarvari 0827d22e4c civetweb: ignore CVE-2025-9648 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-9648

It is already fixed in the currently used version.

Also, update CVE-2025-55763's status to "fixed-version" (so it will be
marked as "Patched" in the CVE report instead of "Ignored")

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bfb76da63b)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:51 +05:30
Gyorgy Sarvari 670aa709fb tigervnc: ignore CVE-2025-26594...26601 
Ignore the following CVEs: CVE-2025-26594, CVE-2025-26595, CVE-2025-26596,
CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601

Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-26594
https://nvd.nist.gov/vuln/detail/CVE-2025-26595
https://nvd.nist.gov/vuln/detail/CVE-2025-26596
https://nvd.nist.gov/vuln/detail/CVE-2025-26597
https://nvd.nist.gov/vuln/detail/CVE-2025-26598
https://nvd.nist.gov/vuln/detail/CVE-2025-26599
https://nvd.nist.gov/vuln/detail/CVE-2025-26600
https://nvd.nist.gov/vuln/detail/CVE-2025-26601

TigerVNC compiles its own xserver, this is why these CVEs are associated
with it - despite the vulnerabilities being in xserver.

All of these vulnerabilities were fixed by the same PR[1], which has
been part of xserver since version 21.1.16 (the currently used xserver
version in TigerVNC is 21.1.18).

Due to this, ignore these vulnerabilities, and just mark them as patched.

[1]: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4924e89bb7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:51 +05:30
Gyorgy Sarvari 62a12a32a8 tigervnc: ignore CVE-2023-6478 
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478

TigerVNC compiles its own xserver, this is why this CVE is associated
with it - despite the vulnerability being in xserver.

The vulnerability was fixed by [1] (from the nvd report), which has been
backported[2] to the xserver version used by the recipe - so ignore the
CVE, since it's patched already.

[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 62a78f8ba7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:50 +05:30
Gyorgy Sarvari dc575822b2 tigervnc: ignore CVE-2023-6377 
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6377

TigerVNC compiles its own xserver, this is why this CVE is associated
with it - despite the vulnerability being in xserver.

The vulnerability was fixed by [1] (from the nvd report), which has been
backported[2] to the xserver version used by the recipe - so ignore the
CVE, since it's patched already.

[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/a7bda3080d2b44eae668cdcec7a93095385b9652

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f691f2178b)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:50 +05:30
Gyorgy Sarvari 0be619859e tigervnc: sync xserver code with oe-core 
TigerVNC compiles its own xserver. Synchronize the xserver version
with oe-core.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fadb9c0570)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:49 +05:30
Gyorgy Sarvari d5f3269b90 tigervnc: fix typo in CVE_STATUS 
Forgot to add the CVE- prefix in previous patch.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2f913279d4)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:49 +05:30
Gyorgy Sarvari e370d2f41f fio: ignore CVE-2025-10824 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824

The upstream maintainer wasn't able to reproduce the issue[1],
and the related bug is closed without further action.

[1]: https://github.com/axboe/fio/issues/1981

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a275078cbe)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:48 +05:30
Gyorgy Sarvari c0a63f5222 dovecot: patch CVE-2025-30189 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-30189

Pick the patches referenced by the advisory[1] from the Full Disclosure list.

[1]: https://seclists.org/fulldisclosure/2025/Oct/29

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:48 +05:30
Gyorgy Sarvari af7857e40c cups-filters: patch CVE-2025-64524 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524

Pick the patch mentioned in the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 056ee43dd1)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
 2026-01-06 18:07:47 +05:30