Gyorgy Sarvari
9d92eeacdf
imagemagick: patch CVE-2025-57803
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57803
Backport the patch that is mentioned in the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:55 +05:30
Gyorgy Sarvari
29fa171a9d
imagemagick: patch CVE-2025-55212
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55212
Backport the patch that is mentioned in the NVD advisory.
Notes about the backport:
The original patch deletes two extra lines compared to the backport:
those lines were a previous attempt[1] to solve the same vulnerability,
and the final patch reverted them. Since that patch wasn't part of the
recipe, those deletions were dropped from the backported patch.
The PerceptibleReciprocal function was renamed[2] to MagickSafeReciprocal
after the recipe's revision, but there were no functional changes
in the function's behavior.
[1]: https://github.com/ImageMagick/ImageMagick/commit/43d92bf855155e8e716ecbb50ed94c2ed41ff9f6
[2]: https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e9
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:54 +05:30
Gyorgy Sarvari
118df68d25
imagemagick: patch CVE-2025-55160
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55160
Pick the patch that mentions the related github advisory[1]
in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:54 +05:30
Gyorgy Sarvari
dd13a60248
imagemagick: patch CVE-2025-55154
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55154
Pick the patch that mentions the related github advisory[1]
in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:53 +05:30
Gyorgy Sarvari
df19121bc6
imagemagick: patch CVE-2025-55005
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55005
Pick the patch that mentions the related github advisory[1] in its
commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v393-38qx-v8fp
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:53 +05:30
Gyorgy Sarvari
b32dcf53ce
imagemagick: patch CVE-2025-55004
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55004
Pick the patch that mentions the related github advisory[1] explicitly in
its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:52 +05:30
Gyorgy Sarvari
2d4ca24273
imagemagick: patch CVE-2025-53101
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53101
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:52 +05:30
Gyorgy Sarvari
482f541705
imagemagick: patch CVE-2025-53019
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53019
Pick the commit that is marked as a fix at the bottom of the relevant
github advisory[1].
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:51 +05:30
Gyorgy Sarvari
7c479d21cd
imagemagick: patch CVE-2025-53015
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53015
Backport the patches marked as a solution at the bottom of the relevant
github advisory[1].
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:51 +05:30
Gyorgy Sarvari
e9916715c9
imagemagick: patch CVE-2025-53014
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53014
Pick the commit that is mentioned as a solution at the bottom of
the relevant Github advisory[1].
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:50 +05:30
Gyorgy Sarvari
80175b4a47
imagemagick: mark CVE-2023-5341 as patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-5341
The fix[1] mentioned in the NVD report has been part of the recipe since
7.1.1-19.
[1]: https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:50 +05:30
Gyorgy Sarvari
90fdbcf82b
imagemagick: upgrade 7.1.1-26 -> 7.1.1-47
Contains fixes for CVE-2024-41817, CVE-2025-43965 and CVE-2025-46393
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:50 +05:30
Sanjay Chitroda
3835a88f94
recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetch
The upstream site (landley.net) serves inconsistent content when using HTTP,
causing checksum mismatches during do_fetch. Using HTTPS ensures stable
downloads and resolves checksum failures.
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:50:49 +05:30
Gyorgy Sarvari
2b26d30fc7
atop: patch CVE-2025-31160
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31160
Backport the patch whose subject references the CVE id explicitly.
I was able to verify the patch with a reproducer[1] (which is mentioned
in a reference[2] in the nvd report). Without the patch atop crashed,
with the patch it worked fine (both with and without -k/-K flags).
[1]: https://blog.bismuth.sh/blog/bismuth-found-the-atop-bug
[2]: https://gist.github.com/kallsyms/3acdf857ccc5c9fbaae7ed823be0365e
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:16 +05:30
Gyorgy Sarvari
cf81094887
zabbix: patch CVE-2025-49643
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49643
The actual patch was identified by checking the file that was modified
in the tag 6.0.42, and also by looking at the Jira item referenced by it:
the patch references DEV-4466, the same ID that is referenced in the
Jira ticket[1] referenced by the NVD report (look in the "All Activity" tab).
[1]: https://support.zabbix.com/browse/ZBX-27284
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:15 +05:30
Ankur Tyagi
19d7eedf67
freerdp3: patch CVE-2025-68118
Details https://nvd.nist.gov/vuln/detail/CVE-2025-68118
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:12 +05:30
Ankur Tyagi
c8f7748616
cups-filters: patch CVE-2025-64524
Details https://nvd.nist.gov/vuln/detail/CVE-2025-64524
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:11 +05:30
Hitendra Prajapati
44bdb70034
krb5: fix for CVE-2024-3596
Upstream-Status: Backport from https://github.com/krb5/krb5/commit/871125fea8ce0370a972bf65f7d1de63f619b06c
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:11 +05:30
Gyorgy Sarvari
3e322cb550
postgresql: upgrade 16.10 -> 16.11
This is a bugfix release.
Contains fixes for CVE-2025-12817 and CVE-2025-12818.
Changelog: https://www.postgresql.org/docs/16/release-16-11.html
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:04 +05:30
Gyorgy Sarvari
9dea9286a0
fio: ignore CVE-2025-10824
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824
The upstream maintainer wasn't able to reproduce the issue[1],
and the related bug is closed without further action.
[1]: https://github.com/axboe/fio/issues/1981
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a275078cbe)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:04 +05:30
Gyorgy Sarvari
fe9360051e
minio: ignore irrelevant CVEs
The minio umbrella covers multiple projects. The recipe itself builds
"minio client", which is a set of basic tools to query data from
"minio server" - like ls, mv, find...
The CVEs were filed against minio server. Looking at the go mod list,
this recipe doesn't use minio server even as a build dependency - so ignore
the CVEs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit df462075be)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:03 +05:30
Vrushti Dabhi
6553182380
p7zip 16.02: Fix CVE-2022-47069
Upstream Repository: https://sourceforge.net/projects/p7zip/
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
Type: Security Fix
CVE: CVE-2022-47069
Score: 7.8
Note:
- Commit [1] updates complete p7zip archive source for v17 and includes changes
that fix CVE-2022-47609, adapted fix related changes in current p7zip v16.02.
- Similar changes via [2] have been integrated into the upstream 7zip package,
which replaced p7zip 16.02 in OE-Core master.
For the testing:
- Verified fix using steps mentioned at [3], trace not observed.
- Validated against known malicious ZIP samples [3]
References:
[1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
[2] https://github.com/ip7z/7zip/commit/f19f813537c7
[3] https://sourceforge.net/p/p7zip/bugs/241/
[4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069
Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:07:59 +05:30
Deepak Rathore
e76bf51a92
redis: Refine CVE-2022-0543 status description
Refine the CVE_STATUS description for CVE-2022-0543 to provide
a more precise explanation of this Debian-specific vulnerability.
The vulnerability originates from Debian's packaging methodology,
which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack),
enabling Lua sandbox escape. Upstream Redis builds, including
those built by Yocto/OpenEmbedded, utilize embedded Lua from the
deps/ directory and are therefore not affected by this issue.
It is also fixed in Debian with this commit:
https://salsa.debian.org/lamby/pkg-redis/-/commit/c7fd665150dc4769402cae97d1152b3c6e4366f0
References:
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
- https://nvd.nist.gov/vuln/detail/CVE-2022-0543
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7675392aa7)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-22 07:49:04 +05:30
Ankur Tyagi
1c7b69ee0b
editorconfig-core-c: patch CVE-2024-53849
Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-17 11:45:21 +05:30
Ankur Tyagi
d9148434ad
flatpak: patch CVE-2024-42472
Details https://nvd.nist.gov/vuln/detail/CVE-2024-42472
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-17 11:45:21 +05:30
Ankur Tyagi
af50080591
libcupsfilters: patch CVE-2025-57812
Details https://nvd.nist.gov/vuln/detail/CVE-2025-57812
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-17 11:45:20 +05:30
Ankur Tyagi
a0292cd209
jasper: patch CVE-2024-31744
Details https://nvd.nist.gov/vuln/detail/CVE-2024-31744
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-17 11:45:20 +05:30
Viswanath Kraleti
d9e1f6f274
gflags: switch Git branch from master to main
Update SRC_URI to use the 'main' branch instead of 'master' since
the upstream GitHub repository has renamed its default branch.
Signed-off-by: Viswanath Kraleti <viswanath.kraleti@oss.qualcomm.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-11 08:00:54 +05:30
Sudhir Dumbhare
e0dbf0bcd3
hdf5 1.14.4-3: fix CVE-2025-2912
Upstream Repository: https://github.com/HDFGroup/hdf5.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2912
Type: Security Fix
CVE: CVE-2025-2912
Score: 4.8
Patch: https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a
Analysis:
- CVE-2025-2913 was previously fixed by [1], which also addresses CVE-2025-2912
as noted in [4].
- NVD [2] references the GitHub discussion [3] for CVE-2025-2912, and we successfully
reproduced the issue following the steps outlined there.
- Applied the fix from [4] and verified resolution using the reproduction steps.
- The same patch [4] is already included in OE-scarthgap [5] for CVE-2025-2913.
- Therefore, reused the patch from [5] to resolve CVE-2025-2912.
References:
[1] https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-2912
[3] https://github.com/HDFGroup/hdf5/issues/5370#issue-2917388806
[4] https://github.com/HDFGroup/hdf5/issues/5370#issuecomment-3542881855
[5] https://git.openembedded.org/meta-openembedded/commit/meta-oe/recipes-support/hdf5?h=scarthgap&id=b42e6eb3e51a
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-11 08:00:53 +05:30
Ankur Tyagi
b7fd86557f
smarty: update CVE_PRODUCT
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-11 08:00:23 +05:30
Deepak Rathore
b09a12e166
hdf5 1.14.4-3: Fix CVE tag format in patches
- The CVE tags in multiple hdf5 patches were using comma-separated
format which caused false positives in CVE reports.
- Multiple CVEs should be separated by space in CVE-ID.patch file as
per recipe style guide in Yocto documentation so CVE report tool can
scan those CVEs and mark it as patched.
Fixed the following patches:
- CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch
- CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch
- CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch
Reference:
- https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#cve-patches
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-05 17:46:25 +05:30
Gyorgy Sarvari
a9fa1c5c2a
xrdp: patch CVE-2023-42822
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822
Pick the patch that references the github advisory[1] and the cve ID also from
the nvd report. The patch is a backported version of the patch referenced by
the nvd report.
[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:11 +05:30
Gyorgy Sarvari
259e4f9266
xrdp: patch CVE-2023-40184
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40184
Pick the patch that is associated with the github advisory[1], which is
a backported version of the patch that is referenced by the nvd report.
[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:11 +05:30
Gyorgy Sarvari
f81041bb39
xrdp: patch CVE-2022-23493
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:10 +05:30
Gyorgy Sarvari
2578e5c17d
xrdp: patch CVE-2022-23484
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:10 +05:30
Gyorgy Sarvari
8ffd8f29d5
xrdp: patch CVE-2022-23483
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:09 +05:30
Gyorgy Sarvari
31694c82e3
xrdp: patch CVE-2022-23482
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:09 +05:30
Gyorgy Sarvari
64ee8f84c4
xrdp: patch CVE-2022-23481
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:08 +05:30
Gyorgy Sarvari
71e9d02b12
xrdp: patch CVE-2022-23480
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:08 +05:30
Gyorgy Sarvari
19e076e66b
xrdp: patch CVE-2022-23479
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:07 +05:30
Gyorgy Sarvari
63b5fff975
xrdp: patch CVE-2022-23478
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:07 +05:30
Gyorgy Sarvari
a6efc5b285
xrdp: patch CVE-2022-23477
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:06 +05:30
Gyorgy Sarvari
1cb08277fe
xrdp: patch CVE-2022-23468
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-04 14:10:02 +05:30
Anuj Mittal
5a52615450
pidgin: fix reproducibility issues
Backport changes fixing reproducibility issues from master:
9697fd958e Yoann Congal pidgin: Upgrade to 2.14.13
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 11:23:31 +05:30
yuyu
9e4f627941
trace-cmd: Update SRC_URI to use HTTPS protocol
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f00b6ad12f)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:37:26 +05:30
Yi Zhao
7e74032909
crash: add zlib-native to depends for crash-cross
Fix the following error when using buildtools-extended:
va_server.c:20:10: fatal error: zlib.h: No such file or directory
20 | #include <zlib.h>
| ^~~~~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bd745115de)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:34:21 +05:30
Gyorgy Sarvari
8f602e1cfa
redis: handle CVE-2025-27151
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27151
In redis 7 this is already patched[1], and the recipe contains the
fix.
For redis 6 backport the relevant patch (which is referenced in the
nvd report)
[1]: https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:31:33 +05:30
Gyorgy Sarvari
ac19cd99a8
redis: ignore CVE-2022-0543
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0543
The issue is specific to the version packaged by Debian, it can be ignored.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:31:33 +05:30
Gyorgy Sarvari
ed345fca57
yasm: patch CVE-2021-33456
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33465
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1020-hash-null-CVE-2021-33456.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1e2731fce0)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:31:32 +05:30
Gyorgy Sarvari
782c49a05a
yasm: patch CVE-2021-33464
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33464
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1010-nasm-pp-no-env-CVE-2021-33464.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 66a0b01b52)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-03 10:31:32 +05:30