Gyorgy Sarvari
a56aafa0a6
netdata: ignore CVE-2024-32019
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32019
The vulnerability affects the ndsudo binary, part of netdata.
This binary was introduced in version 1.45.0[1], and the recipe
contains v1.34.1 - which is not vulnerable yet.
Ignore the CVE due to this.
[1]: https://github.com/netdata/netdata/commit/0c8b46cbfd05109a45ee4de27f034567569fa3fa
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:57 +05:30
Gyorgy Sarvari
522a522cb7
mongodb: ignore CVE-2025-14911
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14911
The CVE is currently tracked without valid CPE. The vulnerability
affects mongo-c-driver component, not mongodb. They are also stored
in different repositories.
Due to this, ignore this CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:57 +05:30
Gyorgy Sarvari
c6b15e6601
mongodb: upgrade 4.4.29 -> 4.4.30
This is a security release to fix CVE-2025-14847:
https://nvd.nist.gov/vuln/detail/CVE-2025-14847
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:56 +05:30
Gyorgy Sarvari
832b983735
libcupsfilters: patch CVE-2025-64503
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503
Pick the patch that explicitly references the CVE ID in its message.
(The NVD advisory mentions only the cups-filters patch, but
the developer indicated the CVE ID in the libcupsfilters patch also.)
Between this recipe version and the patch the project has decided to
eliminate C++ from the project, and use C only. The patch however
is straightforward enough that it could be backported with very small
modifications.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:56 +05:30
Gyorgy Sarvari
0923b77230
imagemagick: patch CVE-2025-66628
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66628
Pick the patch that refers to the relevant github advisory[1]
explicitly in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hjr-v6g4-3fm8
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:55 +05:30
Gyorgy Sarvari
2073a86a79
gnome-settings-daemon: ignore CVE-2024-38394
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-38394
The CVE has the disputed flag. The project maintainers claim that the issue
is not in gnome-settings-daemon. If the vulnerability needs to be handled
in gnome-settings-daemon, then it is a new feature rather than a vulnerability fix.
Due to this, ignore this CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:55 +05:30
Gyorgy Sarvari
a33dae10b1
gimp: ignore CVE-2025-14423
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14423
The vulnerability is about parsing LBM files, however this feature
was introduced in version 3.0[1], and the current recipe version
is not vulnerable.
[1]: https://gitlab.gnome.org/GNOME/gimp/-/commit/222bef78c71ed8562a610f6863d56c0b3e2bef68
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:54 +05:30
Gyorgy Sarvari
a0806bca0a
freerdp: ignore CVE-2025-68118
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118
The vulnerability is specific to the usage of the Microsoft-specific sprintf
implementation. Because of this, ignore this vulnerability.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1b4b952b51)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:54 +05:30
Gyorgy Sarvari
eb8e89e3b4
ez-ipupdate: patch CVE-2003-0887
Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887
The vulnerability is about the default (example) configurations,
which place cache files into the /tmp folder, which is world-writable.
The recommendation would be to place them in a more secure folder.
The recipe however does not install these example configurations,
and as such it is not vulnerable either.
Just to make sure, patch these folders to a non-tmp folder
(and also install that folder, empty).
Some more discussion about the vulnerability:
https://bugzilla.suse.com/show_bug.cgi?id=48161
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 0080dd7973)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:53 +05:30
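The ez-ipupdate message above describes the classic failure mode behind CVE-2003-0887: state files written into a world-writable directory such as /tmp. The following is an added illustration, not code from ez-ipupdate or from this commit, of the two defensive checks a program writing cache files should make: refuse a directory that is world-writable or not owned by the caller, and create the file with O_EXCL and O_NOFOLLOW so a pre-planted file or symlink cannot redirect the write. The function names and the demo directory are assumptions made for the example.

```python
import os
import stat
import tempfile


def cache_dir_problems(path: str) -> list:
    """Reasons why `path` is unsuitable for holding cache/state files.

    Returns an empty list when the directory is acceptable. A sticky
    world-writable directory (like /tmp, mode 1777) is still rejected:
    the sticky bit stops other users deleting our files, not pre-creating
    them under the name we are about to use.
    """
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != os.getuid():
        problems.append("is owned by another user")
    if st.st_mode & stat.S_IWOTH:
        problems.append("is world-writable")
    return problems


def create_cache_file(directory: str, name: str) -> str:
    """Create a fresh, owner-only cache file inside a vetted directory.

    O_EXCL makes the call fail if the name already exists and O_NOFOLLOW
    (where the platform has it) refuses to traverse a symlink, so an
    attacker-planted entry in the directory cannot hijack the write.
    """
    problems = cache_dir_problems(directory)
    if problems:
        raise PermissionError(f"refusing to use {directory}: {', '.join(problems)}")
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    os.close(fd)
    return path


def run_demo() -> dict:
    """Exercise both checks on a throw-away directory; returns the observations."""
    d = tempfile.mkdtemp(prefix="cache-demo-")
    out = {}
    os.chmod(d, 0o1777)                      # mimic /tmp: sticky but world-writable
    out["tmp_like_problems"] = cache_dir_problems(d)
    os.chmod(d, 0o700)                       # a private state directory
    out["private_problems"] = cache_dir_problems(d)
    p = create_cache_file(d, "ez-ipupdate.cache")
    out["file_mode"] = stat.S_IMODE(os.stat(p).st_mode)
    try:
        create_cache_file(d, "ez-ipupdate.cache")   # second attempt must fail
        out["second_create"] = "succeeded"
    except FileExistsError:
        out["second_create"] = "refused"
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Packaging-wise this is the same decision the commit makes: ship a dedicated, empty state directory instead of pointing the configuration at /tmp.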
Gyorgy Sarvari
14972f0f6a
fontforge: patch CVE-2025-15270
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15270
Pick the patch that mentions this vulnerability explicitly
in its description.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 15f2f350cc)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:53 +05:30
Gyorgy Sarvari
867af88ada
fontforge: patch CVE-2025-15269
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15269
Pick the patch that refers to this vulnerability ID explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 449999f676)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:53 +05:30
Gyorgy Sarvari
22b196ccb5
fontforge: patch CVE-2025-15275
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15275
Pick the patch that mentions this vulnerability ID explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit edc3b69cef)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:52 +05:30
Gyorgy Sarvari
8854244ac5
fontforge: patch CVE-2025-15279
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15279
Pick the patch that mentions this vulnerability ID explicitly.
Also, this patch has caused a regression; pick the patch that fixed
that regression as well.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 21418bce90)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:52 +05:30
Anil Dongare
70822f1a81
php 8.2.29: Fix CVE-2025-14180
Upstream Repository: https://github.com/php/php-src.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14180
Type: Security Fix
CVE: CVE-2025-14180
Score: 7.5
Patch: https://github.com/php/php-src/commit/5797b94652c3
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:51 +05:30
Anil Dongare
4750244921
php 8.2.29: Fix CVE-2025-14178
Upstream Repository: https://github.com/php/php-src.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14178
Type: Security Fix
CVE: CVE-2025-14178
Score: 8.2
Patch: https://github.com/php/php-src/commit/c4268c15e361
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:51 +05:30
Jason Schonberg
561e0e911f
Use https when accessing archive.xfce.org
While using devtool to check available versions, I noticed a 301 HTTP error.
Specifically:
$ devtool latest-version libxfce4ui
Resolving archive.xfce.org (archive.xfce.org)... 217.70.191.87
Connecting to archive.xfce.org (archive.xfce.org)|217.70.191.87|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://archive.xfce.org/src/xfce/libxfce4ui/4.20/ [following]
With this patch, we change the SRC_URI to an https request.
A similar patch is already in master - commit 8089168196
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:50 +05:30
Jan Vermaete
4e1397ed49
python3-protobuf: added python3-ctypes as RDEPENDS
File "/usr/lib/python3.12/site-packages/google/protobuf/internal/type_checkers.py", line 25, in <module>
import ctypes
ModuleNotFoundError: No module named 'ctypes'
Tested on qemux86-64.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(From meta-openembedded rev: d1b8ebc2a5)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:50 +05:30
Peter Marko
0ae047668f
python3-protobuf: patch CVE-2026-0994
Pick patch from PR in NVD report.
It is the only code change in 33.5 release.
Skip the test file change as it's not shipped in python module sources.
Resolve formatting-only conflict.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:49 +05:30
Gyorgy Sarvari
79e3760935
tigervnc: ignore CVE-2025-26594...26601
Ignore the following CVEs: CVE-2025-26594, CVE-2025-26595, CVE-2025-26596,
CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-26594
https://nvd.nist.gov/vuln/detail/CVE-2025-26595
https://nvd.nist.gov/vuln/detail/CVE-2025-26596
https://nvd.nist.gov/vuln/detail/CVE-2025-26597
https://nvd.nist.gov/vuln/detail/CVE-2025-26598
https://nvd.nist.gov/vuln/detail/CVE-2025-26599
https://nvd.nist.gov/vuln/detail/CVE-2025-26600
https://nvd.nist.gov/vuln/detail/CVE-2025-26601
TigerVNC compiles its own xserver, this is why these CVEs are associated
with it - despite the vulnerabilities being in xserver.
All of these vulnerabilities were fixed by the same PR[1], which has
been part of xserver since version 21.1.16 (the currently used xserver
version in TigerVNC is 21.1.18).
Due to this, ignore these vulnerabilities, and just mark them as patched.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4924e89bb7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:49 +05:30
Gyorgy Sarvari
859698874e
tigervnc: ignore CVE-2023-6478
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478
TigerVNC compiles its own xserver, this is why this CVE is associated
with it - despite the vulnerability being in xserver.
The vulnerability was fixed by [1] (from the nvd report), which has been
backported[2] to the xserver version used by the recipe - so ignore the
CVE, since it's patched already.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 62a78f8ba7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:48 +05:30
Gyorgy Sarvari
cfcf8dd2e9
tigervnc: ignore CVE-2023-6377
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6377
TigerVNC compiles its own xserver, this is why this CVE is associated
with it - despite the vulnerability being in xserver.
The vulnerability was fixed by [1] (from the nvd report), which has been
backported[2] to the xserver version used by the recipe - so ignore the
CVE, since it's patched already.
[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/a7bda3080d2b44eae668cdcec7a93095385b9652
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f691f2178b)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:48 +05:30
Gyorgy Sarvari
e846385dac
tigervnc: ignore CVE-2014-8241
Details: https://nvd.nist.gov/vuln/detail/CVE-2014-8241
The vulnerability is about a potential null-pointer dereference, because
a malloc result is not verified[1].
The vulnerable code has since been completely refactored[2], and the code
is not present in the codebase anymore.
[1]: https://github.com/TigerVNC/tigervnc/issues/993#issuecomment-612874972 - attachment
[2]: https://github.com/TigerVNC/tigervnc/commit/b8a24f055f1a29886d8b18bb3f0902144dc5bd14
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ed8a1038d2)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:48 +05:30
Gyorgy Sarvari
db5577f533
tigervnc: sync xserver component with oe-core
oe-core has a newer version of xserver than this recipe used to compile
TigerVNC with. This recipe updates xserver to the same version, 21.1.18.
TigerVNC only started to support this xserver version 2 versions later,
with 1.13. Due to this 3 commits were backported that add the missing
changes.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:47 +05:30
Peter Marko
0182c8c269
python3-m2crypto: workaround for swig issue with sys/types.h
Upgrade to openssl 3.4.0 added sys/types.h into include/openssl/e_os2.h.
Unfortunately swig has an issue with this and the build broke.
Add a workaround to remove this include until swig is fixed.
In our setup this include is not necessary.
Upstream issue: https://github.com/swiftlang/swift/issues/69311
(From meta-openembedded rev: f9158ce32f)
This backport is part of the effort to upgrade openssl to LTS in scarthgap.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:47 +05:30
Jason Schonberg
e2001fa66c
libmodule-build-tiny-perl: fix reference to TMPDIR
This fix is found in the recipe on the master branch.
The warning was seen in build https://autobuilder.yoctoproject.org/valkyrie/?#/builders/81/builds/1279
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:46 +05:30
Hitendra Prajapati
acbbb1e308
wireshark: fix for CVE-2026-0959
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/4b48ee36f1829d6d3d009bf9871af523ce8e3ace
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:46 +05:30
Gyorgy Sarvari
032393ff1c
sox: patch CVE-2019-8354
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-8354
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2019-8354
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:45 +05:30
Gyorgy Sarvari
022657b094
sox: patch CVE-2019-13590
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-13590
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2019-13590
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:45 +05:30
Gyorgy Sarvari
157b2e377d
sox: mark CVE-2019-1010004 as patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004
The description mentions that this vulnerability overlaps with CVE-2017-18189,
and Debian's investigation[1] confirms that it is solved by the same commit.
Add the ID to the CVE tag of CVE-2017-18189.patch.
[1]: https://security-tracker.debian.org/tracker/CVE-2019-1010004
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:44 +05:30
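The sox commit above marks a second CVE as patched by adding its ID to the `CVE:` tag line of an existing patch rather than carrying a second patch. The scanner below is an added illustration of why that works; it is not the code of OpenEmbedded's cve-check class nor part of this commit, but it mirrors the two sources that class consults: CVE IDs embedded in a patch file name, and IDs listed on `CVE:` tag lines inside the patch. The patch headers are constructed stand-ins, not the real sox patch.

```python
import re

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Only header lines of the form "CVE: CVE-YYYY-NNNN [CVE-YYYY-NNNN ...]"
# count; an ID merely mentioned in the patch description does not.
CVE_TAG_RE = re.compile(r"^\s*CVE:\s*(.+)$", re.MULTILINE)


def cves_from_name(patch_name: str) -> set:
    """CVE IDs embedded in the patch file name, e.g. CVE-2017-18189.patch."""
    return set(CVE_ID_RE.findall(patch_name))


def cves_from_tags(patch_text: str) -> set:
    """CVE IDs listed on 'CVE:' tag lines in the patch header."""
    found = set()
    for tag_body in CVE_TAG_RE.findall(patch_text):
        found.update(CVE_ID_RE.findall(tag_body))
    return found


def patched_cves(patches: dict) -> set:
    """Union of both sources over every patch a recipe applies."""
    patched = set()
    for name, text in patches.items():
        patched |= cves_from_name(name)
        patched |= cves_from_tags(text)
    return patched


def still_open(reported: set, patches: dict) -> set:
    """Reported CVEs that no patch claims to fix."""
    return reported - patched_cves(patches)


# Constructed patch header (hypothetical; the real sox patch is not reproduced).
# The description mentions the overlapping CVE, but only the tag line counts.
BEFORE = {
    "CVE-2017-18189.patch": (
        "From: Example Author <author@example.invalid>\n"
        "Subject: [PATCH] constructed backport of the upstream fix\n"
        "\n"
        "Debian notes this overlaps with CVE-2019-1010004.\n"
        "\n"
        "Upstream-Status: Backport\n"
        "CVE: CVE-2017-18189\n"
        "---\n"
    ),
}

# The same patch after the commit's change: a second ID on the tag line.
AFTER = {
    "CVE-2017-18189.patch": BEFORE["CVE-2017-18189.patch"].replace(
        "CVE: CVE-2017-18189", "CVE: CVE-2017-18189 CVE-2019-1010004"
    ),
}

if __name__ == "__main__":
    reported = {"CVE-2017-18189", "CVE-2019-1010004"}
    print("open before:", sorted(still_open(reported, BEFORE)))
    print("open after: ", sorted(still_open(reported, AFTER)))
```

The practical check this gives a reviewer: after the edit, every ID the recipe is expected to cover should appear in the patched set, and a mention in prose alone would not have been enough.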
Gyorgy Sarvari
f81e7c9574
sox: patch CVE-2017-18189
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-18189
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-18189
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:44 +05:30
Gyorgy Sarvari
083add805e
sox: patch CVE-2017-15642
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15642
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15642
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:43 +05:30
Gyorgy Sarvari
e37bff308b
sox: patch CVE-2017-15372
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15372
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15372
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:43 +05:30
Gyorgy Sarvari
b4544d1e35
sox: patch CVE-2017-15371
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15371
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15371
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:42 +05:30
Gyorgy Sarvari
93464e794d
sox: patch CVE-2017-15370
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15370
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-15370
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:42 +05:30
Gyorgy Sarvari
745224d1ac
sox: patch CVE-2017-11359
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11359
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-11359
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:42 +05:30
Gyorgy Sarvari
5d16f49c1d
sox: patch CVE-2017-11358
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11358
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-11358
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:41 +05:30
Gyorgy Sarvari
73816b3deb
sox: patch CVE-2017-11332
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-11332
Pick the patch that was identified by Debian[1] as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2017-11332
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:41 +05:30
Tero Kinnunen
2306b49360
python3-watchdog: Remove obsolete dependencies
Python watchdog has removed all dependencies except the optional `pyyaml`
dependency for the `watchmedo` utility, as follows [1]:
* pathtools dependency was removed in 1.0.0
* python-argh dependency was removed in 2.1.6
* requests was never a dependency
* pyyaml is only needed for extras (`watchmedo`) and may not be strictly necessary
[1] https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst
Signed-off-by: Tero Kinnunen <tero.kinnunen@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-09 09:35:36 +05:30
Gyorgy Sarvari
7a5075cef7
gnome-keyring: set CVE_PRODUCT
The underscores and hyphens in the product name are used randomly in the CVE
database:
sqlite> select * from PRODUCTs where vendor = 'gnome' and product like '%keyr%';
CVE-2012-3466|gnome|gnome-keyring|3.4.0|=||
CVE-2012-3466|gnome|gnome-keyring|3.4.1|=||
CVE-2012-6111|gnome|gnome_keyring|3.2|=||
CVE-2012-6111|gnome|gnome_keyring|3.4|=||
CVE-2018-19358|gnome|gnome-keyring|||3.28.2|<=
CVE-2018-20781|gnome|gnome_keyring|||3.27.2|<
Set CVE_PRODUCT so that both versions are matched.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4fdeb484c2)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 11:16:37 +05:30
Gyorgy Sarvari
ab85e58b91
xerces-c: set CVE_PRODUCT
The related CVEs are tracked with "xerces-c\+\+" (sic).
See CVE db query:
sqlite> select vendor, product, count(*) from PRODUCTs where product like '%xerces%' group by 1, 2;
apache|xerces-c\+\+|29
apache|xerces-j|2
apache|xerces2_java|3
redhat|xerces|3
Set CVE_PRODUCT accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 29a272744a)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 11:16:24 +05:30
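The two CVE_PRODUCT commits above (gnome-keyring and xerces-c) both hinge on the same mechanism: the recipe's product name is compared literally against the product column of the CVE database, so an inconsistent spelling in the database (hyphen versus underscore, or an escaped `xerces-c\+\+`) silently hides CVEs. The following is an added illustration of that matching and of a helper that lists every spelling the database uses for a product; it is not OpenEmbedded's cve-check code nor part of either commit. The rows are constructed from the sqlite output quoted in the two messages; for xerces the messages give only counts, so those CVE IDs are labelled placeholders. The exact CVE_PRODUCT syntax the two recipes ended up with is not shown in the messages and is not claimed here; the `vendor:product` form used below is the documented way to pin a vendor in CVE_PRODUCT.

```python
from typing import List, Optional, Set, Tuple

# (cve_id, vendor, product) rows constructed from the quoted query output.
# Version columns are omitted because only the product spelling matters here.
# CVE-PLACEHOLDER-* are stand-ins: the xerces query shows counts, not IDs.
PRODUCT_ROWS = [
    ("CVE-2012-3466", "gnome", "gnome-keyring"),
    ("CVE-2012-6111", "gnome", "gnome_keyring"),
    ("CVE-2018-19358", "gnome", "gnome-keyring"),
    ("CVE-2018-20781", "gnome", "gnome_keyring"),
    ("CVE-PLACEHOLDER-0001", "apache", r"xerces-c\+\+"),
    ("CVE-PLACEHOLDER-0002", "apache", "xerces-j"),
    ("CVE-PLACEHOLDER-0003", "apache", "xerces2_java"),
    ("CVE-PLACEHOLDER-0004", "redhat", "xerces"),
]


def parse_cve_product(value: str) -> List[Tuple[Optional[str], str]]:
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    Entries are whitespace separated; 'vendor:product' pins the vendor,
    a bare 'product' matches any vendor.
    """
    pairs = []
    for entry in value.split():
        vendor, sep, product = entry.partition(":")
        pairs.append((vendor, product) if sep else (None, entry))
    return pairs


def matching_cves(cve_product: str, rows=PRODUCT_ROWS) -> Set[str]:
    """CVE IDs whose row matches one of the CVE_PRODUCT entries.

    The product string is compared literally, which is why the escaped
    spelling stored for xerces has to be reproduced character for character.
    """
    wanted = parse_cve_product(cve_product)
    hits = set()
    for cve_id, vendor, product in rows:
        for want_vendor, want_product in wanted:
            if product == want_product and want_vendor in (None, vendor):
                hits.add(cve_id)
    return hits


def product_spellings(name: str, rows=PRODUCT_ROWS) -> Set[str]:
    """Every spelling in the table that differs from `name` only by '-' vs '_'.

    Generalises the gnome-keyring observation: run it for any recipe to see
    which variants CVE_PRODUCT must list so no row is missed.
    """
    key = name.replace("_", "-")
    return {product for _, _, product in rows if product.replace("_", "-") == key}


def suggest_cve_product(name: str, rows=PRODUCT_ROWS) -> str:
    """A CVE_PRODUCT value covering all hyphen/underscore variants of `name`."""
    return " ".join(sorted(product_spellings(name, rows)))


if __name__ == "__main__":
    print("gnome-keyring only      :", sorted(matching_cves("gnome-keyring")))
    print("both spellings          :", sorted(matching_cves(suggest_cve_product("gnome-keyring"))))
    print("xerces-c (unescaped)    :", sorted(matching_cves("xerces-c")))
    print("apache:xerces-c\\+\\+     :", sorted(matching_cves(r"apache:xerces-c\+\+")))
```

The zero-match result for plain `xerces-c` is the failure mode to watch for in a CVE report: an empty list can mean "no known issues" or "wrong product string", and only a query like the ones quoted in the commits tells the two apart.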
Gyorgy Sarvari
95afb29339
acpitool: update SRC_URI
The old SRC_URI stopped working (its certificate expired), and the recipe
defaulted to OE mirrors.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0b2deaab02)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 11:11:48 +05:30
Archana Polampalli
0a2ce1c4dd
tcpreplay: fix CVE-2025-51006
Within tcpreplay's tcprewrite, a double free vulnerability has been identified
in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c.
This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly invokes
the cleanup routine multiple times on the same memory region. By supplying a
specifically crafted pcap file to the tcprewrite binary, a local attacker can
exploit this flaw to cause a Denial of Service (DoS) via memory corruption.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 10:13:56 +05:30
Ankur Tyagi
cb4570120b
python3-twisted: patch CVE-2024-41810
Though nvd[1] mentions commit[2] as part of the fix for CVE-2024-41671,
it is actually a fix[3] for CVE-2024-41810.
Rename patch files accordingly.
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-41671
[2] https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-41810
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 10:04:49 +05:30
Ankur Tyagi
daacf501a1
python3-cbor2: patch CVE-2025-68131
Backport the patch[1] which fixes this vulnerability as mentioned in the
comment[2].
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68131
[1] https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0
[2] https://github.com/agronholm/cbor2/pull/268#issuecomment-3719179000
Dropped changes to the changelog from the original commit.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 10:04:49 +05:30
Ankur Tyagi
8331a444fd
python3-aiohttp: patch CVE-2025-53643
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53643
Dropped changes to the test and changelog from the original commit.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 10:04:48 +05:30
Peter Marko
2aaf663547
libmad: ignore CVE-2017-11552 and CVE-2018-7263
These CVEs are for mpg321, not libmad.
See Debian assessment:
* https://security-tracker.debian.org/tracker/CVE-2017-11552
* https://security-tracker.debian.org/tracker/CVE-2018-7263
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fee86a312f)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 10:04:48 +05:30
Gyorgy Sarvari
a5772bb67e
openvpn: ignore CVE-2025-13751
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-13751
The vulnerability is Windows-specific and can be ignored.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 10:04:48 +05:30
Gyorgy Sarvari
582d2ba035
python3-m2crypto: mark CVE-2020-25657 as patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-25657
The commit[1] that fixes the vulnerability has been part of the
package since version 0.39.0.
[1]: https://git.sr.ht/~mcepl/m2crypto/commit/84c53958def0f510e92119fca14d74f94215827a
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ba6468f7a0)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 10:04:47 +05:30
Gyorgy Sarvari
509f680b6e
python3-m2crypto: ignore CVE-2009-0127
Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127
The vulnerability is disputed[1] by upstream:
"There is no vulnerability in M2Crypto. Nowhere in the functions
are the return values of OpenSSL functions interpreted incorrectly.
The functions provide an interface to their users that may be
considered confusing, but is not incorrect, nor it is a vulnerability."
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b46a5452a1)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 10:04:47 +05:30
Gyorgy Sarvari
13e671d322
python3-twitter: mark CVE-2012-5825 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825
The Debian bugtracker[1] indicated that the issue is tracked by
upstream in github[2] (with a different CVE ID, but the same issue),
where the vulnerability was confirmed. Later in the same github issue
the solution is confirmed: the project switched to using the requests
library, which doesn't suffer from this vulnerability.
Due to this, mark the CVE as patched.
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444
[2]: https://github.com/tweepy/tweepy/issues/279
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3ee544e759)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-26 10:04:46 +05:30