d2a493539f
xrdp: patch CVE-2022-23479
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:08 +01:00
444c8f69d2
xrdp: patch CVE-2022-23478
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:07 +01:00
74b0b81579
xrdp: patch CVE-2022-23477
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:06 +01:00
5709e8f6ec
xrdp: patch CVE-2022-23468
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:05 +01:00
f218f0373f
xrdp: upgrade 0.9.18 -> 0.9.18.1
...
Contains fix for CVE-2022-23613
Changelog: https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.18.1
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:04 +01:00
e2da1298ac
python3-django: fix CVE-2025-32873
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32873
Upstream-patch:
https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c/
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-05 15:29:59 +01:00
ee59faebac
python3-django: fix CVE-2024-53907
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-53907
Upstream-patch:
https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b/
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-05 15:29:58 +01:00
64e4cf9933
python3-django: fix CVE-2024-41991
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41991
Upstream-patch:
https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f/
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-05 15:29:55 +01:00
edb07bc11e
scsirastools: Fix build with usrmerge
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 4448cd9ee7skandigraun@gmail.com >
2025-12-02 13:54:27 +01:00
4a70d6f944
gradm: fix installation with usrmerge enabled
...
In case usrmerge DISTRO_FEATURE is enabled, the recipe installs its
binaries into /sbin folder, which however supposed to be a symlink
to /usr/sbin folder, thus ultimately failing the installation.
To avoid this problem, backport a patch from master branch that allows
specifying the installation location.
This is a partial backport of 682657248cskandigraun@gmail.com >
2025-12-02 13:54:16 +01:00
bc55ba3d8c
babeld: fix installation with usrmerge
...
In case usrmerge DISTRO_FEATURE is enabled, the recipe installed
the application to /bin folder, which is however a symlink to /usr/bin,
so the installation ultimately failed.
To fix this, set the correct prefix for the installation.
This is a partial backport of f91983f1f3skandigraun@gmail.com >
2025-12-02 13:54:02 +01:00
6416254c0b
fontforge: patch CVE-2024-25081 and CVE-2024-25082
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-25081
https://nvd.nist.gov/vuln/detail/CVE-2024-25082
The same patch fixes both vulnerabilities.
Take the patch from the pull request that is referenced by the
nv report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 20:48:08 +01:00
2491ea2ffb
fontforge: patch CVE-2020-5395, CVE-2020-25690 and CVE-2020-5496
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-5395
https://nvd.nist.gov/vuln/detail/CVE-2020-25690
https://nvd.nist.gov/vuln/detail/CVE-2020-5496
The same patch fixes all three.
The patch for CVE-2020-25690 is mentioned in the RedHat bug, which is
referenced in the nvd report.
The patch for CVE-2020-5395 is mentioned in the Github issue that
is referenced in the nvd report.
The patch for CVE-2020-5496 is mentioned in the comments of the issue
that is linked in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 20:48:07 +01:00
48d2305f48
fontforge: ignore CVE-2019-15785
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-15785
The vulnerability is not present in the currently used version, so
ignore it.
Current version: 20190801
First vulnerable version: 20190813
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 20:48:06 +01:00
67bb8e4b16
yasm: patch CVE-2021-33456
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33465
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1020-hash-null-CVE-2021-33456.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1e2731fce0
2025-11-30 20:48:05 +01:00
68a44fe280
yasm: patch CVE-2021-33464
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33464
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1010-nasm-pp-no-env-CVE-2021-33464.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 66a0b01b52
2025-11-30 20:48:04 +01:00
5fb0376aed
yasm: patch CVE-2023-29579
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-29579
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1000-x86-dir-cpu-CVE-2023-29579.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit cc30757a7f
2025-11-30 20:48:03 +01:00
b6eb044866
yasm: add alternative CVE_PRODUCT
...
There are multiple vendors for yasm:
$ sqlite3 ./nvdcve_2-2.db "select distinct vendor, product from products where product = 'yasm';"
tortall|yasm
yasm_project|yasm
Both products refer to the same application
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 93f85e4fd2
2025-11-30 20:48:01 +01:00
8b438a9d7b
python3-django: fix CVE-2024-39330
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-39330
Upstream-patch:
https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:36 +01:00
740980aaba
python3-django: fix CVE-2024-39329
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-39329
Upstream-patch:
https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:34 +01:00
21d389c8f9
python3-django: fix CVE-2025-57833
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-57833
Upstream-patch:
https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:32 +01:00
0b554678b6
python3-django: fix CVE-2024-56374
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-56374
Upstream-patch:
https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:31 +01:00
540b79e3ee
python3-django: fix CVE-2025-26699
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-26699
Upstream-patch:
https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:30 +01:00
666ec505b4
python3-django: fix CVE-2024-27351
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-27351
Upstream-patch:
https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:29 +01:00
d4a5c4cf6c
python3-django: upgrade 4.2.17 -> 4.2.26
...
Fixes CVE-2025-64459, CVE-2025-64458, CVE-2025-59682, CVE-2025-59681,
CVE-2025-57833, CVE-2025-48432, CVE-2025-32873, CVE-2025-26699, CVE-2024-56374
and other bug fixes.
Release notes:
https://docs.djangoproject.com/en/dev/releases/4.2.18/
https://docs.djangoproject.com/en/dev/releases/4.2.19/
https://docs.djangoproject.com/en/dev/releases/4.2.20/
https://docs.djangoproject.com/en/dev/releases/4.2.21/
https://docs.djangoproject.com/en/dev/releases/4.2.22/
https://docs.djangoproject.com/en/dev/releases/4.2.23/
https://docs.djangoproject.com/en/dev/releases/4.2.24/
https://docs.djangoproject.com/en/dev/releases/4.2.25/
https://docs.djangoproject.com/en/dev/releases/4.2.26/
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:28 +01:00
252b82edd5
python3-django: upgrade 3.2.23 -> 3.2.25
...
Fixes CVE-2024-27351, CVE-2024-24680 and other bugfixes.
Release notes:
https://docs.djangoproject.com/en/dev/releases/3.2.24/
https://docs.djangoproject.com/en/dev/releases/3.2.25/
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:16:24 +01:00
a12478e722
libraw: patch CVE-2025-43964
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43964
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
0e30e2ab37
libraw: patch CVE-2025-43963
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43963
Pick the patch that is referenced in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
cb0fcd1ae4
libraw: patch CVE-2025-43961 and CVE-2025-43962
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43961
https://nvd.nist.gov/vuln/detail/CVE-2025-43962
Pick the patch that is mentioned by the nvd reports - the
same patch fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
309e9688d5
libraw: patch CVE-2023-1729
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1729
Pick the patch that is mentioned to solve the issue in the issue
linked from the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
730f4c000c
libraw: ignore CVE-2020-35535
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35535
The fix is already included in the used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
298f329594
libraw: ignore CVE-2020-35534
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35534
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
ce9b6df403
libraw: ignore CVE-2020-35533
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35533
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
73891ac756
libraw: ignore CVE-2020-35532
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35532
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
34f34b93d9
libraw: ignore CVE-2020-35531
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35531
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
27f77ae006
libraw: ignore CVE-2020-35530
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35530
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
8f89a8c732
tigervnc: ignore CVE-2014-8241
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2014-8241
The vulnerability is about a potential null-pointer dereference, because
of a malloc result is not verified[1].
The vulnerable code has been refactored since completely[2], and the code isn't
present anymore in the codebase.
[1]: https://github.com/TigerVNC/tigervnc/issues/993#issuecomment-612874972 - attachment
[2]: https://github.com/TigerVNC/tigervnc/commit/b8a24f055f1a29886d8b18bb3f0902144dc5bd14
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
4cf5f8cc31
libao: ignore CVE-2017-11548
...
Both Suse[1] and Debian[2] disputes that this is a vulnerability in libao.
Based on their investigation while an issue exists, it is not in libao, however
higher in the audio-toolchain, most likely in libmad or mpg321. There seem to
be nothing to be fixed about this in libao - ignore this CVE due to this.
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1081767
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a993eb8b93skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
f81db4757e
cockpit: set correct CVE_PRODUCT
...
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit af4df551ee
2025-11-30 15:13:57 +01:00
91c15953c0
libde265: patch CVE-2022-1253
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-1253
Pick the patch from the nvd report.
The patch is only partially backported, because part of the vulnerable
code was introuced only in a later version.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
7965aa0704
links: set CVE_PRODUCT
...
There are some unrelated software called "links", which cases
false-positive CVEs to be reported by the CVE checker.
Set the vendor/product pairs that were historically used with
CVEs for this software.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 62a5309732
2025-11-30 15:13:57 +01:00
afb1296723
jasper: patch CVE-2025-8837
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8837
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
42058c8120
jasper: patch CVE-2025-8836
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
95ecb0c563
jasper: patch CVE-2025-8835
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8835
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
163eb9faca
jasper: patch CVE-2023-51257
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-51257
Pick the patch that's marked to solve the issue linked in the
nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
89e6b49f2d
redis-7: ignore CVE-2022-3734 and CVE-2022-0543
...
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
a5217f562a
redis: upgrade 7.0.13 -> 7.0.15
...
Contains fixes for CVE-2023-41056 and CVE-2023-45145.
Dropped the backported patches that are included.
Release notes: https://github.com/redis/redis/blob/7.0.15/00-RELEASENOTES
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
d86503aa21
redis: upgrade 6.2.12 -> 6.2.21
...
This upgrade contains a list of vunerability fixes: CVE-2025-49844,
CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-32023,
CVE-2025-48367, CVE-2025-21605, CVE-2024-46981, CVE-2024-31449,
CVE-2024-31228, CVE-2023-45145, CVE-2022-24834
Dropped the CVE patches that are included above.
Release notes: https://github.com/redis/redis/blob/6.2.21/00-RELEASENOTES
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
caea02d115
redis: ignore CVE-2022-3734 and CVE-2022-0543
...
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8f1269507askandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
8602562caa
exiv2: patch CVE-2021-34335
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-34335
Pick the patches from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Gyorgy Sarvari
Saravanan
Khem Raj