Changelog:
- Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
- Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
- Bugfix: fixed warning when compiling with MSVC 2022 x86.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
============
- prevent webook from crashing in case of openapi 3.0
- deps: bump react-syntax-highlighter to 16.0.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to check the correct
latest stable verison.
Before the patch:
$ devtool latest-version xdebug
INFO: Current version: 3.4.6
INFO: Latest version:
After the patch:
$ devtool latest-version xdebug
INFO: Current version: 3.4.6
INFO: Latest version: 3.4.7
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Remove the patch with the fix that is already present in the new
version.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The BusyBox version of mv does not have the -Z flag for setting SELinux
security context. This results in failure
when the cockpit-certificate-helper script is executed.
Depend the package on GNU Coreutils to make sure that the proper version
of mv is installed.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The old-bridge package config option was removed from the recipe,
but the usage of this option was left in some places.
Remove any reference to old-bridge. Only the Python bridge is currently
supported by Cockpit.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The vulnerability was reported against mod_auth_openidc, which module
is a 3rd party one, and not part of the apache2 source distribution.
The affected module is not part of the meta-oe universe currently,
so ignore the CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[2025-07-14] — Xdebug 3.4.5
Fixed bug #2332: Segmentation fault for code coverage with nested fibers
Fixed bug #2356: Reading properties with get hooks may modify property value
[2025-06-12] — Xdebug 3.4.4
Fixed bug #2349: Regression in Xdebug 3.4.3 breaks throwing exceptions in nested generators
Fixed bug #2350: Crash when a certain page generates an exception since Xdebug 3.4.3
Fixed bug #2352: Crash when using latest Xdebug version when throwing exceptions
Fixed bug #2354: The __invoke frame in call stacks don't have the argument name in the trace
[2025-05-14] — Xdebug 3.4.3
Fixed bug #2322: Xdebug tries to open debugging connection in destructors during shutdown
Fixed bug #2325: Referred chrome browser extension is no longer working
Fixed bug #2326: Step debugger finishes if property debugging handler in PHP throws an exception
Fixed bug #2331: Segmentation fault with 'invalid' variable names
Fixed bug #2339: Trying to throw an exception can cause a zend_mm_heap corrupted error under specific circumstances
Fixed bug #2340: Xdebug case sensitivity issues on some files introduced since 3.3.0
Fixed bug #2343: Fatal error on virtual property hook step debugging
Fixed bug #2348: Xdebug does not resolve breakpoints in property hooks
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-04-23
nginx-1.28.0 stable version has been released, incorporating new
features and bug fixes from the 1.27.x mainline branch - including
memory usage and CPU usage optimizations in complex SSL configurations,
automatic re‑resolution of hostnames in upstream groups, performance
enhancements in QUIC, OCSP validation of client SSL certificates and
OCSP stapling support in the stream module, variables support in the
proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and
uwsgi_limit_rate directives, the proxy_pass_trailers directive, and
more.
License-Update: copyright years refreshed and removed C-style comments
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Handles CVE-2025-23016 (in 2.4.5)
Add tag to SRC_URI.
Move version to recipe filename.
License-Update: file was renamed without any text change
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
bugfix:
use open-cli instead of require('open') for Node 20+ compatibility
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=============
- feat: add support for OpenAPI 3.0.4 (#10247)
- feat: apply cumulative update to address various issues (#10324)
- fix(docker): fix security issues CVE-2024-56171, CVE-2025-24928 (#10351)
- fix: fix definition resolving being affected by the order of schemas (#10386)
- fix(json-schema-2020-12): avoid accessing properties of null schemas (#10397)
- fix(json-schema-2020-12-samples): fix examples for nullable primitive types defined as list of types (#10390)
- fix(utils): fix error messages for range validation of number parameters (#10344)
- fix(json-schema-2020-12): use consistent comparison operators for displaying min/max constraints (#10159)
- fix(json-schema-2020-12-samples): use zero as default example value for int32 and int64 (#10230)
- fix(style): prevent operationId from wrapping when space is available (#10259)
- fix(docker): address multiple HIGH security vulnerabilities (#10410)
- fix(json-schema-2020-12): infer type string when contentEncoding or contentMediaType is present (#10411)
- fix: align OpenAPI 3.x.y file uploads with specification (#10409)
- feat(oas31): display file upload input when contentMediaType or contentEncoding is present (#10412)
- fix: avoid accessing properties of empty Example Objects (#10453)
- fix(oauth2): avoid processing authorizationUrl when it is not a string (#10452)
- fix: use spec compliant JSON Pointer implementation (#10455)
- fix(spec): assure operation is an immutable map in operations selectors (#10454)
- fix: assure parameter is an immutable map when grouping parameters (#10457)
- fix(spec): avoid accessing $ref when path item is not an object (#10456)
- fix(json-schema-2020-12-samples): generate proper samples for XML atttributes (#10459)
- fix(security): update Axios to non-vulnerable 1.9.0 version (#10460)
- fix(docker): address CVE-2025-32414/CVE-2025-32415 (#10461)
- feat(observability): allow defining custom uncaught exception handler (#10462)
- feat(json-schema-5-samples): add support for time format example generation (#10420) (#10421)
- refactor: introduce function for getting Schema Object type (#10330)
- fix: mitigate ReDoS when generating examples from pattern (#10477)
- fix(release): fix failed v5.23.0 release
- fix(packagist): exclude large obsolete directories from publishing to Packagist (#10329)
- ft(oas3): show the schema tab in the Try it Out mode (#10488)
- fix: align expanded content inside expand collapse button (#10497)
- feat: release SwaggerUI via GitHub Actions
- fix(CD): provide correct npm token
- fix(dist): provide correct npm token for swagger-ui-dist release
- fix: fix opened model schema resolving issue on spec change (#10509)
- fix(docker): bump nginx image to version 1.29.0-alpine to fix CVE-2025-48174 (#10508)
- feat: release Swagger UI to Packagist (#10513)
- fix(oas3): reset request body values in try it out (#9717)
- fix(style): restore paragraph spacing in parameter and response descriptions (#10514)
- feat(json-schema): support x-additionalPropertiesName (#10006)
- fix: permissions of files to allow running as non-root (#10515)
- fix: sanitization of relative OpenAPI JSON paths (#10528)
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current include file that stores the known non-reproducible packages
is layer dependent and that forces the user of the layers to maintain
the list of the files (for example, see AB config[0]).
By moving the exclude list to each layer.conf and extending the common
OEQA_REPRODUCIBLE_EXCLUDED_PACKAGES variable, the known non-reproducible
packages will be automatically excluded for each layer used in the
reproducibility test without any special knowledge in the test
environment.
NB: the empty list for meta-initramfs was just removed not moved.
[0]: https://git.yoctoproject.org/yocto-autobuilder-helper/tree/config.json?id=7d8933e75bdf7fb821a25617cb2dcabf1f3f8700#n322
Suggested-by: Quentin Schulz <quentin.schulz@cherry.de>
Co-Developed-by: Guillaume Swaenepoel <guillaume.swaenepoel@smile.fr>
Signed-off-by: Guillaume Swaenepoel <guillaume.swaenepoel@smile.fr>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Makes the hammer a bit smaller, since we do not enable go by default
in packageconfig's it helps with yocto check layer with default config.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
As the other layers of meta-openembedded, this line makes it easy to
send a patch by copy-pasting and reduce slightly the probability of
error.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Gyorgy Sarvari
Peter Marko
Jason Schonberg
Valeria Petrov
Wang Mingyu
Yi Zhao
Daniel Semkowicz
Khem Raj
Liu Yiding
Alexander Kanavin
Yoann Congal