b6aaee4b8e
keyutils: fix ptest failed since "+++ Can't Determine Endianness"
...
All the ptest cases are failed since error "+++ Can't Determine Endianness",
update the regex for matching the endianness to fix this issue.
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 6de9b46cc7skandigraun@gmail.com >
2025-10-20 08:53:08 +02:00
6d17a28ac2
kernel-selftest: fix ptest
...
The run-ptest script was trying to call test_align executable, which
doesn't exist (anymore?).
Instead align more to master branch, and execute the selftests themselves.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-20 08:53:04 +02:00
e735c00c42
function2: fix ptests
...
The recipe has inherited the ptest class, however it did not install
not execute any tests.
This change installs the tests and add a script to execute them.
The tests are quick, execution takes single digit seconds.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-20 08:53:00 +02:00
7579becc3b
fmt: fix ptests
...
The recipe has inherited the ptest class, however it did not install
not execute any tests.
This change installs the tests and add a script to execute them.
The tests are quick, execution takes single digit seconds.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-20 08:52:57 +02:00
c1171b8db7
cli11: fix ptests
...
The recipe inherits the ptest class, however it doesn't install
the actual tests, nor executes them.
This change installs the tests, and add a run-ptest script to
execute them also.
The tests are fairly quick, it takes single digit seconds on my
machine to execute.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-20 08:52:52 +02:00
1918af644e
faad2: patch CVE-2021-32278
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32278
Pick the patch that is marked to revolve the issue linked in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
d301a4324b
faad2: patch CVE-2021-32274 and CVE-2021-32277
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32274
https://nvd.nist.gov/vuln/detail/CVE-2021-32277
Pick the patch that resolved the issues linked in the nvd reports
(same patch fixes both vulnerabilities).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
merge to CVE-2021-32274
2025-10-17 10:51:27 +02:00
e06fe48896
faad2: patch CVE-2021-32273
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32273
Pick the patch that resolved the issue linked in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
a84d373085
faad2: patch CVE-2021-32272
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32272
Pick the patch that is mentioned in the ncv report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
3396d38876
redis: Fix CVE-2025-49844
...
Upstream-Status: Backport from https://github.com/redis/redis/commit/db884a49bfbbccd7a0463ddc6aa486b52f28386f
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
e44b4561a9
redis: Fix CVE-2025-46819
...
Upstream-Status: Backport from https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
abe7f83cc6
redis: Fix CVE-2025-46818
...
Upstream-Status: Backport from https://github.com/redis/redis/commit/dccb672d838f05c940f040c27b74fde6fb47b2a7
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
4450ab7430
redis: Fix CVE-2025-46817
...
Upstream-Status: Backport from https://github.com/redis/redis/commit/fc282edb61b56e7fe1e6bacf9400252145852fdc
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
b5ec3b12dd
redis: Fix CVE-2025-48367
...
import patch from debian to fix
CVE-2025-48367
Upstream-Status: Backport [import from debian redis_7.0.15-1~deb12u6.debian.tar.xz
Upstream commit
https://github.com/redis/redis/commit/0fe67435935cc5724ff6eb9c4ca4120c58a15765 ]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
537ab769ae
redis: Fix CVE-2025-32023
...
Upstream-Status: Backport from https://github.com/redis/redis/commit/f35b72dd1735f381337a2eb078083450cb98e237
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
515f1f1e6e
redis: Fix CVE-2025-27151
...
Upstream-Status: Backport from https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
199ca4579c
poppler: fix CVE-2025-52885
...
Poppler ia a library for rendering PDF files, and examining or
modifying their structure. A use-after-free (write) vulnerability
has been detected in versions Poppler prior to 25.10.0 within the
StructTreeRoot class. The issue arises from the use of raw pointers
to elements of a `std::vector`, which can lead to dangling pointers
when the vector is resized. The vulnerability stems from the way that
refToParentMap stores references to `std::vector` elements using raw
pointers. These pointers may become invalid when the vector is resized.
This vulnerability is a common security problem involving the use of
raw pointers to `std::vectors`. Internally, `std::vector `stores its
elements in a dynamically allocated array. When the array reaches its
capacity and a new element is added, the vector reallocates a larger
block of memory and moves all the existing elements to the new location.
At this point if any pointers to elements are stored before a resize
occurs, they become dangling pointers once the reallocation happens.
Version 25.10.0 contains a patch for the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-52885
Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/4ce27cc826bf90cc8dbbd8a8c87bd913cccd7ec0
Signed-off-by: Yogita Urade <yogita.urade@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
9146afcebb
yasm: fix CVE-2024-22653
...
yasm commit 9defefae was discovered to contain a NULL pointer
dereference via the yasm_section_bcs_append function at section.c.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-22653
Upstream-patch:
https://github.com/yasm/yasm/commit/121ab150b3577b666c79a79f4a511798d7ad2432
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
bfc756c1e6
fio: fix CVE-2025-10823
...
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10823
https://github.com/axboe/fio/issues/1982
Upstream-patch:
https://github.com/axboe/fio/commit/6a39dfaffdb8a6c2080eec0dc7fb1ee532d54025
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
27206f97e6
emlog: set CVE_PRODUCT
...
This will remove false-positive CVE-2024-50655 from reports.
There are different emlog components from other vendors around.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d8d45d9093skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
8d733ee01b
st: Update status for CVE-2017-16224
...
The recipe used in the meta-openembedded is a different st package compared to the one which has the CVE issue.
Package used in meta-embedded: https://st.suckless.org/
Package with CVE issue: https://www.npmjs.com/package/st
No action required.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit eb9c7bb564skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
529b31ef7f
poppler: fix CVE-2025-43718
...
Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption
and a SIGSEGV via deeply nested structures within the metadata (such
as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for
a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata,
and associated functions in PDFDoc, with deep recursion in the regex
executor (std::__detail::_Executor).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-43718
Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/f54b815672117c250420787c8c006de98e8c7408
Signed-off-by: Yogita Urade <yogita.urade@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
5fd149feb4
xsp: CVE status update for CVE-2006-2658
...
The recipe used in the `meta-openembedded` is a different xsp package compared to the one which has the CVE issue.
Package used in `meta-embedded`: maemo xsp http://repository.maemo.org/pool/maemo/ossw/source/x/xsp/
Package with CVE issue: mono xsp https://github.com/mono/xsp
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3cb411a057skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
f4adc003e4
zchunk: patch CVE-2023-46228
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46228
Pick the patch that's mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
ed6bb390fe
zlog: patch CVE-2021-43521
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-43521
Pick the patch that resolves the issue linked in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:27 +02:00
155ac93191
iniparser: Fix CVE-2025-0633
...
Heap-based Buffer Overflow vulnerability in iniparser_dumpsection_ini() in iniparser
allows attacker to read out of bound memory
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-0633
https://security-tracker.debian.org/tracker/CVE-2025-0633
Upstream patch:
https://gitlab.com/iniparser/iniparser/-/commit/072a39a772a38c475e35a1be311304ca99e9de7f
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
fff1d56fe1
iperf2: ignore irrelevant CVEs
...
These CVEs are for iperf3 - which is a similar application in its goals (and name),
but an independent project from this, and the projects are independent implementations
also, they share no common code.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit aedf74e082skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
93826fffc5
imagemagick: Fix CVE-2022-28463
...
Imagemagick is vulnerable to buffer overflow.
Reference: https://github.com/ImageMagick/ImageMagick/commit/ca3654ebf7a439dc736f56f083c9aa98e4464b7f
Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
bf223a6c9a
cryptsetup: Update the license field
...
The below reference clearly states that GPL-2.0-with-OpenSSL-exception
is to be used with GPL 2.0 or GPL3.0 and not as a standalone license.
Therefore, update the correct license.
Reference:
https://github.com/aboutcode-org/scancode-licensedb/blob/569d72e13e7c8d14a44380f91e80c5a2d4091f8f/docs/openssl-exception-gpl-2.0.yml#L7
Signed-off-by: Sana Kazi <Sana.Kazi@bmwtechworks.in >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:26 +02:00
fbb3d46fad
udisks2: fix CVE-2025-8067
...
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8067
Upstream-patch:
https://github.com/storaged-project/udisks/commit/9ed2186f668c76aeb472de170d62b499d85a1915
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-17 10:51:23 +02:00
9c51a98b4f
botan: patch CVE-2024-50382 and CVE-2024-50383
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-50382
https://nvd.nist.gov/vuln/detail/CVE-2024-50383
Pick patch mentioned in the URL list of the nist page - the
same patch fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:49 +02:00
a742bea992
botan: patch CVE-2024-39312
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39312
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:46 +02:00
6c5e7ee581
botan: patch CVE-2022-43705
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-43705
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:41 +02:00
5e398bfa67
ace: ignore CVE-2009-1147
...
The CVE is for another product, for VMWare ACE, not for this one.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-12 13:08:13 +02:00
93fc9a2c0c
fbida: fix make fbpdf build optional
...
this is a backport-like from scarthgap branch: fbida_git.bb and patch 0001-meson.build-make-fbpdf-build-optional.patch
From Github Pull request: https://github.com/openembedded/meta-openembedded/pull/1008
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-10 11:09:27 +02:00
96fbc15636
collectd: set working SRC_URI
...
The project started to outsource the source hosting to Google storage
and Github.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
f7b1663333
psqlodbc: set valid SRC_URI
...
The old URI stopped working.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-10-02 15:16:50 +02:00
e73a317cb7
tree: fix broken links
...
New tarball location is:
http://oldmanprogrammer.net/tar/tree/
Homepage is:
http://oldmanprogrammer.net/source.php?dir=projects/tree
Signed-off-by: Benjamin Szőke <egyszeregy@freemail.hu >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 0c4079fc28skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
7336283ec9
span-lite: do not inherit ptest
...
This recipe provides no run-ptest script.
Signed-off-by: Tim Orling <tim.orling@konsulko.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 0fc5f550d3skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
0b97d9ec03
smarty: upgrade 4.1.0 -> 4.1.1
...
Changelog:
==========
Security
--------
Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221
Fixed
-------
Exclude docs and demo from export and composer #751
PHP 8.1 deprecation notices in demo/plugins/cacheresource.pdo.php #706
PHP 8.1 deprecation notices in truncate modifier #699
Math equation max(x, y) didn't work anymore #721
Fix PHP 8.1 deprecated warning when calling rtrim #743
PHP 8.1: fix deprecation in escape modifier #727
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9374648c39skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
e985e34d03
lcov: Fix Perl Path
...
Fixes an issue where lcov is using the system Perl rather than the yocto
provided Perl. This causes packages to not be found during runtime such
as PerlIO::gzip.
Signed-off-by: Alex Yao <alexyao1@meraki.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e66ae31c95skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
9573809997
synergy: patch CVE-2020-15117
...
Pick commit based on [1].
Note that the pick is node from deskflow, which is open-source successor
of synergy.
If anyone uses thie recipe, it should be switched.
[1] https://github.com/deskflow/deskflow/security/advisories/GHSA-chfm-333q-gfpp
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit db283053d0skandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
5e835d8e12
procmail: patch CVE-2017-16844.
...
Take patch from Debian.
https://sources.debian.org/data/main/p/procmail/3.22-26%2Bdeb10u1/debian/patches/30
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3d97f4c13dskandigraun@gmail.com >
2025-10-01 19:40:59 +02:00
3de4b5bc92
procmail: patch CVE-2014-3618
...
Take patch from Debian.
https://sources.debian.org/data/main/p/procmail/3.22-20%2Bdeb7u1/debian/patches/CVE-2014-3618.patch
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8378820dabskandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
746ef0c9fb
procmail: Update status for CVE-1999-0475
...
Current version 3.22 is not affected by the issue.
Affected versions: Up to (excl.) 3.2.1
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 30e6d975e8skandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
b4ff519ab2
openct: Fix typo in SUMMARY variable
...
Signed-off-by: Julian Haller <julian.haller@philips.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 38f62a5fb3skandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
ac94ea5c21
ne10: append +git instead of gitr+
...
* looks like a typo introduced in:
https://git.openembedded.org/meta-openembedded/commit/?id=6e431331d18ded23a78e238ed40d03434e7719d9
* use +git as most other recipes are using
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
(cherry picked from commit 10703e5c6askandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
91194cbb2b
multipath-tools: Use https for github
...
Per convert-srcuri.py script, github repos should be accessed
via https.
Change it accordingly.
Signed-off-by: Fabio Estevam <festevam@denx.de >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 4cef1e68easkandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
bb4a2d0b48
libtinyxml: patch CVE-2023-34194
...
Take patch from Debian:
https://salsa.debian.org/debian/tinyxml/-/commit/2366e1f23d059d4c20c43c54176b6bd78d6a83fc
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f4a6966bf0skandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
91e03d42a3
libtinyxml: patch CVE-2021-42260
...
Take patch from Debian:
https://salsa.debian.org/debian/tinyxml/-/commit/38db99c12e43d7d6e349403ce4d39a706708603d
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 066cf35ae5skandigraun@gmail.com >
2025-10-01 19:40:58 +02:00
Changqing Li
Gyorgy Sarvari
Vijay Anusuri
Yogita Urade
Praveen Kumar
Saravanan
Peter Marko
Ninette Adhikari
Soumya Sambu
virendra thakur
Sana Kazi
simoneScaravati
Benjamin Szőke
Tim Orling
Wang Mingyu
Alex Yao
Julian Haller
Martin Jansa
Fabio Estevam