Changes in 1.18.4
=================
Released: 2024-04-18
- Don't allow commandline arrays when the first commandline item starts with
whitespace or hyphen. (CVE-2024-32462)
- Do not store device access permission if it returned an error.
- Fix crash with config files without a default backend set.
Changes in 1.18.3
=================
Released: 2024-04-04
- Don't try to read D-Bus object properties of Request objects on construction.
- Fix various memory and file descriptor leaks.
- Minuscule optimization to the ScreenCast portal so that it stores restoration
data with a single D-Bus call, instead of two.
- Fix a crash in the OpenURI file when trying to open a non-existing file.
- Various smaller bug fixes.
Changes in 1.18.2
=================
Released: 2023-11-22
- Pass the token to the OpenURI portal and, when missing, an empty string.
- Fix various memory and file descriptor leaks in the Document portal.
- Make files and folders openend with the Document portal close properly. This
should fix cases where the Document portal prevented external devices from
unmounting, due to files inside them not getting closed after applications
stop using them.
- Implement FUSE getlk and setlk callbacks.This should enable using sqlite3
through the Document portal.
- Properly resolve fd symlinks before opening them with O_NOFOLLOW.
- Fix cases where the portal id is assumed to match the .desktop file name.
- Allow sending directories in the file transfer portal. This should make it
possible to, among other things, drag and drop folders and files simultaneously
from and to sandboxed applications.
- Fallback to a hardcoded check to xdg-desktop-portal-gtk in the absence of any
other portal or configuration file, as a last resort mechanism.
- Various smaller fixes to the build system.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9e57692e9f)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Since this file is downloaded and upstream does not version it on changes
we have to ensure that we store the versions in DL_DIR and also ensure they
do not step on each other
Fixes
stdio: WARNING: unicode-ucd-14.0.0-r0 do_fetch: Checksum mismatch for local file /srv/autobuilder/valkyrie.yocto.io/current_sources/license.txt
stdio: WARNING: unicode-ucd-14.0.0-r0 do_fetch: Renaming /srv/autobuilder/valkyrie.yocto.io/current_sources/license.txt to /srv/autobuilder/valkyrie.yocto.io/current_sources/license.txt_bad-checksum_f7830d126f59d83842565d3dddedc79db4ca978ed52aee0ebcc040ea76a85519
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 830535e5b6)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This is downloaded and does not have version, so we have to
update it whenever upstream update it. The copyright year
is changed this time.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6121f2907a)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Switch to https protocol to avoid fetching failures (anonymous fetching
with git protocol is not available anymore on this server).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The commit from the recipe got detached from the master branch - use nobranch to
avoid fetching failure.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The previously used repo was moved to freedesktop's gitlab instance,
causing fetching failures.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
Changes for 6.2.9
- fixed unauthorised file system access when using cURL
- increased TimescaleDB maximum supported version to 2.10
- increased MariaDB maximum supported version to 10.11
- fixed broken database upgrade if started more than one Zabbix server at the same time on one database
- fixed a crash when testing item with aggregated function count containing invalid argument
- fixed race condition when starting Zabbix agent 2 with loadable plugins
- changed global script name validation to include menu path in its scope of uniqueness check
- fixed HttpRequest limit in JavaScript being reached even if all objects are destroyed
Changes for 6.2.8
- fixed data sending to Zabbix server from Zabbix agent2 persistent buffer
- implemented API token authentication in user.checkAuthentication method
- added support of PHP 8.2
- fixed selects of history, trends blocking drop_chunks and housekeeping
- fixed success message when disabling hosts in host groups
- fixed the crash in calculated items when using tag filter on 32-bit systems
- optimized JSONPaths in the Nginx Plus template
- fixed discover status not being updated for templated graph prototype
- fixed misplaced error messages in the edit forms for host groups and template groups
- fixed template dashboard availability to users without permissions to the templates
- fixed Zabbix server crash appearing when only item tags change between LLD runs
- optimized Nginx Plus by HTTP template to spread the load across worker porcesses
- added the cookie engine to HTTP checks
- optimized Remote Zabbix server health template to spread the load across worker processes, updated descriptions
- optimized Zabbix server health template to spread the load across worker processes, updated descriptions
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The original download location, jfrog's artifactory stopped
providing any kind of free service, and the source code is not
downloadable anymore.
The project however has an official github repository also -
change the SRC_URI to this to make it work again.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The old repository was moved to a new freedesktop gitlab instance,
causing fetching faulres.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The previous repository was moved to freedesktop's gitlab instance,
and was causing fetching failures.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Pick patches according to oe-core patch for this CVE in wpa-supplicant.
Leave out commit which patched only files not present in hostapd.
Note that Debian just picked the last commit (actually fixing the CVE)
and removed not-applicable parts, but it is probably better to be
consistent with oe-core status.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This is a header only package. It may be useful to the native machine
but it is definitely useful for the nativesdk machine.
Signed-off-by: Randolph Sapp <rs@ti.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* According to latest comment [1] and the mentioned pull request [2],
build an ENABLE(WEBASSEMBLY) && !ENABLE(JIT) configuration is
supported, so original issue already fixed in current version, the
EXTRA_OECMAKE setting is not needed anymore.
* This EXTRA_OECMAKE setting causes following configure error on
beaglebone-yocto, remove the setting to let the configure process
decide the configuration:
CMake Error at Source/cmake/WebKitFeatures.cmake:312 (message):
ENABLE_JIT conflicts with ENABLE_C_LOOP. You must disable one or the other.
[YOCTO #15254]
[1] https://github.com/WebKit/WebKit/pull/17447
[2] https://github.com/WebKit/WebKit/pull/17688
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Poppler ia a library for rendering PDF files, and examining or
modifying their structure. A use-after-free (write) vulnerability
has been detected in versions Poppler prior to 25.10.0 within the
StructTreeRoot class. The issue arises from the use of raw pointers
to elements of a `std::vector`, which can lead to dangling pointers
when the vector is resized. The vulnerability stems from the way that
refToParentMap stores references to `std::vector` elements using raw
pointers. These pointers may become invalid when the vector is resized.
This vulnerability is a common security problem involving the use of
raw pointers to `std::vectors`. Internally, `std::vector `stores its
elements in a dynamically allocated array. When the array reaches its
capacity and a new element is added, the vector reallocates a larger
block of memory and moves all the existing elements to the new location.
At this point if any pointers to elements are stored before a resize
occurs, they become dangling pointers once the reallocation happens.
Version 25.10.0 contains a patch for the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-52885
Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/4ce27cc826bf90cc8dbbd8a8c87bd913cccd7ec0
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Changelog:
6.2.19:
(CVE-2025-32023) Fix out-of-bounds write in HyperLogLog commands
(CVE-2025-48367) Retry accepting other connections even if the accepted connection reports an error
6.2.20:
(CVE-2025-49844) A Lua script may lead to remote code execution
(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
(CVE-2025-46818) A Lua script can be executed in the context of another user
(CVE-2025-46819) LUA out-of-bound read
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1a22715b82)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Jason Schonberg
Markus Volk
Wang Mingyu
Khem Raj
Gyorgy Sarvari
Etienne Cordonnier
Peter Marko
Ankur Tyagi
Vijay Anusuri
Randolph Sapp
Praveen Kumar
Divya Chellam
Hitendra Prajapati
Jiaying Song
Yogita Urade
Saravanan
Yi Zhao
Ninette Adhikari