c42bfd596e
tcpreplay: fix CVE-2025-9157
...
A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2.
The impacted element is the function untrunc_packet of the file
src/tcpedit/edit_packet.c of the component tcprewrite. Executing
manipulation can lead to use after free. It is possible to launch
the attack on the local host. The exploit has been publicly disclosed
and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da.
Applying a patch is advised to resolve this issue.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
(cherry picked from commit 0538af085aankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:23 +05:30
788904cef1
unbound: patch CVE-2024-43168
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-43168
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:23 +05:30
1876b4656d
unbound: patch CVE-2024-43167
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-43167
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:22 +05:30
0d9da11052
fetchmail: patch CVE-2025-61962
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-61962
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:22 +05:30
eb338ebb60
civetweb: patch CVE-2025-9648
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-9648
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:21 +05:30
1c7b69ee0b
editorconfig-core-c: patch CVE-2024-53849
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:21 +05:30
d9148434ad
flatpak: patch CVE-2024-42472
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-42472
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:21 +05:30
af50080591
libcupsfilters: patch CVE-2025-57812
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-57812
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:20 +05:30
a0292cd209
jasper: patch CVE-2024-31744
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-31744
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:20 +05:30
1fea09e692
mbedtls: fix CVE-2025-47917
...
CVE-2025-47917 is that the function mbedtls_x509_string_to_names() takes
a head argument and performs a deep free() on it.
Backport patch to fix CVE-2025-47917 and drop the modification in doc
file and comment in header file which lack of context.
Signed-off-by: Kai Kang <kai.kang@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-17 11:45:16 +05:30
b4812b18ee
proftpd: Fix CVE-2023-48795
...
Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/bcec15efe6c53dac40420731013f1cd2fd54123b
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
(cherry picked from commit 6c8ae54fc3ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-11 08:02:03 +05:30
5775e1a643
wireshark: fix CVE-2025-13499
...
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/e180152d3dae668249f78c72a55a4ba436b57af7
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-11 08:02:02 +05:30
d9e1f6f274
gflags: switch Git branch from master to main
...
Update SRC_URI to use the 'main' branch instead of 'master' since
the upstream GitHub repository has renamed its default branch.
Signed-off-by: Viswanath Kraleti <viswanath.kraleti@oss.qualcomm.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-11 08:00:54 +05:30
e0dbf0bcd3
hdf5 1.14.4-3: fix CVE-2025-2912
...
Upstream Repository: https://github.com/HDFGroup/hdf5.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2912
Type: Security Fix
CVE: CVE-2025-2912
Score: 4.8
Patch: https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a
Analysis:
- CVE-2025-2913 was previously fixed by [1], which is also addresses CVE-2025-2912
as noted in [4].
- NVD [2] references the GitHub discussion [3] for CVE-2025-2912, and we successfully
reproduced the issue following the steps outlined there.
- Applied the fix from [4] and verified resolution using the reproduction steps.
- The same patch [4] is already included in OE-scarthgap [5] for CVE-2025-2913.
- Therefore, reused the patch from [5] to resolve CVE-2025-2912.
References:
[1] https://github.com/HDFGroup/hdf5/commit/7cc8b5e1010a
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-2912
[3] https://github.com/HDFGroup/hdf5/issues/5370#issue-2917388806
[4] https://github.com/HDFGroup/hdf5/issues/5370#issuecomment-3542881855
[5] https://git.openembedded.org/meta-openembedded/commit/meta-oe/recipes-support/hdf5?h=scarthgap&id=b42e6eb3e51a
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-11 08:00:53 +05:30
c223262bd7
apache2: upgrade 2.4.65 -> 2.4.66
...
Security fixes:
- CVE-2025-66200
- CVE-2025-65082
- CVE-2025-59775
- CVE-2025-58098
- CVE-2025-55753
See: http://www.apache.org/dist/httpd/CHANGES_2.4.66
Signed-off-by: Valeria Petrov <valeria.petrov@spinetix.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-11 08:00:53 +05:30
91ea5aa570
libavif: patch CVE-2025-48174
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-48174
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-11 08:00:53 +05:30
b7fd86557f
smarty: update CVE_PRODUCT
...
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-11 08:00:23 +05:30
47b2afbc12
corosync: upgrade 3.1.9 -> 3.1.10
...
CVE-2025-30472.patch
removed since it's included in 3.1.10
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7915bcecf5ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-09 07:01:20 +05:30
873297afaa
python3-django: upgrade 5.0.11 -> 5.0.14
...
Drop patch merged in the upstream.
Release notes:
https://docs.djangoproject.com/en/dev/releases/5.0.12/
https://docs.djangoproject.com/en/dev/releases/5.0.13/
https://docs.djangoproject.com/en/dev/releases/5.0.14/
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-09 07:01:20 +05:30
4d1817df45
nftables: remove python dependency from main package
...
The recipe splits python code to nftables-python package, however
setuptools classes add the dependency to main package.
Since nftables-python package already has python3-core explicit
dependency, remove it from the main package.
(From meta-openembedded rev: 331126a6d0peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-09 07:01:16 +05:30
7ed4330bcf
net-snmp: Update Upstream-status in the net-snmp-5.9.4-kernel-6.7.patch
...
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-05 17:46:29 +05:30
bd2cabff81
net-snmp: Fix a crash and support for 6.7+ kernel
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from 8147a884c6vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-05 17:46:28 +05:30
b09a12e166
hdf5 1.14.4-3: Fix CVE tag format in patches
...
- The CVE tags in multiple hdf5 patches were using comma-separated
format which caused false positives in CVE reports.
- Multiple CVEs should be separated by space in CVE-ID.patch file as
per recipe style guide in Yocto documentation so CVE report tool can
scan those CVEs and mark it as patched.
Fixed the following patches:
- CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch
- CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch
- CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch
Reference:
- https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#cve-patches
Signed-off-by: Deepak Rathore <deeratho@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-05 17:46:25 +05:30
a9fa1c5c2a
xrdp: patch CVE-2023-42822
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822
Pick the patch the references the github advisory[1] and the cve ID also from
the nvd report. The patch is a backported version of the patch referenced by
the nvd report.
[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:11 +05:30
259e4f9266
xrdp: patch CVE-2023-40184
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40184
Pick the patch that is associated with the github advisory[1], which is
a backported version of the patch that is referenced by the nvd report.
[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:11 +05:30
f81041bb39
xrdp: patch CVE-2022-23493
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:10 +05:30
2578e5c17d
xrdp: patch CVE-2022-23484
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:10 +05:30
8ffd8f29d5
xrdp: patch CVE-2022-23483
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:09 +05:30
31694c82e3
xrdp: patch CVE-2022-23482
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:09 +05:30
64ee8f84c4
xrdp: patch CVE-2022-23481
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:08 +05:30
71e9d02b12
xrdp: patch CVE-2022-23480
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:08 +05:30
19e076e66b
xrdp: patch CVE-2022-23479
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:07 +05:30
63b5fff975
xrdp: patch CVE-2022-23478
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:07 +05:30
a6efc5b285
xrdp: patch CVE-2022-23477
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:06 +05:30
1cb08277fe
xrdp: patch CVE-2022-23468
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-04 14:10:02 +05:30
5a52615450
pidgin: fix reproducibility issues
...
Backport changes fixing reproducibility issues from master:
9697fd958eanuj.mittal@oss.qualcomm.com >
2025-12-03 11:23:31 +05:30
9e4f627941
trace-cmd: Update SRC_URI to use HTTPS protocol
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f00b6ad12fanuj.mittal@oss.qualcomm.com >
2025-12-03 10:37:26 +05:30
7e74032909
crash: add zlib-native to depends for crash-cross
...
Fix the following error when using buildtools-extended:
va_server.c:20:10: fatal error: zlib.h: No such file or directory
20 | #include <zlib.h>
| ^~~~~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit bd745115deanuj.mittal@oss.qualcomm.com >
2025-12-03 10:34:21 +05:30
9100a5369d
nbdkit: patch CVE-2025-47712
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47712
Pick the patch from the project's repository which explicitly
mentions this vulnerability ID.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-03 10:31:34 +05:30
ffb8d52fae
nbdkit: patch CVE-2025-47711
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47711
Pick the patch from the repository which explicitly mentions
this CVE ID.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-03 10:31:34 +05:30
8f602e1cfa
redis: handle CVE-2025-27151
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27151
In redis 7 this is already patched[1], and the recipe contains the
fix.
For redis 6 backport the relevant patch (which is referenced in the
nvd report)
[1]: https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-03 10:31:33 +05:30
ac19cd99a8
redis: ignore CVE-2022-0543
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0543
The issue is specific to the version packaged by Debian, it can be ignored.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-03 10:31:33 +05:30
ed345fca57
yasm: patch CVE-2021-33456
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33465
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1020-hash-null-CVE-2021-33456.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1e2731fce0anuj.mittal@oss.qualcomm.com >
2025-12-03 10:31:32 +05:30
782c49a05a
yasm: patch CVE-2021-33464
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33464
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1010-nasm-pp-no-env-CVE-2021-33464.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 66a0b01b52anuj.mittal@oss.qualcomm.com >
2025-12-03 10:31:32 +05:30
138ac945d9
yasm: patch CVE-2023-29579
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-29579
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1000-x86-dir-cpu-CVE-2023-29579.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit cc30757a7fanuj.mittal@oss.qualcomm.com >
2025-12-03 10:31:31 +05:30
05fd7d83ff
yasm: add alternative CVE_PRODUCT
...
There are multiple vendors for yasm:
$ sqlite3 ./nvdcve_2-2.db "select distinct vendor, product from products where product = 'yasm';"
tortall|yasm
yasm_project|yasm
Both products refer to the same application
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 93f85e4fd2anuj.mittal@oss.qualcomm.com >
2025-12-03 10:31:31 +05:30
0ad67b4bd2
libtracefs: avoid run bison
...
There is a rare compile failure
| In file included from sqlhist-parse.h:25,
| from tracefs-sqlhist.c:17:
| sqlhist.tab.h:120:8: error: unterminated comment
| 120 | #endif /* !YY_TRACEFS_SQLHIST_TAB_H_INCLUDED */
| | ^
Backport patch to avoid run bison that not re-gerate sqlhist.tab.h.
Signed-off-by: Kai Kang <kai.kang@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-03 10:31:28 +05:30
89a01c3d9a
cockpit: set correct CVE_PRODUCT
...
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit af4df551eeanuj.mittal@oss.qualcomm.com >
2025-11-28 11:27:05 -08:00
2e0e65ecaa
fbida: Require opengl feature for pdf only
...
Don't require it for entire distro if pdf package config disabled.
Signed-off-by: Pavel Zhukov <pavel@zhukoff.net >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f22451b51bchris.laplante@agilent.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-11-28 11:27:05 -08:00
9f031e8d0f
links: set CVE_PRODUCT
...
There are some unrelated software called "links", which cases
false-positive CVEs to be reported by the CVE checker.
Set the vendor/product pairs that were historically used with
CVEs for this software.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 62a5309732anuj.mittal@oss.qualcomm.com >
2025-11-28 11:26:58 -08:00
Archana Polampalli
Ankur Tyagi
Kai Kang
Vijay Anusuri
Hitendra Prajapati
Viswanath Kraleti
Sudhir Dumbhare
Valeria Petrov
Wang Mingyu
Peter Marko
Khem Raj
Deepak Rathore
Gyorgy Sarvari
Anuj Mittal
yuyu
Yi Zhao
Pavel Zhukov