These patches are about a number of CVEs filed against the application:
CVE-2025-63649, CVE-2025-63650, CVE-2025-63651, CVE-2025-63652, CVE-2025-63653, CVE-2025-63655,
CVE-2025-63656, CVE-2025-63657 and CVE-2025-63658.
These patches are taken from a pull request[1] that is referenced in the relevant bug report[2].
The patches don't target specific CVEs separately, but they fix a number of CVEs altogether.
Based on upstream analysis (in the linked issue) a number of these CVEs are duplicates of each
other and/or not exploitable. The valid CVEs are fixed by these patches.
I haven't added specific CVE info to the patches, on one hand because of the above it is hard to
separate the patches by CVE, and on the other hand because NVD tracks these CVEs with incorrect version
info: NVD considers 1.8.6 fully fixed, even though the patches are only in the master branch,
untagged at this time. After updating the recipe to 1.8.6+, the vulnerabilities will disappear
from the CVE report due to this.
[1]: https://github.com/monkey/monkey/pull/434
[2]: https://github.com/monkey/monkey/issues/426
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit d31f07340f)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Change: now nginx limits the size and rate of QUIC stateless reset
packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
the connection to terminate.
*) Bugfix: in the ngx_http_mp4_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 34b3d0f491)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changes with nginx 1.29.2
*) Feature: now nginx can be built with AWS-LC.
*) Bugfix: now the "ssl_protocols" directive works in a virtual server
different from the default server when using OpenSSL 1.1.1 or newer.
*) Bugfix: SSL handshake always failed when using TLSv1.3 with OpenSSL
and client certificates and resuming a session with a different SNI
value; the bug had appeared in 1.27.4.
*) Bugfix: the "ignoring stale global SSL error" alerts might appear in
logs when using QUIC and the "ssl_reject_handshake" directive; the
bug had appeared in 1.29.0.
*) Bugfix: in delta-seconds processing in the "Cache-Control" backend
response header line.
*) Bugfix: an XCLIENT command didn't use the xtext encoding.
*) Bugfix: in SSL certificate caching during reconfiguration.
https://nginx.org/en/CHANGES
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
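The two changelog entries above on PTR-derived data reaching the backend XCLIENT command (CVE-2026-28753) and on XCLIENT lacking xtext encoding describe the same class of problem: attacker-controlled bytes from reverse DNS concatenated into a line-oriented SMTP command. The following is an added example, not nginx's code, that implements RFC 3461 xtext encoding and shows how an unencoded reverse-DNS name containing CRLF splits into a second command while the encoded form stays on one line. The `XCLIENT ADDR=... LOGIN=... NAME=...` attribute layout, the hostname validator and the constructed PTR value are assumptions made for the illustration.

```python
"""xtext encoding (RFC 3461 section 4) applied to SMTP XCLIENT attribute values.

Added example; not nginx's own code. It models the issue in the changelog
entries above: data derived from a PTR record is placed into a backend SMTP
command, so every byte outside the safe set must be encoded.
"""
import re

# A constructed, malicious PTR answer: a valid-looking name followed by CRLF
# and a second SMTP command the attacker wants the backend to execute.
EVIL_PTR = "mail.example.com\r\nMAIL FROM:<attacker@example.org>"

# RFC 1123-style hostname check, assumed here as a defence-in-depth filter to
# apply to resolver output before it is used anywhere.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_hostname(name: str) -> bool:
    """True if name is a syntactically valid DNS hostname (max 253 chars)."""
    return len(name) <= 253 and _HOSTNAME_RE.fullmatch(name) is not None


def xtext_encode(value: str) -> str:
    """RFC 3461 xtext: printable ASCII 33..126 except '+' and '=' is kept,
    every other byte becomes '+' followed by two uppercase hex digits."""
    out = []
    for b in value.encode("utf-8"):
        if 33 <= b <= 126 and b not in (0x2B, 0x3D):  # '+' and '='
            out.append(chr(b))
        else:
            out.append("+%02X" % b)
    return "".join(out)


def xtext_decode(value: str) -> str:
    """Inverse of xtext_encode; used here only to show the round trip."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "+":
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(value[i]))
            i += 1
    return out.decode("utf-8")


def build_xclient(addr: str, login: str, name: str, encode: bool = True) -> str:
    """Assemble an XCLIENT line (attribute set assumed for the example).
    encode=False reproduces the unencoded construction the bugfix replaced."""
    enc = xtext_encode if encode else (lambda s: s)
    return f"XCLIENT ADDR={enc(addr)} LOGIN={enc(login)} NAME={enc(name)}\r\n"


def commands_seen_by_backend(wire: str) -> list[str]:
    """Split the bytes on the wire into the command lines an SMTP backend
    would parse; more than one line means injection succeeded."""
    return [line for line in wire.split("\r\n") if line]


if __name__ == "__main__":
    for encode in (False, True):
        wire = build_xclient("203.0.113.5", "user", EVIL_PTR, encode=encode)
        print(f"encode={encode}: {commands_seen_by_backend(wire)}")
    print("valid hostname:", is_valid_hostname(EVIL_PTR))
```

Encoding alone is sufficient to keep the value on one line; rejecting PTR results that are not valid hostnames additionally stops the same bytes from reaching auth_http requests, the other sink the advisory names.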
Changelog:
- Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
- Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
- Bugfix: fixed warning when compiling with MSVC 2022 x86.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
============
- prevent webhook from crashing in case of openapi 3.0
- deps: bump react-syntax-highlighter to 16.0.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to check the correct
latest stable version.
Before the patch:
$ devtool latest-version xdebug
INFO: Current version: 3.4.6
INFO: Latest version:
After the patch:
$ devtool latest-version xdebug
INFO: Current version: 3.4.6
INFO: Latest version: 3.4.7
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
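The commit above fixes `UPSTREAM_CHECK_REGEX` so that `devtool latest-version` reports 3.4.7 rather than nothing. As an added example (not the recipe's actual values and not BitBake code), the snippet below applies a BitBake-style regex with the required `pver` named group to a constructed download listing and shows both outcomes: a regex that does not match the page's file naming yields an empty result, like the "before" output, while one anchored on the stable tarball name picks the newest stable release and skips alpha/RC tarballs. The listing, both regexes and the `.tar.gz` naming of the mismatched one are assumptions.

```python
"""Picking the latest stable version from a download page the way an
UPSTREAM_CHECK_REGEX is meant to. Added example; not the xdebug recipe."""
import re

# Constructed stand-in for the upstream download listing (not the real page).
PAGE = """
<a href="/files/xdebug-3.4.6.tgz">xdebug-3.4.6.tgz</a>
<a href="/files/xdebug-3.4.7.tgz">xdebug-3.4.7.tgz</a>
<a href="/files/xdebug-3.5.0alpha1.tgz">xdebug-3.5.0alpha1.tgz</a>
<a href="/files/xdebug-3.5.0RC1.tgz">xdebug-3.5.0RC1.tgz</a>
"""

# Assumed regex that expects a different tarball suffix than the page uses;
# it matches nothing, which is what an empty "Latest version:" looks like.
MISMATCHED_REGEX = r"xdebug-(?P<pver>\d+\.\d+\.\d+)\.tar\.gz"

# Assumed stable-only regex: the trailing \.tgz right after the numeric
# version means "3.5.0alpha1.tgz" cannot be captured as "3.5.0".
STABLE_REGEX = r"xdebug-(?P<pver>\d+(?:\.\d+)+)\.tgz"


def version_key(ver: str) -> tuple:
    """Numeric comparison key so that 3.10.0 sorts above 3.9.9."""
    return tuple(int(p) for p in ver.split("."))


def latest_version(page: str, regex: str) -> str:
    """Return the highest 'pver' captured by regex, or "" if nothing matched."""
    pattern = re.compile(regex)
    if "pver" not in pattern.groupindex:
        raise ValueError("regex must define a (?P<pver>...) group")
    found = {m.group("pver") for m in pattern.finditer(page)}
    return max(found, key=version_key) if found else ""


if __name__ == "__main__":
    print("mismatched regex ->", repr(latest_version(PAGE, MISMATCHED_REGEX)))
    print("stable regex     ->", repr(latest_version(PAGE, STABLE_REGEX)))
```

When tuning a recipe's `UPSTREAM_CHECK_REGEX`, test it against a saved copy of the page in the same way before relying on `devtool latest-version` output.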
Remove the patch with the fix that is already present in the new
version.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The BusyBox version of mv does not have the -Z flag for setting SELinux
security context. This results in failure when the cockpit-certificate-helper
script is executed.
Depend the package on GNU Coreutils to make sure that the proper version
of mv is installed.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The old-bridge package config option was removed from the recipe,
but the usage of this option was left in some places.
Remove any reference to old-bridge. Only the Python bridge is currently
supported by Cockpit.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The vulnerability was reported against mod_auth_openidc, which is a 3rd-party
module and not part of the apache2 source distribution.
The affected module is not part of the meta-oe universe currently,
so ignore the CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[2025-07-14] — Xdebug 3.4.5
Fixed bug #2332: Segmentation fault for code coverage with nested fibers
Fixed bug #2356: Reading properties with get hooks may modify property value
[2025-06-12] — Xdebug 3.4.4
Fixed bug #2349: Regression in Xdebug 3.4.3 breaks throwing exceptions in nested generators
Fixed bug #2350: Crash when a certain page generates an exception since Xdebug 3.4.3
Fixed bug #2352: Crash when using latest Xdebug version when throwing exceptions
Fixed bug #2354: The __invoke frame in call stacks don't have the argument name in the trace
[2025-05-14] — Xdebug 3.4.3
Fixed bug #2322: Xdebug tries to open debugging connection in destructors during shutdown
Fixed bug #2325: Referred chrome browser extension is no longer working
Fixed bug #2326: Step debugger finishes if property debugging handler in PHP throws an exception
Fixed bug #2331: Segmentation fault with 'invalid' variable names
Fixed bug #2339: Trying to throw an exception can cause a zend_mm_heap corrupted error under specific circumstances
Fixed bug #2340: Xdebug case sensitivity issues on some files introduced since 3.3.0
Fixed bug #2343: Fatal error on virtual property hook step debugging
Fixed bug #2348: Xdebug does not resolve breakpoints in property hooks
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-04-23
nginx-1.28.0 stable version has been released, incorporating new
features and bug fixes from the 1.27.x mainline branch - including
memory usage and CPU usage optimizations in complex SSL configurations,
automatic re‑resolution of hostnames in upstream groups, performance
enhancements in QUIC, OCSP validation of client SSL certificates and
OCSP stapling support in the stream module, variables support in the
proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and
uwsgi_limit_rate directives, the proxy_pass_trailers directive, and
more.
License-Update: copyright years refreshed and removed C-style comments
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Handles CVE-2025-23016 (in 2.4.5)
Add tag to SRC_URI.
Move version to recipe filename.
License-Update: file was renamed without any text change
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
bugfix:
use open-cli instead of require('open') for Node 20+ compatibility
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=============
- feat: add support for OpenAPI 3.0.4 (#10247)
- feat: apply cumulative update to address various issues (#10324)
- fix(docker): fix security issues CVE-2024-56171, CVE-2025-24928 (#10351)
- fix: fix definition resolving being affected by the order of schemas (#10386)
- fix(json-schema-2020-12): avoid accessing properties of null schemas (#10397)
- fix(json-schema-2020-12-samples): fix examples for nullable primitive types defined as list of types (#10390)
- fix(utils): fix error messages for range validation of number parameters (#10344)
- fix(json-schema-2020-12): use consistent comparison operators for displaying min/max constraints (#10159)
- fix(json-schema-2020-12-samples): use zero as default example value for int32 and int64 (#10230)
- fix(style): prevent operationId from wrapping when space is available (#10259)
- fix(docker): address multiple HIGH security vulnerabilities (#10410)
- fix(json-schema-2020-12): infer type string when contentEncoding or contentMediaType is present (#10411)
- fix: align OpenAPI 3.x.y file uploads with specification (#10409)
- feat(oas31): display file upload input when contentMediaType or contentEncoding is present (#10412)
- fix: avoid accessing properties of empty Example Objects (#10453)
- fix(oauth2): avoid processing authorizationUrl when it is not a string (#10452)
- fix: use spec compliant JSON Pointer implementation (#10455)
- fix(spec): assure operation is an immutable map in operations selectors (#10454)
- fix: assure parameter is an immutable map when grouping parameters (#10457)
- fix(spec): avoid accessing $ref when path item is not an object (#10456)
- fix(json-schema-2020-12-samples): generate proper samples for XML attributes (#10459)
- fix(security): update Axios to non-vulnerable 1.9.0 version (#10460)
- fix(docker): address CVE-2025-32414/CVE-2025-32415 (#10461)
- feat(observability): allow defining custom uncaught exception handler (#10462)
- feat(json-schema-5-samples): add support for time format example generation (#10420) (#10421)
- refactor: introduce function for getting Schema Object type (#10330)
- fix: mitigate ReDoS when generating examples from pattern (#10477)
- fix(release): fix failed v5.23.0 release
- fix(packagist): exclude large obsolete directories from publishing to Packagist (#10329)
- ft(oas3): show the schema tab in the Try it Out mode (#10488)
- fix: align expanded content inside expand collapse button (#10497)
- feat: release SwaggerUI via GitHub Actions
- fix(CD): provide correct npm token
- fix(dist): provide correct npm token for swagger-ui-dist release
- fix: fix opened model schema resolving issue on spec change (#10509)
- fix(docker): bump nginx image to version 1.29.0-alpine to fix CVE-2025-48174 (#10508)
- feat: release Swagger UI to Packagist (#10513)
- fix(oas3): reset request body values in try it out (#9717)
- fix(style): restore paragraph spacing in parameter and response descriptions (#10514)
- feat(json-schema): support x-additionalPropertiesName (#10006)
- fix: permissions of files to allow running as non-root (#10515)
- fix: sanitization of relative OpenAPI JSON paths (#10528)
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current include file that stores the known non-reproducible packages
is layer dependent and that forces the user of the layers to maintain
the list of the files (for example, see AB config[0]).
By moving the exclude list to each layer.conf and extending the common
OEQA_REPRODUCIBLE_EXCLUDED_PACKAGES variable, the known non-reproducible
packages will be automatically excluded for each layer used in the
reproducibility test without any special knowledge in the test
environment.
NB: the empty list for meta-initramfs was just removed not moved.
[0]: https://git.yoctoproject.org/yocto-autobuilder-helper/tree/config.json?id=7d8933e75bdf7fb821a25617cb2dcabf1f3f8700#n322
Suggested-by: Quentin Schulz <quentin.schulz@cherry.de>
Co-Developed-by: Guillaume Swaenepoel <guillaume.swaenepoel@smile.fr>
Signed-off-by: Guillaume Swaenepoel <guillaume.swaenepoel@smile.fr>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Makes the hammer a bit smaller; since we do not enable go by default
in packageconfigs, it helps with yocto-check-layer with default config.
Signed-off-by: Khem Raj <raj.khem@gmail.com>