c756576c1c
postfix: upgrade 3.8.12 -> 3.8.16
...
3.8.13
http://www.postfix.org/announcements/postfix-3.10.6.html
3.8.14
http://www.postfix.org/announcements/postfix-3.10.7.html
3.8.15
http://www.postfix.org/announcements/postfix-3.10.8.html
3.8.16
http://www.postfix.org/announcements/postfix-3.11.2.html
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:47 +05:30
fdd887bc29
frr: patch CVE-2026-28532
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-28532
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:45 +05:30
764a8f2154
firewalld: upgrade 1.3.2 -> 1.3.4
...
https://github.com/firewalld/firewalld/releases/tag/v1.3.3
https://github.com/firewalld/firewalld/releases/tag/v1.3.4
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:45 +05:30
90a0e3bf89
open-vm-tools: Add entry to CVE_PRODUCT to support the product name
...
- Added 'vmware:open_vm_tools' to CVE_PRODUCT to align with the NVD
CPE and ensure accurate CVE reporting.
Signed-off-by: Het Patel <hetpat@cisco.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9b69587ecbhjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:43 +05:30
fb4ebd1200
wireshark: fix for CVE-2025-13946
...
Pick patch from [1] also mentioned at NVD report in [2]
[1] https://gitlab.com/wireshark/wireshark/-/issues/20884
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13946
[3] https://security-tracker.debian.org/tracker/CVE-2025-13946
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:37 +05:30
5ce7602ce1
corosync: patch CVE-2026-35092
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092
Pick the patch that mentions the CVE ID explicitly (the same commit
was identified by Debian also[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35092
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit af73e716bcankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
985cc4d384
corosync: patch CVE-2026-35091
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091
Pick the patch that mentions the CVE ID explicitly (it was identified
by Debian also as the fix[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35091
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 701b22fda3ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
fc30bb5eed
unbound: Fix CVE-2025-11411
...
Backport complete patch to fix CVE-2025-11411
The existing scarthgap patch is a partial backport with hardcoded logic,
causing incorrect behavior and ptest failures. Backport the full upstream
fix along with the follow-up patch to ensure correct functionality.
Add below patch to fix
0001-CVE-2025-11411-1.patch
0002-CVE-2025-11411-2.patch
Signed-off-by: Jackson James <jacksonj2@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
42bf9aa27a
mbedtls: upgrade 3.6.5 -> 3.6.6
...
Contains fixes for CVE-2026-25833, CVE-2026-25834, CVE-2026-25835,
CVE-2026-34872, CVE-2026-34873, CVE-2026-34874 and CVE-2026-34875.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6
Ptests passed:
root@qemux86:~# ptest-runner mbedtls
START: ptest-runner
2026-04-09T10:41
BEGIN: /usr/lib/mbedtls/ptest
...
...
DURATION: 508
END: /usr/lib/mbedtls/ptest
2026-04-09T10:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit fe1b038cd8ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
1ad0d777d1
strongswan: Fix CVE-2026-25075
...
Pick patch according to [1]
[1] https://download.strongswan.org/security/CVE-2026-25075/
[2] https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:48 +05:30
4439caa199
lldpd: fix xml PACKAGECONFIG dependency
...
The xml PACKAGECONFIG entry uses libxm2, which is a typo and not a
valid dependency in OE.
Replace it with libxml2 so enabling PACKAGECONFIG:xml pulls in the
correct provider.
Signed-off-by: Aviv Daum <aviv.daum@gmail.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit cec3e0fd96anuj.mittal@oss.qualcomm.com >
2026-03-24 15:48:20 +05:30
75e3ed1850
ettercap: patch CVE-2026-3603
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3606
Pick the commit that is marked to solve the related Github
issue[1]. Its commit message also references the CVE ID explicitly.
[1]: https://github.com/Ettercap/ettercap/issues/1297
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:09 +05:30
a88f173ed0
wireshark: Fix CVE-2026-0960
...
Pick patch from [1] also mentioned in [2]
[1] https://gitlab.com/wireshark/wireshark/-/issues/20944
[2] https://security-tracker.debian.org/tracker/CVE-2026-0960
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:08 +05:30
e7a359838c
wireshark: Fix CVE-2026-3201
...
Pick patch from [1] also mentioned in [2]
[1] https://gitlab.com/wireshark/wireshark/-/issues/20972
[2] https://security-tracker.debian.org/tracker/CVE-2026-3201
More details : https://nvd.nist.gov/vuln/detail/CVE-2026-3201
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:07 +05:30
604a54d742
spice: set CVE-2016-2150 status to fixed
...
Debian has fixed this CVE with [1].
That patch is taken from [2].
.../tmp/work/core2-64-poky-linux/spice/0.15.2/git$ git describe 69628ea13
v0.13.1-190-g69628ea1
.../tmp/work/core2-64-poky-linux/spice/0.15.2/git$ git tag --contains 69628ea13
v0.13.2
[1] https://sources.debian.org/patches/spice/0.12.5-1%2Bdeb8u5/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch/
[2] https://gitlab.freedesktop.org/spice/spice/-/commit/69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e44f3251b5skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:04 +05:30
bc575f49a2
spice: ignore CVE-2016-0749
...
NVD tracks this as version-less CVE for spice.
It was fixed by [1] and [2] included in 0.13.2.
[1] https://gitlab.freedesktop.org/spice/spice/-/commit/6b32af3e1746988bb5a5123263bcf61b65e5be7e
[2] https://gitlab.freedesktop.org/spice/spice/-/commit/359ac42a7ac02dcd1013757559292006647cd5c4
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 073e845274skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:04 +05:30
0e38edb85d
spice-gtk: mark CVE-2012-4425 as fixed
...
It is fixed by [1] since 0.15.3.
NVD tracks this CVE as version-less.
[1] https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=efbf867bb88845d5edf839550b54494b1bb752b9
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7e17f8cec0skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:03 +05:30
a0a3169b2b
keepalived: patch CVE-2024-41184
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-41184
Backport the patches referenced by upstream in the bug
mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:01 +05:30
1bdb7dc121
mbedtls: Do not set LIB_INSTALL_DIR to an absolute path to make MbedTLSTargets.cmake relocateable
...
Signed-off-by: haonguyen-qualgo <hao.nna@qualgo.net >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-23 14:14:58 +05:30
6ce6448ebc
README: update listed maintainer
...
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-25 13:58:47 +05:30
2160609b5b
wireshark 4.2.14: Fix CVE-2026-0962
...
Upstream Repository: https://gitlab.com/wireshark/wireshark.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0962
Type: Security Fix
CVE: CVE-2026-0962
Score: 6.5
Patch: https://gitlab.com/wireshark/wireshark/-/commit/825b83e1ed14
Signed-off-by: Anil Dongare <adongare@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-25 13:45:44 +05:30
c9662d5451
dovecot: ignore CVE-2025-30189
...
Vulnerable versions are 2.4.0, 2.4.1 according to the full disclosure[1]
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-30189
[1] https://seclists.org/fulldisclosure/2025/Oct/29
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-25 13:00:40 +05:30
d691a39655
proftpd: ignore CVE-2021-47865
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865
This CVE was opened based on a 5 years old Github issue[1], and has been made
public recently. The CVE wasn't officially disputed (yet?), but based on
the description and the given PoC the application is working as expected.
The vulnerability description and the PoC basically configures proftpd to
accept maximum x connections, and then when the user tries to open x + 1
concurrent connections, it refuses new connections over the configured limit.
See also discussion in the Github issue.
It seems that it won't be fixed, because there is nothing to fix.
[1]: https://github.com/proftpd/proftpd/issues/1298
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-12 13:38:12 +05:30
eb8e89e3b4
ez-ipupdate: patch CVE-2003-0887
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887
The vulnerability is about the default (example) configurations,
which place cache files into the /tmp folder, that is world-writeable.
The recommendation would be to place them to a more secure folder.
The recipe however does not install these example configurations,
and as such it is not vulnerable either.
Just to make sure, patch these folders to a non-tmp folder
(and also install that folder, empty).
Some more discussion about the vulnerability:
https://bugzilla.suse.com/show_bug.cgi?id=48161
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit 0080dd7973skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-09 09:35:53 +05:30
acbbb1e308
wireshark: fix for CVE-2026-0959
...
Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/4b48ee36f1829d6d3d009bf9871af523ce8e3ace
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-09 09:35:46 +05:30
0a2ce1c4dd
tcpreplay: fix CVE-2025-51006
...
Within tcpreplay's tcprewrite, a double free vulnerability has been identified
in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c.
This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly invokes
the cleanup routine multiple times on the same memory region. By supplying a
specifically crafted pcap file to the tcprewrite binary, a local attacker can
exploit this flaw to cause a Denial of Service (DoS) via memory corruption.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-26 10:13:56 +05:30
a5772bb67e
openvpn: ignore CVE-2025-13751
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-13751
The vulnerability is Windows specific, can be ignored.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-26 10:04:48 +05:30
e5a1286bf7
strongswan: patch CVE-2025-62291
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62291
Pick the patch that is mentioned on the vendor's blog[1], that
is also referenced in the NVD report.
[1]: https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-26 10:04:45 +05:30
31777981d7
frr: patch multiple CVEs
...
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-61099
https://nvd.nist.gov/vuln/detail/CVE-2025-61100
https://nvd.nist.gov/vuln/detail/CVE-2025-61101
https://nvd.nist.gov/vuln/detail/CVE-2025-61102
https://nvd.nist.gov/vuln/detail/CVE-2025-61103
https://nvd.nist.gov/vuln/detail/CVE-2025-61104
https://nvd.nist.gov/vuln/detail/CVE-2025-61105
https://nvd.nist.gov/vuln/detail/CVE-2025-61106
https://nvd.nist.gov/vuln/detail/CVE-2025-61107
The PR[1] mentioned in nvd got closed without merge due to unresolved
code review comments but another PR[2] fixed them and changes were merged.
[1] https://github.com/FRRouting/frr/pull/19480
[2] https://github.com/FRRouting/frr/pull/19983
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-19 12:15:48 +05:30
a0d1cca3be
openfortivpn: upgrade 1.22.0 -> 1.22.1
...
Bugfix:
do not advertise we talk compressed HTTP
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7cd1f5a871ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-19 12:15:48 +05:30
600a42c435
tcpreplay 4.4.4: Fix CVE-2025-9384
...
There is a NULL Pointer Dereference in ports2PORT when the user passes ill-formatted
portmap string to tcprewrite with option -r or --portmap
Upstream Repository: https://github.com/appneta/tcpreplay.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-9384
CVE: CVE-2025-9384
Signed-off-by: Jackson <jacksonj2@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-19 12:15:44 +05:30
30dafc3958
unbound: Fix CVE-2025-5994
...
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been
discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is
also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND
configured to send ECS information along with queries to upstream name servers
CVE: CVE-2025-5994
Signed-off-by: Naman Jain <namanj1@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:27 +05:30
b76d5a084b
networkmanager: upgrade 1.46.0 -> 1.46.6
...
Solves CVE-2024-6501 (in 1.46.4).
Release notes:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.46.6/NEWS?ref_type=tags
Switch SRC_URI for gnome Gitlab as gnome mirror no longer contains new
releases.
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:24 +05:30
c49bff1273
wolfssl: patch CVE-2025-7394
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7394
Backport patches from the PR[1][2][3] mentioned in the changelog[4].
[1] https://github.com/wolfSSL/wolfssl/pull/8849
[2] https://github.com/wolfSSL/wolfssl/pull/8867
[3] https://github.com/wolfSSL/wolfssl/pull/8898
[4] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:18 +05:30
df26bbaaba
tinyproxy: patch CVE-2025-63938
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:13 +05:30
e90c455347
znc: patch CVE-2024-39844
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39844
Backport commit[1] from https://github.com/znc/znc/releases/tag/znc-1.9.1
[1] https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:52:00 +05:30
bfd8dda3ba
proftpd: patch CVE-2024-48651
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-48651
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:52:00 +05:30
bad750ad27
open62541: patch CVE-2024-53429
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-53429
Backport the patch mentioned in the comment[1] which fixed this CVE.
[1] https://github.com/open62541/open62541/issues/6825#issuecomment-2460650733
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:59 +05:30
c73fe4bd7e
mtr: patch CVE-2025-49809
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49809
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:59 +05:30
b45ac4e0ef
libcoap: patch CVE-2025-34468
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-34468
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:58 +05:30
c0c54373e9
frr: ignore CVE-2024-44070
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-44070
The PR[1] fixing this CVE was backported[2] to stable/9.1 and commit[3]
exists in the current version so we can ignore it.
$ git tag --contains 21cd931 | grep frr-9.1.3
frr-9.1.3
[1] https://github.com/FRRouting/frr/pull/16497
[2] https://github.com/FRRouting/frr/pull/16504
[3] https://github.com/FRRouting/frr/commit/21cd931a5f9303e12104c72ce31ca383c0c57514
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:58 +05:30
7e4c89a25e
dante: Add _GNU_SOURCE for musl builds
...
This helps build fixes e.g. cpuset_t definitions etc.
glibc builds have _GNU_SOURCE defined inherently.
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 848bac20eaankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:57 +05:30
f0fa984d16
dante: upgrade 1.4.3 -> 1.4.4
...
License-Update: copyright year bump
Changelog:
- Fix potential security issue CVE-2024-54662, related to "socksmethod"
use in client/hostid-rules.
- Add a missing call to setgroups(2).
- Patch to fix compilation with libminiupnp 2.2.8.
- Client connectchild optimizations.
- Client SIGIO handling improvements.
- Various configure/build fixes.
- Updated to support TCP_EXP1 version of TCP hostid format.
https://www.inet.no/dante/announce-1.4.4
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:57 +05:30
2aa20b7141
cifs-utils: patch CVE-2025-2312
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:56 +05:30
98f1eff432
net-snmp: patch CVE-2025-68615
...
Pick patch per [1].
[1] https://security-tracker.debian.org/tracker/CVE-2025-68615
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:50:50 +05:30
b7180060eb
wolfssl: patch CVE-2025-7395
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395
Backport the patches from the PR[1] that is referenced by the project's
changelog[2] to fix this issue.
[1]: https://github.com/wolfSSL/wolfssl/pull/8833
[2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-30 07:08:15 +05:30
e7b55c84bb
libcoap: patch CVE-2025-59391
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-59391
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-30 07:08:15 +05:30
ba18d52f43
libcoap: ignore CVE-2023-51847
...
Details https://nvd.nist.gov/vuln/detail/CVE-2023-51847
The vulnerability exists in coap_threadsafe.c but thread safe support was
added in version v4.5.3 [1]
[1] https://github.com/obgm/libcoap/commit/c69c5d5af0a30859e90756f535e2ca21cdeda0b2
$ git tag --contains c69c5d5
v4.3.5
v4.3.5-rc1
v4.3.5-rc2
v4.3.5-rc3
v4.3.5a
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-30 07:08:14 +05:30
8a991e7e3c
libcoap: ignore CVE-2025-50518
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-50518
The vulnerability is disputed by upstream, because the vulnerability
requires a user error, incorrect library usage. See also an upstream
discussion in a related (rejected) PR: https://github.com/obgm/libcoap/pull/1726
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 598176e1cbankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-30 07:08:14 +05:30
6593af3931
libmemcached: ignore CVE-2023-27478
...
Per [1] this is fixed by [2].
The commit message says that it is reverting feature added in:
$ git tag --no-contains d7a0084 | grep 1.0.18
1.0.18
This recipe is for the original memcached which is unmaintained now.
Hence the ignore instead of upgrade.
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-27478
[2] https://github.com/awesomized/libmemcached/commit/48dcc61a
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 607a446491ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2025-12-30 07:08:13 +05:30
Ankur Tyagi
Het Patel
Hitendra Prajapati
Gyorgy Sarvari
Jackson James
Vijay Anusuri
Aviv Daum
Peter Marko
haonguyen-qualgo
Anuj Mittal
Anil Dongare
Archana Polampalli
Wang Mingyu
Naman Jain
Khem Raj