c96f578f10
hdf5: fix CVE-2025-2310
...
According to [1], A vulnerability was found in HDF5 1.14.6 and classified
as critical. This issue affects the function H5MM_strndup of the component
Metadata Attribute Decoder. The manipulation leads to heap-based buffer
overflow. Attacking locally is a requirement. The exploit has been
disclosed to the public and may be used.
Backport patch [2] from upstream to fix CVE-2025-2310
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2310
[2] https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:18 +05:30
43572581cf
hdf5: fix CVE-2025-2153
...
According to [1], A vulnerability, which was classified as critical, was
found in HDF5 1.14.6. Affected is the function H5SM_delete of the file
H5SM.c of the component h5 File Handler. The manipulation leads to
heap-based buffer overflow. It is possible to launch the attack remotely.
The complexity of an attack is rather high. The exploitability is told to
be difficult. The exploit has been disclosed to the public and may be used.
Backport patch [2] from upstream to fix CVE-2025-2153
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2153
[2] https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:12:15 +05:30
151e634ed2
python3-django: fix CVE-2025-64459
...
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the
class Q() were subject to SQL injection when using a suitably crafted
dictionary, with dictionary expansion, as the _connector argument.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html
Upstream-patch:
https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:10:33 +05:30
c14dcffcd7
yasm: fix CVE-2021-33454
...
An issue was discovered in yasm version 1.3.0. There is a
NULL pointer dereference in yasm_expr_get_intnum() in
libyasm/expr.c.
Backport patch to fix CVE-2021-33454 per reference [1].
[1]: https://security-tracker.debian.org/tracker/CVE-2021-33454
Signed-off-by: Guocai He <guocai.he.cn@windriver.com >
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-15 14:10:33 +05:30
fc30bb5eed
unbound: Fix CVE-2025-11411
...
Backport complete patch to fix CVE-2025-11411
The existing scarthgap patch is a partial backport with hardcoded logic,
causing incorrect behavior and ptest failures. Backport the full upstream
fix along with the follow-up patch to ensure correct functionality.
Add below patch to fix
0001-CVE-2025-11411-1.patch
0002-CVE-2025-11411-2.patch
Signed-off-by: Jackson James <jacksonj2@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
07c2b52840
nodejs: upgrade 20.20.0 -> 20.20.2
...
License Update: Update minimatch to the Blue Oak Model License[1]
nodejs LTS releases containing security and bugfixes.
https://nodejs.org/en/blog/release/v20.20.1
https://nodejs.org/en/blog/release/v20.20.2
[1] https://github.com/nodejs/node/commit/f0ef221b0d458d9358c6e6e49094da475e86c229
Ptests passed:
root@qemux86:~# ptest-runner nodejs
START: ptest-runner
2026-04-09T10:37
BEGIN: /usr/lib/nodejs/ptest
Running main() from /usr/src/debug/nodejs/20.20.2/deps/googletest/src/gtest_main.cc
[==========] Running 152 tests from 23 test suites.
[----------] Global test environment set-up.
...
...
[----------] Global test environment tear-down
[==========] 152 tests from 23 test suites ran. (30533 ms total)
[ PASSED ] 152 tests.
PASS: nodejs
DURATION: 31
END: /usr/lib/nodejs/ptest
2026-04-09T10:37
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
42bf9aa27a
mbedtls: upgrade 3.6.5 -> 3.6.6
...
Contains fixes for CVE-2026-25833, CVE-2026-25834, CVE-2026-25835,
CVE-2026-34872, CVE-2026-34873, CVE-2026-34874 and CVE-2026-34875.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6
Ptests passed:
root@qemux86:~# ptest-runner mbedtls
START: ptest-runner
2026-04-09T10:41
BEGIN: /usr/lib/mbedtls/ptest
...
...
DURATION: 508
END: /usr/lib/mbedtls/ptest
2026-04-09T10:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit fe1b038cd8ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
39924b5b88
libvncserver: fix CVE-2026-32854
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32854
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
c56964fcf2
libvncserver: fix CVE-2026-32853
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32853
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
964432f3af
libraw: ignore CVE-2026-5318
...
Vulnerability exists in the function which was added in version 0.22.0[1]
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-5318
[1] https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
d17d94e0e0
libde265: upgrade 1.0.12 -> 1.0.16
...
Dropped patches which are part of the upstream version.
https://github.com/strukturag/libde265/releases/tag/v1.0.16
https://github.com/strukturag/libde265/releases/tag/v1.0.15
https://github.com/strukturag/libde265/releases/tag/v1.0.14
https://github.com/strukturag/libde265/releases/tag/v1.0.13
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
7e723ad1c7
giflib: patch CVE-2025-31344
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31344
Backport the commit that mentions this CVE ID explicitly
in its message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
6d5a42a5e0
freerdp3: fix CVE-2026-33984
...
Detaisl: https://nvd.nist.gov/vuln/detail/CVE-2026-33984
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
262e656885
freerdp3: fix CVE-2026-31897
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31897
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
73ae0a8034
freerdp3: fix CVE-2026-31806
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31806
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
7025c461c7
freerdp3: fix CVE-2026-29776
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29776
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
1bc75cd389
freerdp3: fix CVE-2026-29775
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29775
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
2d96f24f2d
freerdp3: fix CVE-2026-29774
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29774
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
53ab8b4a5a
freerdp3: fix CVE-2026-24683
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24683
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
2beb2f81e7
freerdp3: fix CVE-2026-24682
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24682
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
799cfe0cfa
freerdp3: fix CVE-2026-24681
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24681
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
b343c96d52
freerdp3: fix CVE-2026-24680 and CVE-2026-27950
...
There was only SDL2 client until commit[1] created SDL2 and SDL3 clients
from version 3.6.0 onwards.
[1] https://github.com/FreeRDP/FreeRDP/commit/8281186a6d9dad20e8345d85a1732e2974636555
Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-24680
https://nvd.nist.gov/vuln/detail/CVE-2026-27950
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
27ba3fb054
freerdp3: fix CVE-2026-24679
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24679
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
09cd8e482a
freerdp3: ignore CVE-2026-24677 and CVE-2026-24678
...
Both vulnerabilities exists in the functions which were added in
version 3.6.0[1]
Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-24677
https://nvd.nist.gov/vuln/detail/CVE-2026-24678
[1] https://github.com/FreeRDP/FreeRDP/commit/a81d111ac4023d31e10ebf579fa34c93bf56bce5
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
8cc0cd3deb
freerdp3: fix CVE-2026-24676
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24676
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
4784f85b09
freerdp3: fix CVE-2026-24675
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24675
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
c9763be62b
freerdp3: fix CVE-2026-24491
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24491
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
a0221753e4
freerdp3: fix CVE-2026-23948
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23948
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
21af1f7e13
freerdp3: fix CVE-2026-33952
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33952
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
421f659e20
freerdp3: fix CVE-2026-25941
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25941
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
7cc6fe87bc
abseil-cpp: ignore CVE-2025-0838
...
The commit[1] mentioned in the NVD[2] is part of the current version[3].
[1] https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-0838
[3] https://github.com/abseil/abseil-cpp/commit/54fac219c4ef0bc379dfffb0b8098725d77ac81b
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
d086d0b43e
nginx: Fix for CVE-2026-28755
...
Pick patch from [1] which mentioned in debian report [2]
[1] https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8
[2] https://security-tracker.debian.org/tracker/CVE-2026-28755
Note: Add different patch for both version to resolve fuzz issue.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:15 +05:30
9310c3b1a4
nginx: Fix for CVE-2026-27784
...
Pick patch from [1] which mentioned in debian report with [2]
[1] https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018
[2] https://security-tracker.debian.org/tracker/CVE-2026-27784
More details: https://nvd.nist.gov/vuln/detail/CVE-2026-27784
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:31:29 +05:30
1ad0d777d1
strongswan: Fix CVE-2026-25075
...
Pick patch according to [1]
[1] https://download.strongswan.org/security/CVE-2026-25075/
[2] https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:48 +05:30
4feb9130b0
flatpak: add PACKAGECONFIG for dconf
...
Disable by default to avoid a requirement for meta-gnome
Signed-off-by: Markus Volk <f_l_k@t-online.de >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:48 +05:30
4810cd8c5b
python3-cbor2: patch CVE-2026-26209
...
Backport the patch[1] which fixes this vulnerability as mentioned in the
comment[3].
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-26209
[1] https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b
[2] https://github.com/agronholm/cbor2/commit/fb4ee1612a8a1ac0dbd8cf2f2f6f931a4e06d824 (pre patch)
[3] https://github.com/agronholm/cbor2/pull/275
Dropped changes to the changelog from the original commit.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:47 +05:30
b13ae5a8eb
giflib: Fix CVE-2026-23868
...
Pick patch according to [1]
[1] https://www.facebook.com/security/advisories/cve-2026-23868
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-23868
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:47 +05:30
57fc94a42d
libssh: Fix CVE-2026-0966
...
Pick commits according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-0966
[2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:47 +05:30
3b8e032dbc
libssh: Fix CVE-2026-0964
...
Pick commits according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-0964
[2] https://www.libssh.org/security/advisories/CVE-2026-0964.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:46 +05:30
0e43651ad3
freerdp: remove 0001-Fix-const-qualifier-error.patch
...
Instead of fixing the build with clang this is now breaking it after 2.11.8 commit:
https://github.com/FreeRDP/FreeRDP/commit/67818bddb31900cdf3acb26cb0b673cc90b71cc9
freerdp/2.11.8/git/client/Wayland/wlfreerdp.c:637:19: error: incompatible function pointer types assigning to 'OBJECT_NEW_FN' (aka 'void *(*)(const void *)') from 'void *(void *)' [-Wincompatible-function-pointer-types]
637 | obj->fnObjectNew = uwac_event_clone;
| ^ ~~~~~~~~~~~~~~~~
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:40 +05:30
06f846a325
bluealsa: fix QA issue staticdev
...
When building bluealsa with building static libraries NOT disabled, you
get the following error:
ERROR: bluealsa-4.3.0-r0 do_package_qa: QA Issue: non -staticdev package
contains static .a library: bluealsa path
'/usr/lib/alsa-lib/libasound_module_pcm_bluealsa.a' [staticdev]
ERROR: bluealsa-4.3.0-r0 do_package_qa: QA Issue: non -staticdev package
contains static .a library: bluealsa path
'/usr/lib/alsa-lib/libasound_module_ctl_bluealsa.a' [staticdev]
ERROR: bluealsa-4.3.0-r0 do_package_qa: Fatal QA errors were found,
failing task.
Fix this by explicitly putting these files in the -staticdev package.
Signed-off-by: Matthias Proske <matthias.p@variscite.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1a9744b3caanuj.mittal@oss.qualcomm.com >
2026-03-24 15:53:24 +05:30
acbcafe3f5
krb5: fix build with gcc-15
...
* fixes:
http://errors.yoctoproject.org/Errors/Details/848727/
ss_internal.h:88:6: error: conflicting types for 'ss_delete_info_dir'; have 'void(void)'
88 | void ss_delete_info_dir();
| ^~~~~~~~~~~~~~~~~~
...
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f26536c2f6anuj.mittal@oss.qualcomm.com >
2026-03-24 15:51:50 +05:30
4439caa199
lldpd: fix xml PACKAGECONFIG dependency
...
The xml PACKAGECONFIG entry uses libxm2, which is a typo and not a
valid dependency in OE.
Replace it with libxml2 so enabling PACKAGECONFIG:xml pulls in the
correct provider.
Signed-off-by: Aviv Daum <aviv.daum@gmail.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit cec3e0fd96anuj.mittal@oss.qualcomm.com >
2026-03-24 15:48:20 +05:30
2ca25f2279
libde265: patch CVE-2025-61147
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61147
Backport the patch referenced by the NVD advisory.
Note that this is a partial backport - only the parts that are
used by the application, and without pulling in c++17 headers.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:16 +05:30
54c8a4ad6c
mariadb: upgrade 10.11.12 -> 10.11.16
...
10.11 is an LTS version of MariaDB. This upgrade is part of that commitment.
Release notes:
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.16
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.15
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.14
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.13
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:15 +05:30
bd41441bf3
libjxl: mark CVE-2025-12474 and CVE-2026-1837 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-12474
https://nvd.nist.gov/vuln/detail/CVE-2026-1837
Both vulnerabilities have been fixed in 0.10.5.
Relevant commits:
CVE-2025-12474: https://github.com/libjxl/libjxl/commit/5ce68976a5abfaea7b3086036ab9f6543ab5b29e
CVE-2026-1837: https://github.com/libjxl/libjxl/commit/36b0cecaa12f643d03c16bd32e5f83775c912b07
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:15 +05:30
76abb03c21
libnice: make crypto library configurable via PACKAGECONFIG
...
Move gnutls from a hard dependency to a PACKAGECONFIG option defaulting
to gnutls. This allows users to select openssl as an alternative crypto
library by setting PACKAGECONFIG.
Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com >
Signed-off-by: Sujeet Nayak <sujeetnayak1976@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:15 +05:30
808d3a73de
python3-pillow: fix CVE-2026-25990
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990
Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2].
[1] https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-25990
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:14 +05:30
d3a45ead9c
python3-pyjwt: Fix CVE-2026-32597
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32597
Backport commit[1] which fixes this vulnerability as mentioned in [2].
[1] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92
[2] https://security-tracker.debian.org/tracker/CVE-2026-32597
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:14 +05:30
d5de98d28b
capnproto: patch CVE-2026-32239 and CVE-2026-32240
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32239
https://nvd.nist.gov/vuln/detail/CVE-2026-32240
Backport the patch that is referenced by the NVD advisories.
(Same patch for both vulnerabilities)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:13 +05:30
Libo Chen
Haixiao Yan
Guocai He
Jackson James
Ankur Tyagi
Gyorgy Sarvari
Hitendra Prajapati
Vijay Anusuri
Markus Volk
Martin Jansa
Matthias Proske
Aviv Daum
Sujeet Nayak