c9763be62b
freerdp3: fix CVE-2026-24491
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24491
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
a0221753e4
freerdp3: fix CVE-2026-23948
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23948
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
21af1f7e13
freerdp3: fix CVE-2026-33952
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33952
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
421f659e20
freerdp3: fix CVE-2026-25941
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25941
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
7cc6fe87bc
abseil-cpp: ignore CVE-2025-0838
...
The commit[1] mentioned in the NVD[2] is part of the current version[3].
[1] https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-0838
[3] https://github.com/abseil/abseil-cpp/commit/54fac219c4ef0bc379dfffb0b8098725d77ac81b
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
d086d0b43e
nginx: Fix for CVE-2026-28755
...
Pick patch from [1] which mentioned in debian report [2]
[1] https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8
[2] https://security-tracker.debian.org/tracker/CVE-2026-28755
Note: Add different patch for both version to resolve fuzz issue.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:15 +05:30
9310c3b1a4
nginx: Fix for CVE-2026-27784
...
Pick patch from [1] which mentioned in debian report with [2]
[1] https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018
[2] https://security-tracker.debian.org/tracker/CVE-2026-27784
More details: https://nvd.nist.gov/vuln/detail/CVE-2026-27784
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:31:29 +05:30
1ad0d777d1
strongswan: Fix CVE-2026-25075
...
Pick patch according to [1]
[1] https://download.strongswan.org/security/CVE-2026-25075/
[2] https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:48 +05:30
4feb9130b0
flatpak: add PACKAGECONFIG for dconf
...
Disable by default to avoid a requirement for meta-gnome
Signed-off-by: Markus Volk <f_l_k@t-online.de >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:48 +05:30
4810cd8c5b
python3-cbor2: patch CVE-2026-26209
...
Backport the patch[1] which fixes this vulnerability as mentioned in the
comment[3].
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-26209
[1] https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b
[2] https://github.com/agronholm/cbor2/commit/fb4ee1612a8a1ac0dbd8cf2f2f6f931a4e06d824 (pre patch)
[3] https://github.com/agronholm/cbor2/pull/275
Dropped changes to the changelog from the original commit.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:47 +05:30
b13ae5a8eb
giflib: Fix CVE-2026-23868
...
Pick patch according to [1]
[1] https://www.facebook.com/security/advisories/cve-2026-23868
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-23868
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:47 +05:30
57fc94a42d
libssh: Fix CVE-2026-0966
...
Pick commits according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-0966
[2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:47 +05:30
3b8e032dbc
libssh: Fix CVE-2026-0964
...
Pick commits according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-0964
[2] https://www.libssh.org/security/advisories/CVE-2026-0964.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:46 +05:30
0e43651ad3
freerdp: remove 0001-Fix-const-qualifier-error.patch
...
Instead of fixing the build with clang this is now breaking it after 2.11.8 commit:
https://github.com/FreeRDP/FreeRDP/commit/67818bddb31900cdf3acb26cb0b673cc90b71cc9
freerdp/2.11.8/git/client/Wayland/wlfreerdp.c:637:19: error: incompatible function pointer types assigning to 'OBJECT_NEW_FN' (aka 'void *(*)(const void *)') from 'void *(void *)' [-Wincompatible-function-pointer-types]
637 | obj->fnObjectNew = uwac_event_clone;
| ^ ~~~~~~~~~~~~~~~~
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:40 +05:30
06f846a325
bluealsa: fix QA issue staticdev
...
When building bluealsa with building static libraries NOT disabled, you
get the following error:
ERROR: bluealsa-4.3.0-r0 do_package_qa: QA Issue: non -staticdev package
contains static .a library: bluealsa path
'/usr/lib/alsa-lib/libasound_module_pcm_bluealsa.a' [staticdev]
ERROR: bluealsa-4.3.0-r0 do_package_qa: QA Issue: non -staticdev package
contains static .a library: bluealsa path
'/usr/lib/alsa-lib/libasound_module_ctl_bluealsa.a' [staticdev]
ERROR: bluealsa-4.3.0-r0 do_package_qa: Fatal QA errors were found,
failing task.
Fix this by explicitly putting these files in the -staticdev package.
Signed-off-by: Matthias Proske <matthias.p@variscite.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1a9744b3caanuj.mittal@oss.qualcomm.com >
2026-03-24 15:53:24 +05:30
acbcafe3f5
krb5: fix build with gcc-15
...
* fixes:
http://errors.yoctoproject.org/Errors/Details/848727/
ss_internal.h:88:6: error: conflicting types for 'ss_delete_info_dir'; have 'void(void)'
88 | void ss_delete_info_dir();
| ^~~~~~~~~~~~~~~~~~
...
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f26536c2f6anuj.mittal@oss.qualcomm.com >
2026-03-24 15:51:50 +05:30
4439caa199
lldpd: fix xml PACKAGECONFIG dependency
...
The xml PACKAGECONFIG entry uses libxm2, which is a typo and not a
valid dependency in OE.
Replace it with libxml2 so enabling PACKAGECONFIG:xml pulls in the
correct provider.
Signed-off-by: Aviv Daum <aviv.daum@gmail.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit cec3e0fd96anuj.mittal@oss.qualcomm.com >
2026-03-24 15:48:20 +05:30
2ca25f2279
libde265: patch CVE-2025-61147
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61147
Backport the patch referenced by the NVD advisory.
Note that this is a partial backport - only the parts that are
used by the application, and without pulling in c++17 headers.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:16 +05:30
54c8a4ad6c
mariadb: upgrade 10.11.12 -> 10.11.16
...
10.11 is an LTS version of MariaDB. This upgrade is part of that commitment.
Release notes:
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.16
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.15
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.14
https://mariadb.com/docs/release-notes/community-server/10.11/10.11.13
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:15 +05:30
bd41441bf3
libjxl: mark CVE-2025-12474 and CVE-2026-1837 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-12474
https://nvd.nist.gov/vuln/detail/CVE-2026-1837
Both vulnerabilities have been fixed in 0.10.5.
Relevant commits:
CVE-2025-12474: https://github.com/libjxl/libjxl/commit/5ce68976a5abfaea7b3086036ab9f6543ab5b29e
CVE-2026-1837: https://github.com/libjxl/libjxl/commit/36b0cecaa12f643d03c16bd32e5f83775c912b07
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:15 +05:30
76abb03c21
libnice: make crypto library configurable via PACKAGECONFIG
...
Move gnutls from a hard dependency to a PACKAGECONFIG option defaulting
to gnutls. This allows users to select openssl as an alternative crypto
library by setting PACKAGECONFIG.
Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com >
Signed-off-by: Sujeet Nayak <sujeetnayak1976@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:15 +05:30
808d3a73de
python3-pillow: fix CVE-2026-25990
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990
Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2].
[1] https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-25990
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:14 +05:30
d3a45ead9c
python3-pyjwt: Fix CVE-2026-32597
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32597
Backport commit[1] which fixes this vulnerability as mentioned in [2].
[1] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92
[2] https://security-tracker.debian.org/tracker/CVE-2026-32597
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:14 +05:30
d5de98d28b
capnproto: patch CVE-2026-32239 and CVE-2026-32240
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32239
https://nvd.nist.gov/vuln/detail/CVE-2026-32240
Backport the patch that is referenced by the NVD advisories.
(Same patch for both vulnerabilities)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:13 +05:30
86dc3a4fe4
openjpeg: patch CVE-2023-39327
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39327
Take the patch that is used by OpenSUSE to mitigate this vulnerability.
Upstream seems to be unresponsive to this issue.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
(cherry picked from commit fdddf2bdd3bhabu.bindu@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:13 +05:30
2a5987979a
hiawatha: fix SRC_URI
...
The tarball was moved to a new folder on the source server.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:12 +05:30
b79eee49df
imagemagick: patch CVE-2025-69204
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69204
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:12 +05:30
1c317cf2c8
imagemagick: patch CVE-2025-68950
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68950
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:11 +05:30
8d896ff2ae
imagemagick: patch CVE-2025-68618
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68618
Backport the commit that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:11 +05:30
14bb7501b0
exiv2: patch CVE-2026-27631
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27631
Backport the patches referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:10 +05:30
3175de6547
exiv2: patch CVE-2026-27596
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27596
Backport the commits referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:10 +05:30
7e66b15669
exiv2: patch CVE-2026-25884
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25884
Backport the commits referenced by the NVD advisory.
One of the patches contain some binary data (for test data),
which needs to be applied with git PATCHTOOL.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:10 +05:30
75e3ed1850
ettercap: patch CVE-2026-3603
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3606
Pick the commit that is marked to solve the related Github
issue[1]. Its commit message also references the CVE ID explicitly.
[1]: https://github.com/Ettercap/ettercap/issues/1297
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:09 +05:30
59b94e41bf
libssh: Fix CVE-2026-3731
...
Pick commits according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-3731
[2] https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:09 +05:30
a88f173ed0
wireshark: Fix CVE-2026-0960
...
Pick patch from [1] also mentioned in [2]
[1] https://gitlab.com/wireshark/wireshark/-/issues/20944
[2] https://security-tracker.debian.org/tracker/CVE-2026-0960
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:08 +05:30
af2304fcb9
php: upgrade 8.2.29 -> 8.2.30
...
Drop patches that are included in this release.
Changes: https://www.php.net/ChangeLog-8.php#8.2.30
- Curl: Fix curl build and test failures with version 8.16.
- Opcache: Reset global pointers to prevent use-after-free in zend_jit_status().
- PDO: PDO quoting result null deref - CVE-2025-14180
- Null byte termination in dns_get_record()
- Heap buffer overflow in array_merge() - CVE-2025-14178
- Information Leak of Memory in getimagesize - CVE-2025-14177
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:08 +05:30
e7a359838c
wireshark: Fix CVE-2026-3201
...
Pick patch from [1] also mentioned in [2]
[1] https://gitlab.com/wireshark/wireshark/-/issues/20972
[2] https://security-tracker.debian.org/tracker/CVE-2026-3201
More details : https://nvd.nist.gov/vuln/detail/CVE-2026-3201
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:07 +05:30
b48d119e50
nativesdk-pistache: dependency with brotli
...
Building of nativesdk-pistache aborted due to
missing dependency with brotli.
Fixed by extending brotli recipe to build nativesdk
Signed-off-by: Christos Gavros <gavrosc@yahoo.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit cf95ee0ff5deeratho@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:07 +05:30
6dd3de0d5d
yasm: extend recipe for nativesdk builds
...
Some SDK dependency chains require yasm to be available
as SDK artifacts. The current metadata only partially provides this,
which can lead to dependency resolution failures when this recipe is pulled
into SDK-oriented builds.
This change does not alter target package behavior; it only enables required
nativesdk variant for build and SDK integration paths.
Signed-off-by: Deepak Rathore <deeratho@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:06 +05:30
29e835b9b7
vlc: ignore CVE-2026-26227 and CVE-2026-26228
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-26227
https://nvd.nist.gov/vuln/detail/CVE-2026-26228
Both vulnerabilities affect only the Android version of VLC, not
the other ones. Because of this, ignore these CVEs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:06 +05:30
67d0242d70
gimp: add additional patch for CVE-2026-0797
...
There is an additional patch for CVE-2026-0797, which is not mentioned
in the CVE advisory, nor in the related issue nor in the related PR, however
both the change, and the commit message shows that this is a continuation
of the original fix, which was incomplete.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:05 +05:30
ada8211493
sassc: ignore CVE-2022-43357
...
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
It's usual usecase is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.
[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
are not present in this repository.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] https://github.com/sass/libsass/issues/3177
[3] https://github.com/sass/libsass/pull/3184
[4] https://github.com/sass/sassc/
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 576b84263bskandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:05 +05:30
604a54d742
spice: set CVE-2016-2150 status to fixed
...
Debian has fixed this CVE with [1].
That patch is taken from [2].
.../tmp/work/core2-64-poky-linux/spice/0.15.2/git$ git describe 69628ea13
v0.13.1-190-g69628ea1
.../tmp/work/core2-64-poky-linux/spice/0.15.2/git$ git tag --contains 69628ea13
v0.13.2
[1] https://sources.debian.org/patches/spice/0.12.5-1%2Bdeb8u5/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch/
[2] https://gitlab.freedesktop.org/spice/spice/-/commit/69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit e44f3251b5skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:04 +05:30
bc575f49a2
spice: ignore CVE-2016-0749
...
NVD tracks this as version-less CVE for spice.
It was fixed by [1] and [2] included in 0.13.2.
[1] https://gitlab.freedesktop.org/spice/spice/-/commit/6b32af3e1746988bb5a5123263bcf61b65e5be7e
[2] https://gitlab.freedesktop.org/spice/spice/-/commit/359ac42a7ac02dcd1013757559292006647cd5c4
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 073e845274skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:04 +05:30
0e38edb85d
spice-gtk: mark CVE-2012-4425 as fixed
...
It is fixed by [1] since 0.15.3.
NVD tracks this CVE as version-less.
[1] https://cgit.freedesktop.org/spice/spice-gtk/commit/?id=efbf867bb88845d5edf839550b54494b1bb752b9
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7e17f8cec0skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:03 +05:30
213a390d5d
streamripper: ignore CVE-2020-37065
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-37065
The vulnerability is about a 3rd party Windows-only GUI frontend for
the streamripper library, and not for the CLI application that the
recipe builds. Due to this ignore this CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1571c1a8e5skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:03 +05:30
67a8fe4a1a
python3-django: upgrade 4.2.28 -> 4.2.29
...
Contains fiuxes for CVE-2026-25673 and CVE-2026-25674.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:03 +05:30
c73a2a0435
protobuf: ignore CVE-2026-0994
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994
The vulnerability impacts only the python bindings of protobuf, which
is in a separate recipe (python3-protobuf, where it is patched).
Ignore this CVE in this recipe due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 398fa05aa8skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:02 +05:30
24e8a09f65
libjxl: upgrade 0.10.2 -> 0.10.5
...
Bug fix release, mostly CVE fixes.
Drop patches that are included.
Changelog:
0.10.5:
fix tile dimension in low memory rendering pipeline (CVE-2025-12474)
fix number of channels for gray-to-gray color transform (CVE-2026-1837)
djxl: reject decoding JXL files if "packed" representation size overflows size_t
0.10.4:
Huffman lookup table size fix (CVE-2024-11403)
Check height limit in modular trees (CVE-2024-11498)
0.10.3:
fixed decoding of some special images
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:02 +05:30
a0a3169b2b
keepalived: patch CVE-2024-41184
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-41184
Backport the patches referenced by upstream in the bug
mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:01 +05:30
Ankur Tyagi
Hitendra Prajapati
Vijay Anusuri
Markus Volk
Martin Jansa
Matthias Proske
Aviv Daum
Gyorgy Sarvari
Sujeet Nayak
Christos Gavros
Deepak Rathore
Peter Marko