Gyorgy Sarvari
dda2b96cb2
freerdp: mark CVE-2024-32041 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32041
Both the relevant Github Advisory[1] and Debian[2] state that the
same patch fixes this vulnerability as CVE-2024-32039.
Therefore add this CVE ID to the same patch's CVE tag.
[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5r4p-mfx2-m44r
[2]: https://security-tracker.debian.org/tracker/CVE-2024-32041
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
23a46eae5f
freerdp: patch CVE-2024-32040
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32040
Pick the patch that is marked to resolve this vulnerability, from
the related Github advisory[1].
[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-23c5-cp23-h2h5
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
cebeb9b1a6
freerdp: patch CVE-2024-32039
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32039
Pick the commit that is marked to resolve this vulnerability, mentioned
by the Github advisory[1].
[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5h8-7j42-j4r9
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
86566fac39
freerdp: patch CVE-2024-22211
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-22211
Pick the patch that is referenced by the NVD report as the solution.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
99ffae0ed0
freerdp: patch CVE-2023-40589
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40589
Pick the patch that was identified[1] by Debian to solve the issue
on the 2.x branch.
[1]: https://security-tracker.debian.org/tracker/CVE-2023-40589
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
d3eea640d3
freerdp: add ptest support
...
The tests take about 50s to execute on my machine.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
bb987740aa
freerdp: patch CVE-2023-40569
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40569
Pick the patch that was identified[1] by Debian as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2023-40569
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
d4e1c145e6
freerdp: patch CVE-2023-40181
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40181
Pick the patch that was identified[1] by Debian as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2023-40181
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
c9affa4bd5
freerdp: patch CVE-2023-39353
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39353
Pick the patch that was identified[1] by Debian as the solution.
[1]: https://security-tracker.debian.org/tracker/CVE-2023-39353
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
c793926ade
freerdp: patch CVE-2023-39352
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39352
Backport the commit that was identified[1] by Debian as the solution.
Note: WINPR_ASSERT macro calls have been changed to assert calls, as this
macro doesn't exist yet in this version. Looking at the implementation[2],
it is basically an assert call with somewhat verbose logs.
Even though the original implementation also defines a no-op version, the
assert version is enabled by default.
[1]: https://security-tracker.debian.org/tracker/CVE-2023-39352
[2]: https://github.com/FreeRDP/FreeRDP/blob/2.11.0/winpr/include/winpr/assert.h#L31
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
f4a93a4c96
freerdp: patch CVE-2023-39351
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39351
Pick the patch that is mentioned by Debian[1] to solve the problem.
[1]: https://security-tracker.debian.org/tracker/CVE-2023-39351
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
9e67ae18b0
freerdp: patch CVE-2023-39350
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39350
Pick the patch that was identified[1] by Debian as the solution.
Note that the NVD report also references a commit as a patch - however
that seems to be incorrect. Although the NVD patch also solves a
vulnerability, it solves a different CVE (CVE-2023-39353), not this.
[1]: https://security-tracker.debian.org/tracker/CVE-2023-39350
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
f0e689ff4d
freerdp: patch CVE-2022-39320
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-39320
Take the patch that Debian has determined[1] to solve the issue.
[1]: https://security-tracker.debian.org/tracker/CVE-2022-39320
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
8cea479b35
freerdp: mark CVE-2022-39317 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-39317
Both Ubuntu[1] and Red Hat[2] confirm that this vulnerability is
fixed by the same patch as CVE-2022-39316.
Therefore add this CVE ID to the patch's tag also.
[1]: https://ubuntu.com/security/CVE-2022-39317
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=2143643
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
af8f2af56b
freerdp: patch CVE-2022-39282
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-39282
Pick the patch whose description matches the CVE description.
(Debian also considers the same patch[1] the fix)
[1]: https://security-tracker.debian.org/tracker/CVE-2022-39282
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
ee510136eb
freerdp: patch CVE-2022-24883
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-24883
Pick the patch that is mentioned in the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Ankur Tyagi
f4ed05a423
influxdb: ignore CVE-2024-30896
...
As mentioned in the comment[1], vulnerability is in
/api/v2/authorizations API which only exists in 2.x, 1.x is not affected.
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30896
[1] https://github.com/influxdata/influxdb/issues/24797#issuecomment-2514690740
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 2f1d7a8597 )
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari
b1794b6239
boinc-client: mark CVE-2013-2018 patched
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2013-2018
According to oss-security email[1], version 7.0.45 included
the fixes[2][3][4]
[1]: https://www.openwall.com/lists/oss-security/2013/04/29/11
[2]: https://github.com/BOINC/boinc/commit/6e205de096da83b12ffb2f0183b43e51261eb0c4
[3]: https://github.com/BOINC/boinc/commit/e8d6c33fe158129a5616e18eb84a7a9d44aca15f
[4]: https://github.com/BOINC/boinc/commit/ce3110489bc139b8218252ba1cb0862d69f72ae3
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 2a78ad8813 )
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-30 18:59:28 +01:00
Gyorgy Sarvari
4ccb9bf4ac
raptor2: patch CVE-2024-57823
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-57822
Pick the patch mentioned in the related github issue[1].
The issue contains fixes for 2 issues, but only the second
patch is related to this vulnerability.
[1]: https://github.com/dajobe/raptor/issues/70
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-20 18:22:02 +01:00
Gyorgy Sarvari
542c269b5a
raptor2: patch CVE-2024-57822
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-57822
Pick the patch mentioned in the related github issue[1].
The issue contains fixes for 2 issues, but only the first
patch is related to this vulnerability.
[1]: https://github.com/dajobe/raptor/issues/70
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-20 18:22:01 +01:00
Gyorgy Sarvari
f3af7f8f02
raptor2: patch CVE-2020-25713
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-25713
Pick the git commit that is mentioned as a solution in the related bug[1]
from the NVD advisory.
[1]: https://bugs.librdf.org/mantis/view.php?id=650
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-20 18:22:00 +01:00
Gyorgy Sarvari
7b4d42c640
raptor2: patch CVE-2017-18926
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-18926
NVD advisory mentions the original announcement on oss-security
mailing list[1]. This mentions a bug link[2] related to this
vulnerability. The bug mentions the revision of the fix - pick
that patch from the project's git repository.
[1]: https://www.openwall.com/lists/oss-security/2017/06/07/1
[2]: https://bugs.librdf.org/mantis/view.php?id=617
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-20 18:21:58 +01:00
Peter Marko
7d4507f226
libsodium: patch CVE-2025-69277
...
Pick patch per [1].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69277
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-12 13:48:02 +01:00
Jeroen Hofstee
ab68fc6dd9
php: ignore CVE-2024-3566
...
CVE-2024-3566 only affects Microsoft Windows.
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d68c56e1ed )
Adapted to Kirkstone.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
80ed7802ad
spitools: upgrade 1.0.1 -> 1.0.2
...
This is a bugfix release, with some ioctl handling fixes.
Changelog:
- Adjust the handling of SPI_IOC_RD_LSB_FIRST ioctl call
- Parameter for SPI_IOC_WR_LSB_FIRST ioctl is {0, 1}.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
bd17a0d132
tree: upgrade 2.0.2 -> 2.0.4
...
Changelog:
2.0.4:
- Fix missing comma in JSON output.
2.0.3:
- Fix segfault when filelimit is used and tree encounters a directory it
cannot enter.
- Use += when assigning CFLAGS and LDFLAGS in the Makefile allowing
them to be modified by environment variables during make. (Ben Brown)
Possibly assumes GNU make.
- Fixed broken -x option (stops recursing.)
- Fix use after free (causing segfault) for dir/subdir in list.c
- Fixes for .gitignore functionality
- Fixed * handling in patmatch. Worked almost like ** before, now properly
stops at /'s. These issues were the result of forgetting that patmatch()
was just to match filenames to patterns, not paths.
- Patterns starting with / are actually relative to the .gitignore file,
not the root of the filesystem, go figure.
- Patterns without /'s in .gitignore apply to any file in any directory
under the .gitignore, not just the .gitignore directory
- Remove "All rights reserved" from copyright statements. A left-over from
tree's original artistic license.
- Add in --du and --prune to --help output
- Fixed segfault when an unknown directory is given with -X
- Fixed output up for -X and -J options.
- Remove one reference to strnlen which isn't necessary since it may not
be available on some OS's.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
3f9744d6b2
usb-modeswitch: upgrade 2.6.0 -> 2.6.2
...
Changelog:
2.6.2:
- Bug in C code (with gcc 1.5) fixed
2.6.1:
- Wrapper now handles devices with non-continuous interface numbering:
www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?f=2&t=2915&p=19605
- catch error with retrieving the active configuration, exit gracefully:
https://bugs.launchpad.net/bugs/1880191
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
ecf59eb1a1
xdg-user-dirs: upgrade 0.17 -> 0.18
...
Changelog:
- Fixed minor leak
- Documentation fixes
- Updated translations
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Sanjay Chitroda
672f5f28e8
recipes-core/toybox: Switch SRC_URI to HTTPS for reliable fetch
...
The upstream site (landley.net) serves inconsistent content when using HTTP,
causing checksum mismatches during do_fetch. Using HTTPS ensures stable
downloads and resolves checksum failures.
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
3dc63bce4d
nodejs: ignore CVE-2024-36137
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36137
The vulnerability affects the permission model, which was introduced[1]
in v20 - the recipe version isn't vulnerable yet.
[1]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
e88e353f30
nodejs: ignore CVE-2024-3566 and CVE-2024-36138
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-3566
https://nvd.nist.gov/vuln/detail/CVE-2024-36138
These vulnerabilities affect Windows only.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Peter Marko
9e38c37a62
sassc: ignore CVE-2022-43357
...
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
Its usual use case is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.
[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
are not present in this repository.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] https://github.com/sass/libsass/issues/3177
[3] https://github.com/sass/libsass/pull/3184
[4] https://github.com/sass/sassc/
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 576b84263b )
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Kirkstone has also the fixed libsass version (3.6.6), the CVE can
be considered fixed.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
8e69851e6d
nodejs: patch CVE-2024-27983
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-27983
Pick the patch that mentions this CVE ID explicitly in its commit message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
ab83c61385
nodejs: ignore CVE-2024-22017
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-22017
The vulnerability is related to the io_uring usage of libuv.
Libuv first introduced io_uring support in v1.45[1].
oe-core ships a non-vulnerable version (1.44.2), and nodejs
vendors also an older version (1.43).
Mark this CVE as ignored for this recipe version.
[1]: https://github.com/libuv/libuv/commit/d2c31f429b87b476a7f1344d145dad4752a406d4
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
f9ed3b8197
nodejs: patch CVE-2023-39333
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333
Backport the patch that mentions this CVE ID explicitly in its
commit message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
04f577d527
nodejs: ignore CVE-2023-30583, CVE-2023-30584 and CVE-2023-30587
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583
https://nvd.nist.gov/vuln/detail/CVE-2023-30584
https://nvd.nist.gov/vuln/detail/CVE-2023-30587
None of these vulnerabilities are present in the recipe version.
CVE-2023-30583: While the main feature (blob) was introduced in v16, the vulnerable
code (load blobs from file) was introduced in v20[1], and as such,
the vulnerability is not present in the recipe version.
CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission model) was
introduced[2] in v20.
Ignore these CVE IDs.
[1]: https://github.com/nodejs/node/commit/950cec4c2642c15e2913f35babadda56c1d8a723
[2]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
9608348824
fio: ignore CVE-2025-10824
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824
The upstream maintainer wasn't able to reproduce the issue[1],
and the related bug is closed without further action.
[1]: https://github.com/axboe/fio/issues/1981
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a275078cbe )
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_STATUS)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
15750d5584
atop: patch CVE-2025-31160
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-31160
Backport the patch whose subject references the CVE id explicitly.
I was able to verify the patch with a reproducer[1] (which is mentioned
in a reference[2] in the nvd report). Without the patch atop crashed,
with the patch it worked fine (both with and without -k/-K flags).
[1]: https://blog.bismuth.sh/blog/bismuth-found-the-atop-bug
[2]: https://gist.github.com/kallsyms/3acdf857ccc5c9fbaae7ed823be0365e
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
f3df89aedb
php: upgrade 8.1.33 -> 8.1.34
...
Comes with fixes for CVE-2025-14177, CVE-2025-14178 and CVE-2025-14180
Changelog:
- Curl: Fix curl build and test failures with version 8.16.
- Opcache: Reset global pointers to prevent use-after-free in zend_jit_status().
- PDO: Fixed: PDO quoting result null deref. (CVE-2025-14180)
- Standard:
* Fixed: Null byte termination in dns_get_record().
* Fixed: Heap buffer overflow in array_merge(). (CVE-2025-14178)
* Fixed: Information Leak of Memory in getimagesize. (CVE-2025-14177)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
d618b8dc84
xmlsec1: update SRC_URI
...
The tarball was moved to a subfolder. Adapt the SRC_URI.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
dcf2b5030d
softhsm: correct SRC_URI branch
...
The develop branch doesn't exist anymore. The fetched commit is on the main branch.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
11b7fe9a91
thrift: fix SRC_URI
...
The tarball was moved to an archive server, so the link stopped
working. Update it to the new location.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
feb9c53544
srecord: fix SRC_URI
...
The tarball was moved to a new folder in the SourceForge project,
and the original convenience link stopped working.
Use the direct link instead.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
02422765c6
pcp: switch SRC_URI to git
...
The original link stopped working.
I have compared the original tarball's content with this revision: the contents
are bit-identical to each other. The only difference is that the original
tarball came with an extra "debian/control" file which is not present in
the git repository, but it is not used for compiling.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
0ac70cf0bb
tcsh: update SRC_URI
...
The tarball was moved to a new subfolder, making do_fetch fall back to a mirror.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
75080e6708
hunspell: patch CVE-2019-16707
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-16707
Pick the patch that resolves the Github issue[1] that tracked
this vulnerability.
[1]: https://github.com/hunspell/hunspell/issues/624
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
6ba8215d31
smarty: patch CVE-2023-28447
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28447
Pick the patch that is referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Ankur Tyagi
2acc0c3720
smarty: update CVE_PRODUCT
...
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit ceadb83fcf )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:02 +01:00
Gyorgy Sarvari
a5ac9b82bd
smarty: patch CVE-2018-25047
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2018-25047
Pick the patch that resolved the issue referenced in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:02:57 +01:00
Emil Kronborg Andersen
f642e61588
snappy: add CVE_PRODUCT
...
If CVE_PRODUCT is not explicitly set to google:snappy, CVEs are
found for https://github.com/KnpLabs/snappy instead.
Signed-off-by: Emil Kronborg Andersen <emkan@prevas.dk >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit b888130e95 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-25 15:09:15 +01:00