Hugo SIMELIERE (Schneider Electric)
f1d78e9527
dnsmasq: Fix CVE-2026-5172
...
Pick patch from [1], dnsmasq 2.90 Debian bookworm patches.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-5172.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:21 +05:30
Hugo SIMELIERE (Schneider Electric)
7dda8e9bd7
dnsmasq: Fix CVE-2026-4893
...
Pick patch from [1], dnsmasq 2.90 Debian bookworm patches.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4893.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:20 +05:30
Hugo SIMELIERE (Schneider Electric)
e614003e0a
dnsmasq: Fix CVE-2026-4892
...
Pick patch from [1], dnsmasq 2.90 Debian bookworm patches.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4892.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:20 +05:30
Hugo SIMELIERE (Schneider Electric)
cab6f6c603
dnsmasq: Fix CVE-2026-4891
...
Pick patch from [1], dnsmasq 2.90 Debian bookworm patches.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4891.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:19 +05:30
Hugo SIMELIERE (Schneider Electric)
59f8c396f9
nss: Fix CVE-2026-2781
...
Pick patch from [1], the 3.9X upstream-mirror backport of [2], as mentioned in the Debian report [3].
[1] https://github.com/nss-dev/nss/commit/870d3b013e6b39540d14e67b3db89da5a96381bf
[2] https://hg-edge.mozilla.org/projects/nss/rev/245385e16fa6
[3] https://security-tracker.debian.org/tracker/CVE-2026-2781
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com >
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 09:56:15 +05:30
Theo Gaige
7acc744194
dash: fix CVE-2026-31323
...
Backport upstream fix for CVE-2026-31323 [1].
[1] https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3
Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:48 +05:30
Hitendra Prajapati
a587f53a0e
strongswan: fix for CVE-2026-35334
...
Pick patch according to [1]
[1] https://download.strongswan.org/security/CVE-2026-35334
[2] https://www.strongswan.org/blog/2026/04/22/strongswan-vulnerability-(cve-2026-35334).html
[3] https://security-tracker.debian.org/tracker/CVE-2026-35334
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:48 +05:30
Sudhir Dumbhare
9f70f8d461
libssh: set status for CVE-2025-14821
...
The vulnerability is Windows-specific and depends on loading
configuration from C:\etc, which does not apply to Linux/Yocto builds.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-14821
https://github.com/advisories/GHSA-5jf9-8f86-jhvw
https://www.libssh.org/security/advisories/CVE-2025-14821.txt
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:48 +05:30
Ankur Tyagi
797f2baebe
nanomsg: upgrade 1.2.1 -> 1.2.2
...
Changelog:
https://github.com/nanomsg/nanomsg/releases/tag/1.2.2
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:47 +05:30
Ankur Tyagi
c756576c1c
postfix: upgrade 3.8.12 -> 3.8.16
...
3.8.13
http://www.postfix.org/announcements/postfix-3.10.6.html
3.8.14
http://www.postfix.org/announcements/postfix-3.10.7.html
3.8.15
http://www.postfix.org/announcements/postfix-3.10.8.html
3.8.16
http://www.postfix.org/announcements/postfix-3.11.2.html
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:47 +05:30
Ankur Tyagi
100da99a04
lcms: patch CVE-2026-42798
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-42798
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:46 +05:30
Ankur Tyagi
49a682f2ed
lcms: patch CVE-2026-41254
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254
Backport the patches referenced by the NVD advisory.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:46 +05:30
Ankur Tyagi
fdd887bc29
frr: patch CVE-2026-28532
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-28532
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:45 +05:30
Ankur Tyagi
764a8f2154
firewalld: upgrade 1.3.2 -> 1.3.4
...
https://github.com/firewalld/firewalld/releases/tag/v1.3.3
https://github.com/firewalld/firewalld/releases/tag/v1.3.4
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:45 +05:30
Liyin Zhang
9f64ff03f5
apache2: upgrade 2.4.66 -> 2.4.67
...
Security fixes:
- CVE-2026-34059
- CVE-2026-34032
- CVE-2026-33857
- CVE-2026-33523
- CVE-2026-33007
- CVE-2026-33006
- CVE-2026-29169
- CVE-2026-29168
- CVE-2026-28780
- CVE-2026-24072
- CVE-2026-23918
See: https://archive.apache.org/dist/httpd/CHANGES_2.4.67
Signed-off-by: Liyin Zhang <liyin.zhang.cn@windriver.com >
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:44 +05:30
Ankur Tyagi
92b5798115
exiftool: ignore CVE-2026-7580
...
The impacted function mentioned in the nvd[1] was introduced in v12.82[2],
hence we can ignore this CVE.
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-7580
[2] https://github.com/exiftool/exiftool/commit/280a7f0db71b5887be492d57723723cb196ad2f9
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:44 +05:30
Jason Schonberg
5fe0fb19e7
php: upgrade 8.2.30 -> 8.2.31
...
This is a security release.
Changelog: https://www.php.net/ChangeLog-8.php#8.2.31
Signed-off-by: Jason Schonberg <schonm@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:43 +05:30
Het Patel
90a0e3bf89
open-vm-tools: Add entry to CVE_PRODUCT to support the product name
...
- Added 'vmware:open_vm_tools' to CVE_PRODUCT to align with the NVD
CPE and ensure accurate CVE reporting.
Signed-off-by: Het Patel <hetpat@cisco.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 9b69587ecb )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:43 +05:30
Het Patel
aaa594e19e
onig: Add CVE_PRODUCT to support product name
...
- Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE
reporting.
Signed-off-by: Het Patel <hetpat@cisco.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7bc5268662 )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:43 +05:30
Het Patel
9500d05195
abseil-cpp: Add CVE_PRODUCT to support product name
...
- Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE
reporting.
Signed-off-by: Het Patel <hetpat@cisco.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit a428ea90c0 )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:42 +05:30
Gyorgy Sarvari
3fd10def49
python3-ecdsa: set CVE_PRODUCT
...
Set the correct CVE_PRODUCT value; the default python:ecdsa doesn't
match relevant entries.
The correct values were taken from the CVE db, by checking which CVEs
are relevant.
See CVE db query:
sqlite> select * from products where product like '%ecdsa%';
CVE-2019-14853|python-ecdsa_project|python-ecdsa|||0.13.3|<
CVE-2019-14859|python-ecdsa_project|python-ecdsa|||0.13.3|<
CVE-2020-12607|antonkueltz|fastecdsa|||2.1.2|<
CVE-2021-43568|starkbank|elixir_ecdsa|1.0.0|=||
CVE-2021-43569|starkbank|ecdsa-dotnet|1.3.2|=||
CVE-2021-43570|starkbank|ecdsa-java|1.0.0|=||
CVE-2021-43571|starkbank|ecdsa-node|1.1.2|=||
CVE-2021-43572|starkbank|ecdsa-python|||2.0.1|<
CVE-2022-24884|ecdsautils_project|ecdsautils|||0.4.1|<
CVE-2024-21502|antonkueltz|fastecdsa|||2.3.2|<
CVE-2024-23342|tlsfuzzer|ecdsa|||0.18.0|<=
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 7f962ef155 )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:42 +05:30
Peter Marko
6b76759967
python-grpcio(-tools): add grpc:grpc to cve product
...
These grpc python modules contain parts of grpc core.
Each CVE needs to be assessed to check whether the patch also applies to the core parts
included in each module.
Note that so far there was never a CVE specific to the python module, only
for grpc:grpc, and many of those needed to be fixed at least in grpcio:
sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product;
grpc|grpc|21
grpck|grpck|1
linuxfoundation|grpc_swift|9
microsoft|grpconv|1
opentelemetry|configgrpc|1
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit f993cb2ecb )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:41 +05:30
Hitendra Prajapati
fb4ebd1200
wireshark: fix for CVE-2025-13946
...
Pick patch from [1], also mentioned in the NVD report in [2]
[1] https://gitlab.com/wireshark/wireshark/-/issues/20884
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13946
[3] https://security-tracker.debian.org/tracker/CVE-2025-13946
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-21 08:57:37 +05:30
Khem Raj
ae7dfb1224
jq: Stick to C17 until next release
...
Patches are sprinkled in the master branch of jq but the backports
regress tests, so it's better to keep it at C17 for now.
Backport: changed from += to :append to apply to all target, native
and nativesdk builds.
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Cc: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-05-05 06:57:17 +05:30
Mikko Rapeli
a9b7af632e
onig: fix gcc 15 build
...
With backport from upstream 6.9.10.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 12:56:07 +05:30
Ankur Tyagi
964065663c
jq: patch CVE-2026-39979
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979
Ptests passed:
root@qemux86:~# ptest-runner jq
START: ptest-runner
2026-04-26T11:09
BEGIN: /usr/lib/jq/ptest
PASS: optionaltest
PASS: mantest
PASS: jqtest
PASS: onigtest
PASS: shtest
PASS: utf8test
PASS: base64test
=== Test Summary ===
TOTAL: 7
PASSED: 7
FAILED: 0
SKIPPED: 0
DURATION: 44
END: /usr/lib/jq/ptest
2026-04-26T11:10
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
6cbaf81a01
jq: patch CVE-2026-33948
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
18de8de0ef
jq: patch CVE-2026-33947
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
9bdfbd20b2
jq: patch CVE-2026-32316
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Hitendra Prajapati
fdf83ebd28
python3-pillow: fix CVE-2026-40192
...
Backport commit [1], which fixes this vulnerability as mentioned in the NVD report in [2].
[1] https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-40192
[3] https://security-tracker.debian.org/tracker/CVE-2026-40192
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
955189fbcb
libssh: Fix CVE-2026-0965
...
Backport the patch [1] as mentioned in [2]
[1] https://git.libssh.org/projects/libssh.git/commit/?id=bf390a042623e02abc8f421c4c5fadc0429a8a76
[2] https://security-tracker.debian.org/tracker/CVE-2026-0965
Ptests passed:
root@qemux86:~# ptest-runner libssh
START: ptest-runner
2026-04-28T04:44
BEGIN: /usr/lib/libssh/ptest
...
...
DURATION: 269
END: /usr/lib/libssh/ptest
2026-04-28T04:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
0f64da2ab9
libssh: patch CVE-2026-0967
...
Backport patch [1] as mentioned in [2]
[1] https://git.libssh.org/projects/libssh.git/commit/?id=6d74aa6138895b3662bade9bd578338b0c4f8a15
[2] https://security-tracker.debian.org/tracker/CVE-2026-0967
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
015b974b6b
libssh: patch CVE-2026-0968
...
Backport patches [1] and [2] as mentioned in [3]
[1] https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9
[2] https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03
[3] https://security-tracker.debian.org/tracker/CVE-2026-0968
Certain functions from sftp.c were moved to a new file, sftp_common.c,
in version 0.11.0 by the following commit:
https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a
This is the backport of the changes using the original file sftp.c.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Gyorgy Sarvari
5ce7602ce1
corosync: patch CVE-2026-35092
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092
Pick the patch that mentions the CVE ID explicitly (the same commit
was identified by Debian also [1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35092
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit af73e716bc )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Gyorgy Sarvari
985cc4d384
corosync: patch CVE-2026-35091
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091
Pick the patch that mentions the CVE ID explicitly (it was identified
by Debian also as the fix [1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35091
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 701b22fda3 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
9a19b0f3cb
opensc: patch CVE-2025-66215
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66215
Backport the patches referenced by the PR[1] mentioned in the nvd.
Dropped the formatting commit from the backport.
[1] https://github.com/OpenSC/OpenSC/pull/3436
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
91858e7ff9
opensc: patch CVE-2025-66038
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66038
Backport the patch referenced by the wiki[1] mentioned in the nvd.
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
a02592adda
opensc: patch CVE-2025-66037
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66037
Backport the patch referenced by the wiki[1] mentioned in the nvd.
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Ankur Tyagi
886f7d221a
opensc: patch CVE-2025-49010
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49010
Backport the patch referenced by the wiki[1] mentioned in the nvd.
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Gyorgy Sarvari
22a2ae9646
openjpeg: patch CVE-2026-6192
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192
Backport the patch referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com >
(cherry picked from commit 09050325e6 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Daniel Turull
383ff86953
jq: fix CVE-2026-40164
...
Backport patch to fix CVE-2026-40164.
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Hitendra Prajapati
7ba6689d13
nginx: fix CVE-2026-32647
...
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160366
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647
[3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Khem Raj
bed3ecfe03
krb5: Backport additional fixes to build on clang
...
Enabling additional warnings tightens the function prototype checks,
and clang goes a step ahead to flag void foo() as well; it should be
void foo(void).
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Cc: Martin Jansa <martin.jansa@gmail.com >
(cherry picked from commit 37cc472e44 )
Signed-off-by: Deepak Rathore <deeratho@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Michael Opdenacker
32081787dc
kernel-hardening-checker: update 0.6.10.2 -> 0.6.17.1
...
Following the update on master.
This version reports more hardening issues:
128 "failures" instead of 113 on the same kernel.
Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Gyorgy Sarvari
0febf2f87d
python3-tornado: set CVE_PRODUCT
...
The default "python:tornado" CVE_PRODUCT doesn't match relevant CVEs, because
the project's CPE is "tornadoweb:tornado".
See cve db query (docmosis is an irrelevant vendor):
sqlite> select * from products where PRODUCT = 'tornado';
CVE-2012-2374|tornadoweb|tornado|||2.2|<=
CVE-2012-2374|tornadoweb|tornado|1.0|=||
CVE-2012-2374|tornadoweb|tornado|1.0.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.2|=||
CVE-2012-2374|tornadoweb|tornado|1.2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.0|=||
CVE-2012-2374|tornadoweb|tornado|2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.1.1|=||
CVE-2014-9720|tornadoweb|tornado|||3.2.2|<
CVE-2023-25264|docmosis|tornado|||2.9.5|<
CVE-2023-25265|docmosis|tornado|||2.9.5|<
CVE-2023-25266|docmosis|tornado|||2.9.5|<
CVE-2023-28370|tornadoweb|tornado|||6.3.2|<
CVE-2024-42733|docmosis|tornado|||2.9.7|<=
CVE-2024-52804|tornadoweb|tornado|||6.4.2|<
CVE-2025-47287|tornadoweb|tornado|||6.5.0|<
CVE-2025-67724|tornadoweb|tornado|||6.5.3|<
CVE-2025-67725|tornadoweb|tornado|||6.5.3|<
CVE-2025-67726|tornadoweb|tornado|||6.5.3|<
Set the CVE_PRODUCT accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 139cc15de3 )
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Libo Chen
c40989630d
hdf5: fix CVE-2025-6857
...
According to [1], a vulnerability has been found in HDF5 1.14.6 and
classified as problematic. Affected by this vulnerability is the function
H5G__node_cmp3 of the file src/H5Gnode.c. The manipulation leads to
stack-based buffer overflow. It is possible to launch the attack on the
local host. The exploit has been disclosed to the public and may be used.
Backport patch [2] from upstream to fix CVE-2025-6857.
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6857
[2] https://github.com/HDFGroup/hdf5/commit/a8ceb1d95bb997f548c1129363dad53c18540096
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Libo Chen
4ab556ad1e
hdf5: fix CVE-2025-2308
...
According to [1], a vulnerability, which was classified as critical, was
found in HDF5 1.14.6. This affects the function
H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter.
The manipulation leads to heap-based buffer overflow. An attack has to be
approached locally. The exploit has been disclosed to the public and may be
used. The vendor plans to fix this issue in an upcoming release.
Backport patch [2] from upstream to fix CVE-2025-2308.
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2308
[2] https://github.com/HDFGroup/hdf5/commit/2ce7fdc4cf147d280aa6d49686297faacc250e40
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Gyorgy Sarvari
a26a769011
nginx: set CVE_PRODUCT
...
nginx has a long history, and has used multiple CPEs
over time. Set CVE_PRODUCT to reflect current and historic
vendor:product pairs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit d25aadbbb5 )
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Zahir Hussain
6f90f29b18
rocksdb: packageconfig knob for set static library option
...
Adding a PACKAGECONFIG knob to enable/disable the static library option.
It is just a follow-up change to the previous commit
https://git.openembedded.org/meta-openembedded/commit/?h=scarthgap&id=72018ca1b1a471226917e8246e8bbf9a374ccf97
and these changes are also already accepted and integrated in the kirkstone branch.
Signed-off-by: Zahir Hussain <zahir.basha@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:29 +05:30
Naman Jain
098a230565
imagemagick: Fix CVEs
...
Fix the following CVEs:
CVE-2026-24481 CVE-2026-25638 CVE-2026-25794 CVE-2026-25795
CVE-2026-25796 CVE-2026-25797 CVE-2026-25798 CVE-2026-25799
CVE-2026-25897 CVE-2026-25898 CVE-2026-25965 CVE-2026-25966
CVE-2026-25967 CVE-2026-25968 CVE-2026-25969 CVE-2026-25970
CVE-2026-25982 CVE-2026-25985 CVE-2026-25986 CVE-2026-25987
CVE-2026-25988 CVE-2026-26066 CVE-2026-26283 CVE-2026-26284
CVE-2026-26983
Signed-off-by: Naman Jain <namanj1@kpit.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-29 10:14:24 +05:30