Gyorgy Sarvari
f6c6cdce9d
iptraf-ng: patch CVE-2024-52949
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-52949
Pick the commit that mentions the CVE in its description.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 16071ef98f)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Ankur Tyagi
fd052187ac
hdf5: patch CVE-2025-2926
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2926
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Ankur Tyagi
3c45985620
freerdp3: patch CVE-2025-4478
...
Details https://nvd.nist.gov/vuln/detail/CVE-2025-4478
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Ankur Tyagi
e2bf6a8064
botan: patch CVE-2024-50382 and CVE-2024-50383
...
Same patch fixes both vulnerabilities.
Details:
https://nvd.nist.gov/vuln/detail/CVE-2024-50382
https://nvd.nist.gov/vuln/detail/CVE-2024-50383
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
2d31b3897f
libwmf: patch CVE-2016-9011
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2016-9011
Pick the patch that explicitly mentions the vulnerability ID.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
41d4d6c022
libwmf: patch CVE-2015-4696
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2015-4696
Pick the patch that mentions the vulnerability ID explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
ee90f2d75e
libwmf: patch CVE-2015-4695
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2015-4695
Pick the commit that explicitly mentions the vulnerability ID.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
dbc98a00eb
libwmf: patch CVE-2015-0848 and CVE-2015-4588
...
Details:
https://nvd.nist.gov/vuln/detail/CVE-2015-0848
https://nvd.nist.gov/vuln/detail/CVE-2015-4588
Pick the commit that mentions the CVE IDs explicitly.
The same patch fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
786bad8097
libwmf: add missing CVE tag to patch
...
CVE-2006-3376 is already patched, but the patch is missing
the required CVE tag, so the cve-checker misses it.
This patch adds the tag.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
f5701506eb
libwmf: add proper CVE tag to patch
...
CVE-2009-1364 is already patched, but the patch didn't contain
the necessary tag so the cve-checker didn't pick it up.
This change adds the required tag.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
7435780bbe
webmin: patch CVE-2022-0829
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0829
Pick the patch from the nvd report details.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 80b5365780)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
0c7d961f95
webmin: patch CVE-2022-0824
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0824
Pick the patch mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit b4c4f0c525)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
3601d99c9e
webmin: patch CVE-2019-15642
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-15642
Pick the patch mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 241abdec12)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
e64c857b02
webmin: patch CVE-2017-17089
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-17089
Pick the patch referenced in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 85933945fb)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
9655a3d880
webmin: patch CVE-2017-15644, CVE-2017-15645 and CVE-2017-15646
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15644
https://nvd.nist.gov/vuln/detail/CVE-2017-15645
https://nvd.nist.gov/vuln/detail/CVE-2017-15646
Pick the patch mentioned in the nvd report (same patch is marked to
fix all three vulnerabilities).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 4c602e88b9)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:56 +05:30
Gyorgy Sarvari
e8eea380c9
apache2: ignore CVE-2025-3891
...
The vulnerability was reported against mod_auth_openidc, which module
is a 3rd party one, and not part of the apache2 source distribution.
The affected module is not part of the meta-oe universe currently,
so ignore the CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 11fc309ae9)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:55 +05:30
Khem Raj
d55fea5d43
libforms: Remove buildpaths from fd2ps and fdesign scripts
...
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 181409fef4)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:55 +05:30
alperak
edb76382f0
pcp: Fix contains reference to TMPDIR [buildpaths] warnings
...
WARNING: pcp-6.0.5-r0 do_package_qa: QA Issue: File /etc/pcp.conf in package pcp contains reference to TMPDIR [buildpaths]
WARNING: pcp-6.0.5-r0 do_package_qa: QA Issue: File /usr/include/pcp/builddefs in package pcp-dev contains reference to TMPDIR [buildpaths]
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e7053ca6b6)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:55 +05:30
Gyorgy Sarvari
65b4b21110
rsyslog: set status for CVE-2015-3243
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3243
The issue is about file permissions: by default rsyslog creates world-readable
files. In case a log message contains some sensitive information, then that's
exposed to every user on the system.
However the rsyslog.conf file that is shipped with the recipe solves it: it
already sets non-world-readable default permissions on all files, so this
vulnerability is fixed in the default OE recipe.
See also this package in OpenSuse[1], where it is solved the same way.
[1]: https://build.opensuse.org/requests/619439/changes (rsyslog.conf.in)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-19 08:46:50 +05:30
Michael Wyraz
55d4df5300
python3-passlib: add python3-misc as a dependency
...
python3-passlib requires 'timeit' at runtime which is part of python3-misc
Issue #1001
Signed-off-by: Michael Wyraz <mw@brick4u.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 82f17c4afe)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 13:52:41 +05:30
Michael Wyraz
11d30147cb
python3-transitions: add native support
...
Issue #997
Signed-off-by: Michael Wyraz <mw@brick4u.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ac8e1757ad)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 13:52:41 +05:30
Michael Wyraz
ac810a91ee
python3-passlib: add native support
...
Issue #998
Signed-off-by: Michael Wyraz <mw@brick4u.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d786d02d22)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 13:52:14 +05:30
Peter Marko
23c3bdefbe
squid: patch CVE-2025-62168
...
Pick commit mentioned in NVD CVE report.
Conflict in src/errorpage.cc resolved per patch from Debian bookworm.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 11:50:20 +05:30
Jiaying Song
6b689aa132
minifi-cpp: fix python shebang in minifi-python
...
Replace '/usr/bin/env python' with '/usr/bin/env python3' in the scripts
under ${libexecdir}/minifi-python.
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 11:50:20 +05:30
Peter Marko
9e96944f42
rtmpdump: mark CVE-2015-8270, CVE-2015-8271 and CVE-2015-8272 as fixed
...
This CVE is marked as fixed by Debian.
Extracting Debian jessie Debian sources [1] shows 4 commits used for
backports. All these commits are already included in current hash
([2]-[5]).
../tmp/work/core2-64-poky-linux/rtmpdump/2.4/git$ git log | grep 'commit \(10b580aabcec1621b25518271ba1ab2b018be88e\|...\|4312322107a94c81d3ec5b98f91bc6b923551dc5\)'
commit 530f9bb2a02a78c1198fb2bf0293a12d225e4691
commit 4312322107a94c81d3ec5b98f91bc6b923551dc5
commit 39ec7eda489717d503bc4cbfaa591c93205695b6
commit 10b580aabcec1621b25518271ba1ab2b018be88e
[1] https://snapshot.debian.org/archive/debian/20170704T094954Z/pool/main/r/rtmpdump/rtmpdump_2.4%2B20150115.gita107cef-1%2Bdeb8u1.debian.tar.xz
[2] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/10b580aabcec1621b25518271ba1ab2b018be88e
[3] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/39ec7eda489717d503bc4cbfaa591c93205695b6
[4] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/530f9bb2a02a78c1198fb2bf0293a12d225e4691
[5] https://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/4312322107a94c81d3ec5b98f91bc6b923551dc5
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d7758a8d0c)
I performed the above hash verification successfully with the Scarthgap
recipe's revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 11:50:20 +05:30
Peter Marko
1a6b962e47
proftpd: set status of CVE-2001-0027
...
This ancient CVE [1] is unversioned ("*") in NVD DB.
"mod_sqlpw module in ProFTPD does not reset a cached password..."
Looking at history and changelog, the module was removed [2] around
the time when this CVE was published, likely as reaction to this CVE.
"mod_sqlpw.c, mod_mysql.c and mod_pgsql.c have been REMOVED from the
distribution. They are currently unmaintained and have numerous bugs."
Note: It was later re-introduced as mod_sql when it got fixed under
new maintainer.
[1] https://nvd.nist.gov/vuln/detail/CVE-2001-0027
[2] https://github.com/proftpd/proftpd/blob/v1.3.8b/NEWS#L3362
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 03a1b56bc7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 11:50:20 +05:30
Gyorgy Sarvari
03f418d36b
linuxptp: ignore CVE-2024-42861
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-42861
The vulnerability report is considered to be bogus and a non-issue
(or at least not a security issue) by upstream[1] and by major
Linux distros[2][3][4].
[1]: https://lists.nwtime.org/sympa/arc/linuxptp-devel/2024-09/msg00080.html
[2]: Ubuntu: https://ubuntu.com/security/CVE-2024-42861
[3]: Debian: https://security-tracker.debian.org/tracker/CVE-2024-42861
[4]: Suse: https://bugzilla.suse.com/show_bug.cgi?id=1230935
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 11:50:20 +05:30
Peter Marko
da046dd9e0
audiofile: mark CVE-2020-18781 as patched
...
Per [1] this CVE is already patched by commit [2].
This can be also verified with yocto build.
Running without this patch:
root@qemux86-64:~# sfconvert poc.wav output format wave
malloc(): corrupted top size
Aborted
Running with it:
root@qemux86-64:~# sfconvert poc.wav output format wave
Audio File Library: Bad number of coefficients [error 62]
Could not open file 'poc.wav' for reading.
[1] https://github.com/mpruett/audiofile/issues/56
[2] https://github.com/antlarr/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 68f55c158e)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:16:55 +05:30
Gyorgy Sarvari
ab86e1f967
audiofile: patch CVE-2018-13440 and CVE-2018-17059
...
Details:
https://nvd.nist.gov/vuln/detail/CVE-2018-13440
https://nvd.nist.gov/vuln/detail/CVE-2018-17059
The patches have been backported from Debian - upstream
has been inactive for almost a decade by now.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e16a7d11d1)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:16:55 +05:30
Gyorgy Sarvari
5613d8330c
audiofile: patch CVE-2019-13147 and CVE-2022-24599
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-13147
https://nvd.nist.gov/vuln/detail/CVE-2022-24599
These patches are used by opensuse to mitigate the corresponding vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8ef997336a)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:16:55 +05:30
Anuj Mittal
5287390c05
remmina: add DEPENDS on curl
...
remmina has a hard dependency on curl [1]. This doesn't result in an
error on branches with gtk4 because curl gets pulled in via vte ->
gtk4 -> gstreamer-plugins-bad -> curl.
Add an explicit DEPENDS on curl to reflect the dependency.
[1] https://github.com/FreeRDP/Remmina/blob/a8afdd728d215791e3ce2ebc0411569529cd0296/src/CMakeLists.txt#L259
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:16:55 +05:30
Ninette Adhikari
8343ef75dd
redis: Update status for CVE-2022-3734
...
CVE only applies for Windows.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 36bb521a13)
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:16:55 +05:30
Ankur Tyagi
72cf12a3c7
botan: patch CVE-2024-34703
...
Details https://nvd.nist.gov/vuln/detail/CVE-2024-34703
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Yi Zhao
5e2e28b4ab
cryptsetup: upgrade 2.7.4 -> 2.7.5
...
Release Notes:
https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.5-ReleaseNotes
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cf174f190d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Wang Mingyu
df482b962c
cryptsetup: upgrade 2.7.3 -> 2.7.4
...
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a403ed1c3e)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Wang Mingyu
fe68830763
cryptsetup: upgrade 2.7.2 -> 2.7.3
...
Changelog:
============
* Do not allow formatting LUKS2 with Opal SED (hardware encryption)
* Fixes to wiping LUKS2 headers after Opal locking area erase.
* Mention the need for possible PSID revert before Opal format for some
drives (man page).
* Fix Bitlocker-compatible code to ignore newly seen metadata entries.
* Fix interactive query retry if LUKS2 unbound keyslot is present.
* Detect unsupported zoned devices for LUKS header devices.
* Allow "capi" cipher format for benchmark command and fix parsing
of plain IV in "capi" format.
* Add support for HCTR2 encryption mode.
* Source code now uses SPDX license identifiers instead of full
license preambles.
* Fix missing includes for cryptographic backend that could cause
compilation errors for some systems.
* Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
* Fix various (mostly false positive) issues detected by Coverity.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7916a5c55a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Ankur Tyagi
e7e1a613d1
redis: upgrade 6.2.20 -> 6.2.21
...
Changelog:
https://github.com/redis/redis/releases/tag/6.2.21
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Ankur Tyagi
855b23cf2c
redis: upgrade 7.2.11 -> 7.2.12
...
and refresh patches
Changelog:
https://github.com/redis/redis/releases/tag/7.2.12
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 73978fa1ff)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Ankur Tyagi
75cb5178de
redis-plus-plus: upgrade 1.3.11 -> 1.3.12
...
Changelog:
https://github.com/sewenew/redis-plus-plus/releases/tag/1.3.12
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Wang Mingyu
68747f1f7e
feh: upgrade 3.10.2 -> 3.10.3
...
Changelog:
==========
* Fix feh not respecting aspect ratio of thumbnails that are smaller than
--thumb-width and --thumb-height
* Fix --no-recursive behaving like --recursive
* Fix rotation by 180° corrupting images
* Speed up --sort=size and --sort=mtime by caching stat(2) calls
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2775cdb58c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Ankur Tyagi
be9ed1a359
libspiro: upgrade 20221101 -> 20230902
...
Changelog:
https://github.com/fontforge/libspiro/releases/tag/20240902
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Ankur Tyagi
a177472288
jasper: upgrade 4.1.1 -> 4.1.2
...
Changelog:
https://github.com/jasper-software/jasper/releases/tag/version-4.1.2
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:53 +05:30
Wang Mingyu
e6bfce8cf2
openjpeg: upgrade 2.5.3 -> 2.5.4
...
CVE-2025-54874.patch
removed since it's included in 2.5.4
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2cc8169042)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:06 +05:30
Yi Zhao
2327d77ba7
libbpf: upgrade 1.4.6 -> 1.4.7
...
Changelog:
https://github.com/libbpf/libbpf/releases/tag/v1.4.7
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 07cdb574a5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:06 +05:30
Wang Mingyu
e7179ec91a
libbpf: upgrade 1.4.5 -> 1.4.6
...
Changelog:
===========
- BPF skeleton forward compatibility fix
- BTF endianness inheritance bug fix
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5bb9ed684b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:06 +05:30
Wang Mingyu
d8fbe2d5cd
libbpf: upgrade 1.4.3 -> 1.4.5
...
Changelog:
============
- fix BPF skeleton forward/backward compat handling
- detect broken PID filtering logic for multi-uprobe
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9773b1358e)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:06 +05:30
Wang Mingyu
b41189a637
libbpf: upgrade 1.4.2 -> 1.4.3
...
Changelog:
Fix libbpf unintentionally dropping FD_CLOEXEC flag when (internally) duping FDs.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8fc8a8ee0e)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:06 +05:30
Wang Mingyu
0110b3c028
libbpf: upgrade 1.4.0 -> 1.4.2
...
Changelog:
===========
- remove unnecessary struct_ops prog validity check
- handle yet another corner case of nulling out struct_ops program
- fix libbpf_strerror_r() handling unknown errors
- libbpf: improve early detection of doomed-to-fail BPF program loading
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 368ed98e7e)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:06 +05:30
Armin Kuster
ff87862031
audit: fix build when systemd is enabled.
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e68145b002)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:06 +05:30
Shinji Matsunaga
80adc2113c
audit: Fix CVE_PRODUCT
...
Fix "audit" set in CVE_PRODUCT to "linux:audit" to detect only vulnerabilities where the vendor is "linux".
Currently, CVE_PRODUCT also detects vulnerabilities where the vendor is "visionsoft",
which are unrelated to the "audit" in this recipe.
https://www.opencve.io/cve?vendor=visionsoft&product=audit
In addition, all the vulnerabilities currently detected in "audit" have the vendor of "visionsoft" or "linux".
Therefore, fix "audit" set in CVE_PRODUCT to "linux:audit".
Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e87e51da49)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-11-17 10:15:06 +05:30