Commit Graph

36521 Commits

Author SHA1 Message Date
Aviv Daum adb631c144 lldpd: fix xml PACKAGECONFIG dependency
The xml PACKAGECONFIG entry uses libxm2, which is a typo and not a
valid dependency in OE.

Replace it with libxml2 so enabling PACKAGECONFIG:xml pulls in the
correct provider.

Signed-off-by: Aviv Daum <aviv.daum@gmail.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Wang Mingyu 16af6bba7d imapfilter: upgrade 2.8.3 -> 2.8.5
License-Update: copyright year updated to 2026.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 89b961c889)

https://github.com/lefcha/imapfilter/blob/v2.8.5/NEWS

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Wang Mingyu b95d21b7aa jasper: upgrade 4.2.8 -> 4.2.9
Changelog:
- Fixed a bug in the JP2 encoder that caused incorrect handling of
  opacity components in some cases.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 330ecdd2ad)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Gyorgy Sarvari bddcebdc4b libde265: patch CVE-2025-61147
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61147

Backport the patch referenced by the NVD advisory.

Note that this is a partial backport - only the parts that are
used by the application, and without pulling in c++17 headers.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Sujeet Nayak 56f9f2dbd5 libnice: make crypto library configurable via PACKAGECONFIG
Move gnutls from a hard dependency to a PACKAGECONFIG option defaulting
to gnutls. This allows users to select openssl as an alternative crypto
library by setting PACKAGECONFIG.

Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
Signed-off-by: Sujeet Nayak <sujeetnayak1976@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Peter Kjellerstedt 8bf79306ad bpftrace: Update the runtime dependencies
* bash and python3 are only needed by the ptest package.
* xz appears to not be needed at all.

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Mingli Yu 76bea270ec mariadb: Upgrade 11.4.9 -> 11.4.10
Remove 0001-Remove-x86-specific-loop-in-my_convert.patch as it's fixed
in new version [1].

Remove 0001-MDEV-38029-my_tzinfo-t-fails-for-certain-TZ-values-o.patch
as its logic is included in new version [2].

Release note:
https://mariadb.com/docs/release-notes/community-server/11.4/11.4.10

[1] https://github.com/MariaDB/server/commit/470487c
[2] https://github.com/MariaDB/server/commit/a61a746

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Gyorgy Sarvari 6e9eff155e python3-marshmallow: mark CVE-2025-68480 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68480

The vulnerability has been fixed in version 4.1.2[1], however
NVD tracks this CVE without version info. Mark it as patched explicitly.

[1]: https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Gyorgy Sarvari 0efa1d57b6 imagemagick: upgrade 7.1.2-16 -> 7.1.2-17
Contains bugfixes and a couple of CVE fixes:
https://github.com/ImageMagick/ImageMagick/compare/7.1.2-16...7.1.2-17

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Wang Mingyu e4a9ec5350 imagemagick: upgrade 7.1.2-15 -> 7.1.2-16
Changelog:
===========
* client: Fix use-after-free when creating async proxy failed
* daemon: Fix race on subscribers list when on thread
* ftp: Validate fe_size when parsing symlink target
* ftp: Check localtime() return value before use
* CVE-2026-28295: ftp: Use control connection address for PASV data
* CVE-2026-28296: ftp: Reject paths containing CR/LF characters
* gphoto2: Use g_try_realloc() instead of g_realloc()
* cdda: Reject path traversal in mount URI host
* client: Fail when URI has invalid UTF-8 chars
* Some other fixes

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Ankur Tyagi eb76962875 python3-tornado: upgrade 6.5.4 -> 6.5.5
Security fixes including CVE-2026-31958

https://www.tornadoweb.org/en/stable/releases/v6.5.5.html

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Ankur Tyagi dbde84f17b python3-pyjwt: Fix CVE-2026-32597
Details https://nvd.nist.gov/vuln/detail/CVE-2026-32597

Backport commit[1] which fixes this vulnerability as mentioned in changelog[2]

Dropped changes to the changelog, version bump and tests during backport.

[1] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92
[2] https://github.com/jpadilla/pyjwt/blob/2.12.0/CHANGELOG.rst

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Gyorgy Sarvari f38ff6e7d0 capnproto: patch CVE-2026-32239 and CVE-2026-32240
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32239
https://nvd.nist.gov/vuln/detail/CVE-2026-32240

Backport the patch that is referenced by the NVD advisories.
(Same patch for both vulnerabilities)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Ankur Tyagi d7710fb408 php: upgrade 8.4.18 -> 8.4.19
https://www.php.net/ChangeLog-8.php#8.4.19

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Wang Mingyu 62f49bed40 ser2net: upgrade 4.6.6 -> 4.6.7
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 23d4ba6b96)

ser2net is updated to fix some issues in reloading the configuration.
There were some situations that could cause crashes.
The bug was actually in gensio, but a workaround has been added to ser2net for
older versions of gensio.

https://github.com/cminyard/ser2net/releases/tag/v4.6.7

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Gyorgy Sarvari 1e8c1154e3 pcp: fix SRC_URI
The branch where the revision was got deleted, so this is just a floating commit now.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Gyorgy Sarvari b8d1c9b659 hiawatha: fix SRC_URI
The tarball was moved to a new folder on the source server.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Deepak Rathore 92bfb48d4c libssh: Fix CVE-2026-3731
Pick the patches [1] and [2] as mentioned in [3]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8
[2] https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540
[3] https://security-tracker.debian.org/tracker/CVE-2026-3731

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari 0fd2ea7e0b exiv2: patch CVE-2026-27631
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27631

Backport the patches referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari ab099baf93 exiv2: patch CVE-2026-27596
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27596

Backport the commits referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari 18824f8a2d exiv2: patch CVE-2026-25884
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25884

Backport the commits referenced by the NVD advisory.

One of the patches contains some binary data (for test data),
which needs to be applied with git PATCHTOOL.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari 51be807682 ettercap: patch CVE-2026-3603
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3606

Pick the commit that is marked to solve the related GitHub
issue[1]. Its commit message also references the CVE ID explicitly.

[1]: https://github.com/Ettercap/ettercap/issues/1297

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari d7546078a9 python3-django: upgrade 4.2.28 -> 4.2.29
Contains fixes for CVE-2026-25673 and CVE-2026-25674.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari c08b3e9d8f python3-django: upgrade 5.2.11 -> 5.2.12
Ptests passed successfully.

Changelog: https://docs.djangoproject.com/en/6.0/releases/5.2.12/
- Fixed CVE-2026-25673 and CVE-2026-25674
- Fixed NameError when inspecting functions making use of deferred
  annotations in Python 3.14.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Ankur Tyagi dd54c60cb3 zfs: upgrade 2.2.8 -> 2.2.9
Also include tag in the SRC_URI and refreshed patches.

Backported patch 0004-linux-use-sys-stat.h-instead-of-linux-stat.h.patch
to resolve build failure with musl.

Release Notes:
https://github.com/openzfs/zfs/releases/tag/zfs-2.2.9

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari 6f6a7b518e owfs: upgrade 3.2p3 -> 3.2p4
Drop patch that's included in this release.

Changelog:
v3.2p4 is mainly a bugfix & cleanup release.

Enhancements
    Add support for InfernoEmbedded soft-devices (GH-21)

Bug fixes
    Fix bug (GH-55) related to split packet (GH-64)
    Fix copy paste bug (474f06d)
    Add \r to Http header to satisfy RFC2616 specification (GH-20)

Maintenance
    build system cleanup (GH-72, GH-27, GH-16)
    Fix missing files in source distribution (GH-70, GH-69)
    Fix compilation with GCC10 (GH-62)

Minor fixes
    Fix typos (GH-43 GH-23)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 58259850fe)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari ef3c6b8db7 packagegroups: fix foldername
The correct folder name is "packagegroups", not "packageconfigs".

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 93e33ae809)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Liu Yiding 79ff65043e btrfsmaintenance: upgrade 0.5 -> 0.5.2
1.Changelog:
  fix syntax error in run_task, preventing jobs to start
  start scrub jobs sequentially if RAID5 or RAID6 data profile is found
  fix btrfsmaintenance-refresh.service description

2.Update 0001-change-sysconfig-path-to-etc-default.patch for 0.5.2

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7adb1a61d2)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Wang Mingyu 6f989b75a0 postfix: upgrade 3.10.6 -> 3.10.8
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 09cc9579d4)

Release Notes:
https://www.postfix.org/announcements/postfix-3.10.7.html
https://www.postfix.org/announcements/postfix-3.10.8.html

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:08 +05:30
Wang Mingyu e771677d73 libcacard: upgrade 2.8.1 -> 2.8.2
Changelog:
==========
- Sort certificates by underlying objects CKA_ID to provide deterministic
  object order
- Avoid using uninitialized memory
- Improve test coverage and build scripts
- Improve compatibility with modern compilers (avoid strict warnings)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bf0ea3fc28)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:07 +05:30
Ankur Tyagi bcc33ac73b open62541: upgrade 1.3.15 -> 1.3.17
Release Notes:
https://github.com/open62541/open62541/releases/tag/v1.3.17
https://github.com/open62541/open62541/releases/tag/v1.3.16

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:07 +05:30
Liu Yiding 509063a7cc networkmanager-openvpn: upgrade 1.12.3 -> 1.12.5
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fcebca61e5)

Release Notes:
https://github.com/NetworkManager/NetworkManager-openvpn/blob/1.12.5/NEWS

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:06 +05:30
Liu Yiding e8a99f2978 networkmanager: upgrade 1.52.0 -> 1.52.2
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 14c9d10173)

Release Notes:
https://github.com/NetworkManager/NetworkManager/blob/1.52.2/NEWS

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:06 +05:30
Ankur Tyagi a38694da2b nopoll: upgrade 0.4.7.b429 -> 0.4.9.b462
0.4.9
-----
Stable release with bug fixing, support for Debian Buster, Debian Bullseye and Ubuntu Focal
https://github.com/ASPLes/nopoll/blob/master/doc/release-notes/nopoll-0.4.9.txt

0.4.8
-----
Stable release with bug fixing, support for Debian Buster, Debian Bullseye and Ubuntu Focal
https://github.com/ASPLes/nopoll/blob/master/doc/release-notes/nopoll-0.4.8.txt

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:05 +05:30
Jason Schonberg 5672114d58 nopoll: Upgrade to 0.4.7.b429
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5f7c5c6641)

Stable release with bug fixing, support for Debian Stretch and Ubuntu Bionic

Release Notes:
https://github.com/ASPLes/nopoll/blob/master/doc/release-notes/nopoll-0.4.7.txt

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:05 +05:30
Ankur Tyagi 32ad58ec4e frr: upgrade 10.4.2 -> 10.4.3
Release Notes:
https://github.com/FRRouting/frr/releases/tag/frr-10.4.3

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:05 +05:30
Gyorgy Sarvari 467427d3af zabbix: mark CVE-2026-23925 as patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23925

The vulnerability has been fixed since 7.0.18[1], however NVD
tracks this CVE without version information.

[1]: https://github.com/zabbix/zabbix/commit/89dec866ec7f8230b25f06ac000575e3b7bd4025

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:04 +05:30
Gyorgy Sarvari 9f2fe367d8 libjxl: mark CVE-2025-12474 and CVE-2026-1837 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-12474
https://nvd.nist.gov/vuln/detail/CVE-2026-1837

Both CVEs have been fixed in v0.11.2, but NVD tracks these
vulnerabilities without version information.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:04 +05:30
Markus Volk 2216b029ff pipewire: update 1.4.9 -> 1.4.10
PipeWire 1.4.10 (2026-01-16)

This is a small bugfix release that is API and ABI compatible with
previous 1.x releases.

Highlights
  - Fix a regression in restoring volumes on nodes.
  - Clean up timed out stream on pulse-server.
  - Backport filter-graph channel support.
  - More small fixes and improvements.

PipeWire
  - Backport the timer queue from 1.5.

modules
  - Fix module leak in module-eq. (#5045)
  - Fix profiling of multiple drivers when profile.interval.ms is
    set. (#5061)
  - Allow both sink and source pulse tunnels with the same name.
    (#5079)

SPA
  - Emit props events in all cases. (#4610)
  - Backport some filter-graph changes to make it adapt better to the
    number of channels of the stream.
  - Fix some port errors in filter-graph. (#4700)
  - Avoid a memcpy in the convolver.
  - Handle some DBus errors better instead of crashing.
  - Fix AVX2 functions and flags. (#5072)
  - Limit resampler phases to avoid crashes (#5073)
  - Support some more channel downmix positions.

pulse-server
  - Clean up timed out streams. (#4901)
  - Add message to force mono mixdown.

GStreamer
  - Avoid scaling overflow in the clock.

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b7bd06e9b4)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:03 +05:30
Gyorgy Sarvari b4c7c6ca2a libmediaart-2.0: upgrade 1.9.6 -> 1.9.7
This is a bugfix release, fixing some memory leaks and compiler warning
(and it also has a couple of commits related to the project's own CI system,
which don't affect the application)

Changelog: https://gitlab.gnome.org/GNOME/libmediaart/-/blob/master/NEWS

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3f6b25f18a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:14:03 +05:30
Ankur Tyagi 3e7a57da7f libde265: upgrade 1.0.15 -> 1.0.16
Also included tag in the SRC_URI.

This release fixes some rare decoding errors and some build issues.

Changelog:
https://github.com/strukturag/libde265/compare/v1.0.15...v1.0.16

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 625a2be8a8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 17:13:59 +05:30
Gyorgy Sarvari f4dca597c9 exiftool: ignore CVE-2026-3102
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3102

The vulnerability impacts only macOS - ignore it.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:33 +05:30
Gyorgy Sarvari 6bb74fff88 python3-protobuf: mark CVE-2026-0994 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994

It is fixed already in the currently used version, however NVD tracks
it without any version info, so it still shows up in CVE reports.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:32 +05:30
Gyorgy Sarvari 7b418ef060 unbound: patch CVE-2025-5994
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-5994

Backport the patch[1] provided by upstream, which is linked in
the upstream advisory[2] referenced by the NVD report.

Tests passed successfully in a locally prepared ptest image.

[1]: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-5994_2.diff
[1]: https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:32 +05:30
Gyorgy Sarvari c3185de08d streamripper: ignore CVE-2020-37065
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-37065

The vulnerability is about a 3rd party Windows-only GUI frontend for
the streamripper library, and not for the CLI application that the
recipe builds. Due to this, ignore this CVE.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1571c1a8e5)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:31 +05:30
Gyorgy Sarvari 9fcdfa8b22 python3-pillow: patch CVE-2026-25990
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990

Backport the patch referenced by the NVD advisory.

Note that the patch contains some new binary test data, which
requires "git" PATCHTOOL - other tools fail to apply binary patches.

All ptests passed successfully:

Testsuite summary
TOTAL: 5011
PASS: 4577
SKIP: 431
XFAIL: 3
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 59
END: /usr/lib/python3-pillow/ptest
2026-03-06T17:58
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:31 +05:30
Gyorgy Sarvari a892f6cfc9 python3-nltk: upgrade 3.9.2 -> 3.9.3
Contains fix for CVE-2026-14009.

Changelog:
* Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader
* Block path traversal/arbitrary reads in nltk.data for protocol-less refs
* Block path traversal/abs paths in corpus readers and FS pointers
* Validate external StanfordSegmenter JARs using SHA256
* Add optional sandbox enforcement for filestring()
* Maintenance: downloader/zipped models, CI/tooling updates

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 14d464c150)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:30 +05:30
Gyorgy Sarvari 7d3016495f libheif: patch CVE-2025-68431
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68431

Backport the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:30 +05:30
Wang Mingyu 258cdd1e07 imagemagick: upgrade 7.1.2-13 -> 7.1.2-15
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 853aecb2f9)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:26 +05:30
Peter Kjellerstedt 843542472e ceres-solver: Don't fail if .git/hooks/commit-msg can't be touched
The .git/hooks/commit-msg Git hook may already exist and not be
writable. E.g., in our environment it is a symbolic link to a script in
/usr/share.

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a22fe21c59)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-06 10:13:27 +05:30