Amaury Couderc
f47c0cb3bf
python3: fix CVE-2026-4224
...
Backport patch to fix CVE-2026-4224.
https://nvd.nist.gov/vuln/detail/CVE-2026-4224
Upstream fix:
https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785
Tested with ptest:
Before: PASSED: 40007, FAILED: 0, SKIPPED: 1877
After: PASSED: 40006, FAILED: 0, SKIPPED: 1877
(From OE-Core rev: 736dd8c8f90d43e4bcdb0954a99764a62fccc20e)
Signed-off-by: Amaury Couderc <amaury.couderc@est.tech >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-07-02 13:42:26 +01:00
Theo Gaige (Schneider Electric)
e2d512c2e7
go: patch CVE-2026-27145
...
Backport patch from [1]
[1] https://go.dev/cl/783621
(From OE-Core rev: 209a1b3a48b8e3996e1b53f2d7efe335855b7375)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-07-02 13:42:25 +01:00
Sudhir Dumbhare
af76dc3437
rust,libstd-rs: set status for CVE-2024-3566
...
The vulnerability is Windows-specific and depends on command-line
handling through CreateProcess, which does not apply to Linux/Yocto
builds.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-3566
(From OE-Core rev: 8c56e85dd02063da5630c9b73fb242686a970e20)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:54 +01:00
Sudhir Dumbhare
5087e4b4a0
go: set status for CVE-2026-39836
...
This issue affects Windows only. The net.Dial and net.LookupPort
functions can panic when given input containing a NUL byte.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-39836
https://security-tracker.debian.org/tracker/CVE-2026-39836
(From OE-Core rev: 324359dcb7cbeb15ef51f5cc18924f590c81b1de)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:54 +01:00
Sudhir Dumbhare
f3fbf45c1d
go-binary-native: set status for CVE-2026-39836
...
This issue affects Windows only. The net.Dial and net.LookupPort
functions can panic when given input containing a NUL byte.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-39836
https://security-tracker.debian.org/tracker/CVE-2026-39836
(From OE-Core rev: 8aab8b31425b3820ef65fc40061b9377c574607b)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:54 +01:00
Adarsh Jagadish Kamini
c0d690e103
python3: CVE-2026-3087 not applicable
...
CVE link: https://nvd.nist.gov/vuln/detail/CVE-2026-3087
The CVE is only applicable to Windows OS
(From OE-Core rev: 96efecfbb2d1eaa24e1c96fbd6593a7087464844)
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:54 +01:00
Yoann Congal
7a90e7adfb
gdb: backport a patch to fix static_assert in recent GCC
...
On Ubuntu 26.04, gcc 15.2 defaults to --std=gnu23 in which static_assert
is a keyword, and not a macro to define like with older GCC. This make
MIPS64 code in gdb fail to compile with:
| In file included from ../../gdb-14.2/opcodes/mips16-opc.c:25:
| ../../gdb-14.2/opcodes/mips16-opc.c: In function ‘decode_mips16_operand’:
| ../../gdb-14.2/opcodes/mips-formats.h:86:7: error: expected identifier or ‘(’ before ‘static_assert’
| 86 | static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
| | ^~~~~~~~~~~~~
| ../../gdb-14.2/opcodes/mips16-opc.c:52:15: note: in expansion of macro ‘MAPPED_REG’
| 52 | case '.': MAPPED_REG (0, 0, GP, reg_0_map);
| | ^~~~~~~~~~
(From OE-Core rev: 92a57b28a4e8e4fe917e4aa3d58079257ee9a41f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:54 +01:00
Shubham Pushpkar
09f201c834
dpkg: Fix CVE-2026-2219
...
This patch applies the upstream fix as referenced in [2], using the
commit shown in [1].
[1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-2219
(From OE-Core rev: 66055d7f179d0d838c2139d9d2399a968c6f6529)
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:54 +01:00
Deepak Rathore
b04b16e965
qemu: Fix CVE-2024-6519
...
This patch applies the upstream v11.0.0-rc2 backport for
CVE-2024-6519. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2]. The individual
backported commit link is recorded in the embedded patch header.
[1] https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9
[2] https://security-tracker.debian.org/tracker/CVE-2024-6519
(From OE-Core rev: bb5a1f9c6562038d422ea0efd4e975737c9374c3)
Signed-off-by: Deepak Rathore <deeratho@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
e61bf028a6
python3: Fix CVE-2025-13462
...
Apply the upstream v3.12 fix [1], aligned with the original v3.13 fix [2],
to address incorrect tarfile handling where GNU long name follow-up headers
could be normalized as directories, as referenced in [3].
[1] https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084
[2] https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
[3] https://security-tracker.debian.org/tracker/CVE-2025-13462
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-13462
(From OE-Core rev: 0b990a354ef858d903d4bed937b1233537c2c478)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
7731db5592
python3: Fix CVE-2026-6019
...
This patch applies the upstream fix [1] and follow-up fix [2], as
referenced in [3] and [4], to address an http.cookies.Morsel.js_output()
flaw where inline JavaScript output escaped quotes but did not neutralize
the HTML parser-sensitive </script> sequence.
[1] https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
[2] https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802
[3] https://github.com/python/cpython/issues/149144
[4] https://security-tracker.debian.org/tracker/CVE-2026-6019
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-6019
(From OE-Core rev: e17af14ae72e21f7f63407ba5c88da160c73bea9)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
1401e6e003
python3: Fix CVE-2026-4519 and CVE-2026-4786
...
Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].
CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.
[1] https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
[2] https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
[3] https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
[4] https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786
(From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
703b680089
python3: Fix CVE-2026-3644 and CVE-2026-0672
...
Apply the upstream v3.13 fix [1], as referenced in [2], to address
CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(),
the |= operator, and unpickling paths.
CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as
Morsel.update(), |=, and unpickling could bypass input validation. The fix
also adds output validation to BaseCookie.js_output(), matching the
control-character safeguards already present in BaseCookie.output().
[1] https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
[2] https://security-tracker.debian.org/tracker/CVE-2026-3644
References:
https://security-tracker.debian.org/tracker/CVE-2026-3644
https://security-tracker.debian.org/tracker/CVE-2026-0672
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
https://nvd.nist.gov/vuln/detail/CVE-2026-0672
(From OE-Core rev: ac763f139ba7f836d0fa9377295ef7d3b10f2238)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Deepak Rathore
327a87fffb
binutils: Fix CVE-2025-69644
...
This patch updates the existing CVE-2025-69647 backport metadata for
CVE-2025-69644. NVD records for CVE-2025-69644 and CVE-2025-69647
reference the same upstream binutils fix commit [1], and the public
CVE advisories are referenced in [2] and [3].
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-69644
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-69647
(From OE-Core rev: 267ff299a6fe6f65e0dd86f5e59bb013921526ce)
Signed-off-by: Deepak Rathore <deeratho@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
7d782f3ed0
go: fix CVE-2026-32288
...
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded sparse map handling in `archive/tar`.
[1] https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e
[2] https://security-tracker.debian.org/tracker/CVE-2026-32288
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-32288
(From OE-Core rev: 775c3af36899eebe5612844accdfd2a8a2a9327a)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
3401fba731
go: fix CVE-2026-25679
...
This patch applies the upstream fix [1], as referenced in [2],
to address insufficient validation in `url.Parse`.
Debian marks older Go branches as not affected because the vulnerable
parseHost surface was introduced by the earlier CVE-2025-47912 fix.
This Scarthgap recipe already carries CVE-2025-47912.patch, so the
fix is applicable to the patched Go 1.22.12 source used here.
[1] https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803
[2] https://security-tracker.debian.org/tracker/CVE-2026-25679
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-25679
(From OE-Core rev: 913b9dc19ea14edbbaf4b7a677507949e454e685)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
b1af4c89b0
go: fix CVE-2025-58183
...
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded memory consumption when reading GNU tar pax
1.0 sparse file regions in archive/tar.
[1] https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556
[2] https://security-tracker.debian.org/tracker/CVE-2025-58183
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-58183
(From OE-Core rev: e0285488a93cf3b369ad7424d55938791f57174f)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Mark Hatle
3f378fc245
pseudo: Update to version 1.9.8
...
Changelog:
Makefile.in: Bump to 1.9.8
pseudo_client.h: Fix typo in the comment
client: permissions drop setuid and setgid
tests: Add setuid permission check
pseudo_client.h: Add +s to PSEUDO_DB_MODE for mkdir
tests: Add test that returned stat is correct
pseudo_client.h: Make it clear both macros must be updated together
Makefile.in: Add pseudo_client.h as a dependency
(From OE-Core rev: d716fe7e4f1dd2156be8773408611bb979a94d5d)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit fa302de94c7da77a49ca0701580467ebaa8eda18)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-26 16:55:53 +01:00
Hitendra Prajapati
0c205679dd
python3: fix CVE-2026-6100
...
Pick patch from [1] also mentioned at NVD report in [2]
[1] https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-6100
[3] https://security-tracker.debian.org/tracker/CVE-2026-6100
(From OE-Core rev: 0bc9ba624b2fbeff3bf7e2ee4d2858b9c702fca1)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-19 12:49:08 +01:00
Hitendra Prajapati
d30ed7ed1b
python3: fix for CVE-2026-1502
...
Pick patch from [1] also mentioned at NVD report in [2]
[1] https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-1502
[3] https://security-tracker.debian.org/tracker/CVE-2026-1502
(From OE-Core rev: fe96d5bee9c45344e98cda9bac85c9bd853d5a7e)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-19 12:49:08 +01:00
Hitendra Prajapati
34cf18e8c1
libxml-parser-perl: fix for CVE-2006-10003
...
Pick patch from [1].
[1] https://security-tracker.debian.org/tracker/CVE-2006-10003
More details :
https://nvd.nist.gov/vuln/detail/CVE-2006-10003
(From OE-Core rev: 2abf26e7551a8a306d6aaabc9653f655f66b15a1)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-19 12:49:08 +01:00
Hitendra Prajapati
d8f806b3c6
qemu: fix for CVE-2025-11234
...
This patch fix use after free in websocket handshake code.
Backport patch from debian refer :
https://security-tracker.debian.org/tracker/CVE-2025-11234
(From OE-Core rev: f8e3cdf31d6d613e54fe2ffaee875811c52754f5)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-19 12:49:07 +01:00
Hitendra Prajapati
1e7d50296e
go 1.22.12: fix CVE-2026-27143, CVE-2026-27144
...
Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4]
[1] https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc
[2] https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3
[3] https://security-tracker.debian.org/tracker/CVE-2026-27143
[4] https://security-tracker.debian.org/tracker/CVE-2026-27144
(From OE-Core rev: c4273fecc42ab643eea036651c79d968f0caaafd)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-19 12:49:07 +01:00
Hitendra Prajapati
2abc87a006
go 1.22.12: fix CVE-2026-27140
...
Pick patch from [1] also mentioned at Debian report in [2]
[1] https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa
[2] https://security-tracker.debian.org/tracker/CVE-2026-27140
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140
(From OE-Core rev: b0048d8bc8134c445a3352bfb631d41319a75331)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-19 12:49:07 +01:00
Theo Gaige (Schneider Electric)
7842ddc5b2
go: patch CVE-2026-42507
...
Backport patch from [1]
[1] https://go.dev/cl/777060
(From OE-Core rev: dfcc700ab9e1785a7ac09fafa8732d513202c70b)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
c0b84584be
go: patch CVE-2026-42504
...
Backport patch from [1]
[1] https://go.dev/cl/774481
(From OE-Core rev: 1556a34831b2d96c8a7862493494f3b9fa10d4a9)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
33b725d19b
go: patch CVE-2026-42501
...
Backport patch from [1]
[1] https://go.dev/cl/775321
(From OE-Core rev: c9cc7872b9ecb426e9cd5921e0bbc175f600964a)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
d896bb9ee4
go: patch CVE-2026-42499
...
Backport patch from [1]
[1] https://go.dev/cl/771520
(From OE-Core rev: 0a692a5f57c43fb478a4a0b771b528fb9cf0c14d)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
9a4407138b
go: patch CVE-2026-39826
...
Backport patch from [1]
[1] https://go.dev/cl/771180
(From OE-Core rev: 11203044b88ecca7bcdf32d58db5808949423de4)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
78bfa2dc96
go: patch CVE-2026-39825
...
Backport patch from [1]
[1] https://go.dev/cl/770541
(From OE-Core rev: ae5b6a1b2bf80e73f18406153d314ff18a89a13f)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
992c2a0192
go: patch CVE-2026-39820
...
Backport patch from [1] mentionned in [2]
[1] https://go.dev/cl/759940
[2] https://security-tracker.debian.org/tracker/CVE-2026-39820
(From OE-Core rev: f694d6cdd10c38a482d8c2a90f84c96da817ea51)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
f195e84050
go: patch CVE-2026-39819
...
Backport patch from [1]
[1] https://go.dev/cl/763882
(From OE-Core rev: 791de4922a5b342e3227713b053709a00400e1b5)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
6394046b02
go: patch CVE-2026-39817
...
Backport patch from [1] mentionned in [2]
[1] https://go.dev/cl/767520
[2] https://security-tracker.debian.org/tracker/CVE-2026-39817
(From OE-Core rev: f88c0ff79cf5838f8d0c31ecacc35faf56059d03)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
d5108e0975
go: patch CVE-2026-33811
...
Backport patch from [1]
[1] https://go.dev/cl/767860
(From OE-Core rev: e4137b29d7b3218ceef9973d57c179e5e2771a68)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
b7967ae307
go: patch CVE-2026-32289
...
Backport patch from [1]
[1] https://go.dev/cl/763762
(From OE-Core rev: d0469c3a9d62a2ab3d6baef92e578f247d68318b)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
d10a96fbd0
go: patch CVE-2026-32283
...
Backport patch from [1]
[1] https://go.dev/cl/763767
(From OE-Core rev: bfba1601c099d7b68c4d9fcf07617d8310d4af66)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
4c319bd87f
go: patch CVE-2026-32280
...
Backport patch from [1]
[1] https://go.dev/cl/758320
(From OE-Core rev: e52259f1d09c722390b49adf3d4e3d863fbde7e8)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
d942ca707b
go: patch CVE-2026-27142
...
Backport patch from [1]
[1] https://go.dev/cl/752081
(From OE-Core rev: c6730245b14c094e3b210af785cda7caf4468163)
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com >
Reviewed-by: Bruno Vernay <bruno.vernay@se.com >
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-16 20:42:19 +01:00
Richard Purdie
b56134ff90
pseudo: Upgrade 1.9.6 -> 1.9.7
...
Pulls in fixes to rename/renameat/renameat2:
Changqing Li (1):
renameat2/renameat: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS
Mark Hatle (4):
run_tests.sh: Allow the user to specify specific tests to run
tests: Add mv then hardlink testing
rename: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS
Makefile.in: Bump version to 1.9.7
(From OE-Core rev: e2864ea1ac022e43af92badc701fa1e2a9571f46)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit 17567738711d525d9f2b85e54ace2048901e4c34)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-10 14:35:21 +01:00
Richard Purdie
ef43a8a49a
pseudo: Update 1.9.5 -> 1.9.6
...
Pulls in the changes:
* Makefile.in: Bump version to 1.9.6
* pseudo_util.c: Fix symlink processing for symlinkat and related
* test: Add test symlinkat and related
* ports/unix: realpath: Fix chroot processing
* test: Add test cases for canonicalize functions
* ports/unix: fts_open: Fix chroot behavior
* ports/unix: fts_*: Certain functions were incorrectly returning stat data
* test: Add fts test case
* test: Add test for linkat chroot path stripping
* linkat: Avoid a segmentation fault
* Only copy xattrs on a rename if it's cross-filesystem
(From OE-Core rev: 1414f3513099a9a956ec4f602354aa00008e2aff)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit 50e769a598e79ed4600f7362d5f40799a48f9273)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-10 14:35:21 +01:00
Richard Purdie
1c69324f39
pseudo: Upgrade to 1.9.5
...
This adds a wrapper for the __open_2 function
This was breaking shadow and the real reason for the open() call changes.
Add the missing wrapper to properly fix this.
(From OE-Core rev: 876e6497f3323d74d9ac8ce303ed5165a7fda283)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit 8ea63d320aba32d3894cace9e71e850bdff1d6b2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-10 14:35:21 +01:00
Richard Purdie
920a6803d5
pseudo: Upgrade to 1.9.4
...
Update to pull in a full openat2 wrapper which works on Fedora 44.
This update includes the commits:
* Makefile.in: Bump version to 1.9.4
* test: Add renameat2 test cases
* test: Add openat2 test cases
* makewrappers/openat2: Add preserve_path option
* openat2: Implement openat2 wrapper
* ports/linux/guts/renameat2.c: Add comment why this isn't implemented
* Add b4 configuration
* pseudo_setupenvp: Handle malloc failure safely
* pseudo_setupenvp: Allocate space for new env vars if needed
(From OE-Core rev: 9075b66e1f9161407056924954b3d5507f6d8384)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit b2bd1d114fafe1e797149e02e4c08194d529cfde)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-10 14:35:21 +01:00
Ross Burton
4e2dac74d5
perl: link to the system zlib instead of a vendored copy
...
The perl module Compress-Raw-Zlib defaults to using a vendored copy of
the zlib sources which has a number of CVEs. A newer version of perl
updates this to zlib 1.3.2 to resolve them, but we should be linking to
our zlib recipe instead of the vendored code.
This mitigates CVE-2026-4176 so mark it as not appropriate.
(From OE-Core rev: 6e83e5520f415fc6ca9029a8aaa0af31cd832a90)
Signed-off-by: Ross Burton <ross.burton@arm.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-10 14:35:20 +01:00
Ross Burton
1a099cb1fa
python3-requests: backport fix for CVE-2026-25645
...
When unpacking zip files requests uses predictable paths. Backport a fix
to use randomly generated pathnames to mitigate injection attacks.
(From OE-Core rev: b23ec9773d67f8767904731afa86fe5ede08f97f)
Signed-off-by: Ross Burton <ross.burton@arm.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit fe846d71b647fb06e6a87cb45a2dd9b0889e2891)
Signed-off-by: Deepak Rathore <deeratho@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-10 14:35:20 +01:00
Peter Marko
3758595c3e
cargo: set CVE_PRODUCT
...
This removes mediawiki:cargo CVEs from CVE metrics.
* CVE-2026-39837, CVE-2026-39839, CVE-2026-39840, CVE-2026-39841
(From OE-Core rev: 98088c90b6e37ab27e7b4b2546abe9ecd863c02e)
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit a5cb71e7df95925a5c342c341e699e244b1b84f6)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-06-10 14:35:20 +01:00
Himanshu Jadon
0ceef92802
apt: Add CVE_PRODUCT to support product name
...
- Keep both the older deprecated debian:apt alias and the active
debian:advanced_package_tool identity in CVE_PRODUCT.
- This preserves completeness and avoids missing CVEs in case older
aliases are still used in NVD records.
(From OE-Core rev: 28d3ab81b9386bda16e196ed2934967843413186)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit 4c777220ee5740b800f4128da79c24f7e42c7b88)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com >
[FT: Rebase onto scarthgap-next]
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-05-12 21:31:34 +01:00
Hitendra Prajapati
957ae42637
rsync: fix for CVE-2026-41035
...
Pick patch from [1] also mentioned at Debian report in [2]
[1] https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c
[2] https://security-tracker.debian.org/tracker/CVE-2026-41035
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-41035
(From OE-Core rev: b2b51c4f8521ac4fa490e96257142826f2dfda25)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-05-12 21:31:33 +01:00
Adarsh Jagadish Kamini
49da7cb317
binutils: fix CVE-2025-69648
...
Backport upstream fix for CVE-2025-69648 [1].
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33
(From OE-Core rev: a905532db94aa09b17ec6445d8b5702f278f22bd)
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech >
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-05-12 21:31:33 +01:00
Adarsh Jagadish Kamini
852fe03a0c
binutils: fix CVE-2025-69647
...
Backport upstream fix for CVE-2025-69647 [1].
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7
(From OE-Core rev: a15dfc1a05ba26ae9f806b0f4c5273bb7c484a04)
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech >
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-05-12 21:31:33 +01:00
Khem Raj
e8c96de370
apt: Fix build with GCC 15
...
(From OE-Core rev: 3e565b8ea4b0694fd3ded7b3b0f9d93d1a7ccbab)
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit ac53f79999bb8301380d7c58025f6fed75e40c9a)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr >
Signed-off-by: Paul Barker <paul@pbarker.dev >
2026-05-04 13:57:33 +01:00