1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00
Commit Graph

9636 Commits

Author SHA1 Message Date
Amaury Couderc f47c0cb3bf python3: fix CVE-2026-4224
Backport patch to fix CVE-2026-4224.
https://nvd.nist.gov/vuln/detail/CVE-2026-4224

Upstream fix:
  https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785

Tested with ptest:
Before: PASSED: 40007, FAILED: 0, SKIPPED: 1877
After: PASSED: 40006, FAILED: 0, SKIPPED: 1877

(From OE-Core rev: 736dd8c8f90d43e4bcdb0954a99764a62fccc20e)

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-07-02 13:42:26 +01:00
Theo Gaige (Schneider Electric) e2d512c2e7 go: patch CVE-2026-27145
Backport patch from [1]

[1] https://go.dev/cl/783621

(From OE-Core rev: 209a1b3a48b8e3996e1b53f2d7efe335855b7375)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-07-02 13:42:25 +01:00
Sudhir Dumbhare af76dc3437 rust,libstd-rs: set status for CVE-2024-3566
The vulnerability is Windows-specific and depends on command-line
handling through CreateProcess, which does not apply to Linux/Yocto
builds.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-3566

(From OE-Core rev: 8c56e85dd02063da5630c9b73fb242686a970e20)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Sudhir Dumbhare 5087e4b4a0 go: set status for CVE-2026-39836
This issue affects Windows only. The net.Dial and net.LookupPort
functions can panic when given input containing a NUL byte.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-39836
https://security-tracker.debian.org/tracker/CVE-2026-39836

(From OE-Core rev: 324359dcb7cbeb15ef51f5cc18924f590c81b1de)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Sudhir Dumbhare f3fbf45c1d go-binary-native: set status for CVE-2026-39836
This issue affects Windows only. The net.Dial and net.LookupPort
functions can panic when given input containing a NUL byte.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-39836
https://security-tracker.debian.org/tracker/CVE-2026-39836

(From OE-Core rev: 8aab8b31425b3820ef65fc40061b9377c574607b)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Adarsh Jagadish Kamini c0d690e103 python3: CVE-2026-3087 not applicable
CVE link: https://nvd.nist.gov/vuln/detail/CVE-2026-3087

The CVE is only applicable to Windows OS

(From OE-Core rev: 96efecfbb2d1eaa24e1c96fbd6593a7087464844)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Yoann Congal 7a90e7adfb gdb: backport a patch to fix static_assert in recent GCC
On Ubuntu 26.04, gcc 15.2 defaults to --std=gnu23 in which static_assert
is a keyword, and not a macro to define like with older GCC. This make
MIPS64 code in gdb fail to compile with:
| In file included from ../../gdb-14.2/opcodes/mips16-opc.c:25:
| ../../gdb-14.2/opcodes/mips16-opc.c: In function ‘decode_mips16_operand’:
| ../../gdb-14.2/opcodes/mips-formats.h:86:7: error: expected identifier or ‘(’ before ‘static_assert’
|    86 |       static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
|       |       ^~~~~~~~~~~~~
| ../../gdb-14.2/opcodes/mips16-opc.c:52:15: note: in expansion of macro ‘MAPPED_REG’
|    52 |     case '.': MAPPED_REG (0, 0, GP, reg_0_map);
|       |               ^~~~~~~~~~

(From OE-Core rev: 92a57b28a4e8e4fe917e4aa3d58079257ee9a41f)

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Shubham Pushpkar 09f201c834 dpkg: Fix CVE-2026-2219
This patch applies the upstream fix as referenced in [2], using the
commit shown in [1].

[1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-2219

(From OE-Core rev: 66055d7f179d0d838c2139d9d2399a968c6f6529)

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Deepak Rathore b04b16e965 qemu: Fix CVE-2024-6519
This patch applies the upstream v11.0.0-rc2 backport for
CVE-2024-6519. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2]. The individual
backported commit link is recorded in the embedded patch header.

[1] https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9
[2] https://security-tracker.debian.org/tracker/CVE-2024-6519

(From OE-Core rev: bb5a1f9c6562038d422ea0efd4e975737c9374c3)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare e61bf028a6 python3: Fix CVE-2025-13462
Apply the upstream v3.12 fix [1], aligned with the original v3.13 fix [2],
to address incorrect tarfile handling where GNU long name follow-up headers
could be normalized as directories, as referenced in [3].

[1] https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084
[2] https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
[3] https://security-tracker.debian.org/tracker/CVE-2025-13462

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-13462

(From OE-Core rev: 0b990a354ef858d903d4bed937b1233537c2c478)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare 7731db5592 python3: Fix CVE-2026-6019
This patch applies the upstream fix [1] and follow-up fix [2], as
referenced in [3] and [4], to address an http.cookies.Morsel.js_output()
flaw where inline JavaScript output escaped quotes but did not neutralize
the HTML parser-sensitive </script> sequence.

[1] https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
[2] https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802
[3] https://github.com/python/cpython/issues/149144
[4] https://security-tracker.debian.org/tracker/CVE-2026-6019

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-6019

(From OE-Core rev: e17af14ae72e21f7f63407ba5c88da160c73bea9)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare 1401e6e003 python3: Fix CVE-2026-4519 and CVE-2026-4786
Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].

CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.

[1] https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
[2] https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
[3] https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
[4] https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786

References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786

(From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare 703b680089 python3: Fix CVE-2026-3644 and CVE-2026-0672
Apply the upstream v3.13 fix [1], as referenced in [2], to address
CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(),
the |= operator, and unpickling paths.

CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as
Morsel.update(), |=, and unpickling could bypass input validation. The fix
also adds output validation to BaseCookie.js_output(), matching the
control-character safeguards already present in BaseCookie.output().

[1] https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
[2] https://security-tracker.debian.org/tracker/CVE-2026-3644

References:
https://security-tracker.debian.org/tracker/CVE-2026-3644
https://security-tracker.debian.org/tracker/CVE-2026-0672
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
https://nvd.nist.gov/vuln/detail/CVE-2026-0672

(From OE-Core rev: ac763f139ba7f836d0fa9377295ef7d3b10f2238)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Deepak Rathore 327a87fffb binutils: Fix CVE-2025-69644
This patch updates the existing CVE-2025-69647 backport metadata for
CVE-2025-69644. NVD records for CVE-2025-69644 and CVE-2025-69647
reference the same upstream binutils fix commit [1], and the public
CVE advisories are referenced in [2] and [3].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-69644
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-69647

(From OE-Core rev: 267ff299a6fe6f65e0dd86f5e59bb013921526ce)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare 7d782f3ed0 go: fix CVE-2026-32288
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded sparse map handling in `archive/tar`.

[1] https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e
[2] https://security-tracker.debian.org/tracker/CVE-2026-32288

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-32288

(From OE-Core rev: 775c3af36899eebe5612844accdfd2a8a2a9327a)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare 3401fba731 go: fix CVE-2026-25679
This patch applies the upstream fix [1], as referenced in [2],
to address insufficient validation in `url.Parse`.

Debian marks older Go branches as not affected because the vulnerable
parseHost surface was introduced by the earlier CVE-2025-47912 fix.
This Scarthgap recipe already carries CVE-2025-47912.patch, so the
fix is applicable to the patched Go 1.22.12 source used here.

[1] https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803
[2] https://security-tracker.debian.org/tracker/CVE-2026-25679

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-25679

(From OE-Core rev: 913b9dc19ea14edbbaf4b7a677507949e454e685)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare b1af4c89b0 go: fix CVE-2025-58183
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded memory consumption when reading GNU tar pax
1.0 sparse file regions in archive/tar.

[1] https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556
[2] https://security-tracker.debian.org/tracker/CVE-2025-58183

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-58183

(From OE-Core rev: e0285488a93cf3b369ad7424d55938791f57174f)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Mark Hatle 3f378fc245 pseudo: Update to version 1.9.8
Changelog:
    Makefile.in: Bump to 1.9.8
    pseudo_client.h: Fix typo in the comment
    client: permissions drop setuid and setgid
    tests: Add setuid permission check
    pseudo_client.h: Add +s to PSEUDO_DB_MODE for mkdir
    tests: Add test that returned stat is correct
    pseudo_client.h: Make it clear both macros must be updated together
    Makefile.in: Add pseudo_client.h as a dependency

(From OE-Core rev: d716fe7e4f1dd2156be8773408611bb979a94d5d)

Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fa302de94c7da77a49ca0701580467ebaa8eda18)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Hitendra Prajapati 0c205679dd python3: fix CVE-2026-6100
Pick patch from [1] also mentioned at NVD report in [2]

[1] https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-6100
[3] https://security-tracker.debian.org/tracker/CVE-2026-6100

(From OE-Core rev: 0bc9ba624b2fbeff3bf7e2ee4d2858b9c702fca1)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati d30ed7ed1b python3: fix for CVE-2026-1502
Pick patch from [1] also mentioned at NVD report in [2]

[1] https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-1502
[3] https://security-tracker.debian.org/tracker/CVE-2026-1502

(From OE-Core rev: fe96d5bee9c45344e98cda9bac85c9bd853d5a7e)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati 34cf18e8c1 libxml-parser-perl: fix for CVE-2006-10003
Pick patch from [1].

[1] https://security-tracker.debian.org/tracker/CVE-2006-10003

More details :
https://nvd.nist.gov/vuln/detail/CVE-2006-10003

(From OE-Core rev: 2abf26e7551a8a306d6aaabc9653f655f66b15a1)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati d8f806b3c6 qemu: fix for CVE-2025-11234
This patch fix use after free in websocket handshake code.

Backport patch from debian refer :
https://security-tracker.debian.org/tracker/CVE-2025-11234

(From OE-Core rev: f8e3cdf31d6d613e54fe2ffaee875811c52754f5)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Hitendra Prajapati 1e7d50296e go 1.22.12: fix CVE-2026-27143, CVE-2026-27144
Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4]

[1] https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc
[2] https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3
[3] https://security-tracker.debian.org/tracker/CVE-2026-27143
[4] https://security-tracker.debian.org/tracker/CVE-2026-27144

(From OE-Core rev: c4273fecc42ab643eea036651c79d968f0caaafd)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Hitendra Prajapati 2abc87a006 go 1.22.12: fix CVE-2026-27140
Pick patch from [1] also mentioned at Debian report in [2]

[1] https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa
[2] https://security-tracker.debian.org/tracker/CVE-2026-27140
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140

(From OE-Core rev: b0048d8bc8134c445a3352bfb631d41319a75331)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Theo Gaige (Schneider Electric) 7842ddc5b2 go: patch CVE-2026-42507
Backport patch from [1]

[1] https://go.dev/cl/777060

(From OE-Core rev: dfcc700ab9e1785a7ac09fafa8732d513202c70b)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) c0b84584be go: patch CVE-2026-42504
Backport patch from [1]

[1] https://go.dev/cl/774481

(From OE-Core rev: 1556a34831b2d96c8a7862493494f3b9fa10d4a9)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 33b725d19b go: patch CVE-2026-42501
Backport patch from [1]

[1] https://go.dev/cl/775321

(From OE-Core rev: c9cc7872b9ecb426e9cd5921e0bbc175f600964a)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d896bb9ee4 go: patch CVE-2026-42499
Backport patch from [1]

[1] https://go.dev/cl/771520

(From OE-Core rev: 0a692a5f57c43fb478a4a0b771b528fb9cf0c14d)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 9a4407138b go: patch CVE-2026-39826
Backport patch from [1]

[1] https://go.dev/cl/771180

(From OE-Core rev: 11203044b88ecca7bcdf32d58db5808949423de4)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 78bfa2dc96 go: patch CVE-2026-39825
Backport patch from [1]

[1] https://go.dev/cl/770541

(From OE-Core rev: ae5b6a1b2bf80e73f18406153d314ff18a89a13f)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 992c2a0192 go: patch CVE-2026-39820
Backport patch from [1] mentionned in [2]

[1] https://go.dev/cl/759940

[2] https://security-tracker.debian.org/tracker/CVE-2026-39820

(From OE-Core rev: f694d6cdd10c38a482d8c2a90f84c96da817ea51)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) f195e84050 go: patch CVE-2026-39819
Backport patch from [1]

[1] https://go.dev/cl/763882

(From OE-Core rev: 791de4922a5b342e3227713b053709a00400e1b5)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 6394046b02 go: patch CVE-2026-39817
Backport patch from [1] mentionned in [2]

[1] https://go.dev/cl/767520

[2] https://security-tracker.debian.org/tracker/CVE-2026-39817

(From OE-Core rev: f88c0ff79cf5838f8d0c31ecacc35faf56059d03)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d5108e0975 go: patch CVE-2026-33811
Backport patch from [1]

[1] https://go.dev/cl/767860

(From OE-Core rev: e4137b29d7b3218ceef9973d57c179e5e2771a68)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) b7967ae307 go: patch CVE-2026-32289
Backport patch from [1]

[1] https://go.dev/cl/763762

(From OE-Core rev: d0469c3a9d62a2ab3d6baef92e578f247d68318b)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d10a96fbd0 go: patch CVE-2026-32283
Backport patch from [1]

[1] https://go.dev/cl/763767

(From OE-Core rev: bfba1601c099d7b68c4d9fcf07617d8310d4af66)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 4c319bd87f go: patch CVE-2026-32280
Backport patch from [1]

[1] https://go.dev/cl/758320

(From OE-Core rev: e52259f1d09c722390b49adf3d4e3d863fbde7e8)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d942ca707b go: patch CVE-2026-27142
Backport patch from [1]

[1] https://go.dev/cl/752081

(From OE-Core rev: c6730245b14c094e3b210af785cda7caf4468163)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Richard Purdie b56134ff90 pseudo: Upgrade 1.9.6 -> 1.9.7
Pulls in fixes to rename/renameat/renameat2:

Changqing Li (1):
  renameat2/renameat: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS

Mark Hatle (4):
  run_tests.sh: Allow the user to specify specific tests to run
  tests: Add mv then hardlink testing
  rename: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS
  Makefile.in: Bump version to 1.9.7

(From OE-Core rev: e2864ea1ac022e43af92badc701fa1e2a9571f46)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 17567738711d525d9f2b85e54ace2048901e4c34)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Richard Purdie ef43a8a49a pseudo: Update 1.9.5 -> 1.9.6
Pulls in the changes:

  * Makefile.in: Bump version to 1.9.6
  * pseudo_util.c: Fix symlink processing for symlinkat and related
  * test: Add test symlinkat and related
  * ports/unix: realpath: Fix chroot processing
  * test: Add test cases for canonicalize functions
  * ports/unix: fts_open: Fix chroot behavior
  * ports/unix: fts_*: Certain functions were incorrectly returning stat data
  * test: Add fts test case
  * test: Add test for linkat chroot path stripping
  * linkat: Avoid a segmentation fault
  * Only copy xattrs on a rename if it's cross-filesystem

(From OE-Core rev: 1414f3513099a9a956ec4f602354aa00008e2aff)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50e769a598e79ed4600f7362d5f40799a48f9273)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Richard Purdie 1c69324f39 pseudo: Upgrade to 1.9.5
This adds a wrapper for the __open_2 function

This was breaking shadow and the real reason for the open() call changes.
Add the missing wrapper to properly fix this.

(From OE-Core rev: 876e6497f3323d74d9ac8ce303ed5165a7fda283)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8ea63d320aba32d3894cace9e71e850bdff1d6b2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Richard Purdie 920a6803d5 pseudo: Upgrade to 1.9.4
Update to pull in a full openat2 wrapper which works on Fedora 44.

This update includes the commits:
  * Makefile.in: Bump version to 1.9.4
  * test: Add renameat2 test cases
  * test: Add openat2 test cases
  * makewrappers/openat2: Add preserve_path option
  * openat2: Implement openat2 wrapper
  * ports/linux/guts/renameat2.c: Add comment why this isn't implemented
  * Add b4 configuration
  * pseudo_setupenvp: Handle malloc failure safely
  * pseudo_setupenvp: Allocate space for new env vars if needed

(From OE-Core rev: 9075b66e1f9161407056924954b3d5507f6d8384)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b2bd1d114fafe1e797149e02e4c08194d529cfde)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Ross Burton 4e2dac74d5 perl: link to the system zlib instead of a vendored copy
The perl module Compress-Raw-Zlib defaults to using a vendored copy of
the zlib sources which has a number of CVEs.  A newer version of perl
updates this to zlib 1.3.2 to resolve them, but we should be linking to
our zlib recipe instead of the vendored code.

This mitigates CVE-2026-4176 so mark it as not appropriate.

(From OE-Core rev: 6e83e5520f415fc6ca9029a8aaa0af31cd832a90)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Ross Burton 1a099cb1fa python3-requests: backport fix for CVE-2026-25645
When unpacking zip files requests uses predictable paths. Backport a fix
to use randomly generated pathnames to mitigate injection attacks.

(From OE-Core rev: b23ec9773d67f8767904731afa86fe5ede08f97f)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fe846d71b647fb06e6a87cb45a2dd9b0889e2891)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Peter Marko 3758595c3e cargo: set CVE_PRODUCT
This removes mediawiki:cargo CVEs from CVE metrics.
* CVE-2026-39837, CVE-2026-39839, CVE-2026-39840, CVE-2026-39841

(From OE-Core rev: 98088c90b6e37ab27e7b4b2546abe9ecd863c02e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a5cb71e7df95925a5c342c341e699e244b1b84f6)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Himanshu Jadon 0ceef92802 apt: Add CVE_PRODUCT to support product name
- Keep both the older deprecated debian:apt alias and the active
  debian:advanced_package_tool identity in CVE_PRODUCT.
- This preserves completeness and avoids missing CVEs in case older
  aliases are still used in NVD records.

(From OE-Core rev: 28d3ab81b9386bda16e196ed2934967843413186)

Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4c777220ee5740b800f4128da79c24f7e42c7b88)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
[FT: Rebase onto scarthgap-next]
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-12 21:31:34 +01:00
Hitendra Prajapati 957ae42637 rsync: fix for CVE-2026-41035
Pick patch from [1] also mentioned at Debian report in [2]

[1] https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c
[2] https://security-tracker.debian.org/tracker/CVE-2026-41035
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-41035

(From OE-Core rev: b2b51c4f8521ac4fa490e96257142826f2dfda25)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-12 21:31:33 +01:00
Adarsh Jagadish Kamini 49da7cb317 binutils: fix CVE-2025-69648
Backport upstream fix for CVE-2025-69648 [1].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33

(From OE-Core rev: a905532db94aa09b17ec6445d8b5702f278f22bd)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-12 21:31:33 +01:00
Adarsh Jagadish Kamini 852fe03a0c binutils: fix CVE-2025-69647
Backport upstream fix for CVE-2025-69647 [1].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7

(From OE-Core rev: a15dfc1a05ba26ae9f806b0f4c5273bb7c484a04)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-12 21:31:33 +01:00
Khem Raj e8c96de370 apt: Fix build with GCC 15
(From OE-Core rev: 3e565b8ea4b0694fd3ded7b3b0f9d93d1a7ccbab)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ac53f79999bb8301380d7c58025f6fed75e40c9a)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-04 13:57:33 +01:00