mirror of https://git.yoctoproject.org/poky synced 2026-06-30 22:47:26 +00:00

55493 Commits

Author SHA1 Message Date
Vijay Anusuri fb0a4eb7a8 xserver-xorg: Fix CVE-2026-34003
Pick patch according to [1]

[1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-34003

(From OE-Core rev: 5faf37e3de47291cffed048ae20d91033d94d686)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Vijay Anusuri 122701d321 xserver-xorg: Fix CVE-2026-34002
Pick patch according to [1]

[1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-34002

(From OE-Core rev: 5c30b1e0dd0e1cb65091787c9c931d3d16c0f93c)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Vijay Anusuri f58a56f697 xserver-xorg: Fix CVE-2026-34001
Pick patch according to [1]

[1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-34001

(From OE-Core rev: b85d3abfc5a1fd05c3a82f1f03579df493094719)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Vijay Anusuri eefcaaa556 xserver-xorg: Fix CVE-2026-34000
Pick patch according to [1]

[1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-34000

(From OE-Core rev: 3611b45c3c0144172c032964bf0d601dba649b49)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Vijay Anusuri a939424099 xserver-xorg: Fix CVE-2026-33999
Pick patch according to [1]

[1] https://lists.x.org/archives/xorg-announce/2026-April/003677.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-33999

(From OE-Core rev: b66a3f975666d9074f0e377ccece1aad2c347da8)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati 0c205679dd python3: fix CVE-2026-6100
Pick patch from [1] also mentioned at NVD report in [2]

[1] https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-6100
[3] https://security-tracker.debian.org/tracker/CVE-2026-6100

(From OE-Core rev: 0bc9ba624b2fbeff3bf7e2ee4d2858b9c702fca1)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati d30ed7ed1b python3: fix for CVE-2026-1502
Pick patch from [1] also mentioned at NVD report in [2]

[1] https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-1502
[3] https://security-tracker.debian.org/tracker/CVE-2026-1502

(From OE-Core rev: fe96d5bee9c45344e98cda9bac85c9bd853d5a7e)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati 34cf18e8c1 libxml-parser-perl: fix for CVE-2006-10003
Pick patch from [1].

[1] https://security-tracker.debian.org/tracker/CVE-2006-10003

More details:
https://nvd.nist.gov/vuln/detail/CVE-2006-10003

(From OE-Core rev: 2abf26e7551a8a306d6aaabc9653f655f66b15a1)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati d8f806b3c6 qemu: fix for CVE-2025-11234
This patch fixes a use-after-free in the websocket handshake code.

Backport patch from Debian, refer to:
https://security-tracker.debian.org/tracker/CVE-2025-11234

(From OE-Core rev: f8e3cdf31d6d613e54fe2ffaee875811c52754f5)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Benjamin Robin (Schneider Electric) 2d57a09792 meta: fix generation of kernel CONFIG_ in SPDX3
With the current solution, using a separate task
(do_create_kernel_config_spdx) there is a dependency issue. Sometimes
the final rootfs SBOM does not contain the CONFIG_ values.

do_create_kernel_config_spdx is executed after do_create_spdx which
deploys the SPDX file. do_create_kernel_config_spdx calls
oe.sbom30.find_root_obj_in_jsonld to read from the deploy directory,
which is OK, but the do_create_kernel_config_spdx ends up writing to
this deployed file (updating it).

do_create_rootfs_spdx has an explicit dependency to all do_create_spdx
tasks, but there is nothing that prevents executing
do_create_kernel_config_spdx after do_create_rootfs_spdx.

To fix it, instead, now read from the workdir, and write to the
workdir, and do the processing from the do_create_spdx task:
we append to the do_create_spdx task.
Furthermore, update oeqa selftest to execute do_create_spdx instead
of removed function.

Also only execute this task if create-spdx-3.0 was inherited,
previously this code could be executed if create-spdx-2.2 is
inherited.

(cherry picked from commit 8417f4a186e78a9d309541f5d0e711178bb80488)

Fixes: 1fff29a04287 ("kernel.bbclass: Add task to export kernel configuration to SPDX")
(From OE-Core rev: 22e8bc2bcfe762c83c00b73a33384e63548e82c0)

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Benjamin Robin (Schneider Electric) 47a42f8690 avahi: Remove a reference to the rejected CVE-2021-36217
CVE-2021-36217 is rejected, and should no longer be referenced.
CVE-2021-36217 is a duplicate of CVE-2021-3502 which is already
referenced in the local-ping.patch.

The CVE database indicates the following reason:
  ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of
  CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502
  instead of this candidate. All references and descriptions in this
  candidate have been removed to prevent accidental usage.

(cherry picked from commit bf41240132e2efa6b46aab46290eed9c53e312e9)

(From OE-Core rev: 128af716be75ec76203f1d34a8448741e6573d9e)

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Hitendra Prajapati 1e7d50296e go 1.22.12: fix CVE-2026-27143, CVE-2026-27144
Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4]

[1] https://github.com/golang/go/commit/7d2dd3488cdfbddda14c18c455d3263df75a46fc
[2] https://github.com/golang/go/commit/72cc33629a3b26e68f6e6e5564618a1d763896f3
[3] https://security-tracker.debian.org/tracker/CVE-2026-27143
[4] https://security-tracker.debian.org/tracker/CVE-2026-27144

(From OE-Core rev: c4273fecc42ab643eea036651c79d968f0caaafd)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Hitendra Prajapati 2abc87a006 go 1.22.12: fix CVE-2026-27140
Pick patch from [1] also mentioned at Debian report in [2]

[1] https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa
[2] https://security-tracker.debian.org/tracker/CVE-2026-27140
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140

(From OE-Core rev: b0048d8bc8134c445a3352bfb631d41319a75331)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Prabhudasu Vatala 752ee7c108 conf/machine: fix typos in ARM and x86 README files
Correct spelling errors in the machine include README documentation
for both ARM and x86 architectures to improve clarity.

ARM changes:
- Fix TUNE_PKGACH -> TUNE_PKGARCH.
- Fix "definiton" -> "definition".
- Fix "Curently" -> "Currently".
- Fix "specificed" -> "specified".

x86 changes:
- Fix "define" -> "defined".
- Fix "to to" duplication.

(From OE-Core rev: 4f5c4af9fa044a3e744f0c2d44aa101adcded0ff)

Signed-off-by: Prabhudasu Vatala <prabhudasuvatala@gmail.com>
(cherry picked from commit a77dd221c31e44a17784c15f5402ef785fb9c1b7)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
João Marcos Costa (Schneider Electric) 70ed6f6772 meta/lib/oe/package.py: fix path to kernel sources in save_debugsources_info
This is no more than a backport of the current (i.e., from 'master')
version of this same chunk in save_debugsources_info(), where BP is used
instead of PF to form the path to the kernel sources.

This replacement in package.py is followed by a similar change in
meta/classes/create-spdx-2.2.bbclass, so that 'BP' is also used in
spdx_get_src() and we don't face any regressions in SPDX v2.2. As a
matter of fact, SPDX3 also uses 'BP' in get_patched_src() (from
spdx_common.py).

Overall, this backport ensures a coherence between Scarthgap and master,
namely regarding how the kernel sources are provided by package.py
and consumed by SPDX v2.2 and 3.0.

(From OE-Core rev: dd74c1388d5bfefd2adcdb6abd622297138e2eb1)

Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Co-authored-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:20 +01:00
Theo Gaige (Schneider Electric) 7842ddc5b2 go: patch CVE-2026-42507
Backport patch from [1]

[1] https://go.dev/cl/777060

(From OE-Core rev: dfcc700ab9e1785a7ac09fafa8732d513202c70b)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) c0b84584be go: patch CVE-2026-42504
Backport patch from [1]

[1] https://go.dev/cl/774481

(From OE-Core rev: 1556a34831b2d96c8a7862493494f3b9fa10d4a9)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 33b725d19b go: patch CVE-2026-42501
Backport patch from [1]

[1] https://go.dev/cl/775321

(From OE-Core rev: c9cc7872b9ecb426e9cd5921e0bbc175f600964a)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d896bb9ee4 go: patch CVE-2026-42499
Backport patch from [1]

[1] https://go.dev/cl/771520

(From OE-Core rev: 0a692a5f57c43fb478a4a0b771b528fb9cf0c14d)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 9a4407138b go: patch CVE-2026-39826
Backport patch from [1]

[1] https://go.dev/cl/771180

(From OE-Core rev: 11203044b88ecca7bcdf32d58db5808949423de4)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 78bfa2dc96 go: patch CVE-2026-39825
Backport patch from [1]

[1] https://go.dev/cl/770541

(From OE-Core rev: ae5b6a1b2bf80e73f18406153d314ff18a89a13f)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 992c2a0192 go: patch CVE-2026-39820
Backport patch from [1] mentioned in [2]

[1] https://go.dev/cl/759940

[2] https://security-tracker.debian.org/tracker/CVE-2026-39820

(From OE-Core rev: f694d6cdd10c38a482d8c2a90f84c96da817ea51)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) f195e84050 go: patch CVE-2026-39819
Backport patch from [1]

[1] https://go.dev/cl/763882

(From OE-Core rev: 791de4922a5b342e3227713b053709a00400e1b5)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 6394046b02 go: patch CVE-2026-39817
Backport patch from [1] mentioned in [2]

[1] https://go.dev/cl/767520

[2] https://security-tracker.debian.org/tracker/CVE-2026-39817

(From OE-Core rev: f88c0ff79cf5838f8d0c31ecacc35faf56059d03)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d5108e0975 go: patch CVE-2026-33811
Backport patch from [1]

[1] https://go.dev/cl/767860

(From OE-Core rev: e4137b29d7b3218ceef9973d57c179e5e2771a68)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) b7967ae307 go: patch CVE-2026-32289
Backport patch from [1]

[1] https://go.dev/cl/763762

(From OE-Core rev: d0469c3a9d62a2ab3d6baef92e578f247d68318b)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d10a96fbd0 go: patch CVE-2026-32283
Backport patch from [1]

[1] https://go.dev/cl/763767

(From OE-Core rev: bfba1601c099d7b68c4d9fcf07617d8310d4af66)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) 4c319bd87f go: patch CVE-2026-32280
Backport patch from [1]

[1] https://go.dev/cl/758320

(From OE-Core rev: e52259f1d09c722390b49adf3d4e3d863fbde7e8)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric) d942ca707b go: patch CVE-2026-27142
Backport patch from [1]

[1] https://go.dev/cl/752081

(From OE-Core rev: c6730245b14c094e3b210af785cda7caf4468163)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Hugo SIMELIERE (Schneider Electric) 83670737fd util-linux: Fix CVE-2026-27456
Pick patch from [1] as 2.39.x upstream backport of [2] mentioned in Debian report in [3].

[1] https://github.com/util-linux/util-linux/commit/79164668a412b71fcb1495c7d299cc5e9741fa30
[2] https://github.com/util-linux/util-linux/commit/0ba0f14caa812349424df0da00ac2d97fee9d972
[3] https://security-tracker.debian.org/tracker/CVE-2026-27456

(From OE-Core rev: 9da42b7e29d39a2650d146d9e4a1ffcdb8c1f1ca)

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Hugo SIMELIERE (Schneider Electric) 7204e2e6d6 xz: Fix CVE-2026-34743
Pick patch from [1] as 5.4.x upstream backport of [2] mentioned in Debian report in [3].

[1] https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32
[2] https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87
[3] https://security-tracker.debian.org/tracker/CVE-2026-34743

(From OE-Core rev: 3e239f3c7ff23694741c65cf8444215e3659d690)

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Hugo SIMELIERE (Schneider Electric) 44baf9a477 busybox: Fix CVE-2026-29004
Pick patches from [1] and [2] as mentioned in Debian report in [3].

[1] https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a
[2] https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409
[3] https://security-tracker.debian.org/tracker/CVE-2026-29004

(From OE-Core rev: ce830d67be738ffad413c15fbb6672d9c3a6edef)

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Zahir Hussain bc8fc54f18 libpng: Fix CVE-2026-33416
Backport fixes for CVE-2026-33416

Backport patches from security debian tracker [1] also mentioned at NVD Report [2]

[1] https://security-tracker.debian.org/tracker/CVE-2026-33416
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-33416

Add below patches to fix the CVE:

CVE-2026-33416-01.patch
CVE-2026-33416-02.patch
CVE-2026-33416-03.patch
CVE-2026-33416-04.patch

(From OE-Core rev: 2bf388381ae3de76db288a859040c1130786d41b)

Signed-off-by: Sourav Kumar Pramanik <souravkumar.pramanik@bmwtechworks.in>
Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:18 +01:00
Richard Purdie b56134ff90 pseudo: Upgrade 1.9.6 -> 1.9.7
Pulls in fixes to rename/renameat/renameat2:

Changqing Li (1):
  renameat2/renameat: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS

Mark Hatle (4):
  run_tests.sh: Allow the user to specify specific tests to run
  tests: Add mv then hardlink testing
  rename: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS
  Makefile.in: Bump version to 1.9.7

(From OE-Core rev: e2864ea1ac022e43af92badc701fa1e2a9571f46)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 17567738711d525d9f2b85e54ace2048901e4c34)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Richard Purdie ef43a8a49a pseudo: Update 1.9.5 -> 1.9.6
Pulls in the changes:

  * Makefile.in: Bump version to 1.9.6
  * pseudo_util.c: Fix symlink processing for symlinkat and related
  * test: Add test symlinkat and related
  * ports/unix: realpath: Fix chroot processing
  * test: Add test cases for canonicalize functions
  * ports/unix: fts_open: Fix chroot behavior
  * ports/unix: fts_*: Certain functions were incorrectly returning stat data
  * test: Add fts test case
  * test: Add test for linkat chroot path stripping
  * linkat: Avoid a segmentation fault
  * Only copy xattrs on a rename if it's cross-filesystem

(From OE-Core rev: 1414f3513099a9a956ec4f602354aa00008e2aff)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50e769a598e79ed4600f7362d5f40799a48f9273)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Richard Purdie 1c69324f39 pseudo: Upgrade to 1.9.5
This adds a wrapper for the __open_2 function

This was breaking shadow and the real reason for the open() call changes.
Add the missing wrapper to properly fix this.

(From OE-Core rev: 876e6497f3323d74d9ac8ce303ed5165a7fda283)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8ea63d320aba32d3894cace9e71e850bdff1d6b2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Richard Purdie 920a6803d5 pseudo: Upgrade to 1.9.4
Update to pull in a full openat2 wrapper which works on Fedora 44.

This update includes the commits:
  * Makefile.in: Bump version to 1.9.4
  * test: Add renameat2 test cases
  * test: Add openat2 test cases
  * makewrappers/openat2: Add preserve_path option
  * openat2: Implement openat2 wrapper
  * ports/linux/guts/renameat2.c: Add comment why this isn't implemented
  * Add b4 configuration
  * pseudo_setupenvp: Handle malloc failure safely
  * pseudo_setupenvp: Allocate space for new env vars if needed

(From OE-Core rev: 9075b66e1f9161407056924954b3d5507f6d8384)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b2bd1d114fafe1e797149e02e4c08194d529cfde)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Ankur Tyagi e1a33a3bf6 tzdata/tzcode-native: upgrade 2026a -> 2026b
The 2026b release contains the following changes:

Briefly:
    British Columbia moved to permanent -07 on 2026-03-09.
    Some more overflow bugs have been fixed in zic.

Changes to future timestamps

    British Columbia’s 2026-03-08 spring forward was its last
    foreseeable clock change, as it moved to permanent -07 thereafter.
    (Thanks to Arthur David Olson.)  Although the change to permanent
    -07 legally took place on 2026-03-09, temporarily model the change
    to occur on 2026-11-01 at 02:00 instead.  This works around a
    limitation in CLDR v48.2 (2026-03-17).  This temporary hack is
    planned to be removed after CLDR is fixed.

Changes to code

    zic no longer mishandles a last transition to a new time type.
    zic no longer overflows a buffer when generating a TZ string like
    "PST-167:59:58PDT-167:59:59,M11.5.6/-167:59:59,M12.5.6/-167:59:59",
    which can occur with adversarial input.  (Thanks to Naveed Khan.)

    zic no longer generates a longer TZif file than necessary when
    an earlier time zone abbreviation is a suffix of a later one.
    As a nice side effect, zic no longer overflows a buffer when given
    a long series of abbreviations, each a suffix of the next.
    (Buffer overflow reported by Arthur Chan.)

    zic no longer overflows an int when processing input like ‘Zone
    Ouch 2147483648:00:00 - LMT’.  The int overflow can lead to buffer
    overflow in adversarial cases.  (Thanks to Naveed Khan.)

    zic now checks for signals more often.

(From OE-Core rev: 37dab321242e06d2940c4221e4a13e68265d696f)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit dda7d55396e0c5258cba58af7e990ab3813bf108)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Yoann Congal ec940f36ea linux-yocto/6.6: update CVE exclusions (6.6.127)
Regenerated to fix this warning:
WARNING: linux-yocto-6.6.127+git-r0 do_cve_check: Kernel CVE status needs updating: generated for 6.6.123 but kernel is 6.6.127

$ ./meta/recipes-kernel/linux/generate-cve-exclusions.py .../cvelistV5/ 6.6.127 > meta/recipes-kernel/linux/cve-exclusion_6.6.inc

Generated at 2026-05-27 12:02:49.732909+00:00 for kernel version 6.6.127
From cvelistV5 cve_2026-05-27_0900Z

(From OE-Core rev: d0d02d0f45b4c5108ae648fb16d2a2a0dc1ae0e7)

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Ross Burton 48c16cfa28 classes/base: prefer gnu-prefixed HOSTTOOLS
Ubuntu 25.10 has changed the default coreutils implementation from GNU
coreutils to uutils/coreutils. Unfortunately this causes build problems:

  couldn't allocate absolute path for 'null'.
  tail: cannot open 'standard input' for reading: No such file or directory
  install: failed to chown '...': Invalid argument (os error 22)

Clear build failures happen in 'install' and 'tail', but there may be
further breakage.

Luckily, Ubuntu also installs GNU coreutils with a binary prefix of
'gnu', so whilst these issues are root-caused and fixed in either pseudo
or uutils we can prefer the gnu-prefixed binaries where they are present.

[ YOCTO #16028 ]

(From OE-Core rev: b797cc729f6e6951baa988e1c04bac9fb8183a1c)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 16f2684ebeffa72b5d90525cf9102751b68c298e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Hugo SIMELIERE (Schneider Electric) 5bfb71633f libarchive: Fix CVE-2026-4424
Pick patches from [1] and [2] as mentioned in Debian report in [3].

[1] https://github.com/libarchive/libarchive/commit/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375
[2] https://github.com/libarchive/libarchive/commit/e1907c5832b6489c7b4198b0825f857c93a03c10
[3] https://security-tracker.debian.org/tracker/CVE-2026-4424

(From OE-Core rev: 7fa280872275e194152cc2d355ad39c81a477d50)

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Theo Gaige (Schneider Electric) 0c7beb2bd7 openssh: patch CVE-2026-35388
Backport patch from [1] matching CVE description in [2] and change described
in release note [3].

[1] https://github.com/openssh/openssh-portable/commit/c805b97b67c774e0bf922ffb29dfbcda9d7b5add

[2] https://security-tracker.debian.org/tracker/CVE-2026-35388

[3] https://www.openssh.org/releasenotes.html#10.3p1

(From OE-Core rev: f8786d027cdf04072fb5f716135127c334dbea6e)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Theo Gaige (Schneider Electric) 473edc73e6 openssh: patch CVE-2026-35387
Backport patch from [1] matching CVE description in [2] and change described
in release note [3].

[1] https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa

[2] https://security-tracker.debian.org/tracker/CVE-2026-35387

[3] https://www.openssh.org/releasenotes.html#10.3p1

(From OE-Core rev: c8fb33de27b9e2be5aeaa4178ddc7b6e724f45ee)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Theo Gaige (Schneider Electric) e0f9a13f5f openssh: patch CVE-2026-35385
Backport patch from [1] matching CVE description in [2] and change described
in release note [3].

[1] https://github.com/openssh/openssh-portable/commit/487e8ac146f7d6616f65c125d5edb210519b833a

[2] https://security-tracker.debian.org/tracker/CVE-2026-35385

[3] https://www.openssh.org/releasenotes.html#10.3p1

(From OE-Core rev: 8a5742fdc3d60e8ab0da2e1f1401995105b742b9)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Guðni Már Gilbert 8457a5d3d9 gnupg: upgrade 2.4.8 -> 2.4.9
Drop one patch since change is included in the release.

Upgrade was performed using devtool

Full changelog:
https://github.com/gpg/gnupg/compare/gnupg-2.4.8...gnupg-2.4.9

Noteworthy changes in version 2.4.9 (2025-12-30)
------------------------------------------------
  * gpg: Fix possible memory corruption in the armor parser.  [T7906]
  * gpg: Avoid potential downgrade to SHA1 in 3rd party key
    signatures.  [rGddb012be7f]
  * gpg: Error out on unverified output for non-detached signatures.
    [rG9d302f978b]
  * gpg: Do not allow compressed key packets on import.  [T7014]
  * scd: Fix a harmless read buffer over-read in a function used by
    PKCS#15 cards.  [T7662]
  * dirmngr: Do not require a keyserver for "gpg --fetch-key".
    [T7693]
  * agent: Fix ssh-agent's request_identities for skipped Brainpool
    keys.  [rG6bf5696c85]

  Release-info: https://dev.gnupg.org/T8001

(From OE-Core rev: 5eb2cd21ac86805f5f90ea149da7de6e41342299)

Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Ross Burton 4e2dac74d5 perl: link to the system zlib instead of a vendored copy
The perl module Compress-Raw-Zlib defaults to using a vendored copy of
the zlib sources which has a number of CVEs.  A newer version of perl
updates this to zlib 1.3.2 to resolve them, but we should be linking to
our zlib recipe instead of the vendored code.

This mitigates CVE-2026-4176 so mark it as not appropriate.

(From OE-Core rev: 6e83e5520f415fc6ca9029a8aaa0af31cd832a90)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Hitendra Prajapati b233e7b40f libexif: fix for CVE-2026-40385, CVE-2026-40386
Pick patch from [1] & [2] also mentioned at Debian report in [3] & [4]

[1] https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58
[2] https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-40385
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-40386

(From OE-Core rev: 9175f776404a1f4536e0320495c446e80a281172)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Hitendra Prajapati 175a1d0fe3 libexif: fix for CVE-2026-32775
Pick patch from [1] also mentioned at NVD report in [2]

[1] https://github.com/libexif/libexif/commit/7df372e9d31d7c993a22b913c813a5f7ec4f3692
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-32775
[3] https://security-tracker.debian.org/tracker/CVE-2026-32775

(From OE-Core rev: b825582edd8b05be2d3c5ca48d6d7c620628d69b)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Benjamin Robin (Schneider Electric) 6acd7c46b5 lz4: Remove a reference to the rejected CVE-2025-62813
The CVE-2025-62813 is rejected so do not reference it anymore.
So keep the patch but without referencing the CVE identifier.

The CVE database indicates the following reason:
  This candidate was withdrawn by its CNA. Further investigation
  showed that it was not a security issue.

(From OE-Core rev: 99706716626324605c049a9130f705f2090a9f91)

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9c840a69b62a5fdffb3679a44d68dd5630b2916c)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Mathieu Dubois-Briand f4122d12cf oeqa: runtime: go: Increase test_go_compile/test_go_module timeout
These tests tend to take a bit of time, and this is probably why they
have been seen failing a few times in the past months. Raising the
timeout from 5 to 10 minutes appears to help.

Fixes [YOCTO #15999]

(From OE-Core rev: c8a94dfc3a21403e8202a4adddbae9f3bd4a4549)

Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 998ebfc77db4c8d7567d82560595e0994a310ae0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00