apr is tracked in NVD under apache:portable_runtime rather than the
recipe name apr. Set CVE_PRODUCT accordingly so cve-check uses the
correct NVD product identity for APR.
No additional alias was found to be necessary for this recipe.
(From OE-Core rev: d93c564790a51b53347bde257151c778e8867624)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit bc3803e12d4938e2de514c39bd5d0f011f883ace)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
apr-util is tracked in NVD under apache:apr-util, while a smaller set
of newer CVEs also appears under apache:portable_runtime_utility.
Set CVE_PRODUCT accordingly so cve-check can cover both the historical
and current NVD product identities used for APR-util.
(From OE-Core rev: 3a157840148e14ec9019a008ab94e7f708baac05)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit 927b505c982ed7443aed348ca54b0073ac63d938)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Back in 2015 [1] I fixed the libdir passed to the postinst intercept, but
I forgot to also update the postrm intercept. This should also be
libdir_native, not libdir.
[ YOCTO #13896 ]
[1] oe-core 0fe8400717 ("gtk-icon-cache: pass the native libdir to the intercept")
(From OE-Core rev: cd46a25fa3f7ffe5518c7c95f280a7760455aac8)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 92dd67114be325e019c149bddaf5f874f6917094)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
We have a custom TestResult implementation, and Python 3.12 added a new
method addDuration() to the TestResult interface. This would be useful
to implement correctly, but for now stub it out to silence the warning
when running under Python 3.12:
/usr/lib64/python3.12/unittest/case.py:580: RuntimeWarning: TestResult has no addDuration method
warnings.warn("TestResult has no addDuration method",
(From OE-Core rev: 9105e2bbf3245bfa02d2f4c55a010a7d2c3da6c2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2d6fff81b34476b890f6943997615fbf8d3d133f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
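The stub described in the commit above, as an added example that is not OE-Core's code: LegacyResult and StubbedResult are constructed stand-ins for a hand-rolled result class (oeqa's own class is not reproduced), and run_under drives each with a one-test suite while recording the RuntimeWarning that Python 3.12's runner emits when addDuration() is missing.

```python
import sys
import unittest
import warnings


class LegacyResult:
    """Constructed stand-in for a hand-rolled result class from before
    Python 3.12: the callbacks unittest called back then, no addDuration().
    It is not a unittest.TestResult subclass (3.12's has addDuration())."""

    def __init__(self):
        self.passed, self.problems = [], []
        self.shouldStop = False  # TestSuite.run() polls this attribute

    def startTest(self, test):
        pass

    def stopTest(self, test):
        pass

    def addSuccess(self, test):
        self.passed.append(test.id())

    def addError(self, test, err):
        self.problems.append((test.id(), err))

    addFailure = addError


class StubbedResult(LegacyResult):
    """Same result with the 3.12 hook stubbed out, as the commit does.
    TestCase.run() on 3.12+ calls result.addDuration(test, elapsed) after each
    test and warns "TestResult has no addDuration method" if it cannot."""

    def addDuration(self, test, elapsed):
        pass  # accepted and discarded: pre-3.12 behaviour, warning gone


class _Probe(unittest.TestCase):  # constructed: only drives the result object
    def test_ok(self):
        self.assertTrue(True)


def run_under(result_cls):
    """Run _Probe with result_cls(); return (tests passed, number of
    'addDuration' RuntimeWarnings the unittest machinery emitted)."""
    result = result_cls()
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(_Probe)
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        suite.run(result)
    hits = [w for w in caught if issubclass(w.category, RuntimeWarning)
            and "addDuration" in str(w.message)]
    return len(result.passed), len(hits)


def warning_expected():
    """True on interpreters that call addDuration() (Python 3.12 and later)."""
    return sys.version_info >= (3, 12)
```

On 3.12 or newer, run_under(LegacyResult) reports one warning and run_under(StubbedResult) none; on older interpreters neither warns, because addDuration() is never called there.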
On Ubuntu 26.04, gcc 15.2 defaults to --std=gnu23 in which static_assert
is a keyword, and not a macro to define like with older GCC. This makes
MIPS64 code in gdb fail to compile with:
| In file included from ../../gdb-14.2/opcodes/mips16-opc.c:25:
| ../../gdb-14.2/opcodes/mips16-opc.c: In function ‘decode_mips16_operand’:
| ../../gdb-14.2/opcodes/mips-formats.h:86:7: error: expected identifier or ‘(’ before ‘static_assert’
| 86 | static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
| | ^~~~~~~~~~~~~
| ../../gdb-14.2/opcodes/mips16-opc.c:52:15: note: in expansion of macro ‘MAPPED_REG’
| 52 | case '.': MAPPED_REG (0, 0, GP, reg_0_map);
| | ^~~~~~~~~~
(From OE-Core rev: 92a57b28a4e8e4fe917e4aa3d58079257ee9a41f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Release information [1]:
OpenSSL 3.5.7 is a security patch release. The most severe CVE fixed in this release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)
* Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)
* Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)
* Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)
* Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)
* Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)
* Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)
* Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)
* Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)
* Fixed possible NULL dereference in password-based CMS decryption. (CVE-2026-42766)
* Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767)
* Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)
* Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)
* Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)
* Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)
Refreshed patches.
Installed new test files to pass ptests.
[1] https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-356-and-openssl-357-9-jun-2026
(From OE-Core rev: ed3353c07f6a8a6e55d244c0039e37fb62c81712)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 9365ac47f994a7d6be92b8c011c51ecf48e8ef87)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This patch applies the upstream v11.0.0-rc2 backport for
CVE-2024-6519. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2]. The individual
backported commit link is recorded in the embedded patch header.
[1] 4862d2c951
[2] https://security-tracker.debian.org/tracker/CVE-2024-6519
(From OE-Core rev: bb5a1f9c6562038d422ea0efd4e975737c9374c3)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This patch applies the upstream fix [1], as referenced in [2],
to address insufficient validation in `url.Parse`.
Debian marks older Go branches as not affected because the vulnerable
parseHost surface was introduced by the earlier CVE-2025-47912 fix.
This Scarthgap recipe already carries CVE-2025-47912.patch, so the
fix is applicable to the patched Go 1.22.12 source used here.
[1] d8174a9500
[2] https://security-tracker.debian.org/tracker/CVE-2026-25679
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-25679
(From OE-Core rev: 913b9dc19ea14edbbaf4b7a677507949e454e685)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
CVE-2026-35386 is already fixed by the existing CVE-2025-61984 backport.
Rename CVE-2025-61984.patch to CVE-2025-61984_CVE-2026-35386.patch and
add the second CVE tag to document that one patch covers both CVEs.
https://nvd.nist.gov/vuln/detail/CVE-2026-35386
(From OE-Core rev: 36ee08f01311253bca4c4f8387446d35a55cc840)
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Changelog:
Makefile.in: Bump to 1.9.8
pseudo_client.h: Fix typo in the comment
client: permissions drop setuid and setgid
tests: Add setuid permission check
pseudo_client.h: Add +s to PSEUDO_DB_MODE for mkdir
tests: Add test that returned stat is correct
pseudo_client.h: Make it clear both macros must be updated together
Makefile.in: Add pseudo_client.h as a dependency
(From OE-Core rev: d716fe7e4f1dd2156be8773408611bb979a94d5d)
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fa302de94c7da77a49ca0701580467ebaa8eda18)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Add the following to the variable glossary LICENSE entry:
- it is a required variable in an OE recipe
- it must be accompanied by LIC_FILES_CHKSUM, except in the
case where LICENSE = "CLOSED"
(From yocto-docs rev: 1b819d324780a699d9307a2d4e68c69b576ab748)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a75f75fe86c339246b94b78c593c54647a75ba6a)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Add an explanation of the RM_WORK_EXCLUDE_ITEMS variable to both the
Reference Manual variables and classes sections.
(From yocto-docs rev: fa007992c5df04e51de4fbd8edbcf29583cb49f0)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 62c96090be7aeffe7010b70e8dfd5166e506140f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Warn the developer that if they need to set "PACKAGE_ARCH" in a
custom packagegroup file, that setting must precede the "inherit
packagegroup" line in the packagegroup recipe file.
(From yocto-docs rev: 9d84e1ccddb2cf17641447721cd2b0b524ef872f)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 98a14fe885370d52a6f46e940834c725bad6933d)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Correct the opening sentence of the Init Manager section to clarify
that SysVinit is the default init manager if one is using the Poky
distro.
(From yocto-docs rev: 16e6447ab91b53fed78128dc4d000bc8c086a221)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit d467da2ccb5a78ac6a5ca9d976a435b4d4e0e270)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The code snippet for listing AUTOREV-enabled recipes needs updating
since it now inherits the "poky-bleeding" class file.
(From yocto-docs rev: f4db42b820d489cb20d5b306f66a4f244fdc9338)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit fcf87058a1e6ef77904d74128574028660d5a4ab)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
As the last kernel release under LTSI (Long-Term Support Initiative)
was back in 2018, remove references to it.
(From yocto-docs rev: dcd16f58847b9d6bb593e0ae934c4055a6468b02)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b2063f6bb4c80e533a11de87d0daddf54e16cd2b)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The current (abridged) SOLIBS-related variables were not included in
their entirety, so add the missing content.
(From yocto-docs rev: 9ff28bf8ef2c1d184b1e7b00287749b54f006734)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 6098e0887161ffda87e62dd460702197269d5982)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Add the missing word "with."
(From yocto-docs rev: f67b98070a069eebfe9826467fc681c6ddc3f68c)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b2820e987abc15b474152e51cd76e9bf30660a69)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The machine include file "x86-base.inc" no longer includes the line
setting the PREFERRED VERSION -- that setting was removed in commit
298fa078fab58b64246376ffd70ad6a0c7589876 on Oct 1, 2023:
qemux86/qemuarm: Drop kernel version overrides
Drop the version overrides for the kernel for the x86 and arm machines
so we can go back to following the distro versions. The reasons for
these versions is mostly historical at this point as the issues were
resolved.
(From yocto-docs rev: 5185c770c30f1041ae1f14290e75f5cc8cfe690d)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a70ce32d8e314afa833079e17757dc9b19590c56)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
As an accompaniment to earlier commit
0d05dedd62a6d4c726f120a23654ede1f0b23d8e, correct that the
PACKAGE_EXCLUDE variable supports the DEB packaging backend.
(From yocto-docs rev: 7cb1b61247852c0693950f034aa88dcd6dc3accd)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 195fc0981996998ba2939bb9ce8770f396e5f438)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
It's not currently possible to set the build tree to be somewhere we
control, but we know it will always be in the build directory alongside
the pyproject.toml so we can [cleandirs] that.
MJ: this was later reverted in a532cb50151d773c1c351ffccf4d47a37f26f8aa:
This is not needed: setuptools.build_meta does the build under a new
temporary directory.
but the builds in scarthgap aren't using new temporary directory yet,
so this is still useful there:
Just rebuilding python3-tqdm in the same TMPDIR after cherry-picking this:
$ buildhistory-diff -p buildhistory build-minus-1 | grep PKGSIZE
python3-tqdm/python3-tqdm: PKGSIZE changed from 3309408 to 426880 (-87%)
$ wc -l python3-tqdm/4.66.3*/image/usr/lib/python3.12/site-packages/tqdm-4.66.3.dist-info/RECORD
297 python3-tqdm/4.66.3-old/image/usr/lib/python3.12/site-packages/tqdm-4.66.3.dist-info/RECORD
41 python3-tqdm/4.66.3/image/usr/lib/python3.12/site-packages/tqdm-4.66.3.dist-info/RECORD
(From OE-Core rev: d4950d6df0867dcd5c380d83ac4d138ec968e698)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
(cherry picked from commit 383862cfe4c5acf04124080827c8bc6d00b2e86d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
It's not currently possible to set the build tree to be somewhere we
control, but we know it will always be in the build directory alongside
the setup.py so we can [cleandirs] that.
MJ: helps with build/lib directory being added when a recipe is rebuilt
in the same WORKDIR multiple times, e.g.:
Just rebuilding python3-tqdm in the same TMPDIR after cherry-picking this:
$ buildhistory-diff -p buildhistory build-minus-1 | grep PKGSIZE
python3-google-auth/python3-google-auth: PKGSIZE changed from 11752510 to 1315694 (-89%)
python3-googleapis-common-protos/python3-googleapis-common-protos: PKGSIZE changed from 7108856 to 794024 (-89%)
$ wc -l python3-google-auth/2.29.0*/image/usr/lib/python3.12/site-packages/google_auth-2.29.0.dist-info/RECORD
554 python3-google-auth/2.29.0-old/image/usr/lib/python3.12/site-packages/google_auth-2.29.0.dist-info/RECORD
66 python3-google-auth/2.29.0/image/usr/lib/python3.12/site-packages/google_auth-2.29.0.dist-info/RECORD
$ wc -l python3-googleapis-common-protos/1.63.0*/image/usr/lib/python3.12/site-packages/googleapis_common_protos-1.63.0.dist-info/RECORD
1166 python3-googleapis-common-protos/1.63.0-old/image/usr/lib/python3.12/site-packages/googleapis_common_protos-1.63.0.dist-info/RECORD
134 python3-googleapis-common-protos/1.63.0/image/usr/lib/python3.12/site-packages/googleapis_common_protos-1.63.0.dist-info/RECORD
(From OE-Core rev: a0151ab56cf3fcaa6587e240b5454fed5315a534)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
(cherry picked from commit f3854f4f60801e3b6788bee3a0a1850fc498d536)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
We do builds in a separate directory in this class, so add it to cleandirs
to ensure that it is empty.
(From OE-Core rev: 9a32956dd5dcbcc380780bc25e4303280f2ca9f9)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2575adeceedae72f6359c0a35ec5c5325a4ec363)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
With the current solution, using a separate task
(do_create_kernel_config_spdx) there is a dependency issue. Sometimes
the final rootfs SBOM does not contain the CONFIG_ values.
do_create_kernel_config_spdx is executed after do_create_spdx which
deploys the SPDX file. do_create_kernel_config_spdx calls
oe.sbom30.find_root_obj_in_jsonld to read from the deploy directory,
which is OK, but the do_create_kernel_config_spdx ends up writing to
this deployed file (updating it).
do_create_rootfs_spdx has an explicit dependency on all do_create_spdx
tasks, but there is nothing that prevents executing
do_create_kernel_config_spdx after do_create_rootfs_spdx.
To fix it, instead, now read from the workdir, and write to the
workdir, and do the processing from the do_create_spdx task:
we append to the do_create_spdx task.
Furthermore, update oeqa selftest to execute do_create_spdx instead
of the removed function.
Also, only execute this task if create-spdx-3.0 was inherited;
previously this code could be executed if create-spdx-2.2 is
inherited.
(cherry picked from commit 8417f4a186e78a9d309541f5d0e711178bb80488)
Fixes: 1fff29a04287 ("kernel.bbclass: Add task to export kernel configuration to SPDX")
(From OE-Core rev: 22e8bc2bcfe762c83c00b73a33384e63548e82c0)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
CVE-2021-36217 is rejected, and should no longer be referenced.
CVE-2021-36217 is a duplicate of CVE-2021-3502 which is already
referenced in the local-ping.patch.
The CVE database indicates the following reason:
ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of
CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502
instead of this candidate. All references and descriptions in this
candidate have been removed to prevent accidental usage.
(cherry picked from commit bf41240132e2efa6b46aab46290eed9c53e312e9)
(From OE-Core rev: 128af716be75ec76203f1d34a8448741e6573d9e)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>