Commit Graph

9631 Commits

Adarsh Jagadish Kamini
c0d690e103 python3: CVE-2026-3087 not applicable
CVE link: https://nvd.nist.gov/vuln/detail/CVE-2026-3087

The CVE is only applicable to Windows OS

(From OE-Core rev: 96efecfbb2d1eaa24e1c96fbd6593a7087464844)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Yoann Congal
7a90e7adfb gdb: backport a patch to fix static_assert in recent GCC
On Ubuntu 26.04, gcc 15.2 defaults to --std=gnu23, in which static_assert
is a keyword and not a macro to define as with older GCC. This makes
MIPS64 code in gdb fail to compile with:
| In file included from ../../gdb-14.2/opcodes/mips16-opc.c:25:
| ../../gdb-14.2/opcodes/mips16-opc.c: In function ‘decode_mips16_operand’:
| ../../gdb-14.2/opcodes/mips-formats.h:86:7: error: expected identifier or ‘(’ before ‘static_assert’
|    86 |       static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
|       |       ^~~~~~~~~~~~~
| ../../gdb-14.2/opcodes/mips16-opc.c:52:15: note: in expansion of macro ‘MAPPED_REG’
|    52 |     case '.': MAPPED_REG (0, 0, GP, reg_0_map);
|       |               ^~~~~~~~~~

(From OE-Core rev: 92a57b28a4e8e4fe917e4aa3d58079257ee9a41f)

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Shubham Pushpkar
09f201c834 dpkg: Fix CVE-2026-2219
This patch applies the upstream fix as referenced in [2], using the
commit shown in [1].

[1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-2219

(From OE-Core rev: 66055d7f179d0d838c2139d9d2399a968c6f6529)

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Deepak Rathore
b04b16e965 qemu: Fix CVE-2024-6519
This patch applies the upstream v11.0.0-rc2 backport for
CVE-2024-6519. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2]. The individual
backported commit link is recorded in the embedded patch header.

[1] 4862d2c951
[2] https://security-tracker.debian.org/tracker/CVE-2024-6519

(From OE-Core rev: bb5a1f9c6562038d422ea0efd4e975737c9374c3)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
e61bf028a6 python3: Fix CVE-2025-13462
Apply the upstream v3.12 fix [1], aligned with the original v3.13 fix [2],
to address incorrect tarfile handling where GNU long name follow-up headers
could be normalized as directories, as referenced in [3].

[1] d10950739a
[2] ae99fe3a33
[3] https://security-tracker.debian.org/tracker/CVE-2025-13462

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-13462

(From OE-Core rev: 0b990a354ef858d903d4bed937b1233537c2c478)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
7731db5592 python3: Fix CVE-2026-6019
This patch applies the upstream fix [1] and follow-up fix [2], as
referenced in [3] and [4], to address an http.cookies.Morsel.js_output()
flaw where inline JavaScript output escaped quotes but did not neutralize
the HTML parser-sensitive </script> sequence.

[1] 3c59b8b53f
[2] e7d4c3ff42
[3] https://github.com/python/cpython/issues/149144
[4] https://security-tracker.debian.org/tracker/CVE-2026-6019

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-6019

(From OE-Core rev: e17af14ae72e21f7f63407ba5c88da160c73bea9)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
1401e6e003 python3: Fix CVE-2026-4519 and CVE-2026-4786
Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].

CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.

[1] cbba611939
[2] ceac1efc66
[3] 96fc504860
[4] f4654824ae
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786

References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786

(From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
703b680089 python3: Fix CVE-2026-3644 and CVE-2026-0672
Apply the upstream v3.13 fix [1], as referenced in [2], to address
CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(),
the |= operator, and unpickling paths.

CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as
Morsel.update(), |=, and unpickling could bypass input validation. The fix
also adds output validation to BaseCookie.js_output(), matching the
control-character safeguards already present in BaseCookie.output().

[1] d16ecc6c36
[2] https://security-tracker.debian.org/tracker/CVE-2026-3644

References:
https://security-tracker.debian.org/tracker/CVE-2026-3644
https://security-tracker.debian.org/tracker/CVE-2026-0672
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
https://nvd.nist.gov/vuln/detail/CVE-2026-0672

(From OE-Core rev: ac763f139ba7f836d0fa9377295ef7d3b10f2238)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Deepak Rathore
327a87fffb binutils: Fix CVE-2025-69644
This patch updates the existing CVE-2025-69647 backport metadata for
CVE-2025-69644. NVD records for CVE-2025-69644 and CVE-2025-69647
reference the same upstream binutils fix commit [1], and the public
CVE advisories are referenced in [2] and [3].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-69644
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-69647

(From OE-Core rev: 267ff299a6fe6f65e0dd86f5e59bb013921526ce)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
7d782f3ed0 go: fix CVE-2026-32288
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded sparse map handling in `archive/tar`.

[1] 82b0cdb741
[2] https://security-tracker.debian.org/tracker/CVE-2026-32288

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-32288

(From OE-Core rev: 775c3af36899eebe5612844accdfd2a8a2a9327a)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
3401fba731 go: fix CVE-2026-25679
This patch applies the upstream fix [1], as referenced in [2],
to address insufficient validation in `url.Parse`.

Debian marks older Go branches as not affected because the vulnerable
parseHost surface was introduced by the earlier CVE-2025-47912 fix.
This Scarthgap recipe already carries CVE-2025-47912.patch, so the
fix is applicable to the patched Go 1.22.12 source used here.

[1] d8174a9500
[2] https://security-tracker.debian.org/tracker/CVE-2026-25679

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-25679

(From OE-Core rev: 913b9dc19ea14edbbaf4b7a677507949e454e685)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare
b1af4c89b0 go: fix CVE-2025-58183
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded memory consumption when reading GNU tar pax
1.0 sparse file regions in archive/tar.

[1] 613e746327
[2] https://security-tracker.debian.org/tracker/CVE-2025-58183

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-58183

(From OE-Core rev: e0285488a93cf3b369ad7424d55938791f57174f)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Mark Hatle
3f378fc245 pseudo: Update to version 1.9.8
Changelog:
    Makefile.in: Bump to 1.9.8
    pseudo_client.h: Fix typo in the comment
    client: permissions drop setuid and setgid
    tests: Add setuid permission check
    pseudo_client.h: Add +s to PSEUDO_DB_MODE for mkdir
    tests: Add test that returned stat is correct
    pseudo_client.h: Make it clear both macros must be updated together
    Makefile.in: Add pseudo_client.h as a dependency

(From OE-Core rev: d716fe7e4f1dd2156be8773408611bb979a94d5d)

Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fa302de94c7da77a49ca0701580467ebaa8eda18)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Hitendra Prajapati
0c205679dd python3: fix CVE-2026-6100
Pick patch from [1], also mentioned in the NVD report in [2]

[1] c3cf71c336
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-6100
[3] https://security-tracker.debian.org/tracker/CVE-2026-6100

(From OE-Core rev: 0bc9ba624b2fbeff3bf7e2ee4d2858b9c702fca1)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati
d30ed7ed1b python3: fix for CVE-2026-1502
Pick patch from [1], also mentioned in the NVD report in [2]

[1] 05ed7ce7ae
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-1502
[3] https://security-tracker.debian.org/tracker/CVE-2026-1502

(From OE-Core rev: fe96d5bee9c45344e98cda9bac85c9bd853d5a7e)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati
34cf18e8c1 libxml-parser-perl: fix for CVE-2006-10003
Pick patch from [1].

[1] https://security-tracker.debian.org/tracker/CVE-2006-10003

More details:
https://nvd.nist.gov/vuln/detail/CVE-2006-10003

(From OE-Core rev: 2abf26e7551a8a306d6aaabc9653f655f66b15a1)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati
d8f806b3c6 qemu: fix for CVE-2025-11234
This patch fixes a use-after-free in the websocket handshake code.

Backport patch from Debian; refer to:
https://security-tracker.debian.org/tracker/CVE-2025-11234

(From OE-Core rev: f8e3cdf31d6d613e54fe2ffaee875811c52754f5)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Hitendra Prajapati
1e7d50296e go 1.22.12: fix CVE-2026-27143, CVE-2026-27144
Pick patches from [1] &amp; [2], also mentioned in the Debian reports in [3] &amp; [4]

[1] 7d2dd3488c
[2] 72cc33629a
[3] https://security-tracker.debian.org/tracker/CVE-2026-27143
[4] https://security-tracker.debian.org/tracker/CVE-2026-27144

(From OE-Core rev: c4273fecc42ab643eea036651c79d968f0caaafd)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Hitendra Prajapati
2abc87a006 go 1.22.12: fix CVE-2026-27140
Pick patch from [1], also mentioned in the Debian report in [2]

[1] abaa0cbb25
[2] https://security-tracker.debian.org/tracker/CVE-2026-27140
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140

(From OE-Core rev: b0048d8bc8134c445a3352bfb631d41319a75331)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:07 +01:00
Theo Gaige (Schneider Electric)
7842ddc5b2 go: patch CVE-2026-42507
Backport patch from [1]

[1] https://go.dev/cl/777060

(From OE-Core rev: dfcc700ab9e1785a7ac09fafa8732d513202c70b)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
c0b84584be go: patch CVE-2026-42504
Backport patch from [1]

[1] https://go.dev/cl/774481

(From OE-Core rev: 1556a34831b2d96c8a7862493494f3b9fa10d4a9)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
33b725d19b go: patch CVE-2026-42501
Backport patch from [1]

[1] https://go.dev/cl/775321

(From OE-Core rev: c9cc7872b9ecb426e9cd5921e0bbc175f600964a)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
d896bb9ee4 go: patch CVE-2026-42499
Backport patch from [1]

[1] https://go.dev/cl/771520

(From OE-Core rev: 0a692a5f57c43fb478a4a0b771b528fb9cf0c14d)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
9a4407138b go: patch CVE-2026-39826
Backport patch from [1]

[1] https://go.dev/cl/771180

(From OE-Core rev: 11203044b88ecca7bcdf32d58db5808949423de4)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
78bfa2dc96 go: patch CVE-2026-39825
Backport patch from [1]

[1] https://go.dev/cl/770541

(From OE-Core rev: ae5b6a1b2bf80e73f18406153d314ff18a89a13f)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
992c2a0192 go: patch CVE-2026-39820
Backport patch from [1], mentioned in [2]

[1] https://go.dev/cl/759940

[2] https://security-tracker.debian.org/tracker/CVE-2026-39820

(From OE-Core rev: f694d6cdd10c38a482d8c2a90f84c96da817ea51)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
f195e84050 go: patch CVE-2026-39819
Backport patch from [1]

[1] https://go.dev/cl/763882

(From OE-Core rev: 791de4922a5b342e3227713b053709a00400e1b5)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
6394046b02 go: patch CVE-2026-39817
Backport patch from [1], mentioned in [2]

[1] https://go.dev/cl/767520

[2] https://security-tracker.debian.org/tracker/CVE-2026-39817

(From OE-Core rev: f88c0ff79cf5838f8d0c31ecacc35faf56059d03)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
d5108e0975 go: patch CVE-2026-33811
Backport patch from [1]

[1] https://go.dev/cl/767860

(From OE-Core rev: e4137b29d7b3218ceef9973d57c179e5e2771a68)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
b7967ae307 go: patch CVE-2026-32289
Backport patch from [1]

[1] https://go.dev/cl/763762

(From OE-Core rev: d0469c3a9d62a2ab3d6baef92e578f247d68318b)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
d10a96fbd0 go: patch CVE-2026-32283
Backport patch from [1]

[1] https://go.dev/cl/763767

(From OE-Core rev: bfba1601c099d7b68c4d9fcf07617d8310d4af66)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
4c319bd87f go: patch CVE-2026-32280
Backport patch from [1]

[1] https://go.dev/cl/758320

(From OE-Core rev: e52259f1d09c722390b49adf3d4e3d863fbde7e8)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Theo Gaige (Schneider Electric)
d942ca707b go: patch CVE-2026-27142
Backport patch from [1]

[1] https://go.dev/cl/752081

(From OE-Core rev: c6730245b14c094e3b210af785cda7caf4468163)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-16 20:42:19 +01:00
Richard Purdie
b56134ff90 pseudo: Upgrade 1.9.6 -> 1.9.7
Pulls in fixes to rename/renameat/renameat2:

Changqing Li (1):
  renameat2/renameat: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS

Mark Hatle (4):
  run_tests.sh: Allow the user to specify specific tests to run
  tests: Add mv then hardlink testing
  rename: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS
  Makefile.in: Bump version to 1.9.7

(From OE-Core rev: e2864ea1ac022e43af92badc701fa1e2a9571f46)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 17567738711d525d9f2b85e54ace2048901e4c34)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Richard Purdie
ef43a8a49a pseudo: Update 1.9.5 -> 1.9.6
Pulls in the changes:

  * Makefile.in: Bump version to 1.9.6
  * pseudo_util.c: Fix symlink processing for symlinkat and related
  * test: Add test symlinkat and related
  * ports/unix: realpath: Fix chroot processing
  * test: Add test cases for canonicalize functions
  * ports/unix: fts_open: Fix chroot behavior
  * ports/unix: fts_*: Certain functions were incorrectly returning stat data
  * test: Add fts test case
  * test: Add test for linkat chroot path stripping
  * linkat: Avoid a segmentation fault
  * Only copy xattrs on a rename if it's cross-filesystem

(From OE-Core rev: 1414f3513099a9a956ec4f602354aa00008e2aff)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50e769a598e79ed4600f7362d5f40799a48f9273)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Richard Purdie
1c69324f39 pseudo: Upgrade to 1.9.5
This adds a wrapper for the __open_2 function

This was breaking shadow and the real reason for the open() call changes.
Add the missing wrapper to properly fix this.

(From OE-Core rev: 876e6497f3323d74d9ac8ce303ed5165a7fda283)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8ea63d320aba32d3894cace9e71e850bdff1d6b2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Richard Purdie
920a6803d5 pseudo: Upgrade to 1.9.4
Update to pull in a full openat2 wrapper which works on Fedora 44.

This update includes the commits:
  * Makefile.in: Bump version to 1.9.4
  * test: Add renameat2 test cases
  * test: Add openat2 test cases
  * makewrappers/openat2: Add preserve_path option
  * openat2: Implement openat2 wrapper
  * ports/linux/guts/renameat2.c: Add comment why this isn't implemented
  * Add b4 configuration
  * pseudo_setupenvp: Handle malloc failure safely
  * pseudo_setupenvp: Allocate space for new env vars if needed

(From OE-Core rev: 9075b66e1f9161407056924954b3d5507f6d8384)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b2bd1d114fafe1e797149e02e4c08194d529cfde)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:21 +01:00
Ross Burton
4e2dac74d5 perl: link to the system zlib instead of a vendored copy
The perl module Compress-Raw-Zlib defaults to using a vendored copy of
the zlib sources which has a number of CVEs.  A newer version of perl
updates this to zlib 1.3.2 to resolve them, but we should be linking to
our zlib recipe instead of the vendored code.

This mitigates CVE-2026-4176 so mark it as not appropriate.

(From OE-Core rev: 6e83e5520f415fc6ca9029a8aaa0af31cd832a90)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Ross Burton
1a099cb1fa python3-requests: backport fix for CVE-2026-25645
When unpacking zip files requests uses predictable paths. Backport a fix
to use randomly generated pathnames to mitigate injection attacks.

(From OE-Core rev: b23ec9773d67f8767904731afa86fe5ede08f97f)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fe846d71b647fb06e6a87cb45a2dd9b0889e2891)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Peter Marko
3758595c3e cargo: set CVE_PRODUCT
This removes mediawiki:cargo CVEs from CVE metrics.
* CVE-2026-39837, CVE-2026-39839, CVE-2026-39840, CVE-2026-39841

(From OE-Core rev: 98088c90b6e37ab27e7b4b2546abe9ecd863c02e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a5cb71e7df95925a5c342c341e699e244b1b84f6)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-10 14:35:20 +01:00
Himanshu Jadon
0ceef92802 apt: Add CVE_PRODUCT to support product name
- Keep both the older deprecated debian:apt alias and the active
  debian:advanced_package_tool identity in CVE_PRODUCT.
- This preserves completeness and avoids missing CVEs in case older
  aliases are still used in NVD records.

(From OE-Core rev: 28d3ab81b9386bda16e196ed2934967843413186)

Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4c777220ee5740b800f4128da79c24f7e42c7b88)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
[FT: Rebase onto scarthgap-next]
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-12 21:31:34 +01:00
Hitendra Prajapati
957ae42637 rsync: fix for CVE-2026-41035
Pick patch from [1], also mentioned in the Debian report in [2]

[1] bb0a8118c2
[2] https://security-tracker.debian.org/tracker/CVE-2026-41035
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-41035

(From OE-Core rev: b2b51c4f8521ac4fa490e96257142826f2dfda25)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-12 21:31:33 +01:00
Adarsh Jagadish Kamini
49da7cb317 binutils: fix CVE-2025-69648
Backport upstream fix for CVE-2025-69648 [1].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33

(From OE-Core rev: a905532db94aa09b17ec6445d8b5702f278f22bd)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-12 21:31:33 +01:00
Adarsh Jagadish Kamini
852fe03a0c binutils: fix CVE-2025-69647
Backport upstream fix for CVE-2025-69647 [1].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7

(From OE-Core rev: a15dfc1a05ba26ae9f806b0f4c5273bb7c484a04)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-12 21:31:33 +01:00
Khem Raj
e8c96de370 apt: Fix build with GCC 15
(From OE-Core rev: 3e565b8ea4b0694fd3ded7b3b0f9d93d1a7ccbab)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ac53f79999bb8301380d7c58025f6fed75e40c9a)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-04 13:57:33 +01:00
Yoann Congal
3d2536f642 qemu: backport patches to support python 3.14
We use the QEMU QMP python module to drive qemu in testimage. QMP uses
asyncio, and the method to get the event loop changed.

Backport the patches handling the deprecation to fix the error:
  ERROR: core-image-minimal-1.0-r0 do_testimage: Error executing a python function in exec_func_python() autogenerated:

  The stack trace of python calls that resulted in this exception/failure was:
  File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
   *** 0002:do_testimage(d)
  ...
  File: '.../openembedded-core/meta/lib/oeqa/utils/qemurunner.py', lineno: 332, function: launch
       0331:                from qmp.legacy import QEMUMonitorProtocol
   *** 0332:                self.qmp = QEMUMonitorProtocol(os.path.basename(qmp_port))
  File: '.../build-ubuntu2604/tmp-glibc/work/qemux86_64-oe-linux/core-image-minimal/1.0/recipe-sysroot-native/usr/lib/qemu-python/qmp/legacy.py', lineno: 89, function: __init__
   *** 0089:        self._aloop = asyncio.get_event_loop()
  File: '/usr/lib/python3.14/asyncio/events.py', lineno: 715, function: get_event_loop
       0711:
       0712:        Returns an instance of EventLoop or raises an exception.
       0713:        """
       0714:        if self._local._loop is None:
   *** 0715:            raise RuntimeError('There is no current event loop in thread %r.'
       0716:                               % threading.current_thread().name)
       0717:
       0718:        return self._local._loop
  Exception: RuntimeError: There is no current event loop in thread 'MainThread'.

Both patches are in QEMU 10.2 (the OE-Core master version).

(From OE-Core rev: 28bab00b35af8bbe3455c8266e4c792fa2367c5d)

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-04 13:57:33 +01:00
Martin Jansa
9d4a35f6d2 binutils: backport patch to fix build with glibc-2.43 on host
Fixes:
../../../gprofng/libcollector/linetrace.c: In function ‘__collector_ext_line_install’:
../../../gprofng/libcollector/linetrace.c:219:45: error: expected identifier before ‘_Generic’
  219 |   if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION))
      |                                             ^~~~~~
../../../gprofng/libcollector/linetrace.c:219:34: note: in expansion of macro ‘CALL_UTIL’
  219 |   if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION))
      |                                  ^~~~~~~~~

(From OE-Core rev: 6421f085fbb75df1cd122f1c327352b9434f8307)

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-04 13:57:33 +01:00
Martin Jansa
cc361cd49b elfutils: don't add -Werror to avoid discarded-qualifiers
With glibc-2.43 on host elfutils-native fails with:
elfutils-0.191/libcpu/riscv_disasm.c:1259:46: error: initialization discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]

elfutils-0.194 in master doesn't have this issue thanks to this patch avoiding -Werror from:
https://git.openembedded.org/openembedded-core/commit/?id=1d6ac3c811798732e6addc798656bbe104661d77

(From OE-Core rev: 7d9d9bcb64094da7121c6d6ce89cf07640537182)

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-04 13:57:32 +01:00
Richard Purdie
09a2e10262 pseudo: Add fix for glibc 2.43
Update to add a fix for a function definition to work with glibc 2.43.

(From OE-Core rev: 689bd1811c2300263a8a86ba3b46bbc6b1622323)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7d35b0e7929d666af783db835a3a809f8f6ce429)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-04 13:57:32 +01:00
Martin Jansa
7076b067e9 gcc: backport a fix for building with gcc-16
Fixes:
https://errors.yoctoproject.org/Errors/Details/905192/
when building on host with gcc-16

Compared to 15.2 used in whinlatter this needs 2 additional backports.

(From OE-Core rev: 53f86b988210506e191f28138b9a58a254ec4615)

Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9eabea38f0c17d41d97284d63a25e45da3c9bbcc)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-04 13:57:32 +01:00