mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-03-08 08:19:40 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,717 Commits 38 Branches 619 Tags
6c2a243d6cfb8277324904ab6b29e4e69ef68e21
Commit Graph

55281 Commits

Author SHA1 Message Date
Ankur Tyagi
df890007b4 vim: ignore CVE-2025-66476 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-66476

(From OE-Core rev: f42ed917ab6a4a91d473ef5b2107cdf0f1961c57)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-27 17:45:06 +00:00
Ankur Tyagi
4ed95c6c7b mobile-broadband-provider-info: upgrade 20240407 -> 20251101 
Changelog:
https://gitlab.gnome.org/GNOME/mobile-broadband-provider-info/-/blob/20251101/NEWS?ref_type=tags

(From OE-Core rev: 8bad1af53b6bfcd7f1d602cdb5aeee175734e569)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
[YC: commit 99e2dea3d4328f2aaa6e6e29f5bf4aa38b64b274 upstream]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-27 17:45:06 +00:00
Peter Marko
4c8f687fe6 libsndfile1: patch CVE-2025-56226 
Pick patches from both PRs linked in issue mentioned in NVD report.

(From OE-Core rev: e0ac318128b8f78efddc0b748b1db3e96873c532)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 327546cc0f0bdffcbb4be690ee0b9b469db64842)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-27 17:45:06 +00:00
Ankur Tyagi
34deee3e52 avahi: patch CVE-2026-24401 
Details https://nvd.nist.gov/vuln/detail/CVE-2026-24401

(From OE-Core rev: 030a3fff4b05b785f6ed1a97310b8386628adbf9)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 183d0ee54f1c194e245a7bbf243c19b3c2acf4f5)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-27 17:45:06 +00:00
Amaury Couderc
49dc4dd983 avahi: patch CVE-2025-68471 
(From OE-Core rev: bfd12b872d922116c1a793cd9debb5ee773bfeaf)

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5ec4156330c765bc52dbce28dbba6def9868d30f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-27 17:45:06 +00:00
Amaury Couderc
0d954471b5 avahi: patch CVE-2025-68468 
(From OE-Core rev: 1eebd6d5bd5d930aa8ec68f73789ff0bd742441c)

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f2ed8adc37a42b561b3c4853cf8106fba39889e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-27 17:45:06 +00:00
Ankur Tyagi
a57370d30c avahi: patch CVE-2025-68276 
Backport the patch[1] from the PR[2] mentioned in the nvd[3].

[1] 2d48e42d44
[2] https://github.com/avahi/avahi/pull/806
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-68276

Dropped CI changes from the original PR during backport.

(From OE-Core rev: 4da15f7fad8df7ba5fae29bc72156b189e993d58)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-27 17:45:06 +00:00
Yoann Congal
65c3ebea05 pseudo: Update to include a fix for systems with kernel <5.6 
$ git log --oneline --no-decorate  9ab513512d8b5180a430ae4fa738cb531154cdef..43cbd8fb4914328094ccdb4bb827d74b1bac2046
43cbd8f ports/linux: define __NR_openat2 if missing

(From OE-Core rev: fe2666749094e896736ff24d6885419905488723)

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e9a35f32b983de724d2c2e436c017b49d5b70469)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-27 17:45:06 +00:00
Richard Purdie
1d54d1c473 build-appliance-image: Update to scarthgap head revision 
(From OE-Core rev: a1f4ae4e569bc0e36c27c1e4651e502e54d63b28)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:49 +00:00
Richard Purdie
99047ec235 pseudo: Update to include an openat2 fix 
We're seeing occasional autobuilder failures with tar issues related to openat2.
It appears there are definitions missing on debian 11 and opensuse 15.5 systems
which mean the openat2 syscall intercept isn't compiled in. This then triggers
on systems using the openat2 syscall, such as alma9 where it is used in a tar
CVE fix.

This updates to include the fix from upstream pseudo (along with a compile warning
fix).

This was tested by taking sstate for pseudo-native from a debian 11 system and using
it in a build of "bitbake nativesdk-git -c install" on a alma9 system where that task
failed. After this fix, it completes.

(From OE-Core rev: 34b74540ee497e2cc89211d7aa2772097b6fa79b)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c20c05b324e5d6564c8554381019170839509bb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Ken Kurematsu
5eddd0f7fc libtheora: set CVE_PRODUCT 
In the NVD database, the product name of libtheora is theora.
This was set to ensure that cve-check works correctly.

(From OE-Core rev: e86e50b8c5b16065dcb35ebf4b00eff59c5da78c)

Signed-off-by: Ken Kurematsu <k.kurematsu@nskint.co.jp>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a8ddda60332e2a3219e905c1545b5da917f855c6)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Richard Purdie
4f4691984a pseudo: Update to 1.9.3 release 
Pulls in the following changes:

  Makefile.in: Bump version to 1.9.3
  configure: Minor code quality changes
  pseudo: code quality scan - resolved various potential issues
  makewrappers: improve error handling and robustness
  Update COPYRIGHT files
  ports/linux/pseudo_wrappers.c: Call the wrappers where possible
  ports/linux/pseudo_wrappers.c: Workaround compile error on Debian 11
  ports/linux/pseudo_wrappers.c: Reorder the syscall operations
  ports/unix/guts/realpath.c: Fix indents
  pseudo_util.c: Skip realpath like expansion for /proc on Linux
  test/test-proc-pipe.sh: Add test case for proc pipes
  ports/unix/guts/realpath.c: realpath fails if the resolved path doesn't exist

(From OE-Core rev: 7a05347a6418bfb6126e3a601489dc71efb0d2fc)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 524f4bbb11f9c7e0126e8bd46af217b452d48f5e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Khai Dang
d02f35223e docbook-xml-dtd4: fix the fetching failure 
Updating SRC_URI, the old archive url is deprecated.

(From OE-Core rev: 65ead4efec955b1b8877ec39eba44ca4da8cfff3)

Signed-off-by: Khai Dang <khai.dang@lge.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c137d3637b6171fbd3bfd671a56096e7f2b3c318)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Fred Bacon
c7084e7f05 lighttpd: Fix trailing slash on files in mod_dirlisting 
Fixes [YOCTO #16128]

Backport of upstream bug fix from lighttpd-1.4.75. Version 1.4.74 introduced a bug that
would append a trailing slash to files in a directory listing. When the user attempts to
download one of these files, the web browser could not save the file with a trailing
slash. As a consequence, every web browser tested would generate a random character string
for the saved file name.

(From OE-Core rev: 797f15116901328a9a58868edeea44614dc29043)

Signed-off-by: Fred Bacon <bacon@aerodyne.com>
[Yoann: Fixed Upstream-Status: Backport URL]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Benjamin Robin (Schneider Electric)
9628ed0111 meta/classes: fix missing vardeps for CVE status variables 
Several CVE helper functions (get_patched_cves() and decode_cve_status())
implicitly depend on the CVE_STATUS and CVE_CHECK_STATUSMAP variables, but
these were not declared in the vardeps of their callers.

On Scarthgap, the upstream fix (2cc43c72ff28aa39a417dd8d57cd7c8741c0e541)
cannot be cherry-picked cleanly, as it also requires BitBake changes.

As a workaround, explicitly add CVE_STATUS and CVE_CHECK_STATUSMAP to the
vardeps of all tasks invoking these helpers, ensuring correct task
re-execution when CVE status changes.

This keeps CVE-related metadata generation consistent without requiring
BitBake modifications.

(From OE-Core rev: 111e1f2febade3c34649f33676f7f7e7cc8e0bd0)

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
af8b964e9b glibc: stable 2.39 branch updates 
git log --oneline 58cbbd43fe82910cf8ae9008351b0b0665104500..ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc
ce65d944e3 (HEAD -> release/2.39/master, origin/release/2.39/master) posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
831f63b94c resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
fb22fd3f5b memalign: reinstate alignment overflow check (CVE-2026-0861)
10c0bcb3d3 support: Exit on consistency check failure in resolv_response_add_name
f47dd22366 support: Fix FILE * leak in check_for_unshare_hints in test-container
4a53354eaf sprof: fix -Wformat warnings on 32-bit hosts
beb8267909 sprof: check pread size and offset for overflow
c07002038f getaddrinfo.c: Avoid uninitialized pointer access [BZ #32465]
ae5fb93559 nptl: Optimize trylock for high cache contention workloads (BZ #33704)
efff7cb659 ppc64le: Power 10 rawmemchr clobbers v20 (bug #33091)
f6becd8ae8 ppc64le: Restore optimized strncmp for power10
0daa4e46b8 ppc64le: Restore optimized strcmp for power10
28c1de6580 AArch64: Fix instability in AdvSIMD tan
03d0393343 AArch64: Optimise SVE scalar callbacks
0d05a895f1 aarch64: fix includes in SME tests
c1dc4412f8 aarch64: fix cfi directives around __libc_arm_za_disable
d60f15dc89 aarch64: tests for SME
d1d0d09e9e aarch64: clear ZA state of SME before clone and clone3 syscalls
dbe1904b7c aarch64: define macro for calling __libc_arm_za_disable
58cf4aa421 aarch64: update tests for SME
1b3bd9a9a6 aarch64: Disable ZA state of SME in setjmp and sigsetjmp
38942a336b linux: Also check pkey_get for ENOSYS on tst-pkey (BZ 31996)
c74d59a656 aarch64: Do not link conform tests with -Wl,-z,force-bti (bug 33601)
323ad087a1 x86: fix wmemset ifunc stray '!' (bug 33542)

Testing Results:
             Before    After    Diff
PASS         4926      4921     -5
XPASS        4         4         0
FAIL         223       229      +6
XFAIL        16        16        0
UNSUPPORTED  224       224       0

Changes in failed testcases:

testcase-name                                before  after
elf/tst-audit21                              PASS    FAIL
malloc/tst-malloc-too-large                  PASS    FAIL
malloc/tst-malloc-too-large-malloc-check     PASS    FAIL
malloc/tst-malloc-too-large-malloc-hugetlb1  PASS    FAIL
malloc/tst-malloc-too-large-malloc-hugetlb2  PASS    FAIL
malloc/tst-malloc-too-large-mcheck           PASS    FAIL

(From OE-Core rev: a49b898ed6d571391d90cc3ba150a0421642be23)

Signed-off-by: Peter Marko <peter.marko@siemens.com>

[Yoann: When run on the autobuilder, all those new FAIL tests are PASS:
https://valkyrie.yocto.io/pub/non-release/20260209-10/testresults/qemux86-64-tc/testresults.json]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Ankur Tyagi
b617f833e5 ffmpeg: ignore CVE-2025-25469 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-25469

This vulnerability exists in IAMF (Immersive Audio Model and Formats demuxer)
which was introduced in version 7.0 [1]

$ git tag --contains 4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
n7.0
n7.0.1
n7.0.2
n7.0.3
n7.1
n7.1-dev
n7.1.1
n7.1.2
n7.1.3
n7.2-dev
n8.0
n8.0.1
n8.1-dev

[1] 4ee05182b7

(From OE-Core rev: 935bd46fab333a29a8bf4bb511fb55d5d02b3a71)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Ankur Tyagi
b8600b66e4 ffmpeg: upgrade 6.1.3 -> 6.1.4 
Dropped patches that are part of the upstream version.

Changelog:
34277e12e8:/Changelog

(From OE-Core rev: f9f054faca45a08507b510c8982f170edd6bf83a)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
463172affb zlib: ignore CVE-2026-22184 
This is CVE for example tool contrib/untgz.
This is not compiled in Yocto zlib recipe.

This CVE has controversial CVSS3 score of 9.8.

(From OE-Core rev: b00a1990237d473971076c4f92a1060911b8b323)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b0592c51b6ad038d737d2f6b30977bd0c5c50058)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Yoann Congal
028444d608 zlib: cleanup CVE_STATUS[CVE-2023-45853] 
CVE-2023-45853: Version is now higher than NVD CPE

This is a partial cherry-pick from 73ee9789183a ("recipes: cleanup
CVE_STATUS which are resolved now").

Cc: Peter Marko <peter.marko@siemens.com>
(From OE-Core rev: 2e05844a70f97399e323f967e926075428cb5233)

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Het Patel
a2c9f142ed zlib: Add CVE_PRODUCT to exclude false positives 
To avoid false positives (such as CVE-2023-6992, cloudflare:zlib), add a
CVE_PRODUCT to identify the vendors that have been used.

Removing the present existing CVE_STATUS for CVE-2023-6992.

(From OE-Core rev: 85427d225416b3b12bf05513c9427370309b2127)

Signed-off-by: Het Patel <hetpat@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 119b775b36dfd51286493763cffb6e965893b8fd)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Adarsh Jagadish Kamini
54e7eb5951 python-urllib3: Backport fix for CVE-2026-21441 
Include the patch linked in the NVD report : https://nvd.nist.gov/vuln/detail/CVE-2026-21441
(From OE-Core rev: bf85dff7bf4340a691df3da21f04a651fff11a17)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
534b2c966a python3: patch CVE-2025-13837 
Pick patch from 3.12 branch per NVD report.

(From OE-Core rev: 37936e0e93ab5c236d8cc8e709ba1faf8380577c)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
8d61eb390a libxml2: add follow-up patch for CVE-2026-0992 
References:
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
* https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/377

(From OE-Core rev: 2c8e455148e12e097ff757bcf0a57d7d5bd77c30)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
bd21ac68d0 libxml2: patch CVE-2026-0992 
Pick patch which closed [1].
Adapt for missing xmlCatalogPrintDebug per [2].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
[2] 728869809e

(From OE-Core rev: 826dd15a99433c4066d2cd4546515d174d443350)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
57126cdaa7 libxml2: patch CVE-2026-0990 
Pick patch which closed [1].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018

(From OE-Core rev: f1bb433bbdb0fa19d7d8cbe15d4180c9d18cca5a)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
35fca9ec35 libxml2: patch CVE-2026-0989 
Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
[2] https://gitlab.gnome.org/GNOME/libxml2/-/issues/998

(From OE-Core rev: d201a09eee8efca8a889f0b7a60133e850256369)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Hugo SIMELIERE
308c5dd2c9 libtasn1: Fix CVE-2025-13151 
Upstream-Status: Backport from d276cc495a

(From OE-Core rev: 3f9f51783597a682efdf989bebac2934b1f7040c)

Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
005e0f6daf libpng: patch CVE-2026-22801 
Pick comit per [1].

[1] https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8

(From OE-Core rev: fc0f0ecb694ae3042cff4472c62c78a7389662c6)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
f824456616 libpng: patch CVE-2026-22695 
Pick commit per [1].
This CVE is regression of fix for CVE-2025-65018.

[1] https://security-tracker.debian.org/tracker/CVE-2026-22695

(From OE-Core rev: cdfeb4e55f856b1020caf58f380d3a1e7eb5cd97)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Vijay Anusuri
2541663fd1 inetutils: Fix CVE-2026-24061 
Upstream-Status: Backport from
https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ccba9f748aa8d50a38d7748e2e60362edd6a32cc
& https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fd702c02497b2f398e739e3119bed0b23dd7aa7b

Ref: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

(From OE-Core rev: da89012029cb110f6d2768248981ab9c4872d871)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
53dbc9c218 glib-2.0: patch CVE-2026-0988 
Pick relevant commit from [2] linked from [1].

[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3851
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4944

(From OE-Core rev: 9df34167c74267b63d46c354efe9b3874efa062e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
236069b7e0 expat: patch CVE-2026-25210 
Pick patches from [1].

[1] https://github.com/libexpat/libexpat/pull/1075

(From OE-Core rev: 97cf4b2341449b34e61a09437e2159b279f9f848)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
46fdae1b0f expat: patch CVE-2026-24515 
Pick commits from PR linked in NVD report.

(From OE-Core rev: 7c4fb02b8d8668ec85f5d4ba98db5d69e1e6b712)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Amaury Couderc
cc5e0688c0 curl: patch CVE-2025-14524 
(From OE-Core rev: 951113a6e8185969444b5e28292f23434dba1f6c)

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Hitendra Prajapati
68f03e2a9f curl: fix CVE-2025-10148 
curl's websocket code did not update the 32 bit mask pattern
for each new outgoing frame as the specification says. Instead
it used a fixed mask that persisted and was used throughout
the entire connection.

A predictable mask pattern allows for a malicious server to induce
traffic between the two communicating parties that could be
interpreted by an involved proxy (configured or transparent) as
genuine, real, HTTP traffic with content and thereby poison its
cache. That cached poisoned content could then be served to all
users of that proxy.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10148

Upstream patch:
https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa

(From OE-Core rev: 3793ee12d8da4f8f90a0ffcad180ef8122251491)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Richard Purdie
3534914790 build-appliance-image: Update to scarthgap head revision 
(From OE-Core rev: d50e4680ed6f930582d907b37c9ed545a89f5c27)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:50:55 +00:00
Richard Purdie
fb693aab03 pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation' 
The pseudo update was causing hangs in builds, pull in the fix.

(From OE-Core rev: a845c75096c381f45c13451b1baedc7774e4eff2)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8acdbefd0a148c8b7713f46066ae8489984c5d2d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Richard Purdie
3bcac51eb2 pseudo: Update to pull in openat2 and efault return code changes 
Pulls in the following fixes:

 * makewrappers: Enable a new efault option
 * ports/linux/openat2: Add dummy wrapper
 * test-syscall: Add a syscall test
 * ports/linux/pseudo_wrappers: Avoid openat2 usage via syscall

which should fix issues with the tar CVE fix on Centos/Alma/Rocky 9 distros
that uses openat2 as well as the efault issue breaking rust based uutils.

(From OE-Core rev: a872357343b29530d05823368cfc8863a798412d)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 51f1388dd1679a28ec3ca468cf16aa0ea32bccf9)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Paul Barker
bf7d623729 pseudo: Add hard sstate dependencies for pseudo-native 
Where a task (such as do_package) runs under fakeroot, the corresponding
setscene task (do_package_setscene) will also run under fakeroot when
restoring from sstate. Assuming pseudo is used as the fakeroot
implementation, we need pseudo-native and all its runtime dependencies
to be available in the sysroot before running any setscene tasks under
fakeroot.

We already add a hard dependency from all do_package_setscene tasks to
virtual/fakeroot-native:do_populate_sysroot in base.bbclass, but this
does not cover transitive dependencies. So, extend the dependencies of
pseudo-native:do_populate_sysroot_setscene to ensure that the sqlite3
library is also available in the sysroot before running fakeroot
setscene tasks.

[YOCTO #15963]

(From OE-Core rev: c73e9513f26cd9e073fc2eb0a67378ad7864d677)

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c146ca657440550e00bc5e53d13502ef7aa945b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Richard Purdie
e380eea705 pseudo: Update to pull in memleak fix 
(From OE-Core rev: b6e48eac4b61d66b240b80f35b1d97752e814d15)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 42137b6f97da0672af365cd841678f39ce5907d2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Robert Yang
e6cbef9080 pseudo: 1.9.0 -> 1.9.2 
(From OE-Core rev: 89256d7c891c0053028a4d8679ccebc24f36577c)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 48a42747fd280ce68283e1491971d22273e3bdf2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Richard Purdie
80593d0ce1 pseudo: Upgrade to version 1.9.1 
This brings in:
 * nftw, nftw64: add wrapper
 * ftw, nftw, ftw64, nftw64: add tests
 * Move ftw and ftw64 to calling ntfw and nftw64
 * makewrappers: Introduce 'array' support
 * pseudo_util.c: Avoid warning when we intentionally discard const
 * pseudo_client.c: Fix warning
 * yocto-older-glibc-symbols.path: Add as a reference patch
 * pseudo/pseudo_client: Add wrapper functions to operate correctly with glibc 2.38 onwards
 * configure: Prune PIE flags
 * test/test-parallel-rename.sh: Add parallel rename test
 * test/test-parallel-symlinks.sh: Add parallel symlink test
 * ports/linux/guts: Add .gitignore to ignore generated files

(From OE-Core rev: a019d270cd6f41c751e685f36581c00e65287b9d)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 994e508b2a0ede8b5cc4fe39444cf25dc9a53faf)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
4581b795c6 curl: patch CVE-2025-15224 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15224.html

(From OE-Core rev: 83c7d4acc5da661b44055db95355c3c420f7afac)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
41c8c7c5c5 curl: patch CVE-2025-15079 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15079.html

(From OE-Core rev: 48a162d90daada0f992e665696f7f2e738780af1)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
ea774774ef curl: patch CVE-2025-14819 
Pick patch per [1].

Additionally pick commit with definition of CURL_UNCONST to make the
cherry-pick possible without build errors.
It will be probably needed also by further CVE patches.

[1] https://curl.se/docs/CVE-2025-14819.html

(From OE-Core rev: 3a8e5ae08380ca201df950546dd5f02f9bbe1237)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
7a394819a8 curl: patch CVE-2025-14017 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-14017.html

(From OE-Core rev: 2284de47317ada818f916be65abf13969294541c)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
b6ea3460e5 libarchive: fix CVE-2025-60753 regression 
Pick patch from PR mentioned in v3.8.5 release notes.

(From OE-Core rev: c316c6e50e73a681c22fa03cdb59a0317495a418)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
8df07c5662 cups: allow unknown directives in conf files 
Patch for CVE-2025-61915 by mistake causes fatal error on unknown
directives in configuration files.
The default configuration already contains unknown directive in
non-systemd setups:
Unknown directive IdleExitTimeout on line 32 of /etc/cups/cupsd.conf

Backport fix for this from 2.4.x branch which reverts this behavior.

(From OE-Core rev: 2f36a12a72cf1f91a2d6ee68bd04292979608eb9)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
bfe84d74fe libpcap: patch CVE-2025-11964 
Pick patch per [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-11964

(From OE-Core rev: 64c2af571190f7c2b3bb5c53517f0cbcb5dddd6e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00