Yogita Urade
022d6ec767
curl: fix CVE-2025-0167
...
When asked to use a `.netrc` file for credentials *and* to
follow HTTP redirects, curl could leak the password used
for the first host to the followed-to host under certain
circumstances.
This flaw only manifests itself if the netrc file has a
`default` entry that omits both login and password. A
rare circumstance.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-0167
Upstream patch:
0e120c5b92yogita.urade@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-07-14 08:37:40 -07:00
Yogita Urade
580a1571c4
curl: fix CVE-2024-11053
...
When asked to both use a `.netrc` file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has an entry that matches
the redirect target hostname but the entry either omits just the password or
omits both login and password.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-11053
https://git.launchpad.net/ubuntu/+source/curl/diff/debian/patches/CVE-2024-11053-pre1.patch?id=2126676d86041cabd7b1aa302fc1fdf47989df95
https://git.launchpad.net/ubuntu/+source/curl/diff/debian/patches/CVE-2024-11053.patch?id=2126676d86041cabd7b1aa302fc1fdf47989df95
Upstream patch:
9bee39bfede9b9bbac22yogita.urade@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-07-14 08:37:40 -07:00
Changqing Li
def97edcef
libsoup: fix CVE-2025-4945
...
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
(From OE-Core rev: cd589717c05b887986b9d61f5193e764f4deb3ee)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-07-14 08:37:40 -07:00
Changqing Li
65b1587627
libsoup-2.4: fix CVE-2025-4945
...
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
(From OE-Core rev: 2169742d4b88f9072501819b5842efbed04939f2)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-07-14 08:37:40 -07:00
Changqing Li
bfcca9e202
libsoup-2.4: refresh CVE-2025-4969.patch
...
refresh CVE-2025-4969.patch to fix the following build failure for
libsoup-2.4-native on fedora40/41:
../libsoup-2.74.3/tests/multipart-test.c:578:63: error: passing argument 2 of ‘soup_multipart_new_from_message’ from incompatible pointer type [-Wincompatible-pointer-types]
578 | multipart = soup_multipart_new_from_message (headers, bytes);
| ^~~~~
| |
| GBytes * {aka struct _GBytes *}
(From OE-Core rev: 4a0135992778110f2b523f436538c1197ef971b8)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-07-14 08:37:40 -07:00
Changqing Li
b4284b3eb2
libsoup-2.4: fix CVE-2025-4476
...
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/440
(From OE-Core rev: 2be01469687f30f33b768164f66916b081cc8c62)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:58 -07:00
Changqing Li
09407f375d
libsoup-2.4: fix CVE-2025-4948
...
Refer:
http://gitlab.gnome.org/GNOME/libsoup/-/issues/449
(From OE-Core rev: d5af0295d26f8967dfe49a53ffa6f275e249d087)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:58 -07:00
Changqing Li
3aa44948cb
libsoup-2.4: fix CVE-2025-46421
...
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/439
(From OE-Core rev: 33bf900bcb563c5769b75e69059751f969a8771f)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:58 -07:00
Changqing Li
6a19b931f0
libsoup-2.4: fix CVE-2025-32907
...
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/428
(From OE-Core rev: e6d9dd16d9b70cc8d3a9ca8b2fc542d547b456b9)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:57 -07:00
Hitendra Prajapati
467cc32439
libsoup-2.4: Fix CVE-2025-4969
...
Upstream-Status: Backport from 07b94e27afhprajapati@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:57 -07:00
Changqing Li
16168960c4
libsoup: fix CVE-2025-4948
...
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
(From OE-Core rev: 95383d7d95631a4c3b385a073ce1deff744bf725)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:57 -07:00
Changqing Li
f9f25b4fd6
libsoup: fix CVE-2025-46421
...
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/439
(From OE-Core rev: 388453296c32759623ed35a8142c6af2df7f30b0)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:57 -07:00
Changqing Li
f9ae7a93d4
libsoup: fix CVE-2025-32051
...
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/401
(From OE-Core rev: 4af9a40f53a6a9607999f0f4b28d2ce1eaf325a2)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:57 -07:00
Changqing Li
3fc748ecd7
libsoup: fix CVE-2025-32907
...
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/429
(From OE-Core rev: e31c9f12193d040480eca6a4be6a9ec6675b19f8)
Signed-off-by: Changqing Li <changqing.li@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:57 -07:00
Hitendra Prajapati
64327d7000
libsoup: Fix CVE-2025-4969
...
Upstream-Status: Backport from 07b94e27afhprajapati@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:57 -07:00
Ashish Sharma
41197b0df6
libsoup: patch CVE-2025-4476
...
Upstream-Status: Backport [e64c221f9casharma@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-25 08:11:57 -07:00
Guocai He
91d538d055
babeltrace/libatomic-ops: correct the SRC_URI
...
The old SRC_URIs are not available and need to update.
(From OE-Core rev: 94d24ff01573dc1d65078c92150dc252b3e9b145)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:30 -07:00
Vijay Anusuri
bb706cfe48
libsoup: Fix CVE-2025-46420
...
Upstream-Status: Backport
[c9083869ecvanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:29 -07:00
Vijay Anusuri
cecdcf3428
libsoup: Fix CVE-2025-32053
...
Upstream-Status: Backport
[eaed42ca8dvanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:29 -07:00
Vijay Anusuri
dd4d1b28e3
libsoup-2.4: Fix CVE-2025-32053
...
Upstream-Status: Backport
[eaed42ca8dvanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:29 -07:00
Vijay Anusuri
c2489908d7
libsoup: Fix CVE-2025-32052
...
Upstream-Status: Backport
[f182429e5bvanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:29 -07:00
Vijay Anusuri
4976dc40af
libsoup-2.4: Fix CVE-2025-32052
...
Upstream-Status: Backport
[f182429e5bvanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:29 -07:00
Vijay Anusuri
8bce7467dc
libsoup: Fix CVE-2025-32050
...
Upstream-Status: Backport
[9bb0a55de5vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:29 -07:00
Vijay Anusuri
ca51d99bf3
libsoup-2.4: Fix CVE-2025-32050
...
Upstream-Status: Backport
[9bb0a55de5vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:29 -07:00
Vijay Anusuri
07f522869c
libsoup: Fix CVE-2025-2784
...
Upstream-Status: Backport
[242a10fbb1c415ad0b67https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435
(From OE-Core rev: b51135e1f7eaa20c97e54f5c52b98963819127e9)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:29 -07:00
Vijay Anusuri
f49fc9966d
libsoup-2.4: Fix CVE-2025-2784
...
Upstream-Status: Backport
[242a10fbb1c415ad0b67https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435
(From OE-Core rev: 5cea727e87489b144cba9b2aa491d0c90f34f93d)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-20 08:06:29 -07:00
Jiaying Song
179c5dc17f
taglib: fix CVE-2023-47466
...
TagLib before 2.0 allows a segmentation violation and application crash
during tag writing via a crafted WAV file in which an id3 chunk is the
only valid chunk.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-47466
Upstream patch:
dfa33bec08jiaying.song.cn@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-13 08:42:35 -07:00
Vijay Anusuri
9a368c7b92
libsoup-2.4: Backport auth tests for CVE-2025-32910
...
libsoup-2.74.2/tests/auth-test.c:1554:39: error: unknown type name 'SoupServerMessage'; did you mean 'SoupServerClass'?
Fix auth-test.c compilation failure caused by CVE-2025-32910 patch
Link: 9af7d0fc75vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-13 08:42:34 -07:00
Hitendra Prajapati
e35c7960a7
icu: fix CVE-2025-5222
...
Upstream-Status: Backport from 2c667e31cfhprajapati@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-06-13 08:42:34 -07:00
Vijay Anusuri
ef632f4693
libsoup-2.4: Fix CVE-2025-32914
...
import patch from debian to fix
CVE-2025-32914
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads
Upstream commit 5bfcf81575https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450
https://security-tracker.debian.org/tracker/CVE-2025-32914
(From OE-Core rev: 8996e178264cf6bf9b69365172f43a5ee8e9f727)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-28 08:46:32 -07:00
Vijay Anusuri
cbbea14280
libsoup-2.4: Fix CVE-2025-32912
...
Upstream-Status: Backport from
cd077513f2910ebdcd3dvanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-28 08:46:32 -07:00
Vijay Anusuri
d8278fd9f9
libsoup-2.4: Fix CVE-2025-32911 & CVE-2025-32913
...
Upstream-Status: Backport from
7b4ef0e004f4a761fb66vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-28 08:46:32 -07:00
Vijay Anusuri
21bb9c063b
libsoup-2.4: Fix CVE-2025-32910
...
import patch from debian to fix
CVE-2025-32910
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads
Upstream commit e40df6d48a405a8a3459ea16eeacb0https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417
https://security-tracker.debian.org/tracker/CVE-2025-32910
(From OE-Core rev: b65e3d3a4dc2375d9bb81c7a91c84139cc667a47)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-28 08:46:32 -07:00
Ashish Sharma
0f58759f1b
libsoup-2.4: Fix CVE-2025-46420
...
Upstream-Status: Backport [c9083869ecasharma@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-28 08:46:32 -07:00
Vijay Anusuri
45c3cde26b
libsoup: Fix CVE-2025-32914
...
Upstream-Status: Backport
[5bfcf81575vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Vijay Anusuri
3f1cc96cb9
libsoup: Fix CVE-2025-32912
...
Upstream-Status: Backport from
cd077513f2910ebdcd3dvanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Vijay Anusuri
d8c4c5ea04
libsoup: Fix CVE-2025-32911 & CVE-2025-32913
...
Upstream-Status: Backport from
7b4ef0e004f4a761fb66vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Vijay Anusuri
fe91f67d38
libsoup: Fix CVE-2025-32910
...
Upstream-Status: Backport from
e40df6d48a405a8a3459ea16eeacb0vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Vijay Anusuri
cc7f7f1c29
libsoup: Fix CVE-2025-32909
...
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/comm
it/ba4c3a6f988beff59e45801ab36067293d24ce92
(From OE-Core rev: 491373828c1c66030fb41687f9a42b9e4deb010b)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Vijay Anusuri
dc621121b1
libsoup: Fix CVE-2025-32906
...
Upstream-Status: Backport from
1f509f31b6af5b9a4a39vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Vijay Anusuri
14f293eecf
libsoup: update fix CVE-2024-52532
...
Upstream-Status: Backport from 4c9e75c667vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Vijay Anusuri
e07ed2059c
libsoup-2.4: Fix CVE-2025-32909
...
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/comm
it/ba4c3a6f988beff59e45801ab36067293d24ce92
(From OE-Core rev: ad1244ee75b4169eab21c2c8744b86342b32dd07)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Vijay Anusuri
6b27d84c2c
libsoup-2.4: Fix CVE-2025-32906
...
Upstream-Status: Backport from
1f509f31b6af5b9a4a39vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Vijay Anusuri
02c2876c5e
libsoup-2.4: Update fix CVE-2024-52532
...
Upstream-Status: Backport from 4c9e75c667vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-16 08:58:06 -07:00
Peter Marko
ade4d1829a
sqlite3: patch CVE-2025-29088
...
Pick commit [1] mentioned in [2].
[1] 56d2fd008bhttps://nvd.nist.gov/vuln/detail/CVE-2025-29088
(From OE-Core rev: 70d2d56f89d6f4589d65a0b4f0cbda20d2172167)
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-05-02 08:12:41 -07:00
Yogita Urade
b5b884bc1a
curl: ignore CVE-2025-0725
...
CVE-2025-0725 can only trigger for curl when using a runtime
zlib version 1.2.0.3 or older and kirkstone supports
zlib 1.2.11 version, hence ignore cve for kirkstone.
Reference:
https://curl.se/docs/CVE-2025-0725.html
https://git.openembedded.org/openembedded-core/commit/?h=scarthgap&id=8c3b4a604b40260e7ca9575715dd8017e17d35c0
(From OE-Core rev: 9077246122b1284e8b6430384cccaf6f0b6c80c3)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-04-11 08:36:02 -07:00
Vijay Anusuri
e4721dd506
vim: Upgrade 9.1.1115 -> 9.1.1198
...
This includes CVE-fix for CVE-2025-27423 and CVE-2025-29768
Changes between 9.1.1115 -> 9.1.1198
====================================
https://github.com/vim/vim/compare/v9.1.1115...v9.1.1198
(From OE-Core rev: 0ace90f2918496ceae32aebea05bb826d1e3dad6)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com >
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org >
(cherry picked from commit 8e540bd287fd56e3a714f81395b59dd508a6d957)
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-04-01 09:02:41 -07:00
Vijay Anusuri
4df4248036
libxslt: Fix for CVE-2025-24855
...
Upstream-Commit: c7c7f1f78dvanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-03-27 08:16:30 -07:00
Vijay Anusuri
0490768a25
libxslt: Fix for CVE-2024-55549
...
Upstream-Commit: 46041b65f2vanusuri@mvista.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-03-27 08:16:30 -07:00
Divya Chellam
b210ed67de
vim: Upgrade 9.1.1043 -> 9.1.1115
...
This includes CVE-fix for CVE-2025-26603 and CVE-2025-1215
Changes between 9.1.1043 -> 9.1.1115
====================================
https://github.com/vim/vim/compare/v9.1.1043...v9.1.1115
(From OE-Core rev: acb88b244e89bc1300a24f60d0a44c21e0ab1af6)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com >
Signed-off-by: Steve Sakoman <steve@sakoman.com >
2025-03-19 07:13:17 -07:00
