mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-29 00:32:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
75,699 Commits 38 Branches 623 Tags
b617f833e5eeff596ee85b63bd5c40cbf14c7ba9
Commit Graph

55265 Commits

Author SHA1 Message Date
Ankur Tyagi
b617f833e5 ffmpeg: ignore CVE-2025-25469 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-25469

This vulnerability exists in IAMF (Immersive Audio Model and Formats demuxer)
which was introduced in version 7.0 [1]

$ git tag --contains 4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
n7.0
n7.0.1
n7.0.2
n7.0.3
n7.1
n7.1-dev
n7.1.1
n7.1.2
n7.1.3
n7.2-dev
n8.0
n8.0.1
n8.1-dev

[1] 4ee05182b7

(From OE-Core rev: 935bd46fab333a29a8bf4bb511fb55d5d02b3a71)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Ankur Tyagi
b8600b66e4 ffmpeg: upgrade 6.1.3 -> 6.1.4 
Dropped patches that are part of the upstream version.

Changelog:
34277e12e8:/Changelog

(From OE-Core rev: f9f054faca45a08507b510c8982f170edd6bf83a)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
463172affb zlib: ignore CVE-2026-22184 
This is CVE for example tool contrib/untgz.
This is not compiled in Yocto zlib recipe.

This CVE has controversial CVSS3 score of 9.8.

(From OE-Core rev: b00a1990237d473971076c4f92a1060911b8b323)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b0592c51b6ad038d737d2f6b30977bd0c5c50058)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Yoann Congal
028444d608 zlib: cleanup CVE_STATUS[CVE-2023-45853] 
CVE-2023-45853: Version is now higher than NVD CPE

This is a partial cherry-pick from 73ee9789183a ("recipes: cleanup
CVE_STATUS which are resolved now").

Cc: Peter Marko <peter.marko@siemens.com>
(From OE-Core rev: 2e05844a70f97399e323f967e926075428cb5233)

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Het Patel
a2c9f142ed zlib: Add CVE_PRODUCT to exclude false positives 
To avoid false positives (such as CVE-2023-6992, cloudflare:zlib), add a
CVE_PRODUCT to identify the vendors that have been used.

Removing the present existing CVE_STATUS for CVE-2023-6992.

(From OE-Core rev: 85427d225416b3b12bf05513c9427370309b2127)

Signed-off-by: Het Patel <hetpat@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 119b775b36dfd51286493763cffb6e965893b8fd)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Adarsh Jagadish Kamini
54e7eb5951 python-urllib3: Backport fix for CVE-2026-21441 
Include the patch linked in the NVD report : https://nvd.nist.gov/vuln/detail/CVE-2026-21441
(From OE-Core rev: bf85dff7bf4340a691df3da21f04a651fff11a17)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
534b2c966a python3: patch CVE-2025-13837 
Pick patch from 3.12 branch per NVD report.

(From OE-Core rev: 37936e0e93ab5c236d8cc8e709ba1faf8380577c)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
8d61eb390a libxml2: add follow-up patch for CVE-2026-0992 
References:
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
* https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/377

(From OE-Core rev: 2c8e455148e12e097ff757bcf0a57d7d5bd77c30)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
bd21ac68d0 libxml2: patch CVE-2026-0992 
Pick patch which closed [1].
Adapt for missing xmlCatalogPrintDebug per [2].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
[2] 728869809e

(From OE-Core rev: 826dd15a99433c4066d2cd4546515d174d443350)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
57126cdaa7 libxml2: patch CVE-2026-0990 
Pick patch which closed [1].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018

(From OE-Core rev: f1bb433bbdb0fa19d7d8cbe15d4180c9d18cca5a)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
35fca9ec35 libxml2: patch CVE-2026-0989 
Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
[2] https://gitlab.gnome.org/GNOME/libxml2/-/issues/998

(From OE-Core rev: d201a09eee8efca8a889f0b7a60133e850256369)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Hugo SIMELIERE
308c5dd2c9 libtasn1: Fix CVE-2025-13151 
Upstream-Status: Backport from d276cc495a

(From OE-Core rev: 3f9f51783597a682efdf989bebac2934b1f7040c)

Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
005e0f6daf libpng: patch CVE-2026-22801 
Pick comit per [1].

[1] https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8

(From OE-Core rev: fc0f0ecb694ae3042cff4472c62c78a7389662c6)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
f824456616 libpng: patch CVE-2026-22695 
Pick commit per [1].
This CVE is regression of fix for CVE-2025-65018.

[1] https://security-tracker.debian.org/tracker/CVE-2026-22695

(From OE-Core rev: cdfeb4e55f856b1020caf58f380d3a1e7eb5cd97)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Vijay Anusuri
2541663fd1 inetutils: Fix CVE-2026-24061 
Upstream-Status: Backport from
https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ccba9f748aa8d50a38d7748e2e60362edd6a32cc
& https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fd702c02497b2f398e739e3119bed0b23dd7aa7b

Ref: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

(From OE-Core rev: da89012029cb110f6d2768248981ab9c4872d871)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
53dbc9c218 glib-2.0: patch CVE-2026-0988 
Pick relevant commit from [2] linked from [1].

[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3851
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4944

(From OE-Core rev: 9df34167c74267b63d46c354efe9b3874efa062e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
236069b7e0 expat: patch CVE-2026-25210 
Pick patches from [1].

[1] https://github.com/libexpat/libexpat/pull/1075

(From OE-Core rev: 97cf4b2341449b34e61a09437e2159b279f9f848)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
46fdae1b0f expat: patch CVE-2026-24515 
Pick commits from PR linked in NVD report.

(From OE-Core rev: 7c4fb02b8d8668ec85f5d4ba98db5d69e1e6b712)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Amaury Couderc
cc5e0688c0 curl: patch CVE-2025-14524 
(From OE-Core rev: 951113a6e8185969444b5e28292f23434dba1f6c)

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Hitendra Prajapati
68f03e2a9f curl: fix CVE-2025-10148 
curl's websocket code did not update the 32 bit mask pattern
for each new outgoing frame as the specification says. Instead
it used a fixed mask that persisted and was used throughout
the entire connection.

A predictable mask pattern allows for a malicious server to induce
traffic between the two communicating parties that could be
interpreted by an involved proxy (configured or transparent) as
genuine, real, HTTP traffic with content and thereby poison its
cache. That cached poisoned content could then be served to all
users of that proxy.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10148

Upstream patch:
https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa

(From OE-Core rev: 3793ee12d8da4f8f90a0ffcad180ef8122251491)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Richard Purdie
3534914790 build-appliance-image: Update to scarthgap head revision 
(From OE-Core rev: d50e4680ed6f930582d907b37c9ed545a89f5c27)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:50:55 +00:00
Richard Purdie
fb693aab03 pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation' 
The pseudo update was causing hangs in builds, pull in the fix.

(From OE-Core rev: a845c75096c381f45c13451b1baedc7774e4eff2)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8acdbefd0a148c8b7713f46066ae8489984c5d2d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Richard Purdie
3bcac51eb2 pseudo: Update to pull in openat2 and efault return code changes 
Pulls in the following fixes:

 * makewrappers: Enable a new efault option
 * ports/linux/openat2: Add dummy wrapper
 * test-syscall: Add a syscall test
 * ports/linux/pseudo_wrappers: Avoid openat2 usage via syscall

which should fix issues with the tar CVE fix on Centos/Alma/Rocky 9 distros
that uses openat2 as well as the efault issue breaking rust based uutils.

(From OE-Core rev: a872357343b29530d05823368cfc8863a798412d)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 51f1388dd1679a28ec3ca468cf16aa0ea32bccf9)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Paul Barker
bf7d623729 pseudo: Add hard sstate dependencies for pseudo-native 
Where a task (such as do_package) runs under fakeroot, the corresponding
setscene task (do_package_setscene) will also run under fakeroot when
restoring from sstate. Assuming pseudo is used as the fakeroot
implementation, we need pseudo-native and all its runtime dependencies
to be available in the sysroot before running any setscene tasks under
fakeroot.

We already add a hard dependency from all do_package_setscene tasks to
virtual/fakeroot-native:do_populate_sysroot in base.bbclass, but this
does not cover transitive dependencies. So, extend the dependencies of
pseudo-native:do_populate_sysroot_setscene to ensure that the sqlite3
library is also available in the sysroot before running fakeroot
setscene tasks.

[YOCTO #15963]

(From OE-Core rev: c73e9513f26cd9e073fc2eb0a67378ad7864d677)

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c146ca657440550e00bc5e53d13502ef7aa945b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Richard Purdie
e380eea705 pseudo: Update to pull in memleak fix 
(From OE-Core rev: b6e48eac4b61d66b240b80f35b1d97752e814d15)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 42137b6f97da0672af365cd841678f39ce5907d2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Robert Yang
e6cbef9080 pseudo: 1.9.0 -> 1.9.2 
(From OE-Core rev: 89256d7c891c0053028a4d8679ccebc24f36577c)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 48a42747fd280ce68283e1491971d22273e3bdf2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Richard Purdie
80593d0ce1 pseudo: Upgrade to version 1.9.1 
This brings in:
 * nftw, nftw64: add wrapper
 * ftw, nftw, ftw64, nftw64: add tests
 * Move ftw and ftw64 to calling ntfw and nftw64
 * makewrappers: Introduce 'array' support
 * pseudo_util.c: Avoid warning when we intentionally discard const
 * pseudo_client.c: Fix warning
 * yocto-older-glibc-symbols.path: Add as a reference patch
 * pseudo/pseudo_client: Add wrapper functions to operate correctly with glibc 2.38 onwards
 * configure: Prune PIE flags
 * test/test-parallel-rename.sh: Add parallel rename test
 * test/test-parallel-symlinks.sh: Add parallel symlink test
 * ports/linux/guts: Add .gitignore to ignore generated files

(From OE-Core rev: a019d270cd6f41c751e685f36581c00e65287b9d)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 994e508b2a0ede8b5cc4fe39444cf25dc9a53faf)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
4581b795c6 curl: patch CVE-2025-15224 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15224.html

(From OE-Core rev: 83c7d4acc5da661b44055db95355c3c420f7afac)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
41c8c7c5c5 curl: patch CVE-2025-15079 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15079.html

(From OE-Core rev: 48a162d90daada0f992e665696f7f2e738780af1)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
ea774774ef curl: patch CVE-2025-14819 
Pick patch per [1].

Additionally pick commit with definition of CURL_UNCONST to make the
cherry-pick possible without build errors.
It will be probably needed also by further CVE patches.

[1] https://curl.se/docs/CVE-2025-14819.html

(From OE-Core rev: 3a8e5ae08380ca201df950546dd5f02f9bbe1237)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
7a394819a8 curl: patch CVE-2025-14017 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-14017.html

(From OE-Core rev: 2284de47317ada818f916be65abf13969294541c)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
b6ea3460e5 libarchive: fix CVE-2025-60753 regression 
Pick patch from PR mentioned in v3.8.5 release notes.

(From OE-Core rev: c316c6e50e73a681c22fa03cdb59a0317495a418)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
8df07c5662 cups: allow unknown directives in conf files 
Patch for CVE-2025-61915 by mistake causes fatal error on unknown
directives in configuration files.
The default configuration already contains unknown directive in
non-systemd setups:
Unknown directive IdleExitTimeout on line 32 of /etc/cups/cupsd.conf

Backport fix for this from 2.4.x branch which reverts this behavior.

(From OE-Core rev: 2f36a12a72cf1f91a2d6ee68bd04292979608eb9)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
bfe84d74fe libpcap: patch CVE-2025-11964 
Pick patch per [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-11964

(From OE-Core rev: 64c2af571190f7c2b3bb5c53517f0cbcb5dddd6e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
5941c9425f libpcap: patch CVE-2025-11961 
Pick patch per [1].
Also pick additional preparation patch to apply it cleanly.

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-11961

(From OE-Core rev: f28be1d360056949a56c62c7d5ce98d15ca8b7d5)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
38071ff688 dropbear: patch CVE-2019-6111 
Pick patch mentioning this CVE number.

(From OE-Core rev: 8fa0c278c269ed1ef0225cf22a86d0b36632058e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
6b53fa118e glib-2.0: patch CVE-2025-14512 
Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4935
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3845

(From OE-Core rev: 9a526a195241dff60707b99b46d1d43f2f5ad2fd)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
6e462f0df2 glib-2.0: patch CVE-2025-14087 
Pick commits from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4933
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3834

(From OE-Core rev: f477d209a56a4f382636d49fd5cfba3e8169f7f0)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
d77b73fd3f glib-2.0: patch CVE-2025-13601 
Pick commits from [1] per [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13601

(From OE-Core rev: 5744d66b8f2f0ee8ed963bb3e6d93a9a167070e3)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
47124f2fda qemu: ignore CVE-2025-54566 and CVE-2025-54567 
These CVEs are not applicable to version 8.2.x as the vulnerable code
was introduced inly in 10.0.0.

Debian made the analysis, reuse their work.
* https://security-tracker.debian.org/tracker/CVE-2025-54566
* https://security-tracker.debian.org/tracker/CVE-2025-54567

(From OE-Core rev: 77533b3dbd9cb82d6fad3c3d07872913a2991627)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
6152ee6778 util-linux: patch CVE-2025-14104 
Pick patches per [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-14104

(From OE-Core rev: 0dee49ec49c341235863ec75fc80619e70dfd836)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
2104407814 python3: patch CVE-2025-13836 
Pick commit from branch 3.12 mentioned in [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-13836

(From OE-Core rev: 05aa143fb5f63de0f53e916daa3392917da46131)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
5ae239f8ea python3: patch CVE-2025-12084 
Pick patch from 3.12 branch according to [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-12084

(From OE-Core rev: c3ed0dfa3a7b8716008968b0d7f80885b2f61a84)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Steve Sakoman
72983ac391 build-appliance-image: Update to scarthgap head revision 
(From OE-Core rev: 6988157ad983978ffd6b12bcefedd4deaffdbbd1)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 07:00:05 -08:00
Vijay Anusuri
795103a538 go: Fix CVE-2025-61729 
Upstream-Status: Backport from 3a842bd5c6

(From OE-Core rev: 2d6d68e46a430a1dbba7bd8b7d37ff56f4f5a0e6)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 06:56:54 -08:00
Vijay Anusuri
d3c87dc830 go: Fix CVE-2025-61727 
Upstream-Status: Backport from 04db77a423

(From OE-Core rev: 647e151485bd10a8bbbdbae4825791723c9a5d8e)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 06:56:54 -08:00
Vijay Anusuri
a5cecb013b go: Update CVE-2025-58187 
Upstream-Status: Backport from ca6a5545ba

(From OE-Core rev: 2d6b089de3ef5e062d852eb93e3ff16997e796ef)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 06:56:54 -08:00
Changqing Li
a4841fb5a2 libsoup: fix CVE-2025-12105 
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/481

(From OE-Core rev: 1ac9ad3faf022684ae709f4494a430aee5fb9906)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 06:56:54 -08:00
Jiaying Song
17a65b334d grub: fix CVE-2025-54770 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664 
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-54770
https://nvd.nist.gov/vuln/detail/CVE-2025-61661
https://nvd.nist.gov/vuln/detail/CVE-2025-61662
https://nvd.nist.gov/vuln/detail/CVE-2025-61663
https://nvd.nist.gov/vuln/detail/CVE-2025-61664

(From OE-Core rev: c28fa3e6421257f50d4ae283cca28fadb621f831)

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 06:56:54 -08:00
Martin Jansa
52ba7ab020 cross.bbclass: Propagate dependencies to outhash 
Similar to what native and staging is doing since:
https://git.openembedded.org/openembedded-core/commit/meta/classes/native.bbclass?id=d6c7b9f4f0e61fa6546d3644e27abe3e96f597e2
https://git.openembedded.org/openembedded-core/commit/meta/classes/staging.bbclass?id=1cf62882bbac543960e4815d117ffce0e53bda07

Cross task outputs can call native dependencies and even when cross
recipe output doesn't change it might produce different results when
the called native dependency is changed, e.g. clang-cross-${TARGET_ARCH}
contains symlink to clang binary from clang-native, but when clang-native
outhash is changed, clang-cross-${TARGET_ARCH} will still be considered
equivalent and target recipes aren't rebuilt with new clang binary, see
work around in https://github.com/kraj/meta-clang/pull/1140 to make target
recipes to depend directly not only on clang-cross-${TARGET_ARCH} but
clang-native as well.

I have added a small testcase in meta-selftest which demostrates this issue.
Not included in this change, but will send it if useful.

openembedded-core $ ls -1 meta-selftest/recipes-devtools/hashequiv-test/
print-datetime-link-cross.bb
print-datetime-link-native.bb
print-datetime-native.bb
print-datetime-usecross.bb
print-datetime-usenative.bb

print-datetime-native provides script which prints defined PRINT_DATETIME variable.

print-datetime-link-native and print-datetime-link-cross both provide a symlink to
the script from print-datetime-native.

print-datetime-usenative and print-datetime-usecross are target recipes using the
native and cross versions of print-datetime-link-* recipe.

  # clean build all is rebuilt:
  $ bitbake -k print-datetime-usenative print-datetime-usecross
  WARNING: print-datetime-native-1.0-r0 do_install: print-datetime-native current DATETIME in script is 2025-11-13_20_05
  WARNING: print-datetime-link-native-1.0-r0 do_install: print-datetime-link-native current DATETIME in symlink is 2025-11-13_20_05
  WARNING: print-datetime-link-cross-x86_64-1.0-r0 do_install: print-datetime-link-cross-x86_64 current DATETIME in symlink is 2025-11-13_20_05
  WARNING: print-datetime-usenative-1.0-r0 do_install: print-datetime-usenative current DATETIME from print-datetime-link is 2025-11-13_20_05
  WARNING: print-datetime-usecross-1.0-r0 do_install: print-datetime-usecross current DATETIME from print-datetime-link is 2025-11-13_20_05

  # keep sstate-cache and hashserv.db:
  # print-datetime-usenative is correctly rebuilt, because print-datetime-link-native has different hash (because print-datetime-native hash changed)
  # print-datetime-usecross wasn't rebuilt, because print-datetime-link-cross-x86_64 doesn't include the changed hash of print-datetime-native
  $ bitbake -k print-datetime-usenative print-datetime-usecross
  WARNING: print-datetime-native-1.0-r0 do_install: print-datetime-native current DATETIME in script is 2025-11-13_20_07
  WARNING: print-datetime-link-native-1.0-r0 do_install: print-datetime-link-native current DATETIME in symlink is 2025-11-13_20_07
  WARNING: print-datetime-link-cross-x86_64-1.0-r0 do_install: print-datetime-link-cross-x86_64 current DATETIME in symlink is 2025-11-13_20_07
  WARNING: print-datetime-usenative-1.0-r0 do_install: print-datetime-usenative current DATETIME from print-datetime-link is 2025-11-13_20_07

It's because print-datetime-link-cross-x86_64 depsig doesn't include print-datetime-native signature:

$ cat tmp/work/x86_64-linux/print-datetime-link-cross-x86_64/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic
18
SSTATE_PKGSPEC=sstate:print-datetime-link-cross-x86_64:x86_64-oe-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx                                                                                       .
drwx                                                                                       ./recipe-sysroot-native
drwx                                                                                       ./recipe-sysroot-native/sysroot-providers
-rw-                   32 19fbeb373f781c2504453c1ca04dab018a7bc8388c87f4bbc59589df31523d07 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-cross-x86_64
drwx                                                                                       ./recipe-sysroot-native/usr
drwx                                                                                       ./recipe-sysroot-native/usr/bin
drwx                                                                                       ./recipe-sysroot-native/usr/bin/x86_64-oe-linux
lrwx                                                                                       ./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link -> ../print-datetime

While print-datetime-link-native doesn't have this issue, because print-datetime-native signature is there:

$ cat tmp/work/x86_64-linux/print-datetime-link-native/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic
18
print-datetime-native: 60f2734a63d708489570ca719413b4662f8368abc9f4760a279a0a5481e4a17b
quilt-native: 65d78a7a5b5cbbf0969798efe558ca28e7ef058f4232fcff266912d16f67a8b8
SSTATE_PKGSPEC=sstate:print-datetime-link-native:x86_64-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx                                                                                       .
drwx                                                                                       ./recipe-sysroot-native
drwx                                                                                       ./recipe-sysroot-native/sysroot-providers
-rw-                   26 3d5458be834b2d0e4c65466b9b877d6028ae2210a56399284a23144818666f10 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-native
drwx                                                                                       ./recipe-sysroot-native/usr
drwx                                                                                       ./recipe-sysroot-native/usr/bin
lrwx                                                                                       ./recipe-sysroot-native/usr/bin/print-datetime-link -> print-datetime

With the cross.bbclass fix the link-cross recipe has a checksum from native recipe as well:

$ cat tmp/work/x86_64-linux/print-datetime-link-cross-x86_64/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic
18
print-datetime-native: 9ceb6c27342eae6b8da86c84685af38fb8927ccc19979aae75b8b1e444b11c5c
quilt-native: 65d78a7a5b5cbbf0969798efe558ca28e7ef058f4232fcff266912d16f67a8b8
SSTATE_PKGSPEC=sstate:print-datetime-link-cross-x86_64:x86_64-oe-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx                                                                                       .
drwx                                                                                       ./recipe-sysroot-native
drwx                                                                                       ./recipe-sysroot-native/sysroot-providers
-rw-                   32 19fbeb373f781c2504453c1ca04dab018a7bc8388c87f4bbc59589df31523d07 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-cross-x86_64
drwx                                                                                       ./recipe-sysroot-native/usr
drwx                                                                                       ./recipe-sysroot-native/usr/bin
drwx                                                                                       ./recipe-sysroot-native/usr/bin/x86_64-oe-linux
lrwx                                                                                       ./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link -> ../print-datetime

And print-datetime-usecross is correctly rebuilt whenever print-datetime-native output is different.

(From OE-Core rev: dccb7a185fe58a97f33e219b4db283ff4a2071d7)

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2025-12-31 07:49:31 -08:00