mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-02 18:32:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
75,703 Commits 38 Branches 624 Tags
c7084e7f0596663787e2d9b87a58233d7fec342c
Commit Graph

55268 Commits

Author SHA1 Message Date
Fred Bacon
c7084e7f05 lighttpd: Fix trailing slash on files in mod_dirlisting 
Fixes [YOCTO #16128]

Backport of upstream bug fix from lighttpd-1.4.75. Version 1.4.74 introduced a bug that
would append a trailing slash to files in a directory listing. When the user attempts to
download one of these files, the web browser could not save the file with a trailing
slash. As a consequence, every web browser tested would generate a random character string
for the saved file name.

(From OE-Core rev: 797f15116901328a9a58868edeea44614dc29043)

Signed-off-by: Fred Bacon <bacon@aerodyne.com>
[Yoann: Fixed Upstream-Status: Backport URL]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Benjamin Robin (Schneider Electric)
9628ed0111 meta/classes: fix missing vardeps for CVE status variables 
Several CVE helper functions (get_patched_cves() and decode_cve_status())
implicitly depend on the CVE_STATUS and CVE_CHECK_STATUSMAP variables, but
these were not declared in the vardeps of their callers.

On Scarthgap, the upstream fix (2cc43c72ff28aa39a417dd8d57cd7c8741c0e541)
cannot be cherry-picked cleanly, as it also requires BitBake changes.

As a workaround, explicitly add CVE_STATUS and CVE_CHECK_STATUSMAP to the
vardeps of all tasks invoking these helpers, ensuring correct task
re-execution when CVE status changes.

This keeps CVE-related metadata generation consistent without requiring
BitBake modifications.

(From OE-Core rev: 111e1f2febade3c34649f33676f7f7e7cc8e0bd0)

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
af8b964e9b glibc: stable 2.39 branch updates 
git log --oneline 58cbbd43fe82910cf8ae9008351b0b0665104500..ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc
ce65d944e3 (HEAD -> release/2.39/master, origin/release/2.39/master) posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
831f63b94c resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
fb22fd3f5b memalign: reinstate alignment overflow check (CVE-2026-0861)
10c0bcb3d3 support: Exit on consistency check failure in resolv_response_add_name
f47dd22366 support: Fix FILE * leak in check_for_unshare_hints in test-container
4a53354eaf sprof: fix -Wformat warnings on 32-bit hosts
beb8267909 sprof: check pread size and offset for overflow
c07002038f getaddrinfo.c: Avoid uninitialized pointer access [BZ #32465]
ae5fb93559 nptl: Optimize trylock for high cache contention workloads (BZ #33704)
efff7cb659 ppc64le: Power 10 rawmemchr clobbers v20 (bug #33091)
f6becd8ae8 ppc64le: Restore optimized strncmp for power10
0daa4e46b8 ppc64le: Restore optimized strcmp for power10
28c1de6580 AArch64: Fix instability in AdvSIMD tan
03d0393343 AArch64: Optimise SVE scalar callbacks
0d05a895f1 aarch64: fix includes in SME tests
c1dc4412f8 aarch64: fix cfi directives around __libc_arm_za_disable
d60f15dc89 aarch64: tests for SME
d1d0d09e9e aarch64: clear ZA state of SME before clone and clone3 syscalls
dbe1904b7c aarch64: define macro for calling __libc_arm_za_disable
58cf4aa421 aarch64: update tests for SME
1b3bd9a9a6 aarch64: Disable ZA state of SME in setjmp and sigsetjmp
38942a336b linux: Also check pkey_get for ENOSYS on tst-pkey (BZ 31996)
c74d59a656 aarch64: Do not link conform tests with -Wl,-z,force-bti (bug 33601)
323ad087a1 x86: fix wmemset ifunc stray '!' (bug 33542)

Testing Results:
             Before    After    Diff
PASS         4926      4921     -5
XPASS        4         4         0
FAIL         223       229      +6
XFAIL        16        16        0
UNSUPPORTED  224       224       0

Changes in failed testcases:

testcase-name                                before  after
elf/tst-audit21                              PASS    FAIL
malloc/tst-malloc-too-large                  PASS    FAIL
malloc/tst-malloc-too-large-malloc-check     PASS    FAIL
malloc/tst-malloc-too-large-malloc-hugetlb1  PASS    FAIL
malloc/tst-malloc-too-large-malloc-hugetlb2  PASS    FAIL
malloc/tst-malloc-too-large-mcheck           PASS    FAIL

(From OE-Core rev: a49b898ed6d571391d90cc3ba150a0421642be23)

Signed-off-by: Peter Marko <peter.marko@siemens.com>

[Yoann: When run on the autobuilder, all those new FAIL tests are PASS:
https://valkyrie.yocto.io/pub/non-release/20260209-10/testresults/qemux86-64-tc/testresults.json]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Ankur Tyagi
b617f833e5 ffmpeg: ignore CVE-2025-25469 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-25469

This vulnerability exists in IAMF (Immersive Audio Model and Formats demuxer)
which was introduced in version 7.0 [1]

$ git tag --contains 4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
n7.0
n7.0.1
n7.0.2
n7.0.3
n7.1
n7.1-dev
n7.1.1
n7.1.2
n7.1.3
n7.2-dev
n8.0
n8.0.1
n8.1-dev

[1] 4ee05182b7

(From OE-Core rev: 935bd46fab333a29a8bf4bb511fb55d5d02b3a71)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Ankur Tyagi
b8600b66e4 ffmpeg: upgrade 6.1.3 -> 6.1.4 
Dropped patches that are part of the upstream version.

Changelog:
34277e12e8:/Changelog

(From OE-Core rev: f9f054faca45a08507b510c8982f170edd6bf83a)

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
463172affb zlib: ignore CVE-2026-22184 
This is CVE for example tool contrib/untgz.
This is not compiled in Yocto zlib recipe.

This CVE has controversial CVSS3 score of 9.8.

(From OE-Core rev: b00a1990237d473971076c4f92a1060911b8b323)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b0592c51b6ad038d737d2f6b30977bd0c5c50058)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Yoann Congal
028444d608 zlib: cleanup CVE_STATUS[CVE-2023-45853] 
CVE-2023-45853: Version is now higher than NVD CPE

This is a partial cherry-pick from 73ee9789183a ("recipes: cleanup
CVE_STATUS which are resolved now").

Cc: Peter Marko <peter.marko@siemens.com>
(From OE-Core rev: 2e05844a70f97399e323f967e926075428cb5233)

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Het Patel
a2c9f142ed zlib: Add CVE_PRODUCT to exclude false positives 
To avoid false positives (such as CVE-2023-6992, cloudflare:zlib), add a
CVE_PRODUCT to identify the vendors that have been used.

Removing the present existing CVE_STATUS for CVE-2023-6992.

(From OE-Core rev: 85427d225416b3b12bf05513c9427370309b2127)

Signed-off-by: Het Patel <hetpat@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 119b775b36dfd51286493763cffb6e965893b8fd)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Adarsh Jagadish Kamini
54e7eb5951 python-urllib3: Backport fix for CVE-2026-21441 
Include the patch linked in the NVD report : https://nvd.nist.gov/vuln/detail/CVE-2026-21441
(From OE-Core rev: bf85dff7bf4340a691df3da21f04a651fff11a17)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
534b2c966a python3: patch CVE-2025-13837 
Pick patch from 3.12 branch per NVD report.

(From OE-Core rev: 37936e0e93ab5c236d8cc8e709ba1faf8380577c)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
8d61eb390a libxml2: add follow-up patch for CVE-2026-0992 
References:
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
* https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/377

(From OE-Core rev: 2c8e455148e12e097ff757bcf0a57d7d5bd77c30)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
bd21ac68d0 libxml2: patch CVE-2026-0992 
Pick patch which closed [1].
Adapt for missing xmlCatalogPrintDebug per [2].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
[2] 728869809e

(From OE-Core rev: 826dd15a99433c4066d2cd4546515d174d443350)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:35 +00:00
Peter Marko
57126cdaa7 libxml2: patch CVE-2026-0990 
Pick patch which closed [1].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018

(From OE-Core rev: f1bb433bbdb0fa19d7d8cbe15d4180c9d18cca5a)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
35fca9ec35 libxml2: patch CVE-2026-0989 
Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
[2] https://gitlab.gnome.org/GNOME/libxml2/-/issues/998

(From OE-Core rev: d201a09eee8efca8a889f0b7a60133e850256369)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Hugo SIMELIERE
308c5dd2c9 libtasn1: Fix CVE-2025-13151 
Upstream-Status: Backport from d276cc495a

(From OE-Core rev: 3f9f51783597a682efdf989bebac2934b1f7040c)

Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
005e0f6daf libpng: patch CVE-2026-22801 
Pick comit per [1].

[1] https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8

(From OE-Core rev: fc0f0ecb694ae3042cff4472c62c78a7389662c6)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
f824456616 libpng: patch CVE-2026-22695 
Pick commit per [1].
This CVE is regression of fix for CVE-2025-65018.

[1] https://security-tracker.debian.org/tracker/CVE-2026-22695

(From OE-Core rev: cdfeb4e55f856b1020caf58f380d3a1e7eb5cd97)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Vijay Anusuri
2541663fd1 inetutils: Fix CVE-2026-24061 
Upstream-Status: Backport from
https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ccba9f748aa8d50a38d7748e2e60362edd6a32cc
& https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fd702c02497b2f398e739e3119bed0b23dd7aa7b

Ref: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

(From OE-Core rev: da89012029cb110f6d2768248981ab9c4872d871)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
53dbc9c218 glib-2.0: patch CVE-2026-0988 
Pick relevant commit from [2] linked from [1].

[1] https://gitlab.gnome.org/GNOME/glib/-/issues/3851
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4944

(From OE-Core rev: 9df34167c74267b63d46c354efe9b3874efa062e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
236069b7e0 expat: patch CVE-2026-25210 
Pick patches from [1].

[1] https://github.com/libexpat/libexpat/pull/1075

(From OE-Core rev: 97cf4b2341449b34e61a09437e2159b279f9f848)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Peter Marko
46fdae1b0f expat: patch CVE-2026-24515 
Pick commits from PR linked in NVD report.

(From OE-Core rev: 7c4fb02b8d8668ec85f5d4ba98db5d69e1e6b712)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Amaury Couderc
cc5e0688c0 curl: patch CVE-2025-14524 
(From OE-Core rev: 951113a6e8185969444b5e28292f23434dba1f6c)

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Hitendra Prajapati
68f03e2a9f curl: fix CVE-2025-10148 
curl's websocket code did not update the 32 bit mask pattern
for each new outgoing frame as the specification says. Instead
it used a fixed mask that persisted and was used throughout
the entire connection.

A predictable mask pattern allows for a malicious server to induce
traffic between the two communicating parties that could be
interpreted by an involved proxy (configured or transparent) as
genuine, real, HTTP traffic with content and thereby poison its
cache. That cached poisoned content could then be served to all
users of that proxy.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10148

Upstream patch:
https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa

(From OE-Core rev: 3793ee12d8da4f8f90a0ffcad180ef8122251491)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-02-16 09:52:34 +00:00
Richard Purdie
3534914790 build-appliance-image: Update to scarthgap head revision 
(From OE-Core rev: d50e4680ed6f930582d907b37c9ed545a89f5c27)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:50:55 +00:00
Richard Purdie
fb693aab03 pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation' 
The pseudo update was causing hangs in builds, pull in the fix.

(From OE-Core rev: a845c75096c381f45c13451b1baedc7774e4eff2)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8acdbefd0a148c8b7713f46066ae8489984c5d2d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Richard Purdie
3bcac51eb2 pseudo: Update to pull in openat2 and efault return code changes 
Pulls in the following fixes:

 * makewrappers: Enable a new efault option
 * ports/linux/openat2: Add dummy wrapper
 * test-syscall: Add a syscall test
 * ports/linux/pseudo_wrappers: Avoid openat2 usage via syscall

which should fix issues with the tar CVE fix on Centos/Alma/Rocky 9 distros
that uses openat2 as well as the efault issue breaking rust based uutils.

(From OE-Core rev: a872357343b29530d05823368cfc8863a798412d)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 51f1388dd1679a28ec3ca468cf16aa0ea32bccf9)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Paul Barker
bf7d623729 pseudo: Add hard sstate dependencies for pseudo-native 
Where a task (such as do_package) runs under fakeroot, the corresponding
setscene task (do_package_setscene) will also run under fakeroot when
restoring from sstate. Assuming pseudo is used as the fakeroot
implementation, we need pseudo-native and all its runtime dependencies
to be available in the sysroot before running any setscene tasks under
fakeroot.

We already add a hard dependency from all do_package_setscene tasks to
virtual/fakeroot-native:do_populate_sysroot in base.bbclass, but this
does not cover transitive dependencies. So, extend the dependencies of
pseudo-native:do_populate_sysroot_setscene to ensure that the sqlite3
library is also available in the sysroot before running fakeroot
setscene tasks.

[YOCTO #15963]

(From OE-Core rev: c73e9513f26cd9e073fc2eb0a67378ad7864d677)

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c146ca657440550e00bc5e53d13502ef7aa945b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Richard Purdie
e380eea705 pseudo: Update to pull in memleak fix 
(From OE-Core rev: b6e48eac4b61d66b240b80f35b1d97752e814d15)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 42137b6f97da0672af365cd841678f39ce5907d2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Robert Yang
e6cbef9080 pseudo: 1.9.0 -> 1.9.2 
(From OE-Core rev: 89256d7c891c0053028a4d8679ccebc24f36577c)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 48a42747fd280ce68283e1491971d22273e3bdf2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Richard Purdie
80593d0ce1 pseudo: Upgrade to version 1.9.1 
This brings in:
 * nftw, nftw64: add wrapper
 * ftw, nftw, ftw64, nftw64: add tests
 * Move ftw and ftw64 to calling ntfw and nftw64
 * makewrappers: Introduce 'array' support
 * pseudo_util.c: Avoid warning when we intentionally discard const
 * pseudo_client.c: Fix warning
 * yocto-older-glibc-symbols.path: Add as a reference patch
 * pseudo/pseudo_client: Add wrapper functions to operate correctly with glibc 2.38 onwards
 * configure: Prune PIE flags
 * test/test-parallel-rename.sh: Add parallel rename test
 * test/test-parallel-symlinks.sh: Add parallel symlink test
 * ports/linux/guts: Add .gitignore to ignore generated files

(From OE-Core rev: a019d270cd6f41c751e685f36581c00e65287b9d)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 994e508b2a0ede8b5cc4fe39444cf25dc9a53faf)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
4581b795c6 curl: patch CVE-2025-15224 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15224.html

(From OE-Core rev: 83c7d4acc5da661b44055db95355c3c420f7afac)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
41c8c7c5c5 curl: patch CVE-2025-15079 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15079.html

(From OE-Core rev: 48a162d90daada0f992e665696f7f2e738780af1)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
ea774774ef curl: patch CVE-2025-14819 
Pick patch per [1].

Additionally pick commit with definition of CURL_UNCONST to make the
cherry-pick possible without build errors.
It will be probably needed also by further CVE patches.

[1] https://curl.se/docs/CVE-2025-14819.html

(From OE-Core rev: 3a8e5ae08380ca201df950546dd5f02f9bbe1237)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
7a394819a8 curl: patch CVE-2025-14017 
Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-14017.html

(From OE-Core rev: 2284de47317ada818f916be65abf13969294541c)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
b6ea3460e5 libarchive: fix CVE-2025-60753 regression 
Pick patch from PR mentioned in v3.8.5 release notes.

(From OE-Core rev: c316c6e50e73a681c22fa03cdb59a0317495a418)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
8df07c5662 cups: allow unknown directives in conf files 
Patch for CVE-2025-61915 by mistake causes fatal error on unknown
directives in configuration files.
The default configuration already contains unknown directive in
non-systemd setups:
Unknown directive IdleExitTimeout on line 32 of /etc/cups/cupsd.conf

Backport fix for this from 2.4.x branch which reverts this behavior.

(From OE-Core rev: 2f36a12a72cf1f91a2d6ee68bd04292979608eb9)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
bfe84d74fe libpcap: patch CVE-2025-11964 
Pick patch per [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-11964

(From OE-Core rev: 64c2af571190f7c2b3bb5c53517f0cbcb5dddd6e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
5941c9425f libpcap: patch CVE-2025-11961 
Pick patch per [1].
Also pick additional preparation patch to apply it cleanly.

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-11961

(From OE-Core rev: f28be1d360056949a56c62c7d5ce98d15ca8b7d5)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:39 +00:00
Peter Marko
38071ff688 dropbear: patch CVE-2019-6111 
Pick patch mentioning this CVE number.

(From OE-Core rev: 8fa0c278c269ed1ef0225cf22a86d0b36632058e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
6b53fa118e glib-2.0: patch CVE-2025-14512 
Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4935
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3845

(From OE-Core rev: 9a526a195241dff60707b99b46d1d43f2f5ad2fd)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
6e462f0df2 glib-2.0: patch CVE-2025-14087 
Pick commits from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4933
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3834

(From OE-Core rev: f477d209a56a4f382636d49fd5cfba3e8169f7f0)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
d77b73fd3f glib-2.0: patch CVE-2025-13601 
Pick commits from [1] per [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13601

(From OE-Core rev: 5744d66b8f2f0ee8ed963bb3e6d93a9a167070e3)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
47124f2fda qemu: ignore CVE-2025-54566 and CVE-2025-54567 
These CVEs are not applicable to version 8.2.x as the vulnerable code
was introduced inly in 10.0.0.

Debian made the analysis, reuse their work.
* https://security-tracker.debian.org/tracker/CVE-2025-54566
* https://security-tracker.debian.org/tracker/CVE-2025-54567

(From OE-Core rev: 77533b3dbd9cb82d6fad3c3d07872913a2991627)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
6152ee6778 util-linux: patch CVE-2025-14104 
Pick patches per [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-14104

(From OE-Core rev: 0dee49ec49c341235863ec75fc80619e70dfd836)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
2104407814 python3: patch CVE-2025-13836 
Pick commit from branch 3.12 mentioned in [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-13836

(From OE-Core rev: 05aa143fb5f63de0f53e916daa3392917da46131)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Peter Marko
5ae239f8ea python3: patch CVE-2025-12084 
Pick patch from 3.12 branch according to [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-12084

(From OE-Core rev: c3ed0dfa3a7b8716008968b0d7f80885b2f61a84)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2026-01-26 09:45:38 +00:00
Steve Sakoman
72983ac391 build-appliance-image: Update to scarthgap head revision 
(From OE-Core rev: 6988157ad983978ffd6b12bcefedd4deaffdbbd1)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 07:00:05 -08:00
Vijay Anusuri
795103a538 go: Fix CVE-2025-61729 
Upstream-Status: Backport from 3a842bd5c6

(From OE-Core rev: 2d6d68e46a430a1dbba7bd8b7d37ff56f4f5a0e6)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 06:56:54 -08:00
Vijay Anusuri
d3c87dc830 go: Fix CVE-2025-61727 
Upstream-Status: Backport from 04db77a423

(From OE-Core rev: 647e151485bd10a8bbbdbae4825791723c9a5d8e)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 06:56:54 -08:00
Vijay Anusuri
a5cecb013b go: Update CVE-2025-58187 
Upstream-Status: Backport from ca6a5545ba

(From OE-Core rev: 2d6b089de3ef5e062d852eb93e3ff16997e796ef)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
 2026-01-02 06:56:54 -08:00