Drop one patch since change is included in the release.
Upgrade was performed using devtool
Full changelog:
https://github.com/gpg/gnupg/compare/gnupg-2.4.8...gnupg-2.4.9
Noteworthy changes in version 2.4.9 (2025-12-30)
------------------------------------------------
* gpg: Fix possible memory corruption in the armor parser. [T7906]
* gpg: Avoid potential downgrade to SHA1 in 3rd party key
signatures. [rGddb012be7f]
* gpg: Error out on unverified output for non-detached signatures.
[rG9d302f978b]
* gpg: Do not allow compressed key packets on import. [T7014]
* scd: Fix a harmless read buffer over-read in a function used by
PKCS#15 cards. [T7662]
* dirmngr: Do not require a keyserver for "gpg --fetch-key".
[T7693]
* agent: Fix ssh-agent's request_identities for skipped Brainpool
keys. [rG6bf5696c85]
Release-info: https://dev.gnupg.org/T8001
(From OE-Core rev: 5eb2cd21ac86805f5f90ea149da7de6e41342299)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The CVE-2025-62813 is rejected so do not reference it anymore.
So keep the patch but without referencing the CVE identifier.
The CVE database indicates the following reason:
This candidate was withdrawn by its CNA. Further investigation
showed that it was not a security issue.
(From OE-Core rev: 99706716626324605c049a9130f705f2090a9f91)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9c840a69b62a5fdffb3679a44d68dd5630b2916c)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Changelog for liburcu: 0.14.0 -> 0.14.2
============================================================
2026-01-26 Userspace RCU 0.14.2
* Fix: Only include linux/time_types.h when __NR_futex_time64 is defined
* Use __NR_futex_time64 in futex syscall wrapper
* Cleanup: Remove useless declarations from urcu-qsbr
* src/urcu-bp.c: assert => urcu_posix_assert
2024-08-28 Userspace RCU 0.14.1
* Fix: missing typename in URCU_FORCE_CAST
* Allow building with GCC >= 13.3 on RISC-V
* pointer.h: Fix the rcu_cmpxchg_pointer documentation
* Adjust shell script to allow Bash in other locations
* fix: handle EINTR correctly in get_cpu_mask_from_sysfs
* Relicense src/compat-smp.h to MIT
* ppc.h: use mftb on ppc
* Fix: allow clang to build liburcu on RISC-V
* Fix -Walloc-size
* urcu/uatomic/riscv: Mark RISC-V as broken
* Fix: urcu-bp: misaligned reader accesses
* LoongArch: Document that byte and short atomics are implemented with LL/SC
* Add LoongArch support
* tests/regression/rcutorture: Add wait state
* urcu-wait: Initialize node in URCU_WAIT_NODE_INIT
* Fix: urcu-wait: add missing futex.h include
* Adjust shell scripts to allow Bash in other locations
* Add support for OpenBSD
* Revert compiler.h: Introduce caa_unqual_scalar_typeof
* rculfhash: Use caa_container_of_check_null in cds_lfht_entry
* compiler.h: Introduce caa_container_of_check_null
* compiler.h: Introduce caa_unqual_scalar_typeof
* Avoid calling caa_container_of on NULL pointer in cds_lfht macros
* Fix: revise urcu_read_lock_update() comment
* Fix: uatomic powerpc comment about lwsync
* fix: aarch64: allow RHEL7 gcc 4.8.5-11
* fix: warning 'noreturn' function does return on ppc
* Fix: use __noreturn__ for C11-compatibility
(From OE-Core rev: dc2df90b1d4f71023169d492f3819326e0e6c055)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
GCC-15 has switched to using C23 by default, we have been selectively
disabling warnings as errors to get by, however with autoconf 2.72 adding
-std=gnu23 it now gets enabled for every compiler and clang-22 is more
obidient and has dropped support for K&R C completely. db5 code has a lot
of K&R C prototypes and it starts to fail vigorously. We can not keep
working around with out uplifting sources to be compliant with newer C
standard like C23.
Therefore pin the cflags to use C99 standard as this package expects.
Drop the code to disable warnings as errors selectively instead add a
fix for addressing implicit int warnings
(From OE-Core rev: ff6d0aa3ce4d39bc6b140c13846b5872ce4a181c)
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit 8615b3388b97a56096b959dea4d7499e03187100)
[YC: switched from CFLAGS += to CFLAGS:append]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Changelog:
* Update Mozilla certificate authority bundle to version 2.82
The following certificate authorities were added (+):
+ TrustAsia TLS ECC Root CA
+ TrustAsia TLS RSA Root CA
+ SwissSign RSA TLS Root CA 2022 - 1
+ OISTE Server Root ECC G1
+ OISTE Server Root RSA G1
The following certificate authorities were removed (-):
- GlobalSign Root CA
- Entrust.net Premium 2048 Secure Server CA
- Baltimore CyberTrust Root (closes: #1121936)
- Comodo AAA Services root
- XRamp Global CA Root
- Go Daddy Class 2 CA
- Starfield Class 2 CA
- CommScope Public Trust ECC Root-01
- CommScope Public Trust ECC Root-02
- CommScope Public Trust RSA Root-01
- CommScope Public Trust RSA Root-02
* Use dh_usrlocal to create /usr/local/share/ca-certificates
(From OE-Core rev: 219ca927c9cd31a200b2ab4bed17937af4e5afc8)
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 738e08718e31de19c1c8db5e162a4a00e2b0c0e6)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
curl's websocket code did not update the 32 bit mask pattern
for each new outgoing frame as the specification says. Instead
it used a fixed mask that persisted and was used throughout
the entire connection.
A predictable mask pattern allows for a malicious server to induce
traffic between the two communicating parties that could be
interpreted by an involved proxy (configured or transparent) as
genuine, real, HTTP traffic with content and thereby poison its
cache. That cached poisoned content could then be served to all
users of that proxy.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10148
Upstream patch:
https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa
(From OE-Core rev: 3793ee12d8da4f8f90a0ffcad180ef8122251491)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Introduce new packageconfig to explicitly avoid compilation of
experimental code. Note that the code was not compiled by default also
before this patch, this now makes it explicit and makes it possible to
check for the flags in cve-check code.
This is less intrusive change than a patch removing the code which was
rejected in patch review.
This will solve CVE-2025-59777 and CVE-2025-62689 as the vulnerable code
is not compiled by default.
Set appropriate CVE status for these CVEs based on new packageconfig.
(From OE-Core rev: 9e3c0ae261afb7b9ff9528dbc147fb6c89d5a624)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Due to what looks like a copy'n'paste mistake, the environment setup script
might override 'CURL_CA_BUNDLE' from the host env instead of leaving it
untouched. Fix that.
(cherry picked from commit 545e43a7a45be02fda8fc3af69faa20e889f58c4)
CC: changqing.li@windriver.com
CC: raj.khem@gmail.com
CC: Peter.Marko@siemens.com
(From OE-Core rev: ef198b0c6063ede32cb93fe44eb89937c076a073)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When the package is installed directly on the machine (instead of
installing it in the rootfs directly), the postinstall script fails with
the following error:
/usr/sbin/update-ca-certificates: line 75: shift: shift count out of range
The reason is that the "update-ca-certificates" script is executed with
the "--sysroot" argument, and as the sysroot $D is passed. However on the
target system this variable doesn't exist, so the argument is passed without
this mandatory value, and the execution fails.
To avoid this error, check if the $D variable exists, and pass the --sysroot
argument only when it does.
Reported-by: WXbet <Wxbet@proton.me>
(From OE-Core rev: 9a2bd3b6e2e53071a1463d2804d0d4fb17b1814f)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cf39461e97098a1b28693299677888ba7e8bfccf)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch
refreshed for 20250419
0002-sbin-update-ca-certificates-add-a-sysroot-option.patch
removed since it's included in 20250419
(From OE-Core rev: dd05818a422c8c5be1aef06405d200280b382b91)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e39cc1fb7234bf2b37856296d3c0d10ddf8cae64)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch
was using a non-standard environment variable, and was replaced
with a patch that adds a command line option (and then this
was submitted upstream). ca-certificates recipe was tweaked accordingly,
and nothing else in core or meta-oe is using update-ca-certificates.
Drop default-sysroot.patch as the use case is unclear: sysroot
is explicitly specified in all known invocations of update-ca-certificate,
and if there's a place where it isn't, then update-ca-certificates
will error out trying to write to /etc, and should be fixed to
explicitly specify the sysroot.
(From OE-Core rev: a80185fd72a2be183783b0e464c07f1043d7dd37)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90d9f0ba674d4fe8e9291f0513c13dff3775c545)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
git repo no longer has tags for recent versions which means
we had missed several of them, and wouldn't be able to get
notifications about any future releases.
(From OE-Core rev: 44c113497c7e3f9f06604e892df1eb717bb3410d)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 81f013fd1312551628701bf36ac62746a2606dbd)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Provide references for how the SRCREV was arrived at for the 20240203
release.
(From OE-Core rev: b1d86653f1485aa56fe8bf050931d5b8657ee499)
Signed-off-by: Theodore A. Roth <troth@openavr.org>
Signed-off-by: Theodore A. Roth <theodore_roth@trimble.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6916cdb0f05f6644edb1e432a9421595abb9f0ca)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The 20240203 version is the same as used in Ubuntu >= 24.04 and Debian
Trixie (testing).
(From OE-Core rev: 63620f034019b3b3585e263bd26b3fadd9a1692e)
Signed-off-by: Theodore A. Roth <troth@openavr.org>
Signed-off-by: Theodore A. Roth <theodore_roth@trimble.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ce19168885a04b0d77e81c1fd1c4262b195a47d4)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
