linux/meta-openembedded.git, branch walnascar-next Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=walnascar-next 2025-07-27T18:35:10+00:00 ][PATCH] ufs-utils: fix crash for ufs-utils list_bsg 2025-07-27T18:35:10+00:00 Yi Zhao yi.zhao@eng.windriver.com 2025-07-20T14:03:49+00:00 urn:sha1:dca497d728792e3cb655c78455c2d649af312ce8 The full_path buffer in find_bsg_device function consists of: path + '/' + files->d_name + '\0' So the buffer size should be: strlen(path) + strlen(files->d_name) + 2, not: strlen(path) + strlen(files->d_name) + 1. Backport a patch to fix crash when running 32-bit binary on 64-bit system: $ ufs-utils list_bsg malloc(): invalid next size (unsorted) Aborted (core dumped) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> mariadb: upgrade 11.4.5 -> 11.4.6 2025-07-27T18:35:10+00:00 Yogita Urade yogita.urade@windriver.com 2025-07-18T12:35:22+00:00 urn:sha1:78447a67fc8495d485b327d984147d9fd519d8b0 This upgrade includes fix for CVE-2023-52971 Changelog: https://mariadb.com/kb/en/mariadb-11-4-6-changelog/ refresh 0001-Add-missing-includes-cstdint-and-cstdio.patch Droped 3871.patch and mm_malloc.patch as these are available in 11.4.6 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> mbedtls: upgrade 3.6.3.1 -> 3.6.4 2025-07-27T18:35:10+00:00 gudni gudni.m.g@gmail.com 2025-07-17T13:53:58+00:00 urn:sha1:7b05b691041d894508b22148c872b266d0c2f5ee Fixes several security vulnerabilities: CVE-2025-49601, CVE-2025-49600, CVE-2025-52496, CVE-2025-47917, CVE-2025-48965, CVE-2025-52497, and CVE-2025-49087 The framework directory has been changed into a git submodule.[1][2] The recipe now uses Git Submodule Fetcher (gitsm) Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4 [1] https://github.com/Mbed-TLS/mbedtls/commit/8cf5666a174237998a7965e284d7ba8c1655d16d [2] https://github.com/Mbed-TLS/mbedtls/commit/c90c6d8ff787ab8787d9373b0e662a95ed1f4dae Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> mbedtls: upgrade 3.6.3 -> 3.6.3.1 2025-07-27T18:35:10+00:00 Wang Mingyu wangmy@fujitsu.com 2025-07-17T13:53:57+00:00 urn:sha1:4f92de2059f82913aea763bf0e6bbd5801c429d4 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> python3-aiohttp: fix CVE-2025-53643 2025-07-27T18:35:10+00:00 Jiaying Song jiaying.song.cn@windriver.com 2025-07-16T09:22:22+00:00 urn:sha1:59d381adcaf70ccae5e78a8a21e2afbc59a52165 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-53643 Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> python3-tornado: upgrade 6.4.2 -> 6.5 2025-07-27T18:35:10+00:00 Praveen Kumar praveen.kumar@windriver.com 2025-07-15T09:19:21+00:00 urn:sha1:0883565b5dc963318111b04fd0c5dbf1d1b5fa2d Changelog: https://github.com/tornadoweb/tornado/releases/tag/v6.5.0 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> syslog-ng: upgrade 4.8.1 -> 4.8.2 2025-07-27T18:35:10+00:00 Praveen Kumar praveen.kumar@windriver.com 2025-07-15T09:19:22+00:00 urn:sha1:1950ca4270ec115e6c88a6d0d6cd9bb8f8dbd0a6 Includes fix for CVE-2024-47619 Release notes: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> poco: patch CVE-2025-6375 2025-07-27T18:35:10+00:00 Peter Marko peter.marko@siemens.com 2025-07-13T09:50:21+00:00 urn:sha1:a2b56547ffd0a23db1f0bf584f23073b6a8409ab Pick commit mentioned in [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-6375 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> minifi-cpp: patch spdlog CVE-2025-6140 2025-07-27T18:35:10+00:00 Peter Marko peter.marko@siemens.com 2025-07-12T12:58:20+00:00 urn:sha1:3d969d3a4ae075f94787d3d9d739d46924dac665 Same patch as in spdlog recipe. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> spdlog: patch CVE-2025-6140 2025-07-27T18:35:10+00:00 Peter Marko peter.marko@siemens.com 2025-07-12T12:58:19+00:00 urn:sha1:ce5314a8d81f59472ece3d79b3284fc8f5178075 Pick commit [1] mentioned in [2] as listed in [3]. [1] https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094 [2] https://github.com/gabime/spdlog/issues/3360 [3] https://nvd.nist.gov/vuln/detail/CVE-2025-6140 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>