linux/meta-openembedded.git/meta-multimedia, branch scarthgap

libde265: upgrade 1.0.12 -> 1.0.16

2026-04-13T07:10:21+00:00

Dropped patches which are part of the upstream version. https://github.com/strukturag/libde265/releases/tag/v1.0.16 https://github.com/strukturag/libde265/releases/tag/v1.0.15 https://github.com/strukturag/libde265/releases/tag/v1.0.14 https://github.com/strukturag/libde265/releases/tag/v1.0.13 Signed-off-by: Ankur Tyagi Signed-off-by: Anuj Mittal

bluealsa: fix QA issue staticdev

2026-03-24T10:23:24+00:00

When building bluealsa with building static libraries NOT disabled, you get the following error: ERROR: bluealsa-4.3.0-r0 do_package_qa: QA Issue: non -staticdev package contains static .a library: bluealsa path '/usr/lib/alsa-lib/libasound_module_pcm_bluealsa.a' [staticdev] ERROR: bluealsa-4.3.0-r0 do_package_qa: QA Issue: non -staticdev package contains static .a library: bluealsa path '/usr/lib/alsa-lib/libasound_module_ctl_bluealsa.a' [staticdev] ERROR: bluealsa-4.3.0-r0 do_package_qa: Fatal QA errors were found, failing task. Fix this by explicitly putting these files in the -staticdev package. Signed-off-by: Matthias Proske Signed-off-by: Khem Raj (cherry picked from commit 1a9744b3cabd440ff0cece448a3b9717da8cfd97) Signed-off-by: Anuj Mittal

libde265: patch CVE-2025-61147

2026-03-24T03:22:16+00:00

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61147 Backport the patch referenced by the NVD advisory. Note that this is a partial backport - only the parts that are used by the application, and without pulling in c++17 headers. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal

vlc: ignore CVE-2026-26227 and CVE-2026-26228

2026-03-24T03:22:06+00:00

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-26227 https://nvd.nist.gov/vuln/detail/CVE-2026-26228 Both vulnerabilities affect only the Android version of VLC, not the other ones. Because of this, ignore these CVEs. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal

streamripper: ignore CVE-2020-37065

2026-03-24T03:22:03+00:00

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-37065 The vulnerability is about a 3rd party Windows-only GUI frontend for the streamripper library, and not for the CLI application that the recipe builds. Due to this ignore this CVE. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 1571c1a8e5e876db9db744d0a3e3256ac585242b) Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal

README: update listed maintainer

2026-02-25T08:28:47+00:00

Signed-off-by: Anuj Mittal

sox: patch CVE-2019-8354

2026-02-09T04:05:45+00:00

Details: https://nvd.nist.gov/vuln/detail/CVE-2019-8354 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2019-8354 Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal

sox: patch CVE-2019-13590

2026-02-09T04:05:45+00:00

Details: https://nvd.nist.gov/vuln/detail/CVE-2019-13590 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2019-13590 Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal

sox: mark CVE-2019-1010004 as patched

2026-02-09T04:05:44+00:00

Details: https://nvd.nist.gov/vuln/detail/CVE-2019-1010004 The description mentions that this vulnerability overlaps with CVE-2017-18189, and Debian's investigation[1] confirms that it is solved by the same commit. Add the ID to the CVE tag of CVE-2017-18189.patch. [1]: https://security-tracker.debian.org/tracker/CVE-2019-1010004 Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal

sox: patch CVE-2017-18189

2026-02-09T04:05:44+00:00

Details: https://nvd.nist.gov/vuln/detail/CVE-2017-18189 Pick the patch that was identified by Debian[1] as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2017-18189 Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal