<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-oe/recipes-support, branch scarthgap</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2026-05-21T04:26:15+00:00</updated>
<entry>
<title>nss: Fix CVE-2026-2781</title>
<updated>2026-05-21T04:26:15+00:00</updated>
<author>
<name>Hugo SIMELIERE (Schneider Electric)</name>
<email>hsimeliere.opensource@witekio.com</email>
</author>
<published>2026-05-20T11:50:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=59f8c396f936e99770e6876af1e68e27d696857c'/>
<id>urn:sha1:59f8c396f936e99770e6876af1e68e27d696857c</id>
<content type='text'>
Pick patch from [1] as 3.9X upstream mirror backport of [2] mentioned in Debian report in [3].

[1] https://github.com/nss-dev/nss/commit/870d3b013e6b39540d14e67b3db89da5a96381bf
[2] https://hg-edge.mozilla.org/projects/nss/rev/245385e16fa6
[3] https://security-tracker.debian.org/tracker/CVE-2026-2781

Signed-off-by: Hugo SIMELIERE (Schneider Electric) &lt;hsimeliere.opensource@witekio.com&gt;
Reviewed-by: Bruno VERNAY &lt;bruno.vernay@se.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>libssh: set status for CVE-2025-14821</title>
<updated>2026-05-21T03:27:48+00:00</updated>
<author>
<name>Sudhir Dumbhare</name>
<email>sudumbha@cisco.com</email>
</author>
<published>2026-05-14T12:48:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=9f70f8d461abae94342da0e41ed978022e0eefe2'/>
<id>urn:sha1:9f70f8d461abae94342da0e41ed978022e0eefe2</id>
<content type='text'>
The vulnerability is Windows-specific and depends on loading
configuration from C:\etc, which does not apply to Linux/Yocto builds

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-14821
https://github.com/advisories/GHSA-5jf9-8f86-jhvw
https://www.libssh.org/security/advisories/CVE-2025-14821.txt

Signed-off-by: Sudhir Dumbhare &lt;sudumbha@cisco.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>lcms: patch CVE-2026-42798</title>
<updated>2026-05-21T03:27:46+00:00</updated>
<author>
<name>Ankur Tyagi</name>
<email>ankur.tyagi85@gmail.com</email>
</author>
<published>2026-05-13T05:04:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=100da99a04bff89f53822c220e223298cb780f66'/>
<id>urn:sha1:100da99a04bff89f53822c220e223298cb780f66</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-42798

Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>lcms: patch CVE-2026-41254</title>
<updated>2026-05-21T03:27:46+00:00</updated>
<author>
<name>Ankur Tyagi</name>
<email>ankur.tyagi85@gmail.com</email>
</author>
<published>2026-05-13T05:04:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=49a682f2eda7d3405347fe9665d435b04fd9cfa3'/>
<id>urn:sha1:49a682f2eda7d3405347fe9665d435b04fd9cfa3</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254

Backport the patches referenced by the NVD advisory.

Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>onig: Add CVE_PRODUCT to support product name</title>
<updated>2026-05-21T03:27:43+00:00</updated>
<author>
<name>Het Patel</name>
<email>hetpat@cisco.com</email>
</author>
<published>2026-05-08T06:28:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=aaa594e19e932d99f9de020a5f9f83077d0cf28d'/>
<id>urn:sha1:aaa594e19e932d99f9de020a5f9f83077d0cf28d</id>
<content type='text'>
- Set CVE_PRODUCT to align with the NVD CPE and ensure correct CVE
reporting.

Signed-off-by: Het Patel &lt;hetpat@cisco.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 7bc5268662f1428bdbca08e14d223aa6b62e87f3)
Signed-off-by: Himanshu Jadon &lt;hjadon@cisco.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>onig: fix gcc 15 build</title>
<updated>2026-04-29T07:26:07+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@linaro.org</email>
</author>
<published>2026-04-28T09:00:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=a9b7af632e143718d7776b0b85c360eae742b370'/>
<id>urn:sha1:a9b7af632e143718d7776b0b85c360eae742b370</id>
<content type='text'>
With backport from upstream 6.9.10.

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@linaro.org&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>libssh: Fix CVE-2026-0965</title>
<updated>2026-04-29T04:44:29+00:00</updated>
<author>
<name>Ankur Tyagi</name>
<email>ankur.tyagi85@gmail.com</email>
</author>
<published>2026-04-28T05:01:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=955189fbcb749b2a14191f4a19fa083d0ca24ce1'/>
<id>urn:sha1:955189fbcb749b2a14191f4a19fa083d0ca24ce1</id>
<content type='text'>
Backport the patch [1] as mentioned in [2]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=bf390a042623e02abc8f421c4c5fadc0429a8a76
[2] https://security-tracker.debian.org/tracker/CVE-2026-0965

Ptests passed:
root@qemux86:~# ptest-runner libssh
START: ptest-runner
2026-04-28T04:44
BEGIN: /usr/lib/libssh/ptest
...
...
DURATION: 269
END: /usr/lib/libssh/ptest
2026-04-28T04:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>libssh: patch CVE-2026-0967</title>
<updated>2026-04-29T04:44:29+00:00</updated>
<author>
<name>Ankur Tyagi</name>
<email>ankur.tyagi85@gmail.com</email>
</author>
<published>2026-04-28T05:01:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=0f64da2ab994edf2086a3dc90524f18c731fa721'/>
<id>urn:sha1:0f64da2ab994edf2086a3dc90524f18c731fa721</id>
<content type='text'>
Backport patch [1] as mentioned in [2]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=6d74aa6138895b3662bade9bd578338b0c4f8a15
[2] https://security-tracker.debian.org/tracker/CVE-2026-0967

Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>libssh: patch CVE-2026-0968</title>
<updated>2026-04-29T04:44:29+00:00</updated>
<author>
<name>Ankur Tyagi</name>
<email>ankur.tyagi85@gmail.com</email>
</author>
<published>2026-04-28T05:01:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=015b974b6b7e7e302725012096432e260fb2c39c'/>
<id>urn:sha1:015b974b6b7e7e302725012096432e260fb2c39c</id>
<content type='text'>
Backport patches [1] and [2] as mentioned in [3]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9
[2] https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03
[3] https://security-tracker.debian.org/tracker/CVE-2026-0968

Certain functions from sftp.c were moved to a new file sftp_common.c
in version 0.11.0 by following commit:
https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a

This is the backport of the changes using the original file sftp.c

Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>opensc: patch CVE-2025-66215</title>
<updated>2026-04-29T04:44:29+00:00</updated>
<author>
<name>Ankur Tyagi</name>
<email>ankur.tyagi85@gmail.com</email>
</author>
<published>2026-04-26T13:03:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=9a19b0f3cb781caba872cbd359480de5a0824d43'/>
<id>urn:sha1:9a19b0f3cb781caba872cbd359480de5a0824d43</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66215

Backport the patches referenced by the PR[1] mentioned in the nvd.
Dropped the formatting commit from the backport.

[1] https://github.com/OpenSC/OpenSC/pull/3436

Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
</feed>
