<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-oe, branch scarthgap</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2026-04-15T08:42:18+00:00</updated>
<entry>
<title>grpc: set status for CVE-2026-33186</title>
<updated>2026-04-15T08:42:18+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2026-04-12T15:37:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=0ef4a2ecee12e2145c868ab7c049c5298de9e02d'/>
<id>urn:sha1:0ef4a2ecee12e2145c868ab7c049c5298de9e02d</id>
<content type='text'>
CPE per NVD report is for "go", while this is a C++ component:
* cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*
Also the link to the advisory within the NVD report says "grpc-go":
* https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>nmap: rename enum PCAP_SOCKET</title>
<updated>2026-04-15T08:42:18+00:00</updated>
<author>
<name>Jinfeng Wang</name>
<email>jinfeng.wang.cn@windriver.com</email>
</author>
<published>2026-04-10T07:05:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=f3e47be00a48203722057ed36d6fc0878a447000'/>
<id>urn:sha1:f3e47be00a48203722057ed36d6fc0878a447000</id>
<content type='text'>
The enum PCAP_SOCKET conflicts with the PCAP_SOCKET macro introduced in
libpcap 1.10.5. Use ifdefs to handle both old and new libpcap versions,
renaming the enum to NM_PCAP_SOCKET when the PCAP_SOCKET macro is defined.

Signed-off-by: Jinfeng Wang &lt;jinfeng.wang.cn@windriver.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>hdf5: fix CVE-2025-2309</title>
<updated>2026-04-15T08:42:18+00:00</updated>
<author>
<name>Libo Chen</name>
<email>libo.chen.cn@windriver.com</email>
</author>
<published>2026-04-10T07:05:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=6f240eceb0fe8ae357a4e5560bb7fb6dcae0e197'/>
<id>urn:sha1:6f240eceb0fe8ae357a4e5560bb7fb6dcae0e197</id>
<content type='text'>
According to [1], A vulnerability has been found in HDF5 1.14.6 and
classified as critical. This vulnerability affects the function
H5T__bit_copy of the component Type Conversion Logic. The manipulation
leads to heap-based buffer overflow. Local access is required to approach
this attack. The exploit has been disclosed to the public and may be used.
The real existence of this vulnerability is still doubted at the moment.
The vendor plans to fix this issue in an upcoming release.

Backport patch [2] from upstream to fix CVE-2025-2309

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2309
[2] https://github.com/HDFGroup/hdf5/commit/9d90b21ef5c5373978014f1a711795aa653bd9a1

Signed-off-by: Libo Chen &lt;libo.chen.cn@windriver.com&gt;
Signed-off-by: Jinfeng Wang &lt;jinfeng.wang.cn@windriver.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>hdf5: fix CVE-2025-44905</title>
<updated>2026-04-15T08:42:18+00:00</updated>
<author>
<name>Libo Chen</name>
<email>libo.chen.cn@windriver.com</email>
</author>
<published>2026-04-10T07:05:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=69fcb4d4b1bbd991f12185ef11dfe81561375887'/>
<id>urn:sha1:69fcb4d4b1bbd991f12185ef11dfe81561375887</id>
<content type='text'>
According to [1], hdf5 v1.14.6 was discovered to contain a heap buffer
overflow via the H5Z__filter_scaleoffset function.

Backport patch [2] from upstream to fix CVE-2025-44905

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-44905
[2] https://github.com/HDFGroup/hdf5/commit/42588aeba786a121fec1fbad72cf39d8f60a4983

Signed-off-by: Libo Chen &lt;libo.chen.cn@windriver.com&gt;
Signed-off-by: Jinfeng Wang &lt;jinfeng.wang.cn@windriver.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>hdf5: fix CVE-2025-2310</title>
<updated>2026-04-15T08:42:18+00:00</updated>
<author>
<name>Libo Chen</name>
<email>libo.chen.cn@windriver.com</email>
</author>
<published>2026-04-10T07:05:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c96f578f10812ea0be4bace170d62f1a116dc0fc'/>
<id>urn:sha1:c96f578f10812ea0be4bace170d62f1a116dc0fc</id>
<content type='text'>
According to [1], A vulnerability was found in HDF5 1.14.6 and classified
as critical. This issue affects the function H5MM_strndup of the component
Metadata Attribute Decoder. The manipulation leads to heap-based buffer
overflow. Attacking locally is a requirement. The exploit has been
disclosed to the public and may be used.

Backport patch [2] from upstream to fix CVE-2025-2310

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2310
[2] https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4

Signed-off-by: Libo Chen &lt;libo.chen.cn@windriver.com&gt;
Signed-off-by: Jinfeng Wang &lt;jinfeng.wang.cn@windriver.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>hdf5: fix CVE-2025-2153</title>
<updated>2026-04-15T08:42:15+00:00</updated>
<author>
<name>Libo Chen</name>
<email>libo.chen.cn@windriver.com</email>
</author>
<published>2026-04-10T07:05:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=43572581cf07864489f7f89c6d29e68bffc76c0b'/>
<id>urn:sha1:43572581cf07864489f7f89c6d29e68bffc76c0b</id>
<content type='text'>
According to [1], A vulnerability, which was classified as critical, was
found in HDF5 1.14.6. Affected is the function H5SM_delete of the file
H5SM.c of the component h5 File Handler. The manipulation leads to
heap-based buffer overflow. It is possible to launch the attack remotely.
The complexity of an attack is rather high. The exploitability is told to
be difficult. The exploit has been disclosed to the public and may be used.

Backport patch [2] from upstream to fix CVE-2025-2153

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2153
[2] https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0

Signed-off-by: Libo Chen &lt;libo.chen.cn@windriver.com&gt;
Signed-off-by: Jinfeng Wang &lt;jinfeng.wang.cn@windriver.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>yasm: fix CVE-2021-33454</title>
<updated>2026-04-15T08:40:33+00:00</updated>
<author>
<name>Guocai He</name>
<email>guocai.he.cn@windriver.com</email>
</author>
<published>2026-04-10T07:04:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c14dcffcd77b7b9d0d1f3473f98d51ffe2b166e9'/>
<id>urn:sha1:c14dcffcd77b7b9d0d1f3473f98d51ffe2b166e9</id>
<content type='text'>
An issue was discovered in yasm version 1.3.0. There is a
NULL pointer dereference in yasm_expr_get_intnum() in
libyasm/expr.c.

Backport patch to fix CVE-2021-33454 per reference [1].
[1]: https://security-tracker.debian.org/tracker/CVE-2021-33454

Signed-off-by: Guocai He &lt;guocai.he.cn@windriver.com&gt;
Signed-off-by: Jinfeng Wang &lt;jinfeng.wang.cn@windriver.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>nodejs: upgrade 20.20.0 -&gt; 20.20.2</title>
<updated>2026-04-13T07:10:21+00:00</updated>
<author>
<name>Ankur Tyagi</name>
<email>ankur.tyagi85@gmail.com</email>
</author>
<published>2026-04-09T11:22:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=07c2b52840aa5b60b0fa98efcbb6c3336b962ff3'/>
<id>urn:sha1:07c2b52840aa5b60b0fa98efcbb6c3336b962ff3</id>
<content type='text'>
License Update: Update minimatch to the Blue Oak Model License[1]

nodejs LTS releases containing security and bugfixes.

https://nodejs.org/en/blog/release/v20.20.1
https://nodejs.org/en/blog/release/v20.20.2

[1] https://github.com/nodejs/node/commit/f0ef221b0d458d9358c6e6e49094da475e86c229

Ptests passed:

root@qemux86:~# ptest-runner nodejs
START: ptest-runner
2026-04-09T10:37
BEGIN: /usr/lib/nodejs/ptest
Running main() from /usr/src/debug/nodejs/20.20.2/deps/googletest/src/gtest_main.cc
[==========] Running 152 tests from 23 test suites.
[----------] Global test environment set-up.
...
...
[----------] Global test environment tear-down
[==========] 152 tests from 23 test suites ran. (30533 ms total)
[  PASSED  ] 152 tests.
PASS: nodejs
DURATION: 31
END: /usr/lib/nodejs/ptest
2026-04-09T10:37
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>libvncserver: fix CVE-2026-32854</title>
<updated>2026-04-13T07:10:21+00:00</updated>
<author>
<name>Ankur Tyagi</name>
<email>ankur.tyagi85@gmail.com</email>
</author>
<published>2026-04-09T11:22:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=39924b5b88a66212cabc6074591a23d66210067c'/>
<id>urn:sha1:39924b5b88a66212cabc6074591a23d66210067c</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32854

Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>libvncserver: fix CVE-2026-32853</title>
<updated>2026-04-13T07:10:21+00:00</updated>
<author>
<name>Ankur Tyagi</name>
<email>ankur.tyagi85@gmail.com</email>
</author>
<published>2026-04-09T11:22:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c56964fcf28c21e5b85d02212e41c6a396776212'/>
<id>urn:sha1:c56964fcf28c21e5b85d02212e41c6a396776212</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32853

Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
</feed>
