Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap 2026-04-15T08:42:18+00:00 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:49+00:00 urn:sha1:a1b14b7a3aadd2ad6b117bdafa505928edadfeb7 Vvulnerability affects Windows application and can be ignored. Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:48+00:00 urn:sha1:3b6292cfbef8b60750071da92ccb91d50a63c2be Backport the commit[1] from version 6.5.5 which fixes this vulnerability according to the NVD[2]. [1] https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-35536 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:47+00:00 urn:sha1:667917103437dd9a6a737f005628884058ee2b79 License Update: File renamed as txt[1] Release Notes: https://github.com/pallets/flask/releases/tag/3.0.3 [1] https://github.com/pallets/flask/commit/87d5f5b9a9697434e6d972b021201105eabb54e6 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:46+00:00 urn:sha1:8ce4b233c6e2afa6be89ad31a3c77452b0f3a23b Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33936 Ptests passed: root@qemux86:~# ptest-runner python3-ecdsa START: ptest-runner 2026-04-11T08:04 BEGIN: /usr/lib/python3-ecdsa/ptest ... ... Testsuite summary # TOTAL: 1978 # PASS: 1974 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 DURATION: 386 END: /usr/lib/python3-ecdsa/ptest 2026-04-11T08:10 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:45+00:00 urn:sha1:8e106a9b12bb8dbb24a63ef058bc12fc0c218b4b Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.30/ Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Haixiao Yan haixiao.yan.cn@windriver.com 2026-04-10T07:05:07+00:00 urn:sha1:9757d0151b92601c4c6fd05baf7e328afa000213 QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods on MySQL and MariaDB. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-59681 Upstream-patch: https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Haixiao Yan haixiao.yan.cn@windriver.com 2026-04-10T07:05:06+00:00 urn:sha1:838ca228086821cf82b3de83fb78412c6d2784c8 FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-57833 Upstream-patch: https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:40:33+00:00 Haixiao Yan haixiao.yan.cn@windriver.com 2026-04-10T07:04:59+00:00 urn:sha1:151e634ed297eec8d9b269c2b08001fd76f4cc62 The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64459 https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html Upstream-patch: https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241 https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-03T09:30:47+00:00 Hitendra Prajapati hprajapati@mvista.com 2026-03-31T06:15:06+00:00 urn:sha1:4810cd8c5bbc0b4349a78eac85a6a882bc0b03a2 Backport the patch[1] which fixes this vulnerability as mentioned in the comment[3]. Details: https://nvd.nist.gov/vuln/detail/CVE-2026-26209 [1] https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b [2] https://github.com/agronholm/cbor2/commit/fb4ee1612a8a1ac0dbd8cf2f2f6f931a4e06d824 (pre patch) [3] https://github.com/agronholm/cbor2/pull/275 Dropped changes to the changelog from the original commit. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-24T03:22:14+00:00 Hitendra Prajapati hprajapati@mvista.com 2026-03-18T08:00:15+00:00 urn:sha1:808d3a73de75f7b5c76c247209c910e1686304db Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990 Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2]. [1] https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa [2] https://nvd.nist.gov/vuln/detail/CVE-2026-25990 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>